diff --git a/checklists-ext/fullwaf_checklist.en.json b/checklists-ext/fullwaf_checklist.en.json
index 62bebea18..06dbaba27 100644
--- a/checklists-ext/fullwaf_checklist.en.json
+++ b/checklists-ext/fullwaf_checklist.en.json
@@ -1,10289 +1,11057 @@ { "items": [ { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.", - "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", - "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", - "service": "ACR", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "af416482-663c-4ed6-b195-b44c7068e09c", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", + "query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)", + "service": "Container Apps", "severity": "High", - "text": "Disable Azure Container Registry image export", + "text": "Leverage Availability Zones if regionally applicable", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", - "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", - "service": "ACR", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", + "query": "resources | where type =~ 'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = 
toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)", + "service": "Container Apps", "severity": "High", - "text": "Enable Azure Policies for Azure Container Registry", + "text": "Use more than one replica and enable Zone Redundancy.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", - "guid": "d345293c-7639-4637-a551-c5c04e401955", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", - "service": "ACR", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "severity": "High", - "text": "Sign and Verify containers with notation (Notary v2)", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. 
By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", - "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", - "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", - "service": "ACR", - "severity": "Medium", - "text": "Encrypt registry with a customer managed key", + "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", - "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "severity": "High", - "text": "Use Managed Identities to connect instead of Service Principals", + "text": "Use Front Door or Traffic Manager to route traffic to the closest region", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", - "guid": "be0e38ce-e297-411b-b363-caaab79b198d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", - "severity": "High", - "text": "Disable local authentication for management plane access", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", + "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", + "service": "Purview", + "severity": "Medium", + "text": "Leverage FTA Resillency Handbook", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", - "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", - "service": "ACR", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "severity": "High", - "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", + "text": "Plan for Data Center level outage", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable anonymous pull/push access", - "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", - "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", - "service": "ACR", + "arm-service": "Microsoft.Purview/accounts", 
+ "checklist": "Microsoft Purview Review Checklist", + "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets", + "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "severity": "Medium", - "text": "Disable Anonymous pull access", + "text": "Practice Failover for BCDR", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Token authentication doesn't support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token", - "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", - "service": "ACR", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "97b15b8a-219a-44ab-bb57-879024d22678", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "severity": "High", - "text": "Disable repository-scoped access tokens", + "text": "Plan a backup strategy and take regular backups", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", - "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", - "service": "ACR", - "severity": "High", - "text": "Deploy images from a trusted environment", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", + "link": 
"https://learn.microsoft.com/purview/manage-kafka-dotnet", + "service": "Purview", + "severity": "Low", + "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Only tokens with an ACR audience can be used for authentication. Used when enabling Conditional access policies for ACR", - "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", - "service": "ACR", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", + "link": "https://learn.microsoft.com/purview/deployment-best-practices", + "service": "Purview", "severity": "Medium", - "text": "Disable Azure ARM audience tokens for authentication", + "text": "Follow Purview accounts architectures and deployment best practices", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.", - "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", - "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", - "service": "ACR", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", + "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", + "service": "Purview", "severity": "Medium", - "text": "Enable diagnostics logging", + "text": "Follow Collection Architectures and best practices", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", - "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", - "service": "ACR", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", + "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", + "service": "Purview", "severity": "Medium", - "text": "Control inbound network access with Private Link", + "text": "Follow Assest lifecycle best practices", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable public network access if inbound network access is secured using Private Link", - "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", - "service": "ACR", + 
"arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", + "service": "Purview", "severity": "Medium", - "text": "Disable Public Network access", + "text": "Follow automation best practices", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Only the ACR Premium SKU supports Private Link access", - "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", - "service": "ACR", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "severity": "Medium", - "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", + "text": "Follow Backup and Migration Best practices", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities", - "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", - "service": "ACR", - "severity": "Low", - "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", + "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", + "service": "Purview", + "severity": "Medium", 
+ "text": "Follow Purview Glossary Best Practices", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", - "service": "ACR", - "severity": "Medium", - "text": "Deploy validated container images", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", + "link": "https://learn.microsoft.com/purview/concept-workflow", + "service": "Purview", + "severity": "Low", + "text": "Leverage Workflows ", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "4e401955-387e-45ce-b126-cd132af5b20c", - "service": "ACR", - "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security", + "service": "Purview", + "severity": "Medium", + "text": "Follow Purview Security Best Practices", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant = (sku=~'{\"name\":\"Standard\"}') | distinct id,compliant", - "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", - "link": "https://learn.microsoft.com/azure/service-fabric/overview-managed-cluster#service-fabric-managed-cluster-skus", - "service": "Azure Service Fabric", + "arm-service": 
"Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", + "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", + "service": "Purview", "severity": "Medium", - "text": "Use Standard SKU for production scenarios.", + "text": "Follow Purview Data Lineage Best Practices", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "graph": "resources | where type=~'Microsoft.ServiceFabric/clusters' | extend nodeTypes= array_concat(properties.nodeTypes) | mv-expand nodeTypes | summarize BronzeDurabilityCount = countif(nodeTypes.durabilityLevel == 'Bronze') by id | extend compliant = (BronzeDurabilityCount == 0) | distinct id,compliant", - "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-cluster-capacity#durability-characteristics-of-the-cluster", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", + "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", + "service": "Purview", "severity": "Medium", - "text": "Use durability level Silver (5 VMs) or greater for production scenarios", + "text": "Follow Best Practices for Scanning Registered Sources", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant= ( properties.zonalResiliency =~ 'true') | distinct id,compliant", - "guid": "2363878d-55c4-4cbd-9bc2-94523c85f12e", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-availability-zones", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": 
"c49d997c-b3d1-4325-aa22-5c6f4e0685ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", + "service": "Purview", "severity": "Medium", - "text": "Consider using Availability Zones for your Service Fabric clusters. Service Fabric managed cluster supports deployments that span across multiple Availability Zones to provide zone resiliency. This configuration will ensure high-availability of the critical system services and your applications to protect from single-points-of-failure.", + "text": "Follow Classification Best Practices in Governance Portal", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "5ba74cc8-3ca2-44d5-9a67-bdc8e102e7b4", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-api-management-overview", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", + "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", + "service": "Purview", "severity": "Medium", - "text": "Consider using Azure API Management to expose and offload cross-cutting functionality for APIs hosted on the cluster. API Management can integrate with Service Fabric directly.", + "text": "Perform Sensitivity Labelling in the Purview Data Map", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "ef17bb8f-4e2c-488b-8ceb-a07c3d750dd3", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-reliable-services-introduction", - "service": "Azure Service Fabric", - "severity": "Medium", - "text": "For stateful workload scenarios, consider using Reliable Services. 
The Reliable Services model allows your services to stay up even in unreliable environments where your machines fail or hit network issues, or in cases where the services themselves encounter errors and crash or fail. For stateful services, your state is preserved even in the presence of network or other failures.", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", + "link": "https://learn.microsoft.com/purview/concept-data-share", + "service": "Purview", + "severity": "Low", + "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | summarize compliant = countif(sku.name matches regex '^Standard_[^d]*$' ) by id", - "guid": "4da21268-f775-4c89-a271-eb80543c8df7", - "service": "Azure Service Fabric", - "severity": "Medium", - "text": "Avoid VM SKUs with temp disk offerings. 
Service Fabric uses managed disks by default, so avoiding temp disk offerings ensures you don't pay for unneeded resources.", - "waf": "Cost" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "severity": "Low", + "text": "Leverage Data Estate Insights", + "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "1890b796-f300-41a3-a8d4-29738c1f4ad0", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-stateless-node-type#temporary-disk-support", - "service": "Azure Service Fabric", - "severity": "Medium", - "text": "If you need to select a certain VM SKU for capacity reasons and it happens to offer temp disk, consider using temporary disk support for your stateless workloads.", - "waf": "Cost" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", + "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", + "service": "Purview", + "severity": "Low", + "text": "Use Data stewardship and Catalog adoption", + "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "5247bb32-6778-49c7-8b40-e171c9a3ce1e", - "service": "Azure Service Fabric", - "severity": "Medium", - "text": "Align SKU selection and managed disk size with workload requirements. 
Matching your selection to your workload demands ensures you don't pay for unneeded resources.", - "waf": "Cost" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "severity": "Low", + "text": "Use Inventory and Ownership", + "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "6028759b-446a-41bc-8b0e-7728e61ca704", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-networking#manage-nsg-rules", - "service": "Azure Service Fabric", - "severity": "Medium", - "text": "Ensure Network Security Groups (NSG) are configured to restrict traffic flow between subnets and node types. For example, you may have an API Management instance (one subnet), a frontend subnet (exposing a website directly), and a backend subnet (accessible only to frontend).", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", + "link": "https://learn.microsoft.com/purview/glossary-insights", + "service": "Purview", + "severity": "Low", + "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | extend compliant = (isnotnull(properties.virtualMachineProfile.osProfile.secrets))", - "guid": "4e98c903-14cf-4c72-9c45-b8b23bc4cbd8", - "link": 
"https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#deploy-key-vault-certificates-to-service-fabric-cluster-virtual-machine-scale-sets", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b130a888-9579-4e76-a896-e710a7da7be9", + "link": "https://learn.microsoft.com/purview/compliance-manager", + "service": "Purview", "severity": "Medium", - "text": "Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets. Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked.", + "text": "Generate assessment scores", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "001cbb6f-d88d-4431-8434-d01333397776", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", + "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", + "service": "Purview", "severity": "Medium", - "text": "Apply an Access Control List (ACL) to your client certificate for your Service Fabric cluster. 
Using an ACL provides an additional level of authentication.", + "text": "Profiling- get summaries of data content", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "4b74b7a5-bb1e-4fca-948c-037ba95fb73b", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-resource-governance#resource-governance-mechanism", - "service": "Azure Service Fabric", - "severity": "Medium", - "text": "Use resource requests and limits to govern resource usage across the nodes in your cluster. Enforcing resource limits helps ensure that one service doesn't consume too many resources and starve other services.", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", + "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", + "service": "Purview", + "severity": "Low", + "text": "Follow Microsoft Purview Data Owner access policies", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "cd9233ba-f3aa-4353-8d2f-7ea4a64160e6", - "link": "", - "service": "Azure Service Fabric", - "severity": "Medium", - "text": "Encrypt Service Fabric package secret values. Encryption on your secret values provides an additional level of security.", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", + "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", + "service": "Purview", + "severity": "Low", + "text": "Follow Self-service access policies", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "44b989d4-9f72-42b6-99da-ec2a79f83299", - "link": "", - "service": "Azure Service Fabric", - "severity": "Medium", - "text": "Include client certificates in Service Fabric applications. 
Having your applications use client certificates for authentication provides opportunities for security at both the cluster and workload level.", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", + "link": "https://learn.microsoft.com/purview/concept-policies-devops", + "service": "Purview", + "severity": "Low", + "text": "Follow DevOps policies", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "28e66ff7-4a77-4b2c-910d-0335f141208a", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets", - "service": "Azure Service Fabric", - "severity": "Medium", - "text": "Authenticate Service Fabric applications to Azure Resources using Managed Identity. Using Managed Identity allow you to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control.", + "arm-service": "Microsoft.Compute/virtualMachineScaleSets", + "checklist": "Resiliency Review", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", + "severity": "Low", + "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", "waf": "Reliability" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "f16c413c-00a6-43aa-852c-b97292c33a56", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#hosting-untrusted-applications-in-a-service-fabric-cluster", - "service": "Azure Service Fabric", - "severity": 
"Medium", - "text": "Follow Service Fabric best practices when hosting untrusted applications. Following the best practices provides a security standard to follow.", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", + "service": "VM", + "severity": "High", + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "AppGW", - "severity": "Medium", - "text": "Ensure you are using Application Gateway v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", + "severity": "High", + "text": "Use Premium or Ultra disks for production VMs", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 
'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", - "severity": "Medium", - "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", + "guid": "b31e38c3-f298-412b-8363-cffe179b599d", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", + "service": "VM", + "severity": "High", + "text": "Ensure Managed Disks are used for all VMs", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", + "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", + "service": "VM", "severity": "Medium", - "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "text": "Do not use the Temp disk for anything that is not acceptable to be lost", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "AppGW", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", + "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": 
"VM", "severity": "Medium", - "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Leverage Availability Zones for your VMs in regions where they are supported", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "AppGW", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", + "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "VM", "severity": "Medium", - "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "AppGW", - 
"severity": "Medium", - "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", + "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", + "severity": "High", + "text": "Avoid running a production workload on a single VM", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "AppGW", - "severity": "Medium", - "text": "Configure autoscaling with a minimum amount of instances of two.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", + "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", + "severity": "High", + "text": "For Azure and on-premises VMs 
(Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "AppGW", - "severity": "Medium", - "text": "Deploy Application Gateway across Availability Zones", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", + "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", + "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", + "service": "VM", + "severity": "Low", + "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", + "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", + "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", + 
"service": "VM", "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Reliability" - }, - { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", - "severity": "High", - "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Increase quotas in DR region before testing failover with ASR", "waf": "Reliability" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", + "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", + "service": "VM", "severity": "Low", - "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "text": "Utilize Scheduled Events to prepare for VM maintenance", "waf": "Reliability" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", + "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Storage", "severity": "Medium", - "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Reliability" - }, - { - "ammp": true, - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", - "severity": "High", - "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", + "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": 
"2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "AppGW", - "severity": "High", - "text": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", + "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Storage", + "severity": "Low", + "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "AppGW", - "severity": "High", - "text": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", + "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Storage", + "severity": "Low", + "text": "Enable soft delete for Storage Account Containers", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "AppGW", - "severity": "High", - "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", + "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Storage", + "severity": "Low", + "text": "Enable soft delete for blobs", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", - "service": "AppGW", - "severity": "High", - "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Resiliency Review", + "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", + "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", + 
"link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "service": "Backup", + "severity": "Medium", + "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "AppGW", - "severity": "Medium", - "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Resiliency Review", + "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", + "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", + "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", + "service": "Backup", + "severity": "Low", + "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "AppGW", - "severity": "Medium", - "text": "Use a high threshold for Azure Application Gateway WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Resiliency Review", + "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", + "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", + "service": "Backup", + "severity": "Low", + "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "AppGW", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Resiliency Review", + "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", + "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", + "service": "DNS", "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "text": "Implement DNS Failover using Azure DNS Private Resolvers", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "AppGW", + "arm-service": "Microsoft.PowerBI/gateways", + "checklist": "Resiliency Review", + "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", + "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", + "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", + "service": "Data Gateways", "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "AppGW", - "severity": "Medium", - "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. 
The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", + "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", + "severity": "High", + "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "AppGW", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Storage", "severity": "Medium", - "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", - "waf": "Operations" + "text": "Consider the 'Azure security baseline for storage'", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "AppGW", - "severity": "Medium", - "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Storage", + "severity": "High", + "text": "Consider using private endpoints for Azure Storage", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "AppGW", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Storage", "severity": "Medium", - "text": "Define your Azure Application Gateway WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "text": "Ensure older storage accounts are not using 'classic deployment model'", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "AppGW", - "severity": "Medium", - "text": "Use WAF Policies instead of the legacy WAF configuration.", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Storage", + "severity": "High", + "text": "Enable Microsoft Defender for all of your storage accounts", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "AppGW", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "The 
soft-delete mechanism allows to recover accidentally deleted blobs.",
+ "guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.",
+ "text": "Enable 'soft delete' for blobs",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
- "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
- "service": "AppGW",
- "severity": "High",
- "text": "You should encrypt traffic to the backend servers.",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ",
+ "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Disable 'soft delete' for blobs",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
- "service": "AppGW",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.",
+ "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview",
+ "service": "Storage",
 "severity": "High",
- "text": "You should use a Web Application Firewall.",
+ "text": "Enable 'soft delete' for containers",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
- "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
- "service": "AppGW",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ",
+ "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Redirect HTTP to HTTPS",
+ "text": "Disable 'soft delete' for containers",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
- "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
- "service": "AppGW",
- "severity": "Medium",
- "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing",
- "waf": "Operations"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion",
+ "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
+ "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
+ "service": "Storage",
+ "severity": "High",
+ "text": "Enable resource locks on storage accounts",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
- "service": "AppGW",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.",
+ "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
+ "service": "Storage",
 "severity": "High",
- "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool",
+ "text": "Consider immutable blobs",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
- "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
- "service": "AppGW",
- "severity": "Low",
- "text": "Create custom error pages to display a personalized user experience",
- "waf": "Operations"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ",
+ "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant",
+ "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
+ "service": "Storage",
+ "severity": "High",
+ "text": "Require HTTPS, i.e. disable port 80 on the storage account",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
- "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
- "service": "AppGW",
- "severity": "Medium",
- "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.",
+ "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
+ "service": "Storage",
+ "severity": "High",
+ "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "AppGW",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.",
+ "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover",
- "waf": "Performance"
+ "text": "Limit shared access signature (SAS) tokens to HTTPS connections only",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "AppGW",
- "severity": "Medium",
- "text": "Use transport layer load balancing",
- "waf": "Performance"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": ". Enforcing the latest TLS version will reject request from clients using the older version. ",
+ "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant",
+ "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55",
+ "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version",
+ "service": "Storage",
+ "severity": "High",
+ "text": "Enforce the latest TLS version for a storage account",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
- "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
- "service": "AppGW",
- "severity": "Medium",
- "text": "Configure routing based on host or domain name for multiple web applications on a single gateway",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible",
+ "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
+ "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
+ "service": "Storage",
+ "severity": "High",
+ "text": "Use Microsoft Entra ID tokens for blob access",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
- "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
- "service": "AppGW",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.",
+ "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm",
+ "text": "Least privilege in IaM permissions",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
- "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
- "service": "AppGW",
- "severity": "Low",
- "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ",
+ "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
+ "service": "Storage",
+ "severity": "High",
+ "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.DBforPostgreSQL/servers",
- "checklist": "PostgreSQL Review Checklist",
- "guid": "65285269-441c-44bf-9d3e-0844276d4bdc",
- "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview",
- "service": "PostgreSQL",
- "severity": "Medium",
- "text": "Leverage Flexible Server",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. ",
+ "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant",
+ "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
+ "service": "Storage",
+ "severity": "High",
+ "text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.DBforPostgreSQL/servers",
- "checklist": "PostgreSQL Review Checklist",
- "guid": "016ccf31-ae5a-41eb-9888-9535e227896d",
- "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability",
- "service": "PostgreSQL",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).",
+ "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
+ "service": "Storage",
 "severity": "High",
- "text": "Leverage Availability Zones where regionally applicable",
+ "text": "Consider using Azure Monitor to audit control plane operations on the storage account",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.DBforPostgreSQL/servers",
- "checklist": "PostgreSQL Review Checklist",
- "guid": "31b67c67-be59-4519-8083-845d587cb391",
- "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas",
- "service": "PostgreSQL",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.",
+ "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Leverage cross-region read replicas for BCDR",
+ "text": "When using storage account keys, consider enabling a 'key expiration policy'",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Cognitive Services Review Checklist",
- "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx",
- "service": "Cognitive Services",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.",
+ "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
+ "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Leverage FTA HandBook for Cognitive Services",
+ "text": "Consider configuring an SAS expiration policy",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Cognitive Services Review Checklist",
- "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
- "service": "Cognitive Services",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Backup Your Prompts",
+ "text": "Consider linking SAS to a stored access policy",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Cognitive Services Review Checklist",
- "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
- "service": "Cognitive Services",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
+ "service": "Storage",
 "severity": "High",
- "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service",
+ "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Cognitive Services Review Checklist",
- "guid": "325af625-ca44-4e46-a5e2-223ace8bb123",
- "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations",
- "service": "Cognitive Services",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.",
+ "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
+ "service": "Storage",
+ "severity": "High",
+ "text": "Strive for short validity periods for ad-hoc SAS",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.",
+ "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Backup Your ChatGPT conversations",
+ "text": "Apply a narrow scope to a SAS",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Cognitive Services Review Checklist",
- "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618",
- "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment",
- "service": "Cognitive Services",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ",
+ "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
+ "service": "Storage",
 "severity": "Medium",
- "text": "CI/CD for custom speech",
+ "text": "Consider scoping SAS to a specific client IP address, wherever possible",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Cognitive Services Review Checklist",
- "guid": "3687a046-7a1f-4893-9bda-43324f248116",
- "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base",
- "service": "Cognitive Services",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.",
+ "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
+ "service": "Storage",
 "severity": "Low",
- "text": "Move a knowledge base using export-import",
+ "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
- "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
- "service": "Logic Apps",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint",
+ "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
+ "service": "Storage",
 "severity": "High",
- "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
+ "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
- "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "Logic Apps",
- "severity": "High",
- "text": "Protect logic apps from region failures with zone redundancy and availability zones",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
- "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "Logic Apps",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.",
+ "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
+ "service": "Storage",
 "severity": "High",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "text": "Avoid overly broad CORS policies",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
- "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
- "service": "Logic Apps",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.",
+ "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "service": "Storage",
 "severity": "High",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "text": "Determine how data at rest should be encrypted. Understand the thread model for data.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
- "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
- "service": "Logic Apps",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
+ "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
- "waf": "Operations"
+ "text": "Determine which/if platform encryption should be used.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "service": "Functions",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Determine which/if client-side encryption should be used.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.",
+ "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant",
+ "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
+ "service": "Storage",
 "severity": "High",
- "text": "Select the right Function hosting plan based on your business & SLO requirements",
+ "text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. ",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' and tolower(kind) !contains 'workflow' | extend aspResourceId = tostring(properties.serverFarmId), managedEnvId = tostring(properties.managedEnvironmentId), sku = tostring(properties.sku) | extend sku = iif(isnotempty(sku), sku, iif(isnotempty(managedEnvId), 'ContainerApps', '')) | where sku !in ('Dynamic', 'FlexConsumption', '') | extend aspName = tostring(split(aspResourceId, '/').[-1]), managedEnvName = tostring(split(managedEnvId, '/').[-1]) | extend HostingPlan = tostring(iif(isnotempty(aspName), aspName, managedEnvName)) | project functionAppName = name, functionAppId = id, HostingPlan, sku | join kind=inner ( resources | where type =~ 'Microsoft.Web/serverfarms' or type =~ 'Microsoft.App/managedEnvironments' | extend HostingPlan = tostring(name), zoneRedundant = tostring(properties.zoneRedundant), compliant = tobool(properties.zoneRedundant) | project HostingPlan, resourceId = id, zoneRedundant, compliant ) on HostingPlan | project functionAppName, functionAppId, sku, HostingPlan, resourceId, zoneRedundant, compliant",
- "service": "Functions",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal",
+ "service": "Storage",
 "severity": "High",
- "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)",
+ "text": "Leverage a storagev2 account type for better performance and reliability",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity",
- "service": "Functions",
- "severity": "Medium",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant",
+ "guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Storage",
+ "severity": "High",
+ "text": "Leverage GRS, ZRS or GZRS storage for the highest availability",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "Functions",
- "severity": "High",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "2fa56c56-ad48-4408-be72-734c486ba280",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "For write operation after failover, use customer-Managed Failover ",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
- "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' | where tolower(kind) !contains 'workflow' | where isnotempty(properties.serverFarmId) | extend sku = tostring(properties.sku) | where isnotempty(sku) | where sku !in ('Dynamic', 'FlexConsumption', 'ElasticPremium') | extend alwaysOn = properties.siteConfig.alwaysOn | project functionAppName = name, functionAppId = id, serverFarmId = tostring(properties.serverFarmId), sku, alwaysOn, compliant = tobool(alwaysOn)",
- "service": "Functions",
- "severity": "High",
- "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Understand Microsoft-Managed Failover details",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
- "service": "Functions",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled",
+ "text": "Enable Soft Delete",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "Functions",
+ "checklist": "SAP Checklist",
+ "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
+ "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code",
+ "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx",
- "service": "CosmosDB",
+ "checklist": "SAP Checklist",
+ "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
+ "service": "SAP",
 "severity": "Medium",
- "text": "FTA Resiliency Playbook",
- "waf": "Reliability"
+ "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.",
+ "training": "https://github.com/Azure/sap-automation",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b",
- "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
- "service": "CosmosDB",
- "severity": "High",
- "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it",
+ "checklist": "SAP Checklist",
+ "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, 
incidentally", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "severity": "Medium", - "text": "Run multiple replicas of the database (>1 ) in Prod", + "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", - "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", - "service": "CosmosDB", - "severity": "Medium", - "text": "Leverage Multi-Region Writes", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", + "severity": "High", + "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. 
Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Span Cosmos account across two or more regions with multi-region writes", - "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "Medium", - "text": "Distribute your data globally", + "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", - "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", - "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "severity": "High", - "text": "Choose from several well-defined consistency models", + "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", - "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", - "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", - "service": "CosmosDB", - "severity": "Medium", - "text": "Enable Service managed failover", + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", + "severity": "Low", + "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.", - "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", - "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "Medium", - "text": "Enable Automatic Backups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", - "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", - "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", - "service": "CosmosDB", - "severity": "Medium", - "text": "Perform Periodic Backups", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "Low", + "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", - "severity": "Medium", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "High", + "text": "Native database replication technology should be used to synchronize the database in a HA pair.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "High", + "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", - "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "High", + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "High", + "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", - "severity": "Medium", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "High", + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", - "severity": "Medium", - "text": "Enable logging for security investigation. 
Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "High", + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "severity": "Medium", - "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "High", + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. 
Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", - "severity": "Medium", - "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | 
project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "severity": "High", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "severity": "Medium", - "text": "Leverage FTA Resillency HandBook", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", + "severity": "High", + "text": "Make sure the Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", + "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", - "severity": "Medium", - "text": "Use the Premium or Dedicated SKUs for predicable performance", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", + "severity": "High", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, 
Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "High", - "text": "Plan for Geo Disaster Recovery using Active Passive configuration", + "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "Medium", - "text": "For Business Critical Applications, use Active Active configuration", + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", - "severity": "Medium", - "text": "Design Resilient Event Hubs", + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "High", + "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "Low", - "text": "If required for AKS Windows workloads HostProcess containers can be used", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "High", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "severity": "Low", - "text": "Use KEDA if running event-driven workloads", - "waf": "Performance" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "Low", - "text": "Use Dapr to ease microservice development", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "High", + "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "High", - "text": "Use the SLA-backed AKS offering", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "Low", - "text": "Use Disruption Budgets in your pod and deployment definitions", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", + "severity": "Medium", + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. 
However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", - "severity": "High", - "text": "If using a private registry, configure region replication to store images in multiple regions", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Medium", + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", - "severity": "Low", - "text": "Use an external application such as kubecost to allocate costs to different users", - "waf": "Cost" + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", + "severity": "Medium", + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", - "severity": "Low", - "text": "Use scale down mode to delete/deallocate nodes", - "waf": "Cost" + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "severity": "High", + "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. 
At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", + "severity": "High", + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "severity": "High", + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "High", + "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "severity": "Medium", - "text": "When required use multi-instance partitioning GPU on AKS Clusters", + "text": "Automate SAP System Start-Stop to manage costs.", "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "severity": "Low", - "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. 
However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", - "severity": "Medium", - "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "Low", + "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", + "waf": "Cost" + }, + { + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", + "severity": "High", + "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "Medium", - "text": "Separate applications from the control plane with user/system node pools", + "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", 
"waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "Low", - "text": "Add taint to your system nodepool to make it dedicated", + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", + "severity": "Medium", + "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "Medium", - "text": "Use a private registry for your images, such as ACR", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "severity": "Medium", - "text": "Scan your images 
for vulnerabilities", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", - "severity": "High", - "text": "Define app separation requirements (namespace/nodepool/cluster)", + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", + "severity": "Medium", + "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "severity": "Medium", - "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", - "severity": "High", - "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", + "severity": "Medium", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", "severity": "Medium", - "text": "If required add Key Management Service etcd encryption", + "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "Low", - "text": "If required consider using Confidential Compute for AKS", + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", + "severity": "Medium", + "text": "Implement SSO to SAP HANA", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": 
"SAP", "severity": "Medium", - "text": "Consider using Defender for Containers", + "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", - "severity": "High", - "text": "Use managed identities instead of Service Principals", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", + "severity": "Medium", + "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", "severity": "Medium", - "text": "Integrate authentication with AAD (using the managed integration)", + "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity 
Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "severity": "Medium", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", + "text": "Implement SSO to SAP BTP", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", "severity": "Medium", - "text": "Integrate authorization with AAD RBAC", + "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "High", - "text": "Use namespaces for restricting RBAC privilege in Kubernetes", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "checklist": "SAP Checklist", + "description": "Keep your management group hierarchy reasonably flat, no more than four.", + "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "severity": "Medium", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", - "waf": "Reliability" + "text": "enforce existing Management Group policies to SAP Subscriptions", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", - "severity": "Medium", - "text": "For AKS 
non-interactive logins use kubelogin (preview)", - "waf": "Reliability" + "checklist": "SAP Checklist", + "graph": "Resources | summarize count()", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "High", + "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", - "severity": "Medium", - "text": "Disable AKS local accounts", - "waf": "Reliability" + "checklist": "SAP Checklist", + "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "High", + "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Low", - "text": "Configure if required Just-in-time cluster access", - "waf": "Reliability" + "checklist": "SAP Checklist", + "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", + "severity": "High", + "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", "severity": "Low", - "text": "Configure if required AAD conditional access for AKS", - "waf": "Reliability" + "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "Low", - "text": "If required for Windows AKS workloads configure gMSA ", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", + "severity": "High", + "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "1f711a74-3672-470b-b8b8-a2148d640d79",
- "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity",
- "service": "AKS",
- "severity": "Medium",
- "text": "For finer control consider using a managed Kubelet Identity",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
- "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
 "severity": "Medium",
- "text": "If using AGIC, do not share an AppGW across clusters",
- "waf": "Reliability"
+ "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
- "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
- "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
 "severity": "High",
- "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.",
+ "text": "Help protect your HANA database by using the Azure Backup service.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
 "severity": "Medium",
- "text": "For Windows workloads use Accelerated Networking",
- "waf": "Performance"
+ "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
- "guid": "ba7da7be-9952-4914-a384-5d997cb39132",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
 "severity": "High",
- "text": "Use the standard ALB (as opposed to the basic one)",
- "waf": "Reliability"
+ "text": "Ensure time-zone matches between the operating system and the SAP system.",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
- "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
+ "service": "SAP",
 "severity": "Medium",
- "text": "If using Azure CNI, consider using different Subnets for NodePools",
+ "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
- "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
- "service": "AKS",
- "severity": "Medium",
- "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
- "guid": "a0f61565-9de5-458f-a372-49c831112dbd",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
- "severity": "High",
- "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
- "severity": "High",
- "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
+ "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
+ "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
- "severity": "High",
- "text": "If using Azure CNI, check the maximum pods/node (default 30)",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .",
- "guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
- "link": "https://learn.microsoft.com/azure/aks/internal-lb",
- "service": "AKS",
- "severity": "Low",
- "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
+ "service": "SAP",
 "severity": "High",
- "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)",
- "waf": "Reliability"
+ "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f",
- "link": "https://learn.microsoft.com/azure/aks/use-byo-cni",
- "service": "AKS",
- "severity": "Low",
- "text": "If required add your own CNI plugin",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364",
- "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools",
- "service": "AKS",
- "severity": "Low",
- "text": "If required configure Public IP per node in AKS",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
+ "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
- "link": "https://learn.microsoft.com/azure/aks/concepts-network",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "73686af4-6791-4f89-95ad-a43324e13811",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services",
- "waf": "Reliability"
+ "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ccb534e7-416e-4a1d-8e93-533b53199085",
- "link": "https://learn.microsoft.com/azure/aks/nat-gateway",
- "service": "AKS",
- "severity": "Low",
- "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
+ "severity": "High",
+ "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
+ "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion",
+ "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
+ "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
- "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
- "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
- "service": "AKS",
- "severity": "High",
- "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it",
+ "checklist": "SAP Checklist",
+ "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
+ "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
+ "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
- "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
- "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
+ "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "service": "SAP",
 "severity": "Medium",
- "text": "If using a public API endpoint, restrict the IP addresses that can access it",
- "waf": "Reliability"
+ "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
+ "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
- "link": "https://learn.microsoft.com/azure/aks/private-clusters",
- "service": "AKS",
- "severity": "High",
- "text": "Use private clusters if your requirements mandate it",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
 "severity": "Medium",
- "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ",
+ "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
- "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
- "severity": "High",
- "text": "Enable a Kubernetes Network Policy option (Calico/Azure)",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
- "severity": "High",
- "text": "Use Kubernetes network policies to increase intra-cluster security",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "c027f893-f404-41a9-b33d-39d625a14964",
+ "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
- "severity": "High",
- "text": "Use a WAF for web workloads (UIs or APIs)",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
+ "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
- "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use DDoS Standard in the AKS Virtual Network",
- "waf": "Reliability"
+ "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
+ "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
- "link": "https://learn.microsoft.com/azure/aks/http-proxy",
- "service": "AKS",
- "severity": "Low",
- "text": "If required add company HTTP Proxy",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
+ "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
- "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider using a service mesh for advanced microservice communication management",
+ "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
- "service": "AKS",
- "severity": "High",
- "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
+ "checklist": "SAP Checklist",
+ "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
- "service": "AKS",
- "severity": "Low",
- "text": "Check regularly Azure Advisor for recommendations on your cluster",
+ "checklist": "SAP Checklist",
+ "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
- "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
- "service": "AKS",
- "severity": "Low",
- "text": "Enable AKS auto-certificate rotation",
- "waf": "Operations"
+ "checklist": "SAP Checklist",
+ "description": "When configuring VNet peering, use the Allow traffic to remote virtual networks setting.",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)",
+ "guid": "a3592829-e6e2-4061-9368-6af46791f893",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
+ "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
- "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
+ "service": "SAP",
 "severity": "High",
- "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature",
- "waf": "Operations"
+ "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
+ "training": "https://me.sap.com/notes/2731110",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
- "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
- "service": "AKS",
- "severity": "High",
- "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
+ "checklist": "SAP Checklist",
+ "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant",
+ "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
+ "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
+ "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
- "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
- "service": "AKS",
- "severity": "High",
- "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
+ "checklist": "SAP Checklist",
+ "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
+ "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
+ "checklist": "SAP Checklist",
+ "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
+ "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
- "link": "https://learn.microsoft.com/azure/aks/command-invoke",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider using AKS command invoke on private clusters",
- "waf": "Operations"
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "guid": "82734c88-6ba2-4802-8459-11475e39e530",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Public IP assignment to VM running SAP Workload is not recommended.",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
- "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
- "service": "AKS",
- "severity": "Low",
- "text": "For planned events consider using Node Auto Drain",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
+ 
"guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", + "severity": "High", + "text": "Consider reserving IP address on DR side when configuring ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "High", - "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "Low", - "text": "Use custom Node RG (aka 'Infra RG') name", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", + "severity": "Medium", + "text": "While Azure does help you to create 
multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "checklist": "SAP Checklist", + "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "Medium", - "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", - "waf": "Operations" + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "Low", - "text": "Taint Windows nodes", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", 
+ "severity": "Medium", + "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "Low", - "text": "Keep windows containers patch level in sync with host patch level", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", + "severity": "Medium", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "Low", - "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", + "severity": "Medium", + "text": "Take advantage 
of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "Low", - "text": "If required use nodePool snapshots", - "waf": "Cost" + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", + "severity": "Medium", + "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", - "severity": "Low", - "text": "Consider spot node pools for non time-sensitive workloads", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", + "severity": "Medium", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "Low", - "text": "Consider AKS virtual node for quick bursting", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", + "severity": "Medium", + "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "severity": "High", - "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", - "waf": "Operations" + "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "High", - "text": "Store and analyze your cluster logs with 
Container Insights (or other tools like Telegraf/ElasticSearch)", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", + "severity": "Medium", + "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "Medium", - "text": "Monitor CPU and memory utilization of the nodes", - "waf": "Operations" + "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" + }, + { + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Medium", - "text": "If using Azure CNI, monitor % of pod IPs consumed per node", - "waf": "Operations" + "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" + }, + { + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Cost" + }, + { + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", + "severity": "High", + "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Performance" + }, + { + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "Medium", - "text": "Monitor OS disk queue depth in nodes", - "waf": "Operations" + "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "High", + "text": "Review SAP HANA database backups for Azure VMs.", + "waf": "Cost" + }, + { + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Medium", - "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "text": "Review Site Recovery built-in monitoring, where used for SAP.", + "waf": "Cost" + }, + { + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", + "severity": "High", + "text": "Review the Monitoring the SAP HANA System Landscape guidance.", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "Medium", - "text": 
"Subscribe to resource health notifications for your AKS cluster", + "text": "Review Oracle Database in Azure Linux VM backup strategies.", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "High", - "text": "Configure requests and limits in your pod specs", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", + "severity": "Medium", + "text": "Review the use of Azure Blob Storage with SQL Server 2016.", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", "severity": "Medium", - "text": "Enforce resource quotas for namespaces", + "text": "Review the use of Automated Backup v2 for Azure VMs.", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "severity": "High", - "text": "Ensure your subscription has enough quota to scale out your nodepools", + 
"text": "Enabling Write accelerator for M series when using premium disks(V1)", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", - "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", - "service": "AKS", - "severity": "High", - "text": "Configure Liveness and Readiness probes for all deployments", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", + "severity": "Medium", + "text": "Test availability zone latency.", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "severity": "Medium", - "text": "Use the Cluster Autoscaler", + "text": "Activate SAP EarlyWatch Alert for all SAP components.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": 
"https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", - "severity": "Low", - "text": "Customize node configuration for AKS node pools", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", + "severity": "Medium", + "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "severity": "Medium", - "text": "Use the Horizontal Pod Autoscaler when required", + "text": "Review SQL Server performance monitoring using CCMS.", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", - "severity": "High", - "text": "Consider an appropriate node size, not too large or too small", + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", + "severity": "Medium", + "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", + "training": 
"https://me.sap.com/notes/1100926/E", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "Low", - "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", + "severity": "Medium", + "text": "Review SAP HANA studio alerts.", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "Low", - "text": "Consider subscribing to EventGrid Events for AKS automation", + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", + "severity": "Medium", + "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "Low", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "Medium", + "text": "If 
you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", - "severity": "Low", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "Medium", + "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "High", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "Low", + "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "severity": "High", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" + "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. 
It's a potential risk in security audits.", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "Low", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "High", + "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "severity": "Medium", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", - "severity": "Medium", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", - "waf": "Performance" + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", + "severity": "High", + "text": "Use Azure Key Vault to store your secrets and credentials", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "severity": "Medium", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in 
right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", - "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", - "service": "Purview", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "severity": "Medium", - "text": "Leverage FTA Resillency Handbook", + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "severity": "High", - "text": "Plan for Data Center level outage", + "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", 
+ "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets", - "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "Medium", - "text": "Practice Failover for BCDR", + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "High", + "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "97b15b8a-219a-44ab-bb57-879024d22678", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "severity": "High", - "text": "Plan a backup strategy and take regular backups", + "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", - "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", - "service": "Purview", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "Low", - "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", + "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "Reliability" }, { - 
"arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", - "link": "https://learn.microsoft.com/purview/deployment-best-practices", - "service": "Purview", + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "severity": "Medium", - "text": "Follow Purview accounts architectures and deployment best practices", + "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", - "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", - "service": "Purview", - "severity": "Medium", - "text": "Follow Collection Architectures and best practices", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", + "severity": "High", + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": 
"b3d1325a-a225-4c6f-9e06-85edddea8a4b", - "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", - "service": "Purview", - "severity": "Medium", - "text": "Follow Assest lifecycle best practices", + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", + "severity": "High", + "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", - "service": "Purview", - "severity": "Medium", - "text": "Follow automation best practices", + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", + "severity": "High", + "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "Medium", - "text": "Follow Backup and Migration Best practices", + 
"checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", + "severity": "High", + "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", - "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview Glossary Best Practices", + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", + "severity": "Low", + "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", - "link": "https://learn.microsoft.com/purview/concept-workflow", - "service": "Purview", + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", "severity": "Low", - "text": "Leverage Workflows ", + "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", + 
"training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", - "link": "https://learn.microsoft.com/purview/concept-best-practices-security", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview Security Best Practices", + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "High", + "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", - "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview Data Lineage Best Practices", + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Low", + "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", - "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", - "service": "Purview", + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "severity": "Medium", - "text": "Follow Best Practices for Scanning Registered Sources", + "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", - "service": "Purview", - "severity": "Medium", - "text": "Follow Classification Best Practices in Governance Portal", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Leverage zone-redundancy to ensure high availability in the event of zone-level failures. 
Use Premium V2/V3 or Isolated v2 tiers, which provide support for zone-redundant deployments and ensure minimal downtime during disasters.", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Service", + "severity": "Low", + "text": "Implement a baseline highly available zone-redundant web application architecture. Ensure your Azure App Service is on Premium V2/V3 or Isolated v2 tiers for zone-redundant support.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", - "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", - "service": "Purview", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Leverage staging slots for zero-downtime deployments and automated backups to ensure disaster recovery. Choose the appropriate tier (Standard or Premium) based on the number of slots and disaster recovery requirements.", + "graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Service", "severity": "Medium", - "text": "Perform Sensitivity Labelling in the Purview Data Map", + "text": "Use Premium and Standard tiers for staging slots and automated backups. 
Align your backup retention period with disaster recovery needs.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", - "link": "https://learn.microsoft.com/purview/concept-data-share", - "service": "Purview", - "severity": "Low", - "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Availability Zones provide physical isolation across datacenters in a region, reducing downtime during outages. Verify your region supports Availability Zones and use Premium V2/V3 tiers for zone-redundant deployments.", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-service", + "service": "App Service", + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable (Premium V2/V3 tier required). 
Check region support for Availability Zones.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "severity": "Low", - "text": "Leverage Data Estate Insights", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Enable health checks to detect unhealthy instances in real-time and automatically replace them to maintain high availability and application reliability.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", + "service": "App Service", + "severity": "Medium", + "text": "Implement health checks to monitor and detect issues with App Service instances. 
Health checks enable automatic instance replacement on failure.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", - "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", - "service": "Purview", - "severity": "Low", - "text": "Use Data stewardship and Catalog adoption", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Follow best practices for configuring backups and restores in Azure App Service and ASE to guarantee data availability and ensure recovery during disaster scenarios.", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/azure/app-service/manage-backup", + "service": "App Service", + "severity": "High", + "text": "Refer to backup and restore best practices for Azure App Service and App Service Environments (ASE) to ensure data availability and recovery.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "severity": "Low", - "text": "Use Inventory and Ownership", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Ensure high availability by incorporating scaling, fault tolerance, monitoring, and zone redundancy into your App Service architecture. 
Leverage health checks and availability zones to maintain uptime.", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Service", + "severity": "High", + "text": "Implement Azure App Service reliability best practices, including auto-scaling, fault tolerance, health checks, and zone redundancy.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", - "link": "https://learn.microsoft.com/purview/glossary-insights", - "service": "Purview", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Prepare for disaster recovery by implementing region failover strategies. Utilize active-active and active-passive configurations, automated failover, and Infrastructure as Code (IaC) for seamless failover during outages.", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Service", "severity": "Low", - "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", + "text": "Familiarize with App Service region failover, including active-active and active-passive configurations, automated failover, and IaC deployment.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b130a888-9579-4e76-a896-e710a7da7be9", - "link": "https://learn.microsoft.com/purview/compliance-manager", - "service": "Purview", - "severity": "Medium", - "text": "Generate assessment scores", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure App Service offers built-in reliability features, including scaling, fault tolerance, and 
service-level agreements (SLAs). Leverage these features to maintain consistent performance during outages.", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/azure/reliability/reliability-app-service", + "service": "App Service", + "severity": "High", + "text": "Familiarize with reliability support in Azure App Service, including scaling options, SLAs, and automated recovery mechanisms.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", - "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", - "service": "Purview", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Enabling 'Always On' for Function Apps ensures that the app does not go idle, maintaining its availability and responsiveness at all times.", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/azure/azure-functions/dedicated-plan#always-on", + "service": "App Service", "severity": "Medium", - "text": "Profiling- get summaries of data content", + "text": "Ensure 'Always On' is enabled for Function Apps running on App Service plans to prevent idling and ensure continuous availability.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", - "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", - "service": "Purview", - "severity": "Low", - "text": "Follow Microsoft Purview Data Owner access policies", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Health checks monitor the health of App Service instances, enabling automatic replacement of unhealthy instances to maintain high availability.", + "guid": 
"a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", + "service": "App Service", + "severity": "Medium", + "text": "Monitor App Service instances using Health checks to detect unhealthy instances and automatically replace them.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", - "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", - "service": "Purview", - "severity": "Low", - "text": "Follow Self-service access policies", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-overview", + "service": "App Service", + "severity": "Medium", + "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests, ensuring proactive detection of performance issues and downtime.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", - "link": "https://learn.microsoft.com/purview/concept-policies-devops", - "service": "Purview", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-standard-tests", + "service": "App Service", "severity": "Low", - "text": "Follow DevOps policies", + "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "af416482-663c-4ed6-b195-b44c7068e09c", - "link": 
"https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", - "query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)", - "service": "Container Apps", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Key Vault ensures secrets are encrypted, securely stored, and accessed only by authorized applications. It supports audit logging, and secret versioning, and reduces the risk of accidental exposure of sensitive information.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Service", "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", + "text": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a secure, managed, and audited environment for storing secrets, and integrates seamlessly with App Service via App Service Key Vault References for enhanced security.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.App/containerApps",
- "checklist": "Container Apps Review",
- "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment",
- "query": "resources | where type =~ 'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)",
- "service": "Container Apps",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Managed Identity eliminates the need for hard-coded credentials by allowing App Service to authenticate to Azure Key Vault securely. 
This reduces the risk of credential exposure and simplifies secret management for enhanced security.",
+ "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Service",
 "severity": "High",
- "text": "Use more than one replica and enable Zone Redundancy.",
+ "text": "Use Managed Identity to securely connect to Azure Key Vault for accessing secrets, through App Service Key Vault References.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.App/containerApps",
- "checklist": "Container Apps Review",
- "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
- "service": "Container Apps",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Storing TLS certificates in Azure Key Vault enhances security by providing centralized, secure management and automated renewal of certificates. 
This reduces the risk of manual handling errors and certificate expiration.",
+ "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
+ "service": "App Service",
 "severity": "High",
- "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.",
+ "text": "Use Azure Key Vault to securely store and manage TLS certificates for App Service.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.App/containerApps",
- "checklist": "Container Apps Review",
- "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
- "service": "Container Apps",
- "severity": "High",
- "text": "Use Front Door or Traffic Manager to route traffic to the closest region",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "To minimize exposure and improve security, isolate systems processing sensitive data. 
Leverage separate App Service Plans or App Service Environments for isolation, and use different subscriptions or management groups to enforce stricter boundaries and governance.",
+ "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
+ "service": "App Service",
+ "severity": "Medium",
+ "text": "Isolate systems that process sensitive information using separate App Service Plans, App Service Environments (ASE), and consider different subscriptions or management groups for enhanced security.",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
- "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
- "service": "Entra",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).",
+ "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
+ "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library",
+ "text": "Do not store sensitive data on local disk",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use Microsoft Entra ID or B2C for secure user authentication and Single Sign-On (SSO) across applications. 
Integrate using the built-in App Service Authentication/Authorization feature for streamlined security and compliance with modern authentication protocols like OpenID Connect.",
+ "guid": "919ca0b2-c121-459e-814b-933df574eccc",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes",
+ "text": "Use Microsoft Entra ID or B2C for secure authentication and Single Sign-On (SSO).",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
- "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
- "service": "AAD B2C",
- "severity": "Medium",
- "text": "Custom brand assets should be hosted on a CDN",
- "waf": "Performance"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Ensure all code deployments to App Service originate from a controlled, secured environment, such as a well-managed DevOps pipeline. 
This practice mitigates the risk of deploying unauthorized or malicious code by enforcing version control, code verification, and secure hosting.",
+ "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Deploy code to App Service from a trusted and secure environment.",
+ "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
- "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
- "service": "AAD B2C",
- "severity": "Low",
- "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM to enhance security by enforcing Microsoft Entra ID secured endpoints for deployment. 
This ensures that only authenticated users using Microsoft Entra ID credentials can access deployment services, including the SCM site.",
+ "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM.",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
- "severity": "Medium",
- "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Wherever possible, use Managed Identity to securely connect to Microsoft Entra ID-secured resources without storing credentials. If this is not feasible, store secrets in Azure Key Vault and access them using Managed Identity to maintain security and reduce the risk of credential exposure.",
+ "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Use Managed Identity to connect to Microsoft Entra ID secured resources.",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
- "severity": "Medium",
- "text": "Don't replicate! 
Replication can create issues with directory synchronization",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "When using images stored in Azure Container Registry, pull these images using a Managed Identity to avoid storing credentials. This ensures secure access to container images and reduces the risk of credential exposure.",
+ "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Pull container images from Azure Container Registry using a Managed Identity.",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Configure diagnostic settings to send telemetry and security logs (including HTTP, platform, and audit logs) to Log Analytics. 
Centralized logging enhances monitoring, threat detection, and compliance reporting.",
+ "guid": "47768314-c115-4775-a2ea-55b46ad48408",
+ "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Have active-active for multi-regions",
+ "text": "Send App Service runtime and security logs to Log Analytics for centralized monitoring and alerting.",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.",
+ "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Add Azure AD Domain service stamps to additional regions and locations",
+ "text": "Send App Service activity logs to Log Analytics",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use regional VNet integration, Network Security Groups (NSGs), and User-Defined Routes (UDRs) to control outbound network access. 
Route traffic through a Network Virtual Appliance (NVA), such as Azure Firewall, and monitor firewall logs to ensure traffic is properly controlled and secure.",
+ "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Use Replica Sets for DR",
+ "text": "Control outbound network access for App Service using VNet integration, NSGs, UDRs, and firewalls.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Provide a stable outbound IP by using VNet integration with a NAT Gateway or Network Virtual Appliance (NVA) like Azure Firewall. This enables the receiving party to allow-list based on IP, if necessary. 
For communications with Azure services, use mechanisms like Service Endpoints or private endpoints to avoid relying on static IPs, ensuring secure and efficient connectivity.",
+ "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
+ "service": "App Service",
+ "severity": "Low",
+ "text": "Ensure a stable IP for outbound communications by using VNet NAT Gateway or Azure Firewall.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "75089c20-990d-4927-b105-885576f76fc2",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Control inbound network access by configuring App Service Access Restrictions, Service Endpoints, or Private Endpoints. Ensure appropriate restrictions are set for both the web app and the SCM (deployment) site to limit unauthorized access and enhance security.",
+ "guid": "0725769e-e669-41a4-a34a-c932223ece80",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Control inbound network access using Access Restrictions, Service Endpoints, or Private Endpoints.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Protect App Service from malicious inbound traffic by deploying a Web Application Firewall (WAF) using Azure Application Gateway or Azure Front Door. 
Ensure WAF logs are monitored regularly to detect and respond to security threats.",
+ "guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
+ "service": "App Service",
 "severity": "High",
- "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'",
+ "text": "Use a Web Application Firewall (WAF) in front of App Service.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "To prevent the Web Application Firewall (WAF) from being bypassed, lock down access to App Service by using Access Restrictions, Service Endpoints, and Private Endpoints. 
This ensures that all traffic is routed through the WAF, providing a secure front layer of protection.",
+ "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Ensure the WAF cannot be bypassed by securing access to App Service.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
- "service": "AVS",
- "severity": "Medium",
- "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
- "service": "AVS",
- "severity": "Medium",
- "text": "Has an RBAC model been created for use within VMware vSphere",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Ensure that the minimum TLS policy is set to 1.2 or higher, with a preference for TLS 1.3, to enhance security through stronger encryption protocols. 
TLS 1.3 provides additional security improvements and faster handshake times, reducing vulnerabilities associated with older versions.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
+ "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
+ "service": "App Service",
 "severity": "Medium",
- "text": "RBAC permissions should be granted on ADDS groups and not on specific users",
+ "text": "Set minimum TLS policy to 1.2 or higher, preferably 1.3, in App Service configuration.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Configure App Service to enforce HTTPS-only, automatically redirecting all HTTP traffic to HTTPS. 
Additionally, implement HTTP Strict Transport Security (HSTS) in your code or via a Web Application Firewall (WAF) to ensure browsers only access the site over HTTPS, enhancing security by preventing downgrade attacks.",
+ "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
+ "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
+ "service": "App Service",
 "severity": "High",
- "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only",
+ "text": "Use HTTPS only and consider enabling HTTP Strict Transport Security (HSTS).",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Do not use wildcards (*) in your CORS configuration, as this permits unrestricted access from any origin, compromising security. 
Instead, explicitly specify trusted origins that are allowed to access the service, ensuring controlled access.",
+ "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
+ "service": "App Service",
 "severity": "High",
- "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations",
+ "text": "Avoid using wildcards for CORS; specify allowed origins explicitly.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
- "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
- "service": "AVS",
- "severity": "High",
- "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Remote debugging should not be enabled in production as it opens additional ports, increasing the attack surface. 
Although App Service automatically turns off remote debugging after 48 hours, it is recommended to disable it manually in production to maintain a secure environment.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
+ "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
+ "service": "App Service",
 "severity": "High",
- "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'",
- "waf": "Operations"
+ "text": "Turn off remote debugging in production environments.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.",
+ "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection",
- "waf": "Operations"
+ "text": "Enable Defender for Cloud - Defender for App Service",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
+ "guid": "223ece80-b123-4071-a541-6415833ea3ad",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
- "service": "AVS",
- "severity": "High",
- "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).",
- "waf": "Operations"
+ "text": "Enable DDOS Protection Standard on the WAF VNet",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
- "service": "AVS",
- "severity": "High",
- "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "When using images stored in Azure Container Registry, ensure they are pulled over a virtual network by using a private endpoint and configuring the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'. 
This ensures secure communication between App Service and the registry, preventing exposure to the public internet.",
+ "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
+ "service": "App Service",
+ "severity": "Medium",
+ "text": "Pull container images over a Virtual Network from Azure Container Registry.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
- "service": "AVS",
- "severity": "High",
- "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Perform a penetration test on the web application in accordance with Azure's penetration testing rules of engagement. This helps identify vulnerabilities and security weaknesses that can be addressed before they are exploited.",
+ "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "service": "App Service",
+ "severity": "Medium",
+ "text": "Conduct a penetration test on the web application.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Ensure that only trusted code, which has been validated and scanned for vulnerabilities, is deployed to production following DevSecOps practices. 
This minimizes the risk of introducing security vulnerabilities into the application environment.",
+ "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
+ "service": "App Service",
 "severity": "Medium",
- "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)",
+ "text": "Deploy validated and vulnerability-scanned code.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Ensure that the latest versions of supported platforms, programming languages, protocols, and frameworks are used. 
Regular updates mitigate the risk of security vulnerabilities and ensure compatibility with security patches.",
+ "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
+ "service": "App Service",
 "severity": "High",
- "text": "Limit use of CloudAdmin account to emergency access only",
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Leverage Auto-Healing in Azure App Service to automatically restart instances or trigger custom actions based on pre-defined failure conditions like memory thresholds, HTTP errors, or specific event logs.",
+ "guid": "60b3a935-33e5-45c9-87c7-53882e395b46",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-diagnostics",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
+ "text": "Use Auto-Healing with custom rules to restart App Service instances automatically when failures occur.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Configure Azure Monitor alerts based on Application Insights metrics for response times, failure rates, and overall availability. 
Alerts help detect issues proactively and reduce mean-time-to-recovery (MTTR).",
+ "guid": "e52e4514-02a7-4e81-a98e-88ce1b18e557",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/app/alerts",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
+ "text": "Set up alerts for critical Application Insights metrics, such as response time and failure rates.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
- "service": "AVS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use Azure Policy to enforce security, compliance, and governance configurations for App Service. Policies can ensure that critical settings such as TLS versions, backup configurations, and network restrictions are enforced across all App Service instances.",
+ "guid": "361e886f-ca40-4ead-a8e9-1379c642ae9c",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "App Service",
 "severity": "High",
- "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
- "waf": "Reliability"
+ "text": "Apply Azure Policy to enforce compliance across App Service configurations.",
+ "waf": "Governance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
- "service": "AVS",
- "severity": "Medium",
- "text": "Is East-West traffic filtering implemented within NSX-T",
- "waf": "Reliability"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Leverage Azure Cost Management to track and forecast App Service expenses. 
Set up alerts for budget thresholds to avoid overspending, and optimize costs based on resource utilization trends.", + "guid": "42eb48f0-28ff-497c-b2c0-a8fa1f989832", + "link": "https://learn.microsoft.com/azure/cost-management-billing/", + "service": "App Service", + "severity": "Low", + "text": "Monitor App Service costs using Azure Cost Management and create cost alerts.", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", - "severity": "High", - "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", - "waf": "Reliability" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "If you have predictable and steady usage of App Service, purchasing Reserved Instances can significantly reduce long-term costs. 
Commit to one or three years for lower pricing compared to pay-as-you-go.", + "guid": "e489221b-487e-48a3-aaab-48e3d205ca12", + "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/", + "service": "App Service", + "severity": "Medium", + "text": "Purchase reserved instances for App Service plans to optimize long-term costs.", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", "severity": "High", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "severity": "Medium", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - 
"graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", - "severity": "Medium", - "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", - "severity": "Medium", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", "waf": 
"Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "Medium", - "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT Hub", + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT Hub", "severity": "Medium", - "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", + "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "Low", - "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT Hub", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "Low", - "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT Hub", + "severity": "High", + "text": "Learn how to trigger a manual failover.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", - "severity": "Medium", - "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": 
"f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT Hub", + "severity": "High", + "text": "Learn how to fail back after a failover.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "High", - "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", + "text": "Enable 2 replicas to have 99.9% availability for read operations", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", - "severity": "High", - "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "Medium", + "text": "Enable 3 replicas to have 99.9% availability for read/write operations", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": 
"https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", "severity": "High", - "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "text": "Leverage Availability Zones by enabling read and/or write replicas", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "Medium", - "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "waf": "Operations" + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "severity": "Medium", - "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", - "waf": "Operations" + "text": "To synchronize data across multiple services either Use indexers for updating 
content on multiple services or Use REST APIs for pushing content updates on multiple services", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "severity": "Medium", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", - "waf": "Cost" + "text": "Use Azure Traffic Manager to coordinate requests", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "Low", - "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", - "waf": "Cost" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", + "severity": "High", + "text": "Backup and Restore an Azure Cognitive Search Index. 
Use this sample code to back up index definition and snapshot to a series of Json files", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "Medium", - "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + "text": "Follow reliability support recommendations in Azure Bot Service", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", - "severity": "High", - "text": "Ensure all required resource reside within the same Azure availability zone(s)", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "Medium", - "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "text": "Deploying bots with local data residency and regional compliance", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + 
"guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "severity": "Medium", - "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", - "severity": "High", - "text": "Enable Diagnostic and metric logging on Azure VMware Solution", - "waf": "Operations" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Monitor", + "severity": "Medium", + "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + 
"guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Backup", "severity": "Medium", - "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", - "waf": "Operations" + "text": "check backup instances with the underlying datasource not found", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", "severity": "Medium", - "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", - "waf": "Operations" + "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Backup", "severity": "Medium", - "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", - "waf": "Reliability" + "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", + "waf": "Cost" }, { - 
"arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Monitor", "severity": "Medium", - "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", - "severity": "High", - "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", - "waf": "Reliability" + "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", - "severity": "High", - "text": "Are data processing implications (service provider / service consumer model) clear and documented", - "waf": "Reliability" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Monitor", + "severity": "Medium", + "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", "severity": "Medium", - "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", - "waf": "Reliability" + "text": "Check that the disks are really needed, if not: delete. 
If they are needed, find lower storage tiers or use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "High", - "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "severity": "Medium", + "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", - "severity": "High", - "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "waf": 
"Operations" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "severity": "Medium", + "text": "Make sure advisor is configured for VM right sizing ", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", - "severity": "High", - "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", - "waf": "Operations" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "description": "check by searching the Meter Category Licenses in the Cost analysys", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "severity": "Medium", + "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution 
Design Review", - "graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), 
count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)",
- "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
- "waf": "Operations"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "service": "VM",
+ "severity": "Medium",
+ "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
- "service": "AVS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "VM",
 "severity": "Medium",
- "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
- "waf": "Operations"
+ "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)",
+ "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
- "service": "AVS",
- "severity": "Low",
- "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
- "waf": "Operations"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning",
- "waf": "Operations"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Only larger disks can be reserved => 1 TiB -",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
- "service": "AVS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "service": "VM",
 "severity": "Medium",
- "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource",
- "waf": "Operations"
+ "text": "After the right-sizing optimization",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
- "service": "AVS",
+ "arm-service": "Microsoft.Sql/servers",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ "service": "Azure SQL",
 "severity": "Medium",
- "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore",
- "waf": "Operations"
+ "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
- "service": "AVS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "VM",
 "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
- "waf": "Operations"
+ "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
- "service": "AVS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "VM",
 "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
- "waf": "Operations"
+ "text": "Consider using a VMSS to match demand rather than flat sizing",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
- "waf": "Operations"
+ "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
- "service": "AVS",
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Backup",
 "severity": "Medium",
- "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
- "waf": "Operations"
+ "text": "Move recovery points to vault-archive where applicable (Validate)",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
- "service": "AVS",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
+ "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
+ "service": "Databricks",
 "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
- "waf": "Reliability"
+ "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
- "service": "AVS",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
+ "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
+ "service": "Functions",
 "severity": "Medium",
- "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
- "waf": "Reliability"
+ "text": "Functions - Reuse connections",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
- "service": "AVS",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
+ "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "service": "Functions",
 "severity": "Medium",
- "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]",
- "waf": "Reliability"
+ "text": "Functions - Cache data locally",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
- "service": "AVS",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Functions",
 "severity": "Medium",
- "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
- "waf": "Reliability"
+ "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
- "service": "AVS",
- "severity": "High",
- "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "Functions",
+ "severity": "Medium",
+ "text": "Functions - Keep your functions warm",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "8255461e-2aee-4345-9aec-8339248b262d",
- "service": "AVS",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Functions",
 "severity": "Medium",
- "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
- "waf": "Reliability"
+ "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
- "service": "AVS",
- "severity": "High",
- "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
+ "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+ "service": "Functions",
+ "severity": "Medium",
+ "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
- "service": "AVS",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
+ "service": "Functions",
 "severity": "Medium",
- "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
- "waf": "Reliability"
+ "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
- "service": "AVS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]",
- "waf": "Reliability"
+ "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
- "service": "AVS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
- "waf": "Reliability"
+ "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
- "service": "AVS",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
+ "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Deploy your backup solution outside of vSan, on Azure native components",
- "waf": "Reliability"
+ "text": "Consider archiving tiers for less used data",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
- "service": "AVS",
- "severity": "Low",
- "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
+ "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
- "service": "AVS",
- "severity": "Low",
- "text": "For manual deployments, all configuration and deployments must be documented",
- "waf": "Operations"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Consider using standard SSD rather than Premium or Ultra where possible",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
- "service": "AVS",
- "severity": "Low",
- "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
- "waf": "Operations"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
- "service": "AVS",
- "severity": "Low",
- "text": "For automated deployments, deploy a minimal private cloud and scale as needed",
- "waf": "Operations"
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
+ "service": "Site Recovery",
+ "severity": "Medium",
+ "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
- "service": "AVS",
- "severity": "Low",
- "text": "For automated deployments, request or reserve quota prior to starting the deployment",
- "waf": "Operations"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Storage accounts: check hot tier and/or GRS necessary",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
- "service": "AVS",
- "severity": "Low",
- "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
- "waf": "Operations"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18",
+ "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
- "service": "AVS",
- "severity": "Low",
- "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
- "waf": "Operations"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5",
+ "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "255461e2-aee3-4553-afc8-339248b262d6",
- "service": "AVS",
- "severity": "Low",
- "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
- "waf": "Operations"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "35e33789-7e31-4c67-b68c-f6a62a119495",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Export cost data to a storage account for additional data analysis.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
- "service": "AVS",
- "severity": "Low",
- "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
- "waf": "Operations"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
- "service": "AVS",
- "severity": "Low",
- "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
- "waf": "Operations"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4",
+ "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
- "service": "AVS",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
+ "service": "Synapse",
 "severity": "Medium",
- "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
- "waf": "Performance"
+ "text": "Create multiple Apache Spark pool definitions of various sizes.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
- "service": "AVS",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator",
+ "service": "Synapse",
 "severity": "Medium",
- "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
- "waf": "Performance"
+ "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
- "service": "AVS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "service": "VM",
 "severity": "Medium",
- "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
- "waf": "Performance"
+ "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
- "service": "AVS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "544451e1-92d3-4442-a3c7-628637a551c5",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "VM",
 "severity": "Medium",
- "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)",
- "waf": "Performance"
+ "text": "Right-sizing all VMs",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
- "service": "AVS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
+ "service": "VM",
 "severity": "Medium",
- "text": "Define and enforce scale in/out maximum limits for your environment in the automations",
- "waf": "Performance"
+ "text": "Swap VM sized with normalized and most recent sizes",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
- "service": "AVS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "VM",
 "severity": "Medium",
- "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
- "waf": "Operations"
+ "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "AVS",
- "severity": "High",
- "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Containerizing an application can improve VM density and save money on scaling it",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "AVS",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
 "severity": "High",
- "text": "When using MON, you cannot enable MON on more than 100 Network extensions",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf",
- "service": "AVS",
- "severity": "Medium",
- "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e614658d-d457-4e92-9139-b821102cad6e",
- "service": "AVS",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
+ "service": "Redis",
 "severity": "Medium",
- "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance",
- "waf": "Performance"
+ "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521",
- "service": "AVS",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
+ "service": "Redis",
 "severity": "Medium",
- "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)",
+ "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "AVS",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
+ "service": "Redis",
 "severity": "Medium",
- "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.",
+ "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
- "service": "AVS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant",
+ "guid": "f00a69de-7076-4734-a734-6e4552cad9e1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions",
- "waf": "Reliability"
+ "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
- "service": "AVS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant",
+ "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions",
+ "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
- "service": "AVS",
- "severity": "High",
- "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
+ "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", "severity": "High", - "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", + "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery 
Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", + "text": "Avoid placing Traffic Manager behind Front Door.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "text": "Use the same domain name on Azure Front Door and your origin. 
Mismatched host names can cause subtle bugs.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Low", + "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", + "waf": "Performance" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", + "severity": "Medium", + "text": "Select good health probe endpoints for Azure Front Door. 
Consider building health endpoints that check all of your application's dependencies.", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", + "severity": "Low", + "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "waf": "Performance" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", + "service": "Front Door", "severity": "High", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", - "waf": "Reliability" + "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", + "waf": "Operations" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "Medium", + "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", "severity": "High", - "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", + "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", "waf": "Reliability" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", "severity": "Medium", - "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", + "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", "waf": "Reliability" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", - "severity": "Medium", - "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=~'Enabled') and (mode=~'Prevention')), enabledState, mode", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "High", + "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", "waf": "Reliability" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", - "severity": "Medium", - "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. 
Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", + "severity": "High", + "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Data Factory", - "severity": "Medium", - "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "High", + "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Data Factory", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", "severity": "High", - "text": "Use zone redundant pipelines in regions that support Availability Zones", + "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Data Factory", - "severity": "Medium", - "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", + "severity": "High", + "text": "Enable the Azure Front Door WAF bot protection rule set. 
The bot rules detect good and bad bots.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Data Factory", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "severity": "Medium", - "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", + "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Data Factory", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "severity": "Medium", - "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", + "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Data Factory", - "severity": "Low", - "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", + "severity": "Medium", + "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure.", "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Reliability" + "text": "Capture logs and metrics by turning on Diagnostic Settings. Include resource activity logs, access logs, health probe logs, and WAF logs. Set up alerts.", + "waf": "Operations" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. 
We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.", - "graph": "Resources | where type =~ 'microsoft.servicebus/namespaces' | extend compliant = iif(properties.disableLocalAuth == 'false', 'No', 'Yes') | project id, compliant", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication", - "service": "Service Bus", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", "severity": "Medium", - "text": "When possible, disable SAS key authentication (or local authentication) and use only Microsoft Entra ID for authentication", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", + "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", + "service": "Front Door", + "severity": "Medium", + "text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. 
Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.", "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", + "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", + "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", + "service": "Front Door", "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Support redundancy by having multiple origins in one or more back-end pools. 
Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. You can place those origins in one or more back-end pools.", "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "999852be-2137-4179-8fc3-30d1df6fed1d", + "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps", + "service": "Front Door", "severity": "Medium", - "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout.", "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. 
In addition to that, you should disable public endpoints if those are not used. ",
- "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
- "service": "Service Bus",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6",
+ "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "text": "Decide if your application requires session affinity. If you have high reliability requirements, we recommend that you disable session affinity.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
- "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering",
- "service": "Service Bus",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7",
+ "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "text": "Send the host header to the back end. 
The back-end services should be aware of the host name so that they can create rules to accept traffic only from that host.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
- "service": "IoT Hub DPS",
- "severity": "High",
- "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "81a5398a-2414-450f-9fc3-e048bc65784c",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Use caching for endpoints that support it.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "IoT Hub DPS",
- "severity": "High",
- "text": "Protect logic apps from region failures with zone redundancy and availability zones",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize 
origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant",
+ "guid": "34069d73-e4de-46c5-a36f-625f87575a56",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "Front Door",
+ "severity": "Low",
+ "text": "Disable health checks in single back-end pools. If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary. This is only recommended if you can't have multiple origins in your endpoint.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "8aed4fbf-0830-4883-899d-222a154af478",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "IoT Hub DPS",
- "severity": "High",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c92d6786-cdd1-444d-9cad-934a192a276a",
+ "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "We recommend using the Premium Tier for leveraging the Security reports while the Standard Azure Front Door Profile provides only traffic reports under built-in analytics/reports.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
- "link": 
"https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "IoT Hub DPS",
- "severity": "High",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Use wildcard TLS certificates when possible.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "IoT Hub DPS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
- "waf": "Operations"
+ "text": "Optimize your application query string for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. 
Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage",
- "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline",
- "service": "Storage",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece",
+ "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Consider the 'Azure security baseline for storage'",
- "waf": "Reliability"
+ "text": "Use file compression when you're accessing downloadable content.",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet",
- "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant",
- "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
- "service": "Storage",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant",
+ "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243",
+ "link": "https://learn.microsoft.com/azure/cdn/tier-migration",
+ "service": "Front Door",
 "severity": "High",
- "text": "Consider using private endpoints for Azure Storage",
- "waf": "Reliability"
+ "text": "Consider migrating to Standard or Premium SKU if you are using Classic Azure Front Door currently as Classic Azure Front Door will be deprecated by March 2027.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription",
- "guid": "30e37c3e-2971-41b2-963c-eee079b598de",
- "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
- "service": "Storage",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "67c33697-15b1-4752-aeee-0b9b588defc4",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Ensure older storage accounts are not using 'classic deployment model'",
+ "text": "Consider using Traffic Manager load balancing Azure Front Door and a third party CDN provider CDN profile for mission critical high availability scenario. ",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.",
- "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant",
- "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d",
- "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure",
- "service": "Storage",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907",
+ "link": 
"https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance",
+ "service": "Front Door",
 "severity": "High",
- "text": "Enable Microsoft Defender for all of your storage accounts",
+ "text": "When using Front Door with origin as App services, consider locking down the traffic to app services only through Azure Front Door using access restrictions. ",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.",
- "guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview",
- "service": "Storage",
- "severity": "Medium",
- "text": "Enable 'soft delete' for blobs",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
+ "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required for AKS Windows workloads HostProcess containers can be used",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
",
- "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
- "service": "Storage",
- "severity": "Medium",
- "text": "Disable 'soft delete' for blobs",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
+ "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use KEDA if running event-driven workloads",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.",
- "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
+ "link": "https://dapr.io/",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use Dapr to ease microservice development",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
+ "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
+ "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
+ "service": "AKS",
 "severity": "High",
- "text": "Enable 'soft delete' for containers",
+ "text": "Use the SLA-backed AKS offering",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Consider 
selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ",
- "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
- "service": "Storage",
- "severity": "Medium",
- "text": "Disable 'soft delete' for containers",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use Disruption Budgets in your pod and deployment definitions",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion",
- "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
- "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
- "service": "Storage",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure AKS Review",
+ "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
+ "service": "ACR",
 "severity": "High",
- "text": "Enable resource locks on storage accounts",
+ "text": "If using a private registry, configure region replication to store images in multiple regions",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.",
- "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
- "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
- "service": "Storage",
- "severity": "High",
- "text": "Consider immutable blobs",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use an external application such as kubecost to allocate costs to different users",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ",
- "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant",
- "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
- "service": "Storage",
- "severity": "High",
- "text": "Require HTTPS, i.e. 
disable port 80 on the storage account",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
+ "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use scale down mode to delete/deallocate nodes",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.",
- "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
- "service": "Storage",
- "severity": "High",
- "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
+ "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "When required use multi-instance partitioning GPU on AKS Clusters",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
+ "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If running a Dev/Test cluster use NodePool Start/Stop",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and 
properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
+ "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use Azure Policy for Kubernetes to ensure cluster compliance",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.",
- "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
+ "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Limit shared access signature (SAS) tokens to HTTPS connections only",
+ "text": "Separate applications from the control plane with user/system node pools",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": ". Enforcing the latest TLS version will reject request from clients using the older version. 
",
- "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant",
- "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55",
- "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version",
- "service": "Storage",
- "severity": "High",
- "text": "Enforce the latest TLS version for a storage account",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Add taint to your system nodepool to make it dedicated",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible",
- "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
- "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
- "service": "Storage",
- "severity": "High",
- "text": "Use Microsoft Entra ID tokens for blob access",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
+ "link": "https://learn.microsoft.com/azure/container-registry/",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use a private registry for your images, such as ACR",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.",
- "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
- "service": "Storage",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure AKS Review",
+ "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
+ "link": "https://learn.microsoft.com/azure/security-center/container-security",
+ "service": "ACR",
 "severity": "Medium",
- "text": "Least privilege in IaM permissions",
+ "text": "Scan your images for vulnerabilities",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ",
- "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
+ "service": "AKS",
 "severity": "High",
- "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.",
+ "text": "Define app separation requirements (namespace/nodepool/cluster)",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Storage account keys ('shared keys') have very little audit capabilities. 
While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. ",
- "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant",
- "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
- "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
- "service": "Storage",
- "severity": "High",
- "text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
+ "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).",
- "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
- "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
+ "link": "https://learn.microsoft.com/azure/aks/update-credentials",
+ "service": "AKS",
 "severity": "High",
- "text": "Consider using Azure Monitor to audit control plane operations on the storage account",
+ "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.",
- "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
- "service": "Storage",
- "severity": "Medium",
- "text": "When using storage account keys, consider enabling a 'key expiration policy'",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.",
- "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
- "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
+ "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Consider configuring an SAS expiration policy",
+ "text": "If required add Key Management Service etcd encryption",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ",
- "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
- "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
- "service": "Storage",
- "severity": "Medium",
- "text": "Consider linking SAS to a stored access policy",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
+ "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required consider using Confidential Compute for AKS",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
- "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
- "service": "Storage",
+ "arm-service": 
"microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.",
- "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
- "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
- "service": "Storage",
- "severity": "High",
- "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)",
+ "text": "Consider using Defender for Containers",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.",
- "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
+ "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
+ "service": "AKS",
 "severity": "High",
- "text": "Strive for short validity periods for ad-hoc SAS",
+ "text": "Use managed identities instead of Service Principals",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.",
- "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
+ "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Apply a narrow scope to a SAS",
+ "text": "Integrate authentication with AAD (using the managed integration)",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
",
- "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
- "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
+ "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Consider scoping SAS to a specific client IP address, wherever possible",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.",
- "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
- "service": "Storage",
- "severity": "Low",
- "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint",
- "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
- "service": "Storage",
- "severity": "High",
- "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.",
+ "text": "Limit access to admin kubeconfig (get-credentials --admin)",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
+ "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
+ "service": "AKS",
 "severity": "Medium",
- "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.",
+ "text": "Integrate authorization with AAD RBAC",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. 
When enabling CORS, keep the CorsRules to the least privilege.",
- "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
- "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
+ "service": "AKS",
 "severity": "High",
- "text": "Avoid overly broad CORS policies",
+ "text": "Use namespaces for restricting RBAC privilege in Kubernetes",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.",
- "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
- "service": "Storage",
- "severity": "High",
- "text": "Determine how data at rest should be encrypted. 
Understand the thread model for data.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410",
+ "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
- "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Determine which/if platform encryption should be used.",
+ "text": "For AKS non-interactive logins use kubelogin (preview)",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
- "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
+ "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Determine which/if client-side 
encryption should be used.",
+ "text": "Disable AKS local accounts",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.",
- "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant",
- "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
- "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
- "service": "Storage",
- "severity": "High",
- "text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. ",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Configure if required Just-in-time cluster access",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal",
- "service": "Storage",
- "severity": "High",
- "text": "Leverage a storagev2 account type for better performance and reliability",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150",
+ "link": 
"https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Configure if required AAD conditional access for AKS",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant",
- "guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
- "service": "Storage",
- "severity": "High",
- "text": "Leverage GRS, ZRS or GZRS storage for the highest availability",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3",
+ "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required for Windows AKS workloads configure gMSA ",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "2fa56c56-ad48-4408-be72-734c486ba280",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "1f711a74-3672-470b-b8b8-a2148d640d79",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity",
+ "service": "AKS",
 "severity": "Medium",
- "text": "For write operation after failover, use customer-Managed Failover ",
+ "text": "For finer control consider using a managed Kubelet Identity",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- 
"guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover",
- "service": "Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
+ "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Understand Microsoft-Managed Failover details",
+ "text": "If using AGIC, do not share an AppGW across clusters",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal",
- "service": "Storage",
- "severity": "Medium",
- "text": "Enable Soft Delete",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
+ "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
+ "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot",
- "service": "Bot service",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": 
"7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Follow reliability support recommendations in Azure Bot Service",
- "waf": "Reliability"
+ "text": "For Windows workloads use Accelerated Networking",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a",
- "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization",
- "service": "Bot service",
- "severity": "Medium",
- "text": "Deploying bots with local data residency and regional compliance",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
+ "guid": "ba7da7be-9952-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use the standard ALB (as opposed to the basic one)",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography",
- "service": "Bot service",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Azure Bot Service runs in active-active mode for both global and regional services. 
When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", + "text": "If using Azure CNI, consider using different Subnets for NodePools", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", "severity": "Medium", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions", + "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", - "severity": "Medium", - "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "High", + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", - "severity": "Medium", - "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", - "severity": "Medium", - "text": "Use more than 1 app instance for your apps", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "waf": "Performance" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "Medium", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). 
If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "Low", + "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "severity": "Medium", - "text": "Set up autoscaling in Spring Cloud Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", "severity": "Low", - "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "text": "If required add your own CNI plugin", "waf": "Reliability" }, { - "arm-service": 
"Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "Low", + "text": "If required configure Public IP per node in AKS", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "Medium", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", + "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "Low", + "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - 
"checklist": "Device Update Review", - "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", + "severity": "Medium", + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Device Update for IoT Hub", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - 
"guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Device Update for IoT Hub", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", + "severity": "Medium", + "text": "If using a public API endpoint, restrict the IP addresses that can access it", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "text": "Use private clusters if your requirements mandate it", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7bc1c396-2461-4698-b57f-30ca69525252", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where 
type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "Medium", - "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", - "severity": "Medium", - "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", - "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", - "waf": "Operations" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "Low", - "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.", - "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", - "waf": "Operations" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
- "service": "Entra",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
+ "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
 "severity": "High",
- "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.",
- "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience",
- "waf": "Operations"
+ "text": "Enable a Kubernetes Network Policy option (Calico/Azure)",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "service": "Entra",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "severity": "High",
- "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.",
- "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer",
- "waf": "Cost"
+ "text": "Use Kubernetes network policies to increase intra-cluster security",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "348ef254-c27d-442e-abba-c7571559ab91",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
- "service": "Entra",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ 
"checklist": "Azure AKS Review",
+ "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "severity": "High",
- "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "text": "Use a WAF for web workloads (UIs or APIs)",
 "waf": "Reliability"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts",
- "service": "Entra",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Only use the authentication type Work or school account for all account types. 
Avoid using the Microsoft account",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "text": "Use DDoS Standard in the AKS Virtual Network",
 "waf": "Reliability"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
- "service": "Entra",
- "severity": "Medium",
- "text": "Only use groups to assign permissions. Add on-premises groups to the Entra ID only group if a group management system is already in place.",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required add company HTTP Proxy",
 "waf": "Reliability"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview",
- "service": "Entra",
- "severity": "High",
- "text": "Enforce Microsoft Entra ID Conditional Access policies for 
any user with rights to Azure environments.",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Consider using a service mesh for advanced microservice communication management",
 "waf": "Reliability"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01",
- "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks",
- "service": "Entra",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
 "severity": "High",
- "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.",
- "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication",
- "waf": "Reliability"
+ "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
+ "waf": "Operations"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "14658d35-58fd-4772-99b8-21112df27ee4",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
- "service": "Entra",
- "severity": "Medium",
- "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": 
"Azure AKS Review",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Check regularly Azure Advisor for recommendations on your cluster",
+ "waf": "Operations"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/overview",
- "service": "Entra",
- "severity": "Medium",
- "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.",
- "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
+ "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Enable AKS auto-certificate rotation",
+ "waf": "Operations"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)",
- "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/overview",
- "service": "Entra",
- "severity": "Medium",
- "text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. 
",
- "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
+ "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature",
+ "waf": "Operations"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1",
- "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
- "service": "Entra",
- "severity": "Medium",
- "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.",
- "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
+ "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
+ "waf": "Operations"
 },
 {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "984a859c-773e-47d2-9162-3a765a917e1f",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access",
- "service": "Entra",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ 
"guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
+ "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
+ "service": "AKS",
 "severity": "High",
- "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout. MFA will be turned on by default for all users in Oct 2024. We recommend updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. ",
- "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies",
- "waf": "Reliability"
+ "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
+ "waf": "Operations"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "35037e68-9349-4c15-b371-228514f4cdff",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "Entra",
- "severity": "Medium",
- "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.",
- "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
+ "waf": "Operations"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Entra",
- "severity": "Medium",
- "text": "When using Microsoft Entra ID Application Proxy to give remote 
users access to applications, manage it as a Platform resource as you can only have one instance per tenant.",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
+ "link": "https://learn.microsoft.com/azure/aks/command-invoke",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Consider using AKS command invoke on private clusters",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity",
- "service": "VNet",
- "severity": "Medium",
- "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
+ "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "For planned events consider using Node Auto Drain",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology",
- "service": "VNet",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
+ "link": 
"https://learn.microsoft.com/azure/aks/faq",
+ "service": "AKS",
 "severity": "High",
- "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS services.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
- "waf": "Cost"
+ "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "VNet",
- "severity": "High",
- "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
+ "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Use custom Node RG (aka 'Infra RG') name",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
- "service": "NVA",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
+ "link": 
"https://kubernetes.io/docs/setup/release/notes/",
+ "service": "AKS",
 "severity": "Medium",
- "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.",
- "waf": "Reliability"
+ "text": "Do not use deprecated Kubernetes APIs in your YAML manifests",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
+ "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
+ "service": "AKS",
 "severity": "Low",
- "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/",
- "waf": "Reliability"
+ "text": "Taint Windows nodes",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Network/virtualHubs",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
- "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
- "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
- "service": "ARS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ 
"checklist": "Azure AKS Review",
+ "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
+ "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
+ "service": "AKS",
 "severity": "Low",
- "text": "If using Route Server, use a /27 prefix for the Route Server subnet.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
- "service": "VNet",
- "severity": "Medium",
- "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
- "waf": "Performance"
+ "text": "Keep windows containers patch level in sync with host patch level",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
- "service": "VNet",
- "severity": "Medium",
- "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "Via Diagnostic Settings at the cluster level",
+ "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
+ "link": 
"https://learn.microsoft.com/azure/aks/monitor-aks",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
- "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
- "severity": "Medium",
- "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
+ "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "If required use nodePool snapshots",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
- "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
- "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
- "severity": "Medium",
- "text": "Limit the number of routes per route table to 400.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
+ "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Consider spot node pools for non time-sensitive workloads",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
- "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
- "service": "VNet",
- "severity": "High",
- "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
+ "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
+ "link": 
"https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "Consider AKS virtual node for quick bursting",
+ "waf": "Operations"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
- "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
- "service": "Load Balancers",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS", 
"severity": "High",
- "text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.",
- "waf": "Reliability"
+ "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)",
+ "waf": "Operations"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = 
poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
- "guid": "48682fb1-1e86-4458-a686-518ebd47393d",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
- "service": "Load Balancers",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
+ "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
 "severity": "High",
- "text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.",
- "waf": "Reliability"
+ "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
+ "service": "AKS",
 "severity": "Medium",
- "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. 
The diagram shows this encryption in flow.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "text": "Monitor CPU and memory utilization of the nodes",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "severity": "Medium",
- "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
- "waf": "Reliability"
+ "text": "If using Azure CNI, monitor % of pod IPs consumed per node",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "ExpressRoute",
- "severity": "High",
- "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", + "severity": "Medium", + "text": "Monitor OS disk queue depth in nodes", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "Medium", - "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Reliability" + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = 
todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "High", - "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Performance" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", + "severity": "Medium", + "text": "Subscribe to resource health notifications for your AKS cluster", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "severity": "High", - "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Reliability" - }, - { - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), 
')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", - "service": "Public IP Addresses", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "High", - "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. ", - "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", - "severity": "Medium", - "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "Configure requests and limits in your pod specs", "waf": "Operations" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "arm-service": "microsoft.containerservice/managedClusters", + 
"checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "Medium", - "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "Reliability" + "text": "Enforce resource quotas for namespaces", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "Low", - "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", - "training": "https://learn.microsoft.com/training/courses/az-700t00", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", + "severity": "High", + "text": "Ensure your subscription has enough quota to scale out your nodepools", "waf": "Operations" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": 
"https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "service": "AKS", "severity": "High", - "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "Configure Liveness and Readiness probes for all deployments", "waf": "Operations" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", - "service": "DNS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "Medium", - "text": "Implement a plan for managing DNS resolution between multiple Azure regions and when services fail over to another region", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Reliability" + "text": "Use the Cluster Autoscaler", + "waf": "Performance" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", - "severity": "Medium", - "text": "Use Azure Bastion to securely connect to your network.", - "training": 
"https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", + "severity": "Low", + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "Medium", - "text": "Use Azure Bastion in a subnet /26 or larger.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Reliability" + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", - "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", + "severity": "High", + "text": "Consider an appropriate node size, not too large or too small", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", "severity": "Low", - "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. 
Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "High", - "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "Low", + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "High", - "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "Low", + "text": "For long running operation on an AKS cluster consider event termination", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", - "severity": "High", - "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "Low", + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": 
"24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "severity": "High", - "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Reliability" + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "severity": "High", - "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", - "severity": "Medium", - "text": "Use ExpressRoute as the primary connection to Azure. 
Use VPNs as a source of backup connectivity.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "severity": "Medium", - "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "Low", + "text": "For hyper performance storage option use Ultra Disks on AKS", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, 
resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "Medium", - "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "High", - "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Cost" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | 
project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", - "severity": "High", - "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Cost" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "severity": "Medium", - "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": 
"Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "Medium", - "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", - "severity": "Medium", - "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "OpenAI", + "severity": "High", + "text": "Follow Metaprompting guardrails for resonsible AI", + "waf": 
"Operations" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", - "severity": "Medium", - "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "OpenAI", + "severity": "High", + "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", + "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", - "severity": "Medium", - "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "OpenAI", + "severity": "High", + "text": 
"Enable monitoring for your AOAI instances", + "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.insights/metricalerts' | extend compliant = (properties.targetResourceType =~ 'Microsoft.CognitiveServices/accounts') | project id, compliant", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "OpenAI", "severity": "High", - "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Cost" + "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", + "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", - "severity": "Medium", - "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. 
It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "OpenAI", + "severity": "High", + "text": "Monitor token usage to prevent service disruptions due to capacity", + "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "OpenAI", "severity": "Medium", - "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", - "severity": "Medium", - "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "OpenAI",
+ "severity": "Low",
+ "text": "Enable and configure Diagnostics for the Azure OpenAI Service. If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
- "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Use ExpressRoute circuits from different peering locations for redundancy.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": 
"https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
- "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
- "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "OpenAI",
 "severity": "High",
- "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.",
- "waf": "Reliability"
+ "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "d581a947-69a2-4783-942e-9df3664324c8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "OpenAI",
 "severity": "High",
- "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "text": "Evaluate usage of Provisioned throughput model ",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Review and implement Azure AI content safety",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "text": "Improve 
latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. 
For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "text": "Benchmark token consumption requirements based on estimated demands from consumers. 
Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operations"
+ "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
- "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Choose the right model for the right task. 
Pick models with right tradeoff between speed, quality of response and output complexity",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
 "waf": "Performance"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "service": "N/A",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "OpenAI",
 "severity": "Low",
- "text": "Do not send Azure traffic to hybrid locations for inspection. 
Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.",
- "waf": "Performance"
+ "text": "Deploy multiple OAI instances across regions",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
- "link": "https://learn.microsoft.com/azure/firewall/overview",
- "service": "Firewall",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Implement retry & healthchecks with Gateway pattern like APIM",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
- "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview",
- "service": "Firewall",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. 
Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Ensure having adequate quotas of TPM & RPM for the workload",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
- "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
- "service": "Firewall",
- "severity": "Low",
- "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Deploy separate fine tuned models across regions if finetuning is employed",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy 
== true) | distinct id,compliant",
- "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
- "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
- "service": "Firewall",
- "severity": "High",
- "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
- "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features",
- "service": "Firewall",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type == 'microsoft.search/searchservices' | extend compliant = (sku.name != 'free' and properties.replicaCount >= 3) | project id, compliant",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Use Azure Firewall Premium to enable additional security features.",
- "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "text": "Azure AI search service tiers should be choosen to have a SLA ",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
- "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules",
- "service": "Firewall",
- "severity": "High",
- "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "OpenAI",
+ "severity": "Low",
+ "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
- "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
- "service": "Firewall",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
- 
"training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
- "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
- "service": "Firewall",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "OpenAI",
 "severity": "High",
- "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that 
Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.",
+ "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
- "service": "Firewall",
- "severity": "Medium",
- "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Use RBAC to manage access to Azure OpenAI services. 
Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
- "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
- "service": "Firewall",
- "severity": "Important",
- "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
- "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
- "service": "Firewall",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/ai-onboarding",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Use a /26 prefix for your Azure Firewall subnets.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
- "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
- "service": "Firewall",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/",
- "waf": "Performance"
+ "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
- "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
- "service": "Firewall",
- "severity": "Medium",
- "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.",
- "waf": "Performance"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Implement Prompt shields and groundedness detection using Content Safety ",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
- "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
- "service": "Firewall",
- "severity": "Medium",
- "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.",
- "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
- "waf": "Performance"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
+ "waf": "Reliability"
 },
 {
- "arm-service": 
"Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
- "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway",
- "service": "Firewall",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.",
- "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
- "waf": "Performance"
+ "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "346840b8-1064-496e-8396-4b1340172d52",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection",
- "service": "Firewall",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "OpenAI",
 "severity": "High",
- "text": "If you are using Azure Firewall Premium, enable TLS Inspection.",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories",
- "service": "Firewall",
- "severity": "Low",
- "text": "Use web categories to allow or deny outbound access to specific topics.",
- "waf": "Performance"
+ "text": "Keep 
production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall",
- "service": "Firewall",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/",
- "waf": "Performance"
+ "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. 
For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", + "service": "OpenAI", "severity": "Medium", - "text": "Enable Azure Firewall DNS proxy configuration.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", + "service": "OpenAI", "severity": "High", - "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "Operations" + "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "Low", - "text": "Implement backups for your firewall rules", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "OpenAI", + "severity": "High", + "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", - "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", - "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", - "service": "Firewall", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.privateEndpointConnections != '[]' and properties.publicNetworkAccess !~ 'enabled')", + "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", + "link": 
"https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", + "service": "OpenAI", "severity": "High", - "text": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "text": "Configure private endpoint for AI services to restrict service access within your network", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", - "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", - "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", - "service": "Firewall", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "OpenAI", "severity": "High", - "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide 
enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. ", + "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "AppGW", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "OpenAI", "severity": "High", - "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "OpenAI", "severity": "Medium", - "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. 
This method avoids transiting over the public internet.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "text": "Use prompt compression tools like LLMLingua or gprtrim", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (isnotnull(identity))", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "OpenAI", "severity": "High", - "text": "Don't enable virtual network service endpoints by default on all subnets.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": 
"azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "OpenAI", "severity": "Medium", - "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", - "severity": "High", - "text": "Use at least a /27 prefix for your Gateway subnets.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand 
properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", - "severity": "High", - "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "arm-service": 
"Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "OpenAI", "severity": "Medium", - "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "OpenAI", "severity": "Medium", - "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where 
properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", - "severity": "Medium", - "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (tags != '{}')", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "OpenAI", + "severity": "Low", + "text": "Azure AI Services are properly tagged for better management", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", - "severity": "Medium", - "text": "Do not 
implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "OpenAI", + "severity": "Low", + "text": "Azure AI Service accounts follows organizational naming conventions", + "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", - "severity": "Medium", - "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "OpenAI", + "severity": "High", + "text": "Diagnostic logs in Azure AI services resources should be enabled", "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", - "severity": "Medium", - "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", - "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.disableLocalAuth == true)", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "OpenAI", + "severity": "High", + "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", - "severity": "Medium", - "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "OpenAI", + "severity": "High", + "text": "Store and manage keys securely using Azure Key Vault. 
Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", - "severity": "Medium", - "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "OpenAI", + "severity": "High", + "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", - "severity": "Medium", - "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "OpenAI", + "severity": "High", + "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", + "waf": "Cost" }, { - "arm-service": 
"microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", - "severity": "Medium", - "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "OpenAI", + "severity": "High", + "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", - "severity": "Medium", - "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": 
"https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "OpenAI", + "severity": "High", + "text": "Setup a process to regularly update and patch the LLM libraries and other system components", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", - "severity": "Medium", - "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "OpenAI", + "severity": "High", + "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", + "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", - "severity": "High", - "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - 
"waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "OpenAI", + "severity": "Medium", + "text": "Understand difference in cost of base models and fine tuned models and token step sizes", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "OpenAI", "severity": "High", - "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Reliability" + "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. 
Ensure you optimize batch size", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "OpenAI", "severity": "Medium", - "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", - "training": "https://learn.microsoft.com/training/modules/governance-security/", - "waf": "Reliability" + "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "OpenAI", "severity": "Medium", - "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Reliability" + "text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). 
Optimize the size to ensure it is large enough for a valid response", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "High", - "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "OpenAI", + "severity": "Medium", + "text": "Plan and manage AI Search Vector storage", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "severity": "Low", - "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "OpenAI", + "severity": "Medium", + "text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning 
& experimentation. Apply LLMOps practices to automate the lifecycle management of your GenAI applications",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Use built-in policies where possible to minimize operational overhead.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Reliability"
+ "text": "Evaluate usage of billing models - PAYG vs PTU. Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. 
For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.",
- "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Reliability"
+ "text": "Evaluate the quality of prompts and applications when switching between model versions",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "19048384-5c98-46cb-8913-156a12476e49",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Reliability"
+ "text": "Evaluate, monitor and refine your GenAI 
apps for features like groundedness, relevance, accuracy, coherence and fluency",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
- "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.",
- "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
- "waf": "Reliability"
+ "text": "Evaluate your Azure AI Search results based on different search parameters",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.",
- "waf": "Reliability"
+ "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": 
"caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "OpenAI", "severity": "Medium", - "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.", - "waf": "Reliability" + "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "OpenAI", "severity": "Medium", - "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.", + "text": "Red team your GenAI applications", "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", - "service": "Monitor", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": 
"https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "OpenAI", "severity": "Medium", - "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "text": "Provide end users with scoring options for LLM responses and track these scores. ", "waf": "Operations" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", - "severity": "Medium", - "text": "Decide whether to use a single Azure Monitor Logs workspace for all regions or to create multiple workspaces to cover various geographical regions. Each approach has advantages and disadvantages, including potential cross-region networking charges", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "OpenAI", "severity": "High", - "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. 
Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "Operations"
+ "text": "Consider Quota management practices. Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
- "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
- "service": "VM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations",
- "service": "VM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc411",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-studio#import-training-data-from-azure-blob-store",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "waf": "Operations"
+ "text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. 
Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
- "service": "VM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "waf": "Operations"
+ "text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/networkWatchers",
- "checklist": "Azure Landing Zone Review",
- "guid": "90483845-c986-4cb2-a131-56a12476e49f",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Network Watcher",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Use Network Watcher to proactively monitor traffic flows.",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "Operations"
+ "text": "Monitor provision-managed 
utilization if you're using the provisioned throughput payment model",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Monitor",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc414",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/content-filters",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Use Azure Monitor Logs for insights and reporting.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/",
- "waf": "Operations"
+ "text": "Tune content filters to minimize false positives from overly aggressive filters",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "97be9951-9048-4384-9c98-6cb2913156a1",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
- "service": "Monitor",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc415",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Use Azure Monitor alerts for the generation of operational alerts.",
- "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/",
- "waf": "Operations"
+ "text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31",
- 
"link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' and kind =~ 'contentsafety' | project id, compliant = 1", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "OpenAI", "severity": "Medium", - "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", - "waf": "Operations" + "text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks", + "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", - "severity": "Low", - "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", + "service": "OpenAI", + "severity": "Medium", + "text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas", "waf": "Reliability" }, { - "arm-service": 
"Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a9", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "OpenAI", "severity": "Medium", - "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", - "waf": "Reliability" + "text": "Develop your cost model, considering prompt sizes. Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model", + "waf": "Cost" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a1", + "link": "https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/", + "service": "OpenAI", "severity": "Medium", - "text": "Monitor VM security configuration drift via Azure Policy.", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Reliability" + "text": "Consider 
model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. Optimize costs while still achieving the desired application performance",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "VM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.",
- "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/",
- "waf": "Operations"
+ "text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. 
The cost for generating 100 images is the same as the cost for 1 image",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca",
- "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
- "service": "Backup",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a3",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.",
- "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/",
- "waf": "Operations"
+ "text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "WAF",
- "severity": "High",
- "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. 
Regularly review the logs to check for attacks and for false positive detections.",
- "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Create concise prompts that provide enough context for the model to generate a useful response. Also ensure that you optimize the limit of the response length.",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "7f408960-c626-44cb-a018-347c8d790cdf",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "WAF",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219",
+ "link": "https://learn.microsoft.com/azure/ai-services/create-account-bicep",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. 
Detect attacks and integrate WAF telemetry into your overall Azure environment.",
- "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/",
+ "text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "5017f154-e3ab-4369-9829-e7e316183687",
- "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
- "service": "Key Vault",
- "severity": "High",
- "text": "Use Azure Key Vault to store your secrets and credentials.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/",
- "waf": "Reliability"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5855",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/openai",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)",
- "guid": 
"a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", - "severity": "Medium", - "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.", + "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", + "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", + "query": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend exportPolicyStatus = properties.policies.exportPolicy.status | extend compliant = iif(exportPolicyStatus =~ 'Disabled', true, false) | project acrName, acrId, exportPolicyStatus, compliant", + "service": "ACR", + "severity": "High", + "text": "Disable Azure Container Registry image export", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", + 
"guid": "d503547c-d447-4e82-9128-a7100f1cac6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", + "service": "ACR", + "severity": "High", + "text": "Enable Azure Policies for Azure Container Registry", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medium", - "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. 
The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.",
+ "guid": "d345293c-7639-4637-a551-c5c04e401955",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Sign and Verify containers with notation (Notary v2)",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "6d70ba6c-97be-4995-8904-83845c986cb2",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.",
+ "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend encryptionStatus = properties.encryption.status | extend compliant = iif(encryptionStatus == 'disabled', false, true) | project acrName, acrId, encryptionStatus, compliant",
+ "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49",
+ "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys",
+ "service": "ACR",
 "severity": "Medium",
- "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.",
- "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/",
+ "text": "Encrypt registry with a customer managed key",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": 
"913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medium", - "text": "Establish an automated process for key and certificate rotation.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", + "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", + "severity": "High", + "text": "Use Managed Identities to connect instead of Service Principals", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medium", - "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", + "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant", + "guid": "be0e38ce-e297-411b-b363-caaab79b198d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", + "severity": "High", + "text": "Disable local authentication for management plane access", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", - "severity": "Medium", - "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", + "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant", + "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", + "service": "ACR", + "severity": 
"High", + "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable anonymous pull/push access", + "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend compliant = iif(properties.anonymousPullEnabled == false, true, false) | project compliant, name, id, tags | distinct id, compliant", + "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", + "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", + "service": "ACR", "severity": "Medium", - "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "text": "Disable Anonymous pull access", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Token authentication doesn't support assignment to an AAD principal. 
Any tokens provided are able to be used by anyone who can access the token", + "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", + "service": "ACR", + "severity": "High", + "text": "Disable repository-scoped access tokens", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", + "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", + "service": "ACR", + "severity": "High", + "text": "Deploy images from a trusted environment", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Only tokens with an ACR audience can be used for authentication. Used when enabling Conditional access policies for ACR", + "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", + "service": "ACR", "severity": "Medium", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "text": "Disable Azure ARM audience tokens for authentication", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for 
logging and monitoring. This allows you to monitor control plane activity on the ACR resource itself.", + "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", + "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", + "service": "ACR", "severity": "Medium", - "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "text": "Enable diagnostics logging", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", + "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", + "service": "ACR", "severity": "Medium", - "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "text": "Control inbound network access with Private Link", "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": 
"Entra", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable public network access if inbound network access is secured using Private Link", + "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | where sku.name =~ 'Premium' // Check for Premium SKU | extend publicAccessEnabled = properties.publicNetworkAccess | extend defaultAction = tostring(properties.networkRuleSet.defaultAction) // Extract defaultAction | extend compliant = iif(publicAccessEnabled != 'Enabled' or defaultAction == 'Deny', true, false) | project name, id, publicAccessEnabled, defaultAction, compliant", + "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", + "service": "ACR", "severity": "Medium", - "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", - "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "text": "Disable Public Network access", "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", - "severity": "High", - "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Only the ACR Premium SKU supports Private Link access", + "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend skuName = sku.name // Extract the SKU name | extend compliant = iif(skuName == 
'Premium', true, false) // Check if SKU is Premium | project name, id, skuName, compliant", + "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", + "service": "ACR", + "severity": "Medium", + "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", - "severity": "High", - "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities", + "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", + "service": "ACR", + "severity": "Low", + "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "High", - "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + 
"description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", + "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", + "service": "ACR", + "severity": "Medium", + "text": "Deploy validated container images", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", + "guid": "4e401955-387e-45ce-b126-cd132af5b20c", + "service": "ACR", "severity": "High", - "text": "Enable Endpoint Protection on IaaS Servers.", - "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "text": "Use up-to-date platforms, languages, protocols and frameworks", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", - "severity": "Medium", - "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", + "guid": "ba7da7be-9951-4914-a384-5d997cb39132", + "link": 
"https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", + "service": "Data Explorer", + "text": "Leverage External Tables and Continuous data export overview to reduce costs", "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", - "severity": "Medium", - "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. 
If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", + "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", + "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", + "service": "Data Explorer", + "text": "To share data, explore Leader-follower cluster configuration", "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", - "guid": "a56888b2-7e83-4404-bd31-b886528502d1", - "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", - "service": "Entra", - "severity": "High", - "text": "Centralized threat detection with correlated logs - consolidate security data in a central location where it can be correlated across various services via SIEM (security information and event management)", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", + "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", + "service": "Data Explorer", + "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", - "severity": "Medium", - "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "436b0635-cb45-4e57-a603-324ace8cc123", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", + "service": "Data Explorer", + "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", - "severity": "Medium", - "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", + "service": "Data Explorer", + "text": "Ingest data into each cluster in parallel", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure 
Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "severity": "High", - "text": "Enable secure transfer to storage accounts.", - "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", + "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", + "service": "Data Explorer", + "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", - "severity": "High", - "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.", + "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", + "service": "Data Explorer", + "text": "For critical applications, create Active-Active configuration in two paired regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", - "severity": "High", - "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", - "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", - "waf": "Operations" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Leverage zone-redundancy to ensure high availability in the event of zone-level failures. Use Premium V2/V3 or Isolated v2 tiers, which provide support for zone-redundant deployments and ensure minimal downtime during disasters.", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Service", - "severity": "Low", - "text": "Implement a baseline highly available zone-redundant web application architecture. Ensure your Azure App Service is on Premium V2/V3 or Isolated v2 tiers for zone-redundant support.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Leverage staging slots for zero-downtime deployments and automated backups to ensure disaster recovery. 
Choose the appropriate tier (Standard or Premium) based on the number of slots and disaster recovery requirements.", - "graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Service", - "severity": "Medium", - "text": "Use Premium and Standard tiers for staging slots and automated backups. Align your backup retention period with disaster recovery needs.", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", + "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", + "service": "Data Explorer", + "text": "For applications, which required only read during failure, create Active-Hot standby configuration", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Availability Zones provide physical isolation across datacenters in a region, reducing downtime during outages. 
Verify your region supports Availability Zones and use Premium V2/V3 tiers for zone-redundant deployments.", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-service", - "service": "App Service", - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (Premium V2/V3 tier required). Check region support for Availability Zones.", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", + "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", + "service": "Data Explorer", + "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Enable health checks to detect unhealthy instances in real-time and automatically replace them to maintain high availability and application reliability.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", - "service": "App Service", - "severity": "Medium", - "text": "Implement health checks to monitor and detect issues with App Service instances. 
Health checks enable automatic instance replacement on failure.", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", + "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Data Explorer", + "text": "Wrap DevOps and source control around all your code", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Follow best practices for configuring backups and restores in Azure App Service and ASE to guarantee data availability and ensure recovery during disaster scenarios.", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/azure/app-service/manage-backup", - "service": "App Service", - "severity": "High", - "text": "Refer to backup and restore best practices for Azure App Service and App Service Environments (ASE) to ensure data availability and recovery.", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Data Explorer", + "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Ensure high availability by incorporating scaling, fault tolerance, monitoring, and zone redundancy into your App Service architecture. 
Leverage health checks and availability zones to maintain uptime.", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Service", - "severity": "High", - "text": "Implement Azure App Service reliability best practices, including auto-scaling, fault tolerance, health checks, and zone redundancy.", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Data Explorer", + "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Prepare for disaster recovery by implementing region failover strategies. 
Utilize active-active and active-passive configurations, automated failover, and Infrastructure as Code (IaC) for seamless failover during outages.", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Service", - "severity": "Low", - "text": "Familiarize with App Service region failover, including active-active and active-passive configurations, automated failover, and IaC deployment.", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Data Factory", + "severity": "Medium", + "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure App Service offers built-in reliability features, including scaling, fault tolerance, and service-level agreements (SLAs). 
Leverage these features to maintain consistent performance during outages.", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/azure/reliability/reliability-app-service", - "service": "App Service", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Data Factory", "severity": "High", - "text": "Familiarize with reliability support in Azure App Service, including scaling options, SLAs, and automated recovery mechanisms.", + "text": "Use zone redundant pipelines in regions that support Availability Zones", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Enabling 'Always On' for Function Apps ensures that the app does not go idle, maintaining its availability and responsiveness at all times.", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/azure/azure-functions/dedicated-plan#always-on", - "service": "App Service", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Data Factory", "severity": "Medium", - "text": "Ensure 'Always On' is enabled for Function Apps running on App Service plans to prevent idling and ensure continuous availability.", + "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Health checks monitor the health of App Service instances, enabling automatic replacement of unhealthy instances to maintain high 
availability.",
- "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
- "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check",
- "service": "App Service",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Data Factory",
 "severity": "Medium",
- "text": "Monitor App Service instances using Health checks to detect unhealthy instances and automatically replace them.",
+ "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
- "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-overview",
- "service": "App Service",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Data Factory",
 "severity": "Medium",
- "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests, ensuring proactive detection of performance issues and downtime.",
+ "text": "Make sure you replicate or duplicate your network in the sister region. 
You have to make a copy of your Vnet in another region",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
- "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-standard-tests",
- "service": "App Service",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you",
+ "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Data Factory",
 "severity": "Low",
- "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website",
+ "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Azure Key Vault ensures secrets are encrypted, securely stored, and accessed only by authorized applications. It supports audit logging, and secret versioning, and reduces the risk of accidental exposure of sensitive information.",
- "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
+ "service": "AVS",
 "severity": "High",
- "text": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a secure, managed, and audited environment for storing secrets, and integrates seamlessly with App Service via App Service Key Vault References for enhanced security.",
+ "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Managed Identity eliminates the need for hard-coded credentials by allowing App Service to authenticate to Azure Key Vault securely. This reduces the risk of credential exposure and simplifies secret management for enhanced security.",
- "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
- "service": "App Service",
- "severity": "High",
- "text": "Use Managed Identity to securely connect to Azure Key Vault for accessing secrets, through App Service Key Vault References.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "75089c20-990d-4927-b105-885576f76fc2",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Storing TLS certificates in Azure Key Vault enhances security by providing centralized, secure management and automated renewal of certificates. 
This reduces the risk of manual handling errors and certificate expiration.",
- "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
+ "service": "AVS",
 "severity": "High",
- "text": "Use Azure Key Vault to securely store and manage TLS certificates for App Service.",
+ "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "To minimize exposure and improve security, isolate systems processing sensitive data. Leverage separate App Service Plans or App Service Environments for isolation, and use different subscriptions or management groups to enforce stricter boundaries and governance.",
- "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
- "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Isolate systems that process sensitive information using separate App Service Plans, App Service Environments (ASE), and consider different subscriptions or management groups for enhanced security.",
+ "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).",
- "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
- "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Do not store sensitive data on local disk",
+ "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Use Microsoft Entra ID or B2C for secure user authentication and Single Sign-On (SSO) across applications. Integrate using the built-in App Service Authentication/Authorization feature for streamlined security and compliance with modern authentication protocols like OpenID Connect.",
- "guid": "919ca0b2-c121-459e-814b-933df574eccc",
- "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
- "service": "App Service",
- "severity": "Medium",
- "text": "Use Microsoft Entra ID or B2C for secure authentication and Single Sign-On (SSO).",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Ensure all code deployments to App Service originate from a controlled, secured environment, such as a well-managed DevOps pipeline. 
This practice mitigates the risk of deploying unauthorized or malicious code by enforcing version control, code verification, and secure hosting.",
- "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
- "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
- "service": "App Service",
- "severity": "High",
- "text": "Deploy code to App Service from a trusted and secure environment.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Has an RBAC model been created for use within VMware vSphere",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM to enhance security by enforcing Microsoft Entra ID secured endpoints for deployment. This ensures that only authenticated users using Microsoft Entra ID credentials can access deployment services, including the SCM site.",
- "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
- "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
- "service": "App Service",
- "severity": "High",
- "text": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "RBAC permissions should be granted on ADDS groups and not on specific users",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Wherever possible, use Managed Identity to securely connect to Microsoft Entra ID-secured resources without storing credentials. 
If this is not feasible, store secrets in Azure Key Vault and access them using Managed Identity to maintain security and reduce the risk of credential exposure.",
- "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
- "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
+ "service": "AVS",
 "severity": "High",
- "text": "Use Managed Identity to connect to Microsoft Entra ID secured resources.",
+ "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "When using images stored in Azure Container Registry, pull these images using a Managed Identity to avoid storing credentials. This ensures secure access to container images and reduces the risk of credential exposure.",
- "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
+ "service": "AVS",
 "severity": "High",
- "text": "Pull container images from Azure Container Registry using a Managed Identity.",
+ "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Configure diagnostic settings to send telemetry and security logs (including HTTP, platform, and audit logs) to Log Analytics. 
Centralized logging enhances monitoring, threat detection, and compliance reporting.",
- "guid": "47768314-c115-4775-a2ea-55b46ad48408",
- "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
- "service": "App Service",
- "severity": "Medium",
- "text": "Send App Service runtime and security logs to Log Analytics for centralized monitoring and alerting.",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
+ "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.",
- "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
- "service": "App Service",
- "severity": "Medium",
- "text": "Send App Service activity logs to Log Analytics",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Use regional VNet integration, Network Security Groups (NSGs), and User-Defined Routes (UDRs) to control outbound network access. 
Route traffic through a Network Virtual Appliance (NVA), such as Azure Firewall, and monitor firewall logs to ensure traffic is properly controlled and secure.",
- "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
- "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Control outbound network access for App Service using VNet integration, NSGs, UDRs, and firewalls.",
- "waf": "Reliability"
+ "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Provide a stable outbound IP by using VNet integration with a NAT Gateway or Network Virtual Appliance (NVA) like Azure Firewall. This enables the receiving party to allow-list based on IP, if necessary. 
For communications with Azure services, use mechanisms like Service Endpoints or private endpoints to avoid relying on static IPs, ensuring secure and efficient connectivity.",
- "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
- "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
- "service": "App Service",
- "severity": "Low",
- "text": "Ensure a stable IP for outbound communications by using VNet NAT Gateway or Azure Firewall.",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Control inbound network access by configuring App Service Access Restrictions, Service Endpoints, or Private Endpoints. 
Ensure appropriate restrictions are set for both the web app and the SCM (deployment) site to limit unauthorized access and enhance security.",
- "guid": "0725769e-e669-41a4-a34a-c932223ece80",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
+ "service": "AVS",
 "severity": "High",
- "text": "Control inbound network access using Access Restrictions, Service Endpoints, or Private Endpoints.",
- "waf": "Reliability"
+ "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Protect App Service from malicious inbound traffic by deploying a Web Application Firewall (WAF) using Azure Application Gateway or Azure Front Door. 
Ensure WAF logs are monitored regularly to detect and respond to security threats.",
- "guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
- "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
+ "service": "AVS",
 "severity": "High",
- "text": "Use a Web Application Firewall (WAF) in front of App Service.",
+ "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "To prevent the Web Application Firewall (WAF) from being bypassed, lock down access to App Service by using Access Restrictions, Service Endpoints, and Private Endpoints. This ensures that all traffic is routed through the WAF, providing a secure front layer of protection.",
- "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
+ "service": "AVS",
 "severity": "High",
- "text": "Ensure the WAF cannot be bypassed by securing access to App Service.",
+ "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Ensure that the minimum TLS policy is set to 1.2 or higher, with a preference for TLS 1.3, to enhance security through stronger encryption protocols. 
TLS 1.3 provides additional security improvements and faster handshake times, reducing vulnerabilities associated with older versions.",
- "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
- "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Set minimum TLS policy to 1.2 or higher, preferably 1.3, in App Service configuration.",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Configure App Service to enforce HTTPS-only, automatically redirecting all HTTP traffic to HTTPS. Additionally, implement HTTP Strict Transport Security (HSTS) in your code or via a Web Application Firewall (WAF) to ensure browsers only access the site over HTTPS, enhancing security by preventing downgrade attacks.",
- "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
- "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
- "service": "App Service",
- "severity": "High",
- "text": "Use HTTPS only and consider enabling HTTP Strict Transport Security (HSTS).",
+ "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Do not use wildcards (*) in your CORS configuration, as this permits unrestricted access from any origin, compromising security. Instead, explicitly specify trusted origins that are allowed to access the service, ensuring controlled access.",
- "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
+ "service": "AVS",
 "severity": "High",
- "text": "Avoid using wildcards for CORS; specify allowed origins explicitly.",
+ "text": "Limit use of CloudAdmin account to emergency access only",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Remote debugging should not be enabled in production as it opens additional ports, increasing the attack surface. 
Although App Service automatically turns off remote debugging after 48 hours, it is recommended to disable it manually in production to maintain a secure environment.",
- "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
- "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
- "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
- "service": "App Service",
- "severity": "High",
- "text": "Turn off remote debugging in production environments.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.",
- "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Enable Defender for Cloud - Defender for App Service",
+ "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
- "guid": "223ece80-b123-4071-a541-6415833ea3ad",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "App Service",
- "severity": "Medium",
- "text": "Enable DDOS Protection Standard on the WAF VNet",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "When using images stored in Azure Container Registry, ensure they are pulled over a virtual network by using a private endpoint and configuring the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'. 
This ensures secure communication between App Service and the registry, preventing exposure to the public internet.",
- "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
- "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Pull container images over a Virtual Network from Azure Container Registry.",
+ "text": "Is East-West traffic filtering implemented within NSX-T",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Perform a penetration test on the web application in accordance with Azure's penetration testing rules of engagement. This helps identify vulnerabilities and security weaknesses that can be addressed before they are exploited.",
- "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
- "service": "App Service",
- "severity": "Medium",
- "text": "Conduct a penetration test on the web application.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Ensure that only trusted code, which has been validated and scanned for vulnerabilities, is deployed to production following DevSecOps practices. 
This minimizes the risk of introducing security vulnerabilities into the application environment.",
- "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
- "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
- "service": "App Service",
- "severity": "Medium",
- "text": "Deploy validated and vulnerability-scanned code.",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Ensure that the latest versions of supported platforms, programming languages, protocols, and frameworks are used. Regular updates mitigate the risk of security vulnerabilities and ensure compatibility with security patches.",
- "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
- "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
+ "service": "AVS",
 "severity": "High",
- "text": "Use up-to-date platforms, languages, protocols and frameworks",
+ "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Leverage Auto-Healing in Azure App Service to automatically restart instances or trigger custom actions based on pre-defined failure conditions like memory thresholds, HTTP errors, or specific event logs.",
- "guid": "60b3a935-33e5-45c9-87c7-53882e395b46",
- "link": "https://learn.microsoft.com/azure/app-service/overview-diagnostics",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
+ "service": "AVS",
 "severity": "Medium",
- "text": 
"Use Auto-Healing with custom rules to restart App Service instances automatically when failures occur.",
+ "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Configure Azure Monitor alerts based on Application Insights metrics for response times, failure rates, and overall availability. Alerts help detect issues proactively and reduce mean-time-to-recovery (MTTR).",
- "guid": "e52e4514-02a7-4e81-a98e-88ce1b18e557",
- "link": "https://learn.microsoft.com/azure/azure-monitor/app/alerts",
- "service": "App Service",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')",
+ "guid": "334fdf91-c234-4182-a652-75269440b4be",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Set up alerts for critical Application Insights metrics, such as response time and failure rates.",
+ "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Use Azure Policy to enforce security, 
compliance, and governance configurations for App Service. Policies can ensure that critical settings such as TLS versions, backup configurations, and network restrictions are enforced across all App Service instances.", - "guid": "361e886f-ca40-4ead-a8e9-1379c642ae9c", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "App Service", - "severity": "High", - "text": "Apply Azure Policy to enforce compliance across App Service configurations.", - "waf": "Governance" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Leverage Azure Cost Management to track and forecast App Service expenses. Set up alerts for budget thresholds to avoid overspending, and optimize costs based on resource utilization trends.", - "guid": "42eb48f0-28ff-497c-b2c0-a8fa1f989832", - "link": "https://learn.microsoft.com/azure/cost-management-billing/", - "service": "App Service", - "severity": "Low", - "text": "Monitor App Service costs using Azure Cost Management and create cost alerts.", - "waf": "Cost" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "If you have predictable and steady usage of App Service, purchasing Reserved Instances can significantly reduce long-term costs. 
Commit to one or three years for lower pricing compared to pay-as-you-go.", - "guid": "e489221b-487e-48a3-aaab-48e3d205ca12", - "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/", - "service": "App Service", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "severity": "Medium", - "text": "Purchase reserved instances for App Service plans to optimize long-term costs.", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT Hub", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", + "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT Hub", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", "severity": "Medium", - "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", + "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT Hub", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", + "severity": "Medium", + "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT Hub", - "severity": "High", - "text": "Learn how to trigger a manual failover.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "severity": "Low", + "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT Hub", - "severity": "High", - "text": "Learn how to fail back after a failover.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "Low", + "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachineScaleSets", - "checklist": "Resiliency Review", - "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", - "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", - "service": "VMSS", - "severity": "Low", - "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", + "severity": "Medium", + "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", - "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", - "link": 
"https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", - "service": "VM", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "severity": "High", - "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", + "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", - "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "VM", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "severity": "High", - "text": "Use Premium or Ultra disks for production VMs", + "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", - "guid": "b31e38c3-f298-412b-8363-cffe179b599d", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", - "service": "VM", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", "severity": "High", - "text": "Ensure Managed Disks are used for all VMs", + "text": "Ensure that you have requested enough quota, 
ensuring you have considered growth and Disaster Recovery requirement", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", - "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", - "service": "VM", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "Medium", - "text": "Do not use the Temp disk for anything that is not acceptable to be lost", - "waf": "Reliability" + "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "severity": "Medium", - "text": "Leverage Availability Zones for your VMs in regions where they are supported", - "waf": "Reliability" + "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", + "waf": "Operations" }, { - "arm-service": 
"Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "severity": "Medium", - "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", - "waf": "Reliability" + "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", + "waf": "Cost" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", - "severity": "High", - "text": "Avoid running a production workload on a single VM", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", + "severity": "Low", + "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", + "waf": "Cost" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": 
"https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "severity": "High", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", + "severity": "Medium", + "text": "Consider the use of Azure Private-Link when using other Azure Native Services", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", - "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", - "severity": "Low", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", + "severity": "High", + "text": "Ensure all required resource reside within the same Azure availability zone(s)", + "waf": "Performance" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "severity": "Medium", - "text": "Increase quotas in DR region before testing failover with ASR", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", - "severity": "Low", - "text": "Utilize Scheduled Events to prepare for VM maintenance", + "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", "severity": "Medium", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", + "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Storage", - "severity": "Low", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", + "severity": "High", + "text": "Enable Diagnostic and metric logging on Azure VMware Solution", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": 
"https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Storage", - "severity": "Low", - "text": "Enable soft delete for Storage Account Containers", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", + "severity": "Medium", + "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Storage", - "severity": "Low", - "text": "Enable soft delete for blobs", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", + "severity": "Medium", + "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Backup", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + 
"guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", "severity": "Medium", - "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", + "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Backup", - "severity": "Low", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", + "severity": "Medium", + "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. 
This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Backup", - "severity": "Low", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", + "severity": "High", + "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Resiliency Review", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", - "severity": "Low", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", + "severity": "High", + "text": "Are data processing implications (service provider / service consumer model) clear and documented", "waf": "Reliability" }, { - "arm-service": "Microsoft.PowerBI/gateways", - "checklist": "Resiliency Review", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "severity": "Medium", - "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", + "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. 
The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "severity": "High", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", - "waf": "Reliability" + "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", "severity": "High", - "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", - "severity": "Medium", - "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", - "waf": "Reliability" + "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", - "severity": "Medium", - "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", + "severity": "High", + "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", - "severity": "Medium", - "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, 
alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", + "severity": "High", + "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "severity": "Medium", - "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", + "severity": "Low", + "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "severity": "High", - "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", - "waf": "Reliability" + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "severity": "Low", - "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", + "severity": "Medium", + "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Low", - "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", + "severity": "Medium", + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Low", - "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. 
Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "severity": "Medium", - "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. 
It can be turned on via CLI, PowerShell or Portal.", - "waf": "Reliability" + "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", - "guid": "d0642c1c-312b-4116-94ab-439e1c836819", - "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "severity": "Medium", - "text": "RBAC is recommended to control access to your key vault. Familiarize yourself with the Key Vault's access control guidance.", - "waf": "Reliability" + "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", - "guid": "ba7da7be-9951-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", - "service": "Data Explorer", - "text": "Leverage External Tables and Continuous data export overview to reduce costs", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", + "severity": "Medium", + "text": "Use Azure Policy to onboard Azure VMware Solution workloads in 
the Azure Management, Monitoring and Security solutions", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Data Explorer", - "text": "To share data, explore Leader-follower cluster configuration", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Data Explorer", - "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", + "severity": "Medium", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Data Explorer", - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", + "severity": "Medium", + "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Data Explorer", - "text": "Ingest data into each cluster in parallel", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", + "severity": "Medium", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Data Explorer", - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", + "severity": "High", + "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. 
Users are routed to the nearest region. The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Data Explorer", - "text": "For critical applications, create Active-Active configuration in two paired regions", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", + "severity": "Medium", + "text": "Use the geopolitical region pair as the secondary disaster recovery environment", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Data Explorer", - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", + "severity": "High", + "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Data Explorer", - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", + "severity": "Medium", + "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Data Explorer", - "text": "Wrap DevOps and source control around all your code", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", + "severity": "Medium", + "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Data Explorer", - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", + "severity": "Medium", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Data Explorer", - "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", + "severity": "Medium", + "text": "Deploy your backup solution outside of vSan, on Azure native components", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", - "severity": "Medium", - "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. 
ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "Operations" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "Low", + "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", - "severity": "Medium", - "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", - "training": "https://github.com/Azure/sap-automation", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", + "severity": "Low", + "text": "For manual deployments, all configuration and deployments must be documented", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", - "severity": "Medium", - "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "Low", + "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", - "severity": "Medium", - "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "Low", + "text": "For automated deployments, deploy a minimal private cloud and scale as needed", + "waf": "Operations" }, { - "checklist": "SAP 
Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", - "severity": "High", - "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "Low", + "text": "For automated deployments, request or reserve quota prior to starting the deployment", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "Medium", - "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "Low", + "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", - "severity": "High", - "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "Low", + "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", "severity": "Low", - "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", - "waf": "Reliability" + "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", - "severity": "Medium", - "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "Low", + "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", "severity": "Low", - "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "Reliability" + "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "High", - "text": "Native database replication technology should be used to synchronize the database in a HA pair.", - "training": 
"https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", + "severity": "Medium", + "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "High", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", + "severity": "Medium", + "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", - "severity": 
"High", - "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", + "severity": "Medium", + "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "High", - "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", + "severity": "Medium", + "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "High", - "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", + "severity": "Medium", + "text": "Define and enforce scale in/out maximum limits for your environment in the automations", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "High", - "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", + "severity": "Medium", + "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "High", - "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "High", - "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "When using MON, you cannot enable MON on more than 100 Network extensions", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend 
BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "High", - "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", + "severity": "Medium", + "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "High", - "text": "Make sure the Floating IP is enabled on the Load balancer", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", + "severity": "Medium", + "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization 
appliance", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", - "severity": "High", - "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", + "severity": "Medium", + "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", - "severity": "High", - "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", + "severity": "Medium", + "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": 
"cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "High", - "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", + "severity": "Medium", + "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "severity": "Medium", - "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + 
"arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", "severity": "High", - "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", "severity": "High", - "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", + "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": 
"5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", "severity": "High", - "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", "severity": "High", - "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", - "severity": "Medium", - "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. 
However, you can combine up to five multiple central-services clusters into a pair of VMs.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "severity": "High", + "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. ", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "severity": "Medium", - "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. These VMs should be the same size and have the same storage configuration.", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. 
This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. ", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "severity": "Medium", - "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "High", - "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. 
By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", + "severity": "Medium", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "severity": "High", - "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", - "severity": "High", - "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", + "severity": "Medium", + "text": "Enable logging for security investigation. 
Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "severity": "High", - "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", + "severity": "Medium", + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "severity": "Medium", - "text": "Automate SAP System Start-Stop to manage costs.", - "waf": "Cost" + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "Low", - "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. 
Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", - "waf": "Cost" - }, - { - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "Low", - "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", - "waf": "Cost" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", + "severity": "Medium", + "text": "Leverage FTA Resillency HandBook", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "severity": "High", - "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "text": "Leverage Availability Zones if regionally applicable", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "severity": "Medium", - "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "text": "Use the Premium or Dedicated SKUs for predicable performance", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "severity": "Medium", - "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + 
"description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "severity": "High", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "text": "For Business Critical Applications, use Active Active configuration", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "text": "Design Resilient Event Hubs", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", + "service": "Cognitive Services", "severity": "Medium", - "text": "You can implement SSO to SAP GUI by using 
SAP NetWeaver SSO or a partner solution.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "text": "Leverage FTA HandBook for Cognitive Services",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Cognitive Services",
 "severity": "Medium",
- "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
+ "text": "Backup Your Prompts",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
- "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
- "service": "SAP",
- "severity": "Medium",
- "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Cognitive Services",
+ "severity": "High",
+ "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "16785d6f-a96c-496a-b885-18f482734c88",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "325af625-ca44-4e46-a5e2-223ace8bb123",
+ "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations",
+ "service": "Cognitive Services",
 "severity": "Medium",
- "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.",
+ "text": "Backup Your ChatGPT conversations",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618",
+ "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment",
+ "service": "Cognitive Services",
 "severity": "Medium",
- "text": "Implement SSO to SAP HANA",
+ "text": "CI/CD for custom speech",
 "waf": "Reliability"
 },
 {
- 
"checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "3687a046-7a1f-4893-9bda-43324f248116", + "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", + "service": "Cognitive Services", + "severity": "Low", + "text": "Move a knowledge base using export-import", + "waf": "Reliability" + }, + { + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant = (sku=~'{\"name\":\"Standard\"}') | distinct id,compliant", + "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", + "link": "https://learn.microsoft.com/azure/service-fabric/overview-managed-cluster#service-fabric-managed-cluster-skus", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. 
For more information, see Integrating the Service with Azure AD.",
+ "text": "Use Standard SKU for production scenarios.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
- "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
- "service": "SAP",
+ "checklist": "Azure Service Fabric Review Checklist",
+ "graph": "resources | where type=~'Microsoft.ServiceFabric/clusters' | extend nodeTypes= array_concat(properties.nodeTypes) | mv-expand nodeTypes | summarize BronzeDurabilityCount = countif(nodeTypes.durabilityLevel == 'Bronze') by id | extend compliant = (BronzeDurabilityCount == 0) | distinct id,compliant",
+ "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac",
+ "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-cluster-capacity#durability-characteristics-of-the-cluster",
+ "service": "Azure Service Fabric",
 "severity": "Medium",
- "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
+ "text": "Use durability level Silver (5 VMs) or greater for production scenarios",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
- "service": "SAP",
+ "checklist": "Azure Service Fabric Review Checklist",
+ "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant= ( properties.zonalResiliency =~ 'true') | distinct id,compliant",
+ "guid": "2363878d-55c4-4cbd-9bc2-94523c85f12e",
+ "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-availability-zones",
+ "service": "Azure Service Fabric",
 "severity": "Medium",
- "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between 
SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
+ "text": "Consider using Availability Zones for your Service Fabric clusters. Service Fabric managed cluster supports deployments that span across multiple Availability Zones to provide zone resiliency. This configuration will ensure high-availability of the critical system services and your applications to protect from single-points-of-failure.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
- "service": "SAP",
+ "checklist": "Azure Service Fabric Review Checklist",
+ "guid": "5ba74cc8-3ca2-44d5-9a67-bdc8e102e7b4",
+ "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-api-management-overview",
+ "service": "Azure Service Fabric",
 "severity": "Medium",
- "text": "Implement SSO to SAP BTP",
+ "text": "Consider using Azure API Management to expose and offload cross-cutting functionality for APIs hosted on the cluster. API Management can integrate with Service Fabric directly.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
- "service": "SAP",
+ "checklist": "Azure Service Fabric Review Checklist",
+ "guid": "ef17bb8f-4e2c-488b-8ceb-a07c3d750dd3",
+ "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-reliable-services-introduction",
+ "service": "Azure Service Fabric",
 "severity": "Medium",
- "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. 
With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.",
+ "text": "For stateful workload scenarios, consider using Reliable Services. The Reliable Services model allows your services to stay up even in unreliable environments where your machines fail or hit network issues, or in cases where the services themselves encounter errors and crash or fail. For stateful services, your state is preserved even in the presence of network or other failures.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "description": "Keep your management group hierarchy reasonably flat, no more than four.",
- "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)",
- "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
- "service": "SAP",
+ "checklist": "Azure Service Fabric Review Checklist",
+ "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | summarize compliant = countif(sku.name matches regex '^Standard_[^d]*$' ) by id",
+ "guid": "4da21268-f775-4c89-a271-eb80543c8df7",
+ "service": "Azure Service Fabric",
 "severity": "Medium",
- "text": "enforce existing Management Group policies to SAP Subscriptions",
- "training": 
"https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "Operations" + "text": "Avoid VM SKUs with temp disk offerings. Service Fabric uses managed disks by default, so avoiding temp disk offerings ensures you don't pay for unneeded resources.", + "waf": "Cost" }, { - "checklist": "SAP Checklist", - "graph": "Resources | summarize count()", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "High", - "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "Operations" + "checklist": "Azure Service Fabric Review Checklist", + "guid": "1890b796-f300-41a3-a8d4-29738c1f4ad0", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-stateless-node-type#temporary-disk-support", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "If you need to select a certain VM SKU for capacity reasons and it happens to offer temp disk, consider using temporary disk support for your stateless workloads.", + "waf": "Cost" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "High", - "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
- "waf": "Operations"
+ "checklist": "Azure Service Fabric Review Checklist",
+ "guid": "5247bb32-6778-49c7-8b40-e171c9a3ce1e",
+ "service": "Azure Service Fabric",
+ "severity": "Medium",
+ "text": "Align SKU selection and managed disk size with workload requirements. Matching your selection to your workload demands ensures you don't pay for unneeded resources.",
+ "waf": "Cost"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc",
- "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
- "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
- "service": "SAP",
- "severity": "High",
- "text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)",
- "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "waf": "Operations"
+ "checklist": "Azure Service Fabric Review Checklist",
+ "guid": "6028759b-446a-41bc-8b0e-7728e61ca704",
+ "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-networking#manage-nsg-rules",
+ "service": "Azure Service Fabric",
+ "severity": "Medium",
+ "text": "Ensure Network Security Groups (NSG) are configured to restrict traffic flow between subnets and node types. 
For example, you may have an API Management instance (one subnet), a frontend subnet (exposing a website directly), and a backend subnet (accessible only to frontend).",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
- "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
- "service": "SAP",
- "severity": "Low",
- "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.",
- "waf": "Operations"
+ "checklist": "Azure Service Fabric Review Checklist",
+ "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | extend compliant = (isnotnull(properties.virtualMachineProfile.osProfile.secrets))",
+ "guid": "4e98c903-14cf-4c72-9c45-b8b23bc4cbd8",
+ "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#deploy-key-vault-certificates-to-service-fabric-cluster-virtual-machine-scale-sets",
+ "service": "Azure Service Fabric",
+ "severity": "Medium",
+ "text": "Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets. Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
- "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
- "service": "SAP",
- "severity": "High",
- "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
- "waf": "Operations"
+ "checklist": "Azure Service Fabric Review Checklist",
+ "guid": "001cbb6f-d88d-4431-8434-d01333397776",
+ "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster",
+ "service": "Azure Service Fabric",
+ "severity": "Medium",
+ "text": "Apply an Access Control List (ACL) to your client certificate for your Service Fabric cluster. Using an ACL provides an additional level of authentication.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
- "severity": "High",
- "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
- "waf": "Operations"
+ "checklist": "Azure Service Fabric Review Checklist",
+ "guid": "4b74b7a5-bb1e-4fca-948c-037ba95fb73b",
+ "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-resource-governance#resource-governance-mechanism",
+ "service": "Azure Service Fabric",
+ "severity": "Medium",
+ "text": "Use resource requests and limits to govern resource usage across the nodes in your cluster. 
Enforcing resource limits helps ensure that one service doesn't consume too many resources and starve other services.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
- "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
- "service": "SAP",
+ "checklist": "Azure Service Fabric Review Checklist",
+ "guid": "cd9233ba-f3aa-4353-8d2f-7ea4a64160e6",
+ "link": "",
+ "service": "Azure Service Fabric",
 "severity": "Medium",
- "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
- "waf": "Operations"
+ "text": "Encrypt Service Fabric package secret values. Encryption on your secret values provides an additional level of security.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
- "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
- "service": "SAP",
- "severity": "High",
- "text": "Help protect your HANA database by using the Azure Backup service.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "checklist": "Azure Service Fabric Review Checklist",
+ "guid": "44b989d4-9f72-42b6-99da-ec2a79f83299",
+ "link": "",
+ "service": "Azure Service Fabric",
+ "severity": "Medium",
+ "text": "Include client certificates in Service Fabric applications. 
Having your applications use client certificates for authentication provides opportunities for security at both the cluster and workload level.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
- "service": "SAP",
+ "checklist": "Azure Service Fabric Review Checklist",
+ "guid": "28e66ff7-4a77-4b2c-910d-0335f141208a",
+ "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets",
+ "service": "Azure Service Fabric",
 "severity": "Medium",
- "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.",
+ "text": "Authenticate Service Fabric applications to Azure Resources using Managed Identity. 
Using Managed Identity allow you to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
- "severity": "High",
- "text": "Ensure time-zone matches between the operating system and the SAP system.",
- "waf": "Operations"
+ "checklist": "Azure Service Fabric Review Checklist",
+ "guid": "f16c413c-00a6-43aa-852c-b97292c33a56",
+ "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#hosting-untrusted-applications-in-a-service-fabric-cluster",
+ "service": "Azure Service Fabric",
+ "severity": "Medium",
+ "text": "Follow Service Fabric best practices when hosting untrusted applications. Following the best practices provides a security standard to follow.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
- "service": "SAP",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
- "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
- "service": "SAP",
- "severity": "Low",
- "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
- "waf": "Cost"
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716",
+ "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
+ "service": "Spring Apps",
+ "severity": "Medium",
+ "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
- "link": "https://learn.microsoft.com/azure/lighthouse/overview",
- "service": "SAP",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. 
Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
- "waf": "Operations"
+ "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
- "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
- "waf": "Operations"
+ "text": "Use more than 1 app instance for your apps",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
- "service": "SAP",
- "severity": "Low",
- "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
- "waf": "Operations"
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "7504c230-6035-4183-95a5-85762acc6075",
+ "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services",
+ "service": "Spring Apps",
+ "severity": "Medium",
+ "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
- "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
- "service": "SAP",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "Operations"
+ "text": "Set up autoscaling in Spring Cloud Gateway",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
- "service": "SAP",
- "severity": "High",
- "text": "Run a VM Extension for SAP check. 
VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
- "waf": "Operations"
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "97411607-b6fd-4335-99d1-9885faf4e392",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale",
+ "service": "Spring Apps",
+ "severity": "Low",
+ "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "SAP",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3",
+ "link": "https://learn.microsoft.com/azure/spring-apps/overview",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "Operations"
+ "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
- "service": "SAP",
- "severity": "Medium",
- "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
- "waf": "Operations"
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ",
+ "guid": "87af4a79-1f89-439b-ba47-768e14c11567",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key",
+ "service": "Service Bus",
+ "severity": "Low",
+ "text": "Use customer-managed key option in data at rest encryption when required",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.",
+ "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version",
+ "service": "Service Bus",
 "severity": "Medium",
- "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
- "waf": "Operations"
+ "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
- "severity": "High",
- "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "waf": "Performance"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
- "service": "SAP",
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
",
+ "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
+ "service": "Service Bus",
 "severity": "Medium",
- "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
- "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
+ "text": "Avoid using root account when it is not necessary",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
- "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.",
+ "graph": "Resources | where type =~ 'microsoft.servicebus/namespaces' | extend compliant = iif(properties.disableLocalAuth == 'false', 'No', 'Yes') | project id, compliant",
+ "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
+ "link": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication",
+ "service": "Service Bus",
 "severity": "Medium",
- "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
- "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
+ "text": "When possible, disable SAS key authentication (or local authentication) and use only Microsoft Entra ID for authentication",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
- "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "service": "SAP",
- "severity": "Medium",
- "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
- "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
- "waf": "Operations"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
- "service": "SAP",
- "severity": "Low",
- "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
- "waf": "Performance"
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
",
+ "guid": "f615658d-e558-4f93-9249-b831112dbd7e",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
+ "service": "Service Bus",
+ "severity": "High",
+ "text": "Use least privilege data plane RBAC",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.",
+ "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
+ "service": "Service Bus",
 "severity": "Medium",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ",
+ "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
+ "service": "Service Bus",
 "severity": "Medium",
- "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
- "waf": "Performance"
+ "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c027f893-f404-41a9-b33d-39d625a14964",
- "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
- "service": "SAP",
- "severity": "Low",
- "text": "Consider collecting full database statistics for non-HANA databases after migration. 
For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
- "waf": "Performance"
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
+ "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering",
+ "service": "Service Bus",
+ "severity": "Medium",
+ "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
- "service": "SAP",
- "severity": "Medium",
- "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
- "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
- "waf": "Performance"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Restrict the use of local authentication methods for data plane access. 
Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.",
+ "guid": "32d41e36-11c8-417b-8afb-c410d4391898",
+ "service": "Synapse",
+ "severity": "High",
+ "text": "Restrict use of local users on sql workloads on Synapse",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
- "service": "SAP",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Use Microsoft Entra ID as the default authentication method to control your data plane access.",
+ "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext",
+ "service": "Synapse",
 "severity": "Medium",
- "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. 
We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
- "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
- "waf": "Performance"
+ "text": "Use managed identity to authenticate to the services",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.",
+ "guid": "ec823923-7a15-42d6-ac5e-402925388e5d",
+ "service": "Synapse",
 "severity": "High",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "waf": "Operations"
+ "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Azure Synapse also includes Synapse role-based access control (RBAC) roles to manage different aspects of Synapse Studio. 
Leverage these built-in roles to assign permissions to users, groups, or other security principals to manage who can Publish code artifacts and list or access published code artifacts,Execute code on Apache Spark pools and integration runtimes,Access linked (data) services that are protected by credentials,Monitor or cancel job executions, review job output and execution logs.",
+ "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need",
+ "service": "Synapse",
 "severity": "Medium",
- "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
+ "text": "Use Azure RBAC to control access on storage and Synapse RBAC to control access on workspace level depending on the personas of the team to fine grain the access on data and compute",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f",
+ "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext",
+ "service": "Synapse",
 "severity": "Medium",
- "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. 
Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
- "waf": "Operations"
+ "text": "Implement RLS, CLS and data masking on sql workloads in dedicated sql pool to add additional layer of security",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network. This can be selected when deploying a workspace",
+ "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16",
+ "service": "Synapse",
 "severity": "Medium",
- "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
- "waf": "Operations"
+ "text": "Use managed vnet workspace to restrict the access over public internet",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "description": "When configuring VNet peering, use the Allow traffic to remote virtual networks setting.",
- "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)",
- "guid": "a3592829-e6e2-4061-9368-6af46791f893",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "To protect any sensitive data, it's recommended to disable public access to the workspace endpoints entirely. 
By doing so, it ensures all workspace endpoints can only be accessed using�private endpoints.",
+ "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16",
+ "service": "Synapse",
 "severity": "Medium",
- "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
- "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
+ "text": "Configure private endpoints to connect to the external services and disable public access",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
- "service": "SAP",
- "severity": "High",
- "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
- "training": "https://me.sap.com/notes/2731110",
- "waf": "Performance"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "If public access needs to be enabled, it's highly recommended to configure the IP firewall rules to allow inbound connections only from the specified list of public IP addresses.",
+ "guid": "294798b1-178a-42c5-a46c-eb544350d092",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall",
+ "service": "Synapse",
+ "text": "If enabling public access highly recommended to configure IP firewall rules",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant",
- "guid": 
"7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
- "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
- "service": "SAP",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "d234292b-7528-4537-a551-c5bf4e4f1854",
+ "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory",
+ "service": "Synapse",
 "severity": "Medium",
- "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
- "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "waf": "Operations"
+ "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn�t leave your corporate network",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
- "service": "SAP",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "This can be done only when deploying the workspace, but Python libraries installed from public repositories like PyPI are not supported. 
(Think about the limitation before enabling it)",
+ "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection",
+ "service": "Synapse",
 "severity": "Medium",
- "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
- "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
- "waf": "Operations"
+ "text": "Enable Data Exfiltration Protection (DEP)",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
- "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
- "service": "SAP",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "First layer of encryption is done by Microsoft managed keys, you can add a second layer of encryption using Customer managed Keys",
+ "guid": "e337897e-31b6-47d6-9be5-962a1193846d",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption",
+ "service": "Synapse",
 "severity": "Medium",
- "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
- "waf": "Operations"
+ "text": "Data Encryption at rest using Customer managed Keys for workspace",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
- "guid": "82734c88-6ba2-4802-8459-11475e39e530",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
- "severity": "High",
- "text": "Public IP assignment to VM running SAP Workload is not recommended.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Azure Synapse leverages TLS to ensure data is encrypted in motion. SQL dedicated pools support TLS 1.0, TLS 1.1, and TLS 1.2 versions for encryption wherein Microsoft-provided drivers use TLS 1.2 by default. 
Serverless SQL pool and Apache Spark pool use TLS 1.2 for all outbound connections.",
+ "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Data Encryption in transit ",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
- "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
- "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "service": "SAP",
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Use Keyvaults to store your secrets and credentials",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5",
+ "service": "Synapse",
 "severity": "High",
- "text": "Consider reserving IP address on DR side when configuring ASR",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Operations"
+ "text": "Store passwords, secerts and keys in Azure key vault",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Restrict the use of local authentication methods for data plane access. 
Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.",
+ "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39",
+ "service": "Data Factory",
 "severity": "High",
- "text": "Avoid using overlapping IP address ranges for production and DR sites.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
- "waf": "Operations"
+ "text": "Restrict use of local users whereever necessary",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
- "service": "SAP",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Managed identities eliminate the need to manage credentials. Managed identities provide an identity for the service instance when connecting to resources that support Microsoft Entra authentication.",
+ "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity",
+ "service": "Data Factory",
 "severity": "Medium",
- "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.",
- "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
- "waf": "Operations"
+ "text": "Use managed identity to authenticate to the services",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
- "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
- "service": "SAP",
- "severity": "Medium",
- "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
- "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "service": "Data Factory",
+ "severity": "High",
+ "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
- "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
- "service": "SAP",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review 
checklist",
+ "guid": "6898a535-e337-4897-b31b-67d67be5962a",
+ "service": "Data Factory",
 "severity": "Medium",
- "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.",
- "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
+ "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn�t leave your corporate network",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "When you create an Azure integration runtime within a Data Factory managed virtual network, the integration runtime is provisioned with the managed virtual network. 
It uses private endpoints to securely connect to supported data stores.",
+ "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12",
+ "service": "Data Factory",
 "severity": "Medium",
- "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
- "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
+ "text": "Use managed vnet IR to restrict the access over public internet for Azure Integration Runtime",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Managed private endpoints are private endpoints created in the Data Factory managed virtual network that establishes a private link to Azure resources. Data Factory manages these private endpoints on your behalf.",
+ "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints",
+ "service": "Data Factory",
 "severity": "Medium",
- "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. 
Lock down Application Gateway to receive traffic only from Azure Front Door.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
+ "text": "Configure managed private endpoints to connect to resources using managed azure IR",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5ada4332-4e13-4811-9231-81aa41742694",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "This is a default setting",
+ "guid": "6ceb5443-5135-4922-9442-93bb628637a5",
+ "service": "Data Factory",
 "severity": "Medium",
- "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
+ "text": "Data Encryption at rest by Microsoft managed keys",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "This is a default setting",
+ "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a",
+ "service": "Data Factory",
 "severity": "Medium",
- "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door",
- "waf": "Performance"
+ "text": "Data Encryption in transit by Microsoft managed keys",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
- "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
- "service": "SAP",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "When you specify a customer-managed key, Data Factory uses�both�the factory system key and the CMK to encrypt customer data. Missing either would result in Deny of Access to data and factory.",
+ "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c",
+ "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key",
+ "service": "Data Factory",
 "severity": "Medium",
- "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations",
+ "text": "Data Encryption in transit by BYOK (Customer managed keys)",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking",
- "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
- "service": "SAP",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "faa62a15-9495-46da-a7dc-3a23267b2258",
+ "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities",
+ "service": "Data Factory",
 "severity": "High",
- "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.",
- "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
- "waf": "Performance"
+ "text": "Store passwords, secrets in Azure Key Vault",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "6db55f57-9603-4334-adf9-cc23418db612",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.",
- "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "text": "Define roles and responsibilities to manage Microsoft Purview in control plane and data plane",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc",
- "guid": "6791f893-5ada-4433-84e1-3811523181aa",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Use Azure RBACs for this",
+ "guid": "8126504b-b47a-4393-a080-427294798b15",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.",
- "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations",
+ "text": "Define roles and tasks required to deploy and manage Microsoft Purview inside an Azure subscription (control plane)",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "45bbe609-d8a0-43e9-9778-424d616785d6",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
- "severity": "High",
- "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "waf": "Performance"
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Use Microsoft Purview roles for this.",
+ "guid": "78b219a4-6ceb-4544-9513-5922744293bb",
+ "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+ "service": "Microsoft Purview",
+ "severity": "Medium",
+ "text": "Define roles and task needed to perform data management and governance using Microsoft Purview. 
(Data plane for Data Map and Data Catalog.)",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fa96c96a-d885-418f-9827-34c886ba2802",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "628637a5-5119-4b08-b8f5-854387e9cec1",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.",
- "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups",
- "waf": "Performance"
+ "text": "Assign roles to Microsoft Entra groups instead of assigning roles to individual users.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "66cd072a-f9b2-441a-a98a-535e737897e7",
+ "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview",
+ "service": "Microsoft Purview",
+ "severity": "Medium",
+ "text": "Use Azure�Active Directory Entitlement Management�to map user access to Microsoft Entra groups using Access Packages.",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23",
+ "service": "Microsoft Purview",
 "severity": "High",
- "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "waf": "Performance"
+ "text": "Enforce multifactor authentication for Microsoft Purview users, especially, for users with privileged roles such as collection admins, data source admins or data curators.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec",
+ "service": "Microsoft Purview",
 "severity": "High",
- "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "waf": "Cost"
+ "text": "Use Microsoft Entra ID to provide authentication and authorization to all users, security groups registered in Entra, service principal and managed identities inside collections in Microsoft Purview",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "402a9846-d515-4061-aff8-cd30088693fa",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e",
+ "service": "Microsoft Purview",
 "severity": "High",
- "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Performance"
+ "text": "Define Least Privilege model and Lower exposure of privileged accounts",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "87585797-5551-4d53-bb7d-a94ee415734d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23",
+ "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering",
+ "text": "Enable�end-to-end network isolation�using Private Link Service. (Microsoft Purview Data Map)",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a",
- "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
- "service": "SAP",
- "severity": "High",
- "text": "Review SAP HANA database backups for Azure VMs.",
- "waf": "Cost"
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "418db612-8126-4504-ab47-a393a0804272",
+ "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access",
+ "service": "Microsoft Purview",
+ "severity": "Medium",
+ "text": "Use�Microsoft Purview Firewall�to disable Public access. (Microsoft Purview Data Map)",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "94798b15-78b2-419a-96ce-b54435135922",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Review Site Recovery built-in monitoring, where used for SAP.",
- "waf": "Cost"
+ "text": "Deploy�Network Security Group (NSG) rules�for subnets where Azure data sources private endpoints, Microsoft Purview private endpoints and self-hosted runtime VMs are deployed. 
(Microsoft Purview Data Map)",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf",
- "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US",
- "service": "SAP",
- "severity": "High",
- "text": "Review the Monitoring the SAP HANA System Landscape guidance.",
- "waf": "Operations"
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "744293bb-6286-437a-9511-9b08e8f58543",
+ "link": "https://learn.microsoft.com/azure/firewall/overview",
+ "service": "Microsoft Purview",
+ "severity": "Medium",
+ "text": "Implement Microsoft Purview with private endpoints managed by a Network Virtual Appliance, such as�Azure Firewall�for network inspection and network filtering. (Microsoft Purview Data Map)",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "This private endpoint is also a prerequisite for the portal private endpoint. The Microsoft Purview�portal�private endpoint is required to enable connectivity to Microsoft Purview governance portal using a private network. Microsoft Purview can scan data sources in Azure or an on-premises environment by using ingestion private endpoints. 
Limitations on using private endpoints https://learn.microsoft.com/purview/catalog-private-link-troubleshoot",
+ "guid": "87e9cec1-66cd-4072-af9b-241a998a535e",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-network",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Review Oracle Database in Azure Linux VM backup strategies.",
- "waf": "Operations"
+ "text": "Deploy private endpoints for Microsoft Purview accounts to add another layer of security, so only client calls that are originated from within the virtual network are allowed to access the Microsoft Purview account",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962",
- "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. 
Limitation to be reviewed: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot",
+ "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Review the use of Azure Blob Storage with SQL Server 2016.",
- "waf": "Operations"
+ "text": "Block public access using Microsoft Purview firewall",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b82e650f-676d-417d-994d-fc33ca54ec14",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec",
+ "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Review the use of Automated Backup v2 for Azure VMs.",
- "waf": "Operations"
+ "text": "Use Network Security Groups to filter network traffic to and from Azure resources in an Azure virtual network",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms",
+ "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de",
+ "service": "Microsoft Purview",
 "severity": "High",
- "text": "Enabling Write accelerator for M series when using premium disks(V1)",
- "waf": "Operations"
+ "text": "If you have sensitive data that cannot leave the boundary of your on-prem vnet it is highly recommended to use SHIR VMs inside your corporate vnet to extract your 
metadata ",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Metadata is extracted and stored in Microsoft Purview Data Map, if you are not using managed storage account for your Purview account they are open to be accessed by all so implement proper RBACs and retrict the access of Data to only intended users. Applicable to Accounts deployed after December 15, 2023 (or deployed using API version 2023-05-01-preview onwards",
+ "guid": "7f3165c3-a87a-405b-9a20-9949bda47778",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Test availability zone latency.",
- "waf": "Performance"
+ "text": "Use Azure RBACs to restrict the access of your storage account (not managed by MS) only to intended users.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d",
- "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Activate SAP EarlyWatch Alert for all SAP components.",
- "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html",
- "waf": "Performance"
+ "text": "Data in rest is encrypted by microsoft managed keys",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
- "service": "SAP",
+ "checklist": "Use the 
'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.",
- "training": "https://me.sap.com/notes/0002879613",
- "waf": "Performance"
+ "text": "Data in transit is encrypted by TLS 1.3",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
- "service": "SAP",
- "severity": "Medium",
- "text": "Review SQL Server performance monitoring using CCMS.",
- "waf": "Performance"
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370",
+ "service": "Microsoft Purview",
+ "severity": "High",
+ "text": "Always use Azure key vaults to store all credentials if not using managed identities or without password need methods",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
- "link": "https://me.sap.com/notes/500235",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "6f7c0cba-fe61-4465-add4-57e927139b82",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).",
- "training": "https://me.sap.com/notes/1100926/E",
- "waf": "Performance"
+ "text": "Prevent accidental deletion of Microsoft Purview accounts by applying resource Locks",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43",
- "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4722d928",
+ "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Review SAP HANA studio alerts.",
- "waf": "Performance"
+ "text": "Plan for a break glass strategy for your Microsoft Entra tenant, Azure subscription and Microsoft Purview accounts to prevent tenant-wide account lockout.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694",
- "link": "https://me.sap.com/notes/1969700",
- "service": "SAP",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21",
+ "service": "Microsoft Purview",
 "severity": "Medium",
- "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.",
- "waf": "Performance"
+ "text": "Integrate with Microsoft 365 and Microsoft Defender for Cloud",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
- "service": "SAP",
- "severity": "Medium",
- "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.",
- "training": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Separate admin accounts from normal user accounts.",
+ "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
+ "service": "Databricks",
+ "severity": "High",
+ "text": "Define Least Privilege model and Lower exposure of privileged accounts",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "08951710-79a2-492a-adbc-06d7a401545b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
- "service": "SAP",
- "severity": "Medium",
- "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.",
- "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Azure Databricks supports Microsoft Entra ID conditional access, which allows administrators to control where and when users are permitted to sign in to Azure Databricks. Conditional access policies can restrict sign-in to your corporate network or can require multi-factor authentication (MFA).",
+ "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
+ "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on",
+ "service": "Databricks",
+ "severity": "High",
+ "text": "Configure single sign-on and unified login. Enable multi-factor authentication.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
- "service": "SAP",
- "severity": "Low",
- "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. 
Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Customers can use the Token Management API or UI controls to enable or disable personal access tokens (PATs) for REST API authentication, limit the users who are allowed to use PATs, set the maximum lifetime for new tokens, and manage existing tokens. Highly-secure customers typically provision a maximum token lifetime for new tokens for a workspace. This feature requires the Premium pricing tier.",
+ "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0",
+ "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens",
+ "service": "Databricks",
+ "severity": "Medium",
+ "text": "Use token management.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
- "service": "SAP",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "If you have Databricks administrators who are also normal users of the Databricks platform (for example, there�s a lead data engineer who administers the platform and also does data engineering work), Databricks recommends creating a separate account for administrative tasks. It�s important to note that as part of the Azure RBAC model, users that are given Contributor or above permissions to the Resource Group for a deployed Azure Databricks workspace automatically become administrators when they login to that workspace. 
Therefore, the same considerations outlined above should be applied to Azure portal users too.",
+ "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56",
+ "service": "Databricks",
 "severity": "High",
- "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.",
- "training": "https://me.sap.com/notes/3019299/E",
+ "text": "Separate admin accounts from normal user accounts",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
- "severity": "High",
- "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "SCIM (System for Cross-domain Identity Management) allows you to sync users and groups from Microsoft Entra ID to Azure Databricks. There are three major benefits of this approach: 1. When you remove a user, the user is automatically removed from Databricks. 2. Users can also be disabled temporarily via SCIM. Customers have used this capability for scenarios where customers believe that an account may be compromised and need to investigate 3. Groups are automatically synchronized Please refer to the documentation for detailed instructions on how to configure SCIM for Azure Databricks. 
This feature requires the Premium pricing tier",
+ "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36",
+ "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/",
+ "service": "Databricks",
+ "severity": "Medium",
+ "text": "SCIM synchronization of users and groups.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
- "service": "SAP",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Using either cluster policies or the older cluster ACLs, admins can define what users or groups within the organization are able to create clusters. Cluster ACLs allow you to specify which users can attach a notebook to a given cluster. Note that if a user shares a notebook already attached to a standard mode cluster, the recipient will also be able to execute code on that cluster. This does not apply to clusters that enforce user isolation: SQL Warehouses, high concurrency with table ACLs clusters, and high concurrency with credential passthrough clusters. Customers who use Unity Catalog can also enable single-user clusters to enforce isolation clusters.",
+ "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d",
+ "service": "Databricks",
 "severity": "Medium",
- "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.",
- "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations",
+ "text": "Limit cluster creation rights.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName",
- "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
- "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "It�s important to note that even if customers use Azure Key Vault to store their secrets, access controls still need to be defined within Azure Databricks. 
This is because the same service identity is used to retrieve the secret for all users of an Azure Databricks workspace.",
+ "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1",
+ "service": "Databricks",
 "severity": "High",
- "text": "Use Azure Key Vault to store your secrets and credentials",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "text": "Store passwords, secrets in Azure Key Vault",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "829e2edb-2173-4676-aff6-691b4935ada4",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
- "service": "SAP",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Clusters with user isolation include enforcement such that each user runs as a different non-privileged user account on the cluster host. Languages are also limited to those that can be implemented in an isolated manner (SQL and Python), and Spark APIs must be on an allowlist of those we believe to be isolation-safe.",
+ "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3",
+ "service": "Databricks",
 "severity": "Medium",
- "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. 
You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).",
- "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations",
+ "text": "Use clusters that support user isolation.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
- "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "It is against security best practices to tie production workloads to individual user accounts, and so we recommend configuring Service Principals within Databricks. Service Principles separate administrator and user actions from the workload and prevent workloads from being impacted if a user leaves an organization. With Databricks, you can configure jobs to run as service principals and generate Personal Access Tokens for Service Principals.",
+ "guid": "e29711b1-352b-4eee-879b-588defc5972c",
+ "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/",
+ "service": "Databricks",
 "severity": "Medium",
- "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "text": "Use service principals to run production jobs. 
Use proper access control for workspace level (ACLs), account level (RBACs) and data level (Unity catalog) security controls",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
- "service": "SAP",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "By default, DBFS is a filesystem that is accessible to all users of the given workspace and can be accessed via API. This is not necessarily a major data exfiltration concern as you can limit access to accessing data via the DBFS API or Databricks cli using IP access lists or private network access. However, as use of Azure Databricks grows and more users join a workspace, those users would have access to any data stored in DBFS, creating the potential for undesired information sharing. Databricks recommends that our customers do not store production data in DBFS.",
+ "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c",
+ "service": "Databricks",
 "severity": "High",
- "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed",
- "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations",
+ "text": "Avoid storing production data in DBFS.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
- "severity": "High",
- "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "For the storage accounts that you manage, it is your responsibility to ensure that the storage accounts are protected according to your requirements. Examples might include: Encryption with your customer-managed key, Restrict access to trusted networks with a storage firewall, Anonymous public access is not allowed",
+ "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys",
+ "service": "Databricks",
+ "severity": "Medium",
+ "text": "Encrypt storage and restrict access.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
- "service": "SAP",
- "severity": "High",
- "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.",
- "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Add a customer-managed key for select data stored within the Azure Databricks control plane, such as notebooks, secrets, Databricks SQL queries, and Databricks SQL query history and for the root storage account used for DBFS. Azure Databricks requires access to this key for ongoing operations. 
You can revoke access to the key to prevent Azure Databricks from accessing encrypted data within the control plane (or in our backups). This is like a �nuclear option� where the workspace ceases to function, but it provides an emergency control for extreme situations. This feature requires the Premium pricing tier.",
+ "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys",
+ "service": "Databricks",
+ "severity": "Medium",
+ "text": "Add a customer-managed key for managed services and workspace storage",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
- "severity": "Low",
- "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS",
- "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Configure IP access lists that restrict the IP addresses that can authenticate to Databricks at account console and workspace level by checking if the user or API client is coming from a known good IP address range such as a VPN or office network. Established user sessions do not work if the user moves to a bad IP address, such as when disconnecting from the VPN. ",
+ "guid": "277de183-b1ac-4252-a9a9-b64608489a8f",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list",
+ "service": "Databricks",
+ "severity": "Medium",
+ "text": "Enable IP access lists to restrict access to certain IP addresses.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
- "service": "SAP",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Azure Private Link provides a private network route from one Azure environment to another. Private Link can be configured both between Azure Databricks users and the control plane, and also between the control plane and the data plane. Between Databricks users and the control plane, Private Link provides strong controls that limit the source for inbound requests. If a company already routes traffic through an Azure environment, they can use Private Link so that the communication between users and the Azure Databricks control plane does not traverse public IP addresses. This feature requires the Premium pricing tier. Use Azure Private Link to connect from Azure Databricks to your Azure resources. 
Not only does Private Link ensure",
+ "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link",
+ "service": "Databricks",
 "severity": "Medium",
- "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "text": "Configure and use Azure Private Link to access Azure resources.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName",
- "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
- "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
- "service": "SAP",
- "severity": "High",
- "text": "Use an Azure Key Vault per application per environment per region.",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "MySQL Review Checklist",
+ "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview",
+ "service": "Azure MySQL",
+ "severity": "Medium",
+ "text": "Leverage Flexible Server",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
- "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
- "service": "SAP",
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "MySQL Review Checklist",
+ "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones",
+ "service": "Azure MySQL",
 "severity": "High",
- "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
- "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
+ "text": "Leverage Availability Zones where regionally applicable",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
- "service": "SAP",
- "severity": "High",
- "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
- "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "MySQL Review Checklist",
+ "guid": "1e944a45-9c37-43e7-bd61-623b365a917e",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication",
+ "service": "Azure MySQL",
+ "severity": "Medium",
+ "text": "Leverage Data-in replication for cross-region DR scenarios",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
- "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
- "service": "SAP",
- "severity": "High",
- "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
- "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
+ "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "service": "AppGW",
+ "severity": "Medium",
+ "text": "Ensure you are using Application Gateway v2 SKU",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
- "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
- "service": "SAP",
- "severity": "Low",
- "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.",
- "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
+ "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "Load Balancer",
+ "severity": "Medium",
+ "text": "Ensure you are using the Standard SKU for your Azure Load Balancers",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
- "service": "SAP",
- "severity": "Low",
- "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
- "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
+ "service": "Load Balancer",
+ "severity": "Medium",
+ "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
- "severity": "High",
- "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
+ "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
+ "service": "AppGW",
+ "severity": "Medium",
+ "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
- "severity": "Low",
- "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
- "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.",
+ "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "AppGW",
+ "severity": "Medium",
+ "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
- "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
- "service": "SAP",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
+ "link": "https://learn.microsoft.com/azure/application-gateway/tutorial-protect-application-gateway-ddos",
+ "service": "AppGW",
 "severity": "Medium",
- "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
- "service": "Cognitive Search",
- "severity": "High",
- "text": "Enable 2 replicas to have 99.9% availability for read operations",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
+ "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
+ "service": "AppGW",
+ "severity": "Medium",
+ "text": "Configure autoscaling with a minimum amount of instances of two.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "7d956fd9-788a-4845-9b9f-c0340972d810",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
- "service": "Cognitive Search",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
+ "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
+ "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
+ "service": "AppGW",
 "severity": "Medium",
- "text": "Enable 3 replicas to have 99.9% availability for read/write operations",
+ "text": "Deploy Application Gateway across Availability Zones",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support",
- "service": "Cognitive Search",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Reliability"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/trafficManagerProfiles",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Traffic Manager",
 "severity": "High",
- "text": "Leverage Availability Zones by enabling read and/or write replicas",
+ "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions",
- "service": "Cognitive Search",
- "severity": "Medium",
- "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "Entra",
+ "severity": "Low",
+ "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?",
+ "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services",
- "service": "Cognitive Search",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "Entra",
 "severity": "Medium",
- "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services",
+ "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests",
- "service": "Cognitive Search",
- "severity": "Medium",
- "text": "Use Azure Traffic Manager to coordinate requests",
+ "ammp": true,
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
+ "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
+ "service": "Load Balancer",
+ "severity": "High",
+ "text": "Use Azure NAT Gateway instead of Load 
Balancer outbound rules for better SNAT scalability",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives",
- "service": "Cognitive Search",
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
+ "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
+ "service": "AppGW",
 "severity": "High",
- "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files",
+ "text": "Enable the Azure Application Gateway WAF bot protection rule set. 
The bot rules detect good and bad bots.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Monitor", - "severity": "Medium", - "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "AppGW", + "severity": "High", + "text": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Backup", - "severity": "Medium", - "text": "check backup instances with the underlying datasource not found", - "waf": "Cost" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "AppGW", + "severity": "High", + "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "severity": "Medium", - "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", - "waf": "Cost" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", + "service": "AppGW", + "severity": "High", + "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Backup", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "AppGW", "severity": "Medium", - "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", - "waf": "Cost" + "text": "Add rate limiting to the Azure Application Gateway 
WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Monitor", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "AppGW", "severity": "Medium", - "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Cost" + "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Monitor", - "severity": "Medium", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Cost" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "AppGW", + "severity": "Low", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "AppGW", "severity": "Medium", - "text": "Check that the disks are really needed, if not: delete. 
If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Cost" + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "AppGW", "severity": "Medium", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" + "text": "Use the latest Azure Application Gateway WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "AppGW", "severity": "Medium", - "text": "Make sure advisor is configured for VM right sizing ", - "waf": "Cost" + "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "check by searching the Meter Category Licenses in the Cost analysys", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "AppGW", "severity": "Medium", - "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", - "waf": "Cost" + "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "waf": 
"Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "AppGW", "severity": "Medium", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Cost" + "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "AppGW", "severity": "Medium", - "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Cost" + "text": "Use WAF Policies instead of the legacy WAF configuration.", + "waf": "Operations" }, { - "arm-service": 
"Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "AppGW", "severity": "Medium", - "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", - "waf": "Cost" + "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "severity": "Medium", - "text": "Only larger disks can be reserved => 1 TiB -", - "waf": "Cost" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "AppGW", + "severity": "High", + "text": "You should encrypt traffic to the backend servers.", + 
"waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "severity": "Medium", - "text": "After the right-sizing optimization", - "waf": "Cost" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "AppGW", + "severity": "High", + "text": "You should use a Web Application Firewall.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "AppGW", "severity": "Medium", - "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Cost" + "text": "Redirect HTTP to HTTPS", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", + "arm-service": "microsoft.network/applicationGateways", + 
"checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "AppGW", "severity": "Medium", - "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", - "waf": "Cost" + "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "severity": "Medium", - "text": "Consider using a VMSS to match demand rather than flat sizing", - "waf": "Cost" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "AppGW", + "severity": "High", + "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "severity": "Medium", - "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", - "waf": "Cost" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": 
"https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "AppGW", + "severity": "Low", + "text": "Create custom error pages to display a personalized user experience", + "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Backup", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "AppGW", "severity": "Medium", - "text": "Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "AppGW", "severity": "Medium", - "text": "Consider using Spot VMs with fallback where possible. 
Consider autotermination of clusters.", - "waf": "Cost" + "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", + "waf": "Performance" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Functions", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "AppGW", "severity": "Medium", - "text": "Functions - Reuse connections", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Cost" + "text": "Use transport layer load balancing", + "waf": "Performance" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Functions", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "AppGW", "severity": "Medium", - "text": "Functions - Cache data locally", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Cost" + "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost 
Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Functions", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "AppGW", "severity": "Medium", - "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Cost" + "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Functions", - "severity": "Medium", - "text": "Functions - Keep your functions warm", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Cost" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "AppGW", + "severity": "Low", + "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", + "waf": "Reliability" }, { - "arm-service": 
"Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Functions", - "severity": "Medium", - "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", - "waf": "Cost" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "High", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Functions", - "severity": "Medium", - "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", - "waf": "Cost" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": 
"https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Functions", - "severity": "Medium", - "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Cost" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "severity": "Medium", - "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.", - "waf": "Cost" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "severity": "Medium", - "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. 
The advantage of this is you will be able to log out when it is called.", - "waf": "Cost" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "severity": "Medium", - "text": "Consider archiving tiers for less used data", - "waf": "Cost" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "High", + "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", "severity": "Medium", - "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing", - "waf": "Cost" + "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. 
Familiarize yourself with the Key Vault's availability and redundancy.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", "severity": "Medium", - "text": "Consider using standard SSD rather than Premium or Ultra where possible", - "waf": "Cost" + "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. Familiarize yourself with the Key Vault's data replication.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", "severity": "Medium", - "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", - "waf": "Cost" + "text": "During failover, access policy or firewall configurations and settings can't be changed. 
The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "severity": "Medium", - "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", - "waf": "Cost" + "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "severity": "Medium", - "text": "Storage accounts: check hot tier and/or GRS necessary", - "waf": "Cost" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "High", + "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "severity": "Medium", - "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", - "waf": "Cost" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "Low", + "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "severity": "Medium", - "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", - "waf": "Cost" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Low", + "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "severity": "Medium", - "text": "Export cost data to a storage account for additional data analysis.", - "waf": "Cost" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Low", + "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. 
Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "severity": "Medium", - "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", - "waf": "Cost" + "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", + "guid": "d0642c1c-312b-4116-94ab-439e1c836819", + "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", + "service": "Key Vault", "severity": "Medium", - "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", - "waf": "Cost" + "text": "RBAC is recommended to control access to your key vault. 
Familiarize yourself with the Key Vault's access control guidance.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7bc1c396-2461-4698-b57f-30ca69525252", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", + "service": "VNet", "severity": "Medium", - "text": "Create multiple Apache Spark pool definitions of various sizes.", - "waf": "Cost" + "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "Medium", - "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": 
"Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", + "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "Low", + "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.", + "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", + "waf": "Operations" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", + "severity": "High", + "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "waf": "Operations" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", + "severity": "High", + "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.", + "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", 
+ "waf": "Cost" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", + "severity": "High", + "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", + "severity": "Medium", + "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", + "severity": "Medium", + "text": "Only use groups to assign permissions. 
Add on-premises groups to the Entra ID only group if a group management system is already in place.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", + "severity": "High", + "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", + "severity": "High", + "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.", + "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", + "severity": "Medium", + "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", + "severity": "Medium", + "text": "If planning to switch from Active Directory Domain Services 
to Entra domain services, evaluate the compatibility of all workloads.", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", + "severity": "Medium", + "text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. ", + "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", + "severity": "Medium", + "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. 
Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", + "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", + "waf": "Reliability" + }, + { + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", + "severity": "High", + "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout. MFA will be turned on by default for all users in Oct 2024. We recommend updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. ", + "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", + "severity": "Medium", + "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", + "severity": "Medium", + "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one 
instance per tenant.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", + "severity": "Medium", + "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", + "severity": "High", + "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. 
If necessary, also deploy DNS services.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", + "severity": "High", + "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", + "severity": "Medium", + "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "severity": "Low", + "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix 
= subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "Low", + "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", + "severity": "Medium", + "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", + "severity": "Medium", + "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | 
mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "severity": "Medium", + "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "severity": "Medium", + "text": "Limit the number of routes per route table to 400.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": 
"c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", + "severity": "High", + "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", + "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", + "service": "Load Balancers", + "severity": "High", + "text": "Use 
Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "48682fb1-1e86-4458-a686-518ebd47393d", + 
"link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", + "service": "Load Balancers", + "severity": "High", + "text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", + "service": "ExpressRoute", + "severity": "Medium", + "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", + "severity": "High", + "text": "Ensure no 
overlapping IP address spaces across Azure regions and on-premises locations are used.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "Medium", + "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "High", + "text": "Ensure that IP 
address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", + "severity": "High", + "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Reliability" + }, + { + "checklist": "Azure Landing Zone Review", + "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", + "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", + "service": "Public IP Addresses", + "severity": "High", + "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. 
", + "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", + "service": "DNS", + "severity": "Medium", + "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", + "severity": "Medium", + "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "Low", + "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", + "training": "https://learn.microsoft.com/training/courses/az-700t00", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.Network/dnsZones", + 
"checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", + "severity": "High", + "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", + "service": "DNS", + "severity": "Medium", + "text": "Implement a plan for managing DNS resolution between multiple Azure regions and when services fail over to another region", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", + "severity": "Medium", + "text": "Use Azure Bastion to securely connect to your network.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where 
subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", + "severity": "Medium", + "text": "Use Azure Bastion in a subnet /26 or larger.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", + "severity": "Medium", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "Low", + "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. 
Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "High", + "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "High", + "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "High", + "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. 
On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "High", + "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", + "severity": "High", + "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Use ExpressRoute as the primary connection to Azure. 
Use VPNs as a source of backup connectivity.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing 
Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", + "severity": "High", + "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Cost" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", + "severity": "High", + "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Cost" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = 
properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + "severity": "Medium", + "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where 
properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", + "severity": "Medium", + "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", + "severity": "Medium", + "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "severity": "High", + "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Cost" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When traffic isolation or dedicated bandwidth is required, such as for separating 
production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId 
| extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Use ExpressRoute circuits from different peering locations for redundancy.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "Medium", - "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where 
subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", + "severity": "High", + "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", + "severity": "High", + "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", "severity": "Medium", - "text": "Right-sizing all VMs", - "waf": "Cost" + "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", "severity": "Medium", - "text": "Swap VM sized with normalized and most recent sizes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": 
"fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", + "severity": "High", + "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "severity": "Medium", - "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", 
"severity": "Medium", - "text": "Containerizing an application can improve VM density and save money on scaling it", + "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", + "severity": "Low", + "text": "Do not send Azure traffic to hybrid locations for inspection. Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", + "severity": "High", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Cost" + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "OpenAI", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", + "severity": "Medium", + "text": "Create a global Azure Firewall 
policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "Low", + "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", "severity": "High", - "text": "Follow Metaprompting guardrails for resonsible AI", + "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. 
Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "High", + "text": "Use Azure Firewall Premium to enable additional security features.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", + "severity": "High", + "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", + "severity": "High", + "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.", + "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", + "severity": "High", + "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": 
"https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", + "severity": "Medium", + "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "OpenAI", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", "severity": "High", - "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", + "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "OpenAI", - "severity": "High", - "text": "Enable monitoring for your AOAI instances", - "waf": "Operations" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | 
where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", + "severity": "High", + "text": "Use a /26 prefix for your Azure Firewall subnets.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", + "severity": "Medium", + "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", + "severity": "Medium", + "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "OpenAI", - "severity": "High", - "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", - "waf": "Operations" + 
"arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", + "severity": "Medium", + "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "OpenAI", - "severity": "High", - "text": "Monitor token usage to prevent service disruptions due to capacity", - "waf": "Operations" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", + "severity": "Medium", + "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. 
If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "OpenAI", - "severity": "Medium", - "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", - "waf": "Operations" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", + "severity": "High", + "text": "If you are using Azure Firewall Premium, enable TLS Inspection.", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "OpenAI", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", "severity": "Low", - "text": "Enable and configure Diagnostics for the Azure OpenAI Service. 
If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", - "waf": "Operations" + "text": "Use web categories to allow or deny outbound access to specific topics.", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "OpenAI", - "severity": "High", - "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", - "waf": "Operations" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", + "severity": "Medium", + "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "OpenAI", - "severity": "High", - "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", + "guid": 
"94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", + "severity": "Medium", + "text": "Enable Azure Firewall DNS proxy configuration.", + "training": "https://learn.microsoft.com/training/courses/az-700t00/", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "OpenAI", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", "severity": "High", - "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.", + "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.", + "training": "https://learn.microsoft.com/training/courses/az-700t00/", "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "OpenAI", - "severity": "High", - "text": "Evaluate usage of Provisioned throughput model ", - "waf": "Performance" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "Low", + "text": "Implement backups for your firewall rules", + "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "OpenAI", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", + "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", + "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", + "service": "Firewall", "severity": "High", - "text": "Review and implement Azure AI content safety", - 
"waf": "Operations" + "text": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.", + "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "OpenAI", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", + "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", + "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", + "service": "Firewall", "severity": "High", - "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", - "waf": "Performance" + "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide 
enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "OpenAI", - "severity": "Medium", - "text": "Improve latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner", - "waf": "Performance" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "AppGW", + "severity": "High", + "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "OpenAI", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "service": "ExpressRoute", "severity": "Medium", - "text": "Estimate elasticity demands to determine synchronous 
and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", - "waf": "Performance" + "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "OpenAI", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", "severity": "High", - "text": "Benchmark token consumption requirements based on estimated demands from consumers. 
Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", - "waf": "Performance" + "text": "Don't enable virtual network service endpoints by default on all subnets.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "OpenAI", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", "severity": "Medium", - "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", - "waf": "Performance" + "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. 
If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "OpenAI", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", + "severity": "High", + "text": "Use at least a /27 prefix for your Gateway subnets.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' 
and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", "severity": "High", - "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", - "waf": "Performance" + "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "OpenAI", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", "severity": "Medium", - "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model 
performance", - "waf": "Performance" + "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "OpenAI", - "severity": "Low", - "text": "Deploy multiple OAI instances across regions", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "Medium", + "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "OpenAI", - "severity": "High", - "text": "Implement retry & healthchecks with Gateway pattern like APIM", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and 
properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", + "severity": "Medium", + "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "OpenAI", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "severity": "Medium", - "text": "Ensure having adequate quotas of TPM & RPM for the workload", + "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.", + "training": 
"https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "OpenAI", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", "severity": "Medium", - "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", + "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "OpenAI", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", "severity": "Medium", - "text": "Deploy separate fine tuned models across regions if finetuning is employed", - "waf": "Reliability" + "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": 
"Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "OpenAI", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", "severity": "Medium", - "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.", + "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "OpenAI", - "severity": "High", - "text": "Azure AI search service tiers should be choosen to have a SLA ", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", + "severity": "Medium", + "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": 
"Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
- "link": "https://learn.microsoft.com/purview/purview",
- "service": "OpenAI",
- "severity": "Low",
- "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
- "service": "OpenAI",
- "severity": "High",
- "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant",
+ "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.",
+ "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
- "link": "https://learn.microsoft.com/azure/search/search-security-overview",
- "service": "OpenAI",
- "severity": "High",
- "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant",
+ "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
- "service": "OpenAI",
- "severity": "High",
- "text": "Use RBAC to manage access to Azure OpenAI services. 
Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
- "service": "OpenAI",
- "severity": "Medium",
- "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant",
+ "guid": "9c75dfef-573c-461c-a698-68598595581a",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
+ "service": "VWAN",
+ "severity": "High",
+ "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- 
"checklist": "Azure OpenAI Review",
- "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "High",
- "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
+ "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
- "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "Medium",
- "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
+ "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.",
+ "training": "https://learn.microsoft.com/training/modules/governance-security/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
- "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
- "service": "OpenAI",
- "severity": "High",
- "text": "Implement Prompt shields and groundedness detection using Content Safety ",
- "waf": "Operations"
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "waf": "Reliability"
 },
- {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
- "link": "https://learn.microsoft.com/azure/compliance/",
- "service": "OpenAI",
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "High",
- "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing 
activities.",
+ "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
- "service": "OpenAI",
- "severity": "Medium",
- "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "43334f24-9116-4341-a2ba-527526944008",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
+ "service": "Policy",
+ "severity": "Low",
+ "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "High",
- "text": "Keep production data separate from development and testing data. 
Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
+ "text": "Use built-in policies where possible to minimize operational overhead.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.",
+ "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
+ "service": "Policy",
 "severity": "Medium",
- "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. 
For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
+ "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "19048384-5c98-46cb-8913-156a12476e49",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "Medium",
- "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
+ "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
- "service": "OpenAI",
- "severity": "High",
- "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
+ "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
- "service": "OpenAI",
- "severity": "High",
- "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
- "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
- "service": "OpenAI",
- "severity": "High",
- "text": "Configure private endpoint for AI services to restrict service access within your network",
+ "arm-service": 
"Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
+ "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
- "service": "OpenAI",
- "severity": "High",
- "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
+ "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives",
+ "service": "Policy",
+ "severity": "Medium",
+ "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
- "service": "OpenAI",
- "severity": "High",
- "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions",
+ "service": "Monitor",
+ "severity": "Medium",
+ "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure 
role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.",
+ "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
- "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Monitor",
 "severity": "Medium",
- "text": "Use prompt compression tools like LLMLingua or gprtrim",
- "waf": "Cost"
+ "text": "Decide whether to use a single Azure Monitor Logs workspace for all regions or to create multiple workspaces to cover various geographical regions. 
Each approach has advantages and disadvantages, including potential cross-region networking charges",
+ "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Monitor",
 "severity": "High",
- "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.",
- "waf": "Reliability"
+ "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. 
Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
- "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
+ "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
+ "service": "VM",
 "severity": "Medium",
- "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources",
- "waf": "Reliability"
+ "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations",
+ "service": "VM",
 "severity": "Medium",
- "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents",
- "waf": "Reliability"
+ "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.",
+ "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
+ "service": "VM",
 "severity": "Medium",
- "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network 
infrastructure",
- "waf": "Reliability"
+ "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.",
+ "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
- "service": "OpenAI",
- "severity": "Low",
- "text": "Azure AI Services are properly tagged for better management",
+ "arm-service": "microsoft.network/networkWatchers",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "90483845-c986-4cb2-a131-56a12476e49f",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Network Watcher",
+ "severity": "Medium",
+ "text": "Use Network Watcher to proactively monitor traffic flows.",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
- "service": "OpenAI",
- "severity": "Low",
- "text": "Azure AI Service accounts follows organizational naming conventions",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
+ "service": "Monitor",
+ "severity": "Medium",
+ "text": "Use Azure Monitor Logs for insights and reporting.",
+ "training": 
"https://learn.microsoft.com/training/modules/configure-azure-monitor/",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
- "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
- "service": "OpenAI",
- "severity": "High",
- "text": "Diagnostic logs in Azure AI services resources should be enabled",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "97be9951-9048-4384-9c98-6cb2913156a1",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
+ "service": "Monitor",
+ "severity": "Medium",
+ "text": "Use Azure Monitor alerts for the generation of operational alerts.",
+ "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31",
+ "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
+ "service": "Monitor",
+ "severity": "Medium",
+ "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
- "link": "https://learn.microsoft.com/azure/ai-services/authentication",
- "service": "OpenAI",
- "severity": "High",
- "text": "Key access (local authentication) is recommended to be disabled for security. 
After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ",
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Backup",
+ "severity": "Low",
+ "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.",
+ "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "OpenAI",
- "severity": "High",
- "text": "Store and manage keys securely using Azure Key Vault. 
Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "OpenAI",
- "severity": "High",
- "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.",
+ "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Monitor VM security configuration drift via Azure Policy.",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "adfe27be-e297-401a-a352-baaab79b088d",
- "link": 
"https://github.com/openai/tiktoken",
- "service": "OpenAI",
- "severity": "High",
- "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
- "waf": "Cost"
- },
- {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
- "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
- "service": "OpenAI",
- "severity": "High",
- "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. 
This enables you to replicate workloads across regions.",
+ "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
- "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
- "service": "OpenAI",
- "severity": "High",
- "text": "Setup a process to regularly update and patch the LLM libraries and other system components",
- "waf": "Reliability"
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca",
+ "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
+ "service": "Backup",
+ "severity": "Medium",
+ "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.",
+ "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "e29711b1-352b-4eee-879b-588defc4972c",
- "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
- "service": "OpenAI",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "WAF",
 "severity": "High",
- "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
+ "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure 
Application Gateway. Regularly review the logs to check for attacks and for false positive detections.", + "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "OpenAI", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "severity": "Medium", - "text": "Understand difference in cost of base models and fine tuned models and token step sizes", - "waf": "Cost" + "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. Detect attacks and integrate WAF telemetry into your overall Azure environment.", + "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "High", - "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. 
Ensure you optimize batch size", - "waf": "Cost" + "text": "Use Azure Key Vault to store your secrets and credentials.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "severity": "Medium", - "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", - "waf": "Cost" + "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). Optimize the size to ensure it is large enough for a valid response", - "waf": "Cost" + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Review the guidance provided on setting up AI search for Reliability", - "waf": "Operations" + "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": 
"https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Plan and manage AI Search Vector storage", - "waf": "Operations" + "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", + "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning & experimentation. 
Apply LLMOps practices to automate the lifecycle management of your GenAI applications", - "waf": "Operations" + "text": "Establish an automated process for key and certificate rotation.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "OpenAI", - "severity": "High", - "text": "Evaluate usage of billing models - PAYG vs PTU. Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version", - "waf": "Cost" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medium", + "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": 
"https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "Medium", - "text": "Evaluate the quality of prompts and applications when switching between model versions", - "waf": "Operations" + "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence and fluency", - "waf": "Operations" + "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - 
"text": "Evaluate your Azure AI Search results based on different search parameters", - "waf": "Operations" + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", - "waf": "Operations" + "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. 
Choose appropriate region pairs and disaster recovery regions that minimize latency.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "severity": "Medium", - "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", - "waf": "Operations" + "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "OpenAI", + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "severity": "Medium", - "text": "Red team your GenAI applications", + "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", + "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI 
Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "OpenAI", - "severity": "Medium", - "text": "Provide end users with scoring options for LLM responses and track these scores. ", - "waf": "Operations" + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", + "severity": "High", + "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "OpenAI", + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "High", - "text": "Consider Quota management practices. 
Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called", - "waf": "Cost" + "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "OpenAI", - "severity": "Medium", - "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions", - "waf": "Operations" + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "High", + "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc411", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-studio#import-training-data-from-azure-blob-store", - "service": "OpenAI", - "severity": "Medium", - "text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. 
Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", + "severity": "High", + "text": "Enable Endpoint Protection on IaaS Servers.", + "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest", - "service": "OpenAI", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "Medium", - "text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments", + "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", - "service": "OpenAI", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "Medium", - "text": "Monitor provision-managed utilization if you're using the provisioned throughput payment model", + "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc414", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/content-filters", - "service": "OpenAI", - "severity": "Medium", - "text": "Tune content filters to minimize false positives from overly aggressive filters", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", + "guid": "a56888b2-7e83-4404-bd31-b886528502d1", + "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", + "service": "Entra", + "severity": "High", + "text": "Centralized threat detection with correlated logs - consolidate security data in a central location where it can be correlated across various services via SIEM (security information and event management)", "waf": "Reliability" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc415", - "link": "https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest", - "service": "OpenAI", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "severity": "Medium", - "text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI", + "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "OpenAI", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "Medium", - "text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks", + "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", - "service": "OpenAI", - "severity": "Medium", - "text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": 
"b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "High", + "text": "Enable secure transfer to storage accounts.", + "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a9", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", - "severity": "Medium", - "text": "Develop your cost model, considering prompt sizes. Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model", - "waf": "Cost" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "severity": "High", + "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a1", - "link": "https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/", - "service": "OpenAI", - "severity": "Medium", - "text": "Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. 
Optimize costs while still achieving the desired application performance", - "waf": "Cost" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "High", + "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", + "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Functions", + "severity": "High", + "text": "Select the right Function hosting plan based on your business & SLO requirements", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' and tolower(kind) !contains 'workflow' | extend aspResourceId = tostring(properties.serverFarmId), managedEnvId = tostring(properties.managedEnvironmentId), sku = tostring(properties.sku) | extend sku = iif(isnotempty(sku), sku, iif(isnotempty(managedEnvId), 'ContainerApps', '')) | where sku !in ('Dynamic', 
'FlexConsumption', '') | extend aspName = tostring(split(aspResourceId, '/').[-1]), managedEnvName = tostring(split(managedEnvId, '/').[-1]) | extend HostingPlan = tostring(iif(isnotempty(aspName), aspName, managedEnvName)) | project functionAppName = name, functionAppId = id, HostingPlan, sku | join kind=inner ( resources | where type =~ 'Microsoft.Web/serverfarms' or type =~ 'Microsoft.App/managedEnvironments' | extend HostingPlan = tostring(name), zoneRedundant = tostring(properties.zoneRedundant), compliant = tobool(properties.zoneRedundant) | project HostingPlan, resourceId = id, zoneRedundant, compliant ) on HostingPlan | project functionAppName, functionAppId, sku, HostingPlan, resourceId, zoneRedundant, compliant", + "service": "Functions", + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Functions", "severity": "Medium", - "text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. 
The cost for generating 100 images is the same as the cost for 1 image", - "waf": "Cost" + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a3", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", - "severity": "Medium", - "text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee", - "waf": "Cost" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Functions", + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", - "severity": "Medium", - "text": "Create concise prompts that provide enough context for the model to generate a useful response. 
Also ensure that you optimize the limit of the response length.", - "waf": "Cost" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' | where tolower(kind) !contains 'workflow' | where isnotempty(properties.serverFarmId) | extend sku = tostring(properties.sku) | where isnotempty(sku) | where sku !in ('Dynamic', 'FlexConsumption', 'ElasticPremium') | extend alwaysOn = properties.siteConfig.alwaysOn | project functionAppName = name, functionAppId = id, serverFarmId = tostring(properties.serverFarmId), sku, alwaysOn, compliant = tobool(alwaysOn)", + "service": "Functions", + "severity": "High", + "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219", - "link": "https://learn.microsoft.com/azure/ai-services/create-account-bicep", - "service": "OpenAI", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Functions", "severity": "Medium", - "text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models", - "waf": "Operations" + "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "2744293b-b628-4537-a551-19b08e8f5855",
- "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/openai",
- "service": "OpenAI",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "Functions",
 "severity": "Medium",
- "text": "Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups",
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code",
 "waf": "Operations"
 },
 {
@@ -10527,6 +11295,17 @@
 "text": "Be aware of APIM's limits",
 "waf": "Reliability"
 },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "graph": "resources | where type =~ 'microsoft.apimanagement/service' | extend compliant = (properties.platformVersion != 'stv1') | project id, compliant",
+ "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8ce",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/migrate-stv1-to-stv2",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Upgrade the platform version and follow lifecyle. stv1 is retirng on 31 August 2024",
+ "waf": "Reliability"
+ },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
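Review bot: The added APIM item's `text` misspells two words that will appear verbatim in the rendered checklist; it should read `"text": "Upgrade the platform version and follow lifecycle. stv1 is retiring on 31 August 2024",`. The `graph` query on the same item compares `properties.platformVersion != 'stv1'` with the case-sensitive operator while the `type` filter next to it uses `=~`, and a service whose `platformVersion` property is absent presumably yields a null rather than a boolean for `compliant`, so it would be reported as neither passing nor failing. The other `graph` queries in this diff guard that case explicitly with `iff(isnull(ResourceCount), 0, ResourceCount)`; normalising here the same way, e.g. `extend pv = tolower(tostring(properties.platformVersion)) | extend compliant = (pv !in ('', 'stv1'))`, makes the missing-value outcome a deliberate choice (treated as non-compliant in that form) instead of an accident of null semantics.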
@@ -10662,484 +11441,310 @@
 "checklist": "Azure API Management Review",
 "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9",
 "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers",
- "service": "APIM",
- "severity": "High",
- "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "f8af3d94-1d2b-4070-846f-849197524258",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
- "service": "APIM",
- "severity": "High",
- "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "791abd8b-7706-4e31-9569-afefde724be3",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use managed identities to authenticate to other Azure resources whenever possible",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
- "service": "APIM",
- "severity": "High",
- "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant",
- "guid": "f00a69de-7076-4734-a734-6e4552cad9e1",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
- "service": "Front Door",
- "severity": "Medium",
- "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal.", - "waf": "Operations" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", - "severity": "Medium", - "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/frontdoors", - 
"checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", - "service": "Front Door", - "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", - "severity": "High", - "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = 
properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", - "severity": "High", - "text": "Avoid placing Traffic Manager behind Front Door.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", - "severity": "High", - "text": "Use the same domain name on Azure Front Door and your origin. 
Mismatched host names can cause subtle bugs.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "Low", - "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", - "waf": "Performance" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", - "severity": "Medium", - "text": "Select good health probe endpoints for Azure Front Door. 
Consider building health endpoints that check all of your application's dependencies.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", - "severity": "Low", - "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", - "waf": "Performance" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", - "severity": "High", - "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", - "waf": "Operations" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", - "severity": "Medium", - "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", - "severity": "High", - "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "service": "APIM", "severity": "Medium", - "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.", + "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "severity": "High", - "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", + "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", "severity": "High", - "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.", + "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", + "severity": "Medium", + "text": "Use 
managed identities to authenticate to other Azure resources whenever possible", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "severity": "High", - "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", + "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", + "severity": "Medium", + "text": "FTA Resiliency Playbook", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": 
"https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "severity": "High", - "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", "severity": "Medium", - "text": "Use the latest Azure Front Door WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "text": "Run multiple replicas of the database (>1 ) in Prod", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", + "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", + "service": "CosmosDB", "severity": "Medium", - "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "text": "Leverage Multi-Region Writes", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Span Cosmos account across two or more regions with multi-region writes", + "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "severity": "Medium", - "text": "Use a high threshold for Azure Front Door WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure.", + "text": "Distribute your data globally", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", + "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", + "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", + "service": "CosmosDB", + "severity": "High", + "text": "Choose from several well-defined consistency models", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. 
To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", + "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", + "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", + "service": "CosmosDB", "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "text": "Enable Service managed failover", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.", + "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", + "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", + "service": "CosmosDB", "severity": "Medium", - "text": "Capture logs and metrics by turning on Diagnostic Settings. Include resource activity logs, access logs, health probe logs, and WAF logs. 
Set up alerts.", - "waf": "Operations" + "text": "Enable Automatic Backups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour.", + "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", + "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", + "service": "CosmosDB", "severity": "Medium", - "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "text": "Perform Periodic Backups", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", - "service": "Front Door", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Continous 7 day retention and 30 day retention backups. 
Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. Continuous backups are taken in every region where the account exists.", + "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", + "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", + "service": "CosmosDB", "severity": "Medium", - "text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.", + "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", - "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", - "link": 
"https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", - "service": "Front Door", - "severity": "High", - "text": "Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. You can place those origins in one or more back-end pools.", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", + "service": "PostgreSQL", + "severity": "Medium", + "text": "Leverage Flexible Server", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "999852be-2137-4179-8fc3-30d1df6fed1d", - "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps", - "service": "Front Door", - "severity": "Medium", - "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. 
You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout.", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", + "service": "PostgreSQL", + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity", - "service": "Front Door", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "31b67c67-be59-4519-8083-845d587cb391", + "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", + "service": "PostgreSQL", "severity": "Medium", - "text": "Decide if your application requires session affinity. If you have high reliability requirements, we recommend that you disable session affinity.", + "text": "Leverage cross-region read replicas for BCDR", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7", - "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header", - "service": "Front Door", - "severity": "Medium", - "text": "Send the host header to the back end. 
The back-end services should be aware of the host name so that they can create rules to accept traffic only from that host.", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "Device Update Review", + "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", - "severity": "Medium", - "text": "Use caching for endpoints that support it.", - "waf": "Cost" + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "Device Update Review", + "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", + "severity": "High", + "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant", - "guid": "34069d73-e4de-46c5-a36f-625f87575a56", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "Low", - "text": "Disable health checks in single back-end pools. If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary. 
This is only recommended if you can't have multiple origins in your endpoint.", - "waf": "Cost" + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "Device Update Review", + "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Device Update for IoT Hub", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "c92d6786-cdd1-444d-9cad-934a192a276a", - "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports", - "service": "Front Door", - "severity": "Medium", - "text": "We recommend using the Premium Tier for leveraging the Security reports while the Standard Azure Front Door Profile provides only traffic reports under built-in analytics/reports.", - "waf": "Operations" + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "Device Update Review", + "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Device Update for IoT Hub", + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain", - "service": "Front Door", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + 
"service": "Entra", "severity": "Medium", - "text": "Use wildcard TLS certificates when possible.", - "waf": "Operations" + "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "Medium", - "text": "Optimize your application query string for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.", - "waf": "Performance" + "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece", - "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression", - "service": "Front Door", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "Medium", - "text": "Use file compression when you're accessing downloadable content.", + "text": "Custom brand assets should be hosted on a CDN", "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", - "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", - "link": "https://learn.microsoft.com/azure/cdn/tier-migration", - "service": "Front Door", - "severity": "High", - "text": "Consider migrating to Standard or Premium SKU if you are using Classic Azure Front Door currently as Classic Azure Front Door will be deprecated by March 2027.", - "waf": "Operations" + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "Low", + "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", - "link": 
"https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", - "service": "Front Door", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Medium", - "text": "Consider using Traffic Manager load balancing Azure Front Door and a third party CDN provider CDN profile for mission critical high availability scenario. ", + "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", - "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", - "service": "Front Door", - "severity": "High", - "text": "When using Front Door with origin as App services, consider locking down the traffic to app services only through Azure Front Door using access restrictions. ", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Medium", + "text": "Don't replicate! 
Replication can create issues with directory synchronization", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Medium", - "text": "Leverage Flexible Server", + "text": "Have active-active for multi-regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "Medium", + "text": "Add Azure AD Domain service stamps to additional regions and locations", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": 
"Entra", "severity": "Medium", - "text": "Leverage Data-in replication for cross-region DR scenarios", + "text": "Use Replica Sets for DR", "waf": "Reliability" }, { 
@@ -21662,489 +22267,337 @@ }, { "description": "", - "guid": "ee4fab35-3fcf-469c-aa4a-baaa7ea46a76", + "guid": "12b36c73-1ef0-428b-89b2-2b3db9077b88", "service": "AppGW", - "text": "Deploy the instances in a zone-aware configuration, where available.", + "text": "Use Application Gateway v2 in new deployments unless your workload specifically requires Application Gateway v1.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "897c9b7a-c56c-4390-9938-71ed0ee875d8", + "guid": "f4a44a99-6a02-46f3-851a-5579949b9dee", "service": "AppGW", - "text": "Use Application Gateway with Web Application Firewall (WAF) within a virtual network to protect inbound `HTTP/S` traffic from the Internet.", + "text": "Build redundancy in your design. Spread Application Gateway instances across availability zones to improve fault tolerance and build redundancy. Traffic goes to other zones if one zone fails. For more information, see Recommendations for using availability zones and regions.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "9d1d0113-dcc3-4309-bf89-57f43eff537c", + "guid": "54a59adf-6a9e-4068-9276-ced14131275e", "service": "AppGW", - "text": "In new deployments, use Azure Application Gateway v2 unless there is a compelling reason to use Azure Application Gateway v1.", + "text": "Plan extra time for rule updates and other configuration changes before you access Application Gateway or make further changes. For example, you might need extra time to remove servers from a back-end pool because they have to drain existing connections.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "f6991e25-5c9d-4b36-9df6-d4cd17d6d7cc", + "guid": "fbc1a333-d306-4d1e-8796-17e2df93b21d", "service": "AppGW", - "text": "Plan for rule updates", + "text": "Implement the Health Endpoint Monitoring pattern. 
Your application should expose health endpoints, which aggregate the state of the critical services and dependencies that your application needs to serve requests. Application Gateway health probes use the endpoint to detect the health of servers in the back-end pool. For more information, see Health Endpoint Monitoring pattern.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "93d5c5fc-95da-40dc-a935-bcdf72bb49bc", + "guid": "a13fb2ce-1102-4f48-a841-41bb97cdecd8", "service": "AppGW", - "text": "Use health probes to detect backend unavailability", + "text": "Evaluate the impact of interval and threshold settings on a health probe. The health probe sends requests to the configured endpoint at a set interval. And the back end tolerates a limited number of failed requests before it's marked as unhealthy. These settings can conflict, which presents a tradeoff.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "e4a0745d-0b8a-459b-8fc0-0399061a6425", + "guid": "831469ab-6e35-4740-a283-1ac886bd1836", "service": "AppGW", - "text": "Review the impact of the interval and threshold settings on health probes", + "text": "Verify downstream dependencies through health endpoints. To isolate failures, each of your back ends might have its own dependencies. For example, an application that you host behind Application Gateway might have multiple back ends, and each back end connects to a different database, or replica. When such a dependency fails, the application might work but doesn't return valid results. 
For that reason, the health endpoint should ideally validate all dependencies.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "4d7b12c2-d9bb-4547-8238-c2c93491afed", + "guid": "b4a35881-6e26-4b8c-b870-fc00da6799eb", "service": "AppGW", - "text": "Verify downstream dependencies through health endpoints", + "text": "Consider Application Gateway limitations and known issues that might affect reliability. Review the Application Gateway FAQ for important information about by-design behavior, fixes under construction, platform limitations, and possible workarounds or mitigation strategies. Don't use UDRs in the Application Gateway dedicated subnet.", "type": "checklist", "waf": "Reliability" }, { - "description": "Plan enough time for updates before accessing Application Gateway or making further changes. For example, removing servers from backend pool might take some time because they have to drain existing connections.", - "guid": "f6991e25-5c9d-4b36-9df6-d4cd17d6d7cc", + "description": "", + "guid": "aacf5d13-97a8-4b22-b3b3-e9920e26cc8a", "service": "AppGW", - "text": "Plan for rule updates", - "type": "recommendation", + "text": "Consider Source Network Address Translation (SNAT) port limitations in your design that can affect back-end connections on Application Gateway. Some factors affect how Application Gateway reaches the SNAT port limit. For example, if the back end is a public IP address, it requires its own SNAT port. To avoid SNAT port limitations, you can do one of the following options:", + "type": "checklist", "waf": "Reliability" }, { - "description": "If Application Gateway is used to load balance incoming traffic over multiple backend instances, we recommend the use of health probes. 
These will ensure that traffic is not routed to backends that are unable to handle the traffic.", - "guid": "93d5c5fc-95da-40dc-a935-bcdf72bb49bc", + "description": "When you spread multiple instances across zones, your workload can withstand failures in a single zone. If you have an unavailable zone, traffic automatically shifts to healthy instances in other zones, which maintains application reliability.", + "guid": "d4a3a0ad-1d2b-4173-ac4c-44acb08fa368", "service": "AppGW", - "text": "Use health probes to detect backend unavailability", + "text": "Deploy Application Gateway instances in a zone-aware configuration. Check regional support for zone redundancy because not all regions offer this feature.", "type": "recommendation", "waf": "Reliability" }, { - "description": "The health probe sends requests to the configured endpoint at a set interval. Also, there's a threshold of failed requests that will be tolerated before the backend is marked unhealthy. These numbers present a trade-off.- Setting a higher interval puts a higher load on your service. Each Application Gateway instance sends its own health probes, so 100 instances every 30 seconds means 100 requests per 30 seconds.- Setting a lower interval leaves more time before an outage is detected.- Setting a low unhealthy threshold might mean that short, transient failures might take down a backend. - Setting a high threshold it can take longer to take a backend out of rotation.", - "guid": "e4a0745d-0b8a-459b-8fc0-0399061a6425", + "description": "Health probes ensure that traffic only routes to back ends that can handle the traffic. 
Application Gateway monitors the health of all the servers in its back-end pool and automatically stops sending traffic to any server that it considers unhealthy.", + "guid": "13ba88d2-e858-44f3-9747-f11a4c3615fd", "service": "AppGW", - "text": "Review the impact of the interval and threshold settings on health probes", + "text": "Use Application Gateway health probes to detect back-end unavailability.", "type": "recommendation", "waf": "Reliability" }, { - "description": "Suppose each backend has its own dependencies to ensure failures are isolated. For example, an application hosted behind Application Gateway might have multiple backends, each connected to a different database (replica). When such a dependency fails, the application might be working but won't return valid results. For that reason, the health endpoint should ideally validate all dependencies. Keep in mind that if each call to the health endpoint has a direct dependency call, that database would receive 100 queries every 30 seconds instead of 1. To avoid this, the health endpoint should cache the state of the dependencies for a short period of time.", - "guid": "4d7b12c2-d9bb-4547-8238-c2c93491afed", + "description": "Use rate limiting to avoid problems like retry storms.", + "guid": "0ace6ede-d8a6-4c71-bd0b-feba5fdb57ef", "service": "AppGW", - "text": "Verify downstream dependencies through health endpoints", + "text": "Configure rate-limiting rules for Azure WAF so that clients can't send too much traffic to your application.", "type": "recommendation", "waf": "Reliability" }, { - "description": "Certain scenarios can force you to implement rules specifically on Application Gateway. For example, if ModSec CRS 2.2.9, CRS 3.0 or CRS 3.1 rules are required, these rules can be only implemented on Application Gateway. 
Conversely, rate-limiting and geo-filtering are available only on Azure Front Door, not on AppGateway.", - "guid": "2cc68719-238d-40f1-9eda-37a4b77cabc2", + "description": "UDRs on the Application Gateway subnet can cause some problems. Don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics.", + "guid": "7fafa967-ba5d-4de5-8446-14c154e20b39", "service": "AppGW", - "text": "When using Azure Front Door and Application Gateway to protect `HTTP/S` applications, use WAF policies in Front Door and lock down Application Gateway to receive traffic only from Azure Front Door.", + "text": "Don't use UDRs on Application Gateway so that the back-end health report functions properly and generates the correct logs and metrics. If you must use a UDR in the Application Gateway subnet, see Supported UDRs.", "type": "recommendation", "waf": "Reliability" }, { - "description": "", - "guid": "c394ed0c-ddb2-4efa-b4eb-deb2f11cff32", + "description": "Set the IdleTimeout to match the back end. This setting ensures that the connection between Application Gateway and the client stays open if the back end takes more than four minutes to respond to the request. If you don't configure this setting, the connection closes, and the client doesn't see the back-end response.", + "guid": "e7750d05-2f4c-4dfa-b330-001d53221295", "service": "AppGW", - "text": "Set up a TLS policy for enhanced security", - "type": "checklist", + "text": "Configure the IdleTimeout settings to match the listener and traffic characteristics of the back-end application. The default value is four minutes. You can configure it to a maximum of 30 minutes. 
For more information, see Load balancer Transmission Control Protocol (TCP) reset and idle timeout.", + "type": "recommendation", "waf": "Reliability" }, { "description": "", - "guid": "f2c0a397-56bb-45f1-ac4d-b1837045db05", + "guid": "29e7a329-70b0-4458-8980-08810eeb5e8c", "service": "AppGW", - "text": "Use AppGateway for TLS termination", + "text": "Review the security baseline for Application Gateway.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "db6594c5-00d9-42e3-9190-0da310bd8af5", + "guid": "06e72d1f-194b-4f65-805a-fd78eb15deb1", "service": "AppGW", - "text": "Use Azure Key Vault to store TLS certificates", + "text": "Block common threats at the edge. WAF integrates with Application Gateway. Enable WAF rules on the front ends to protect applications from common exploits and vulnerabilities at the network edge, which is close to the attack source. For more information, see WAF on Application Gateway.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "79778b7d-1a8d-47bf-9000-cfe8f28007ed", + "guid": "e92b04dd-c98e-4f4e-bdd5-903fd4e50098", "service": "AppGW", - "text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)", + "text": "Allow only authorized access to the control plane. Use Application Gateway role-based access control (RBAC) to restrict access to only the identities that need it.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "32630271-62af-4005-933b-36e73b3d6c43", + "guid": "616bcb27-4b69-4b6d-be33-c97788d267d9", "service": "AppGW", - "text": "Use an appropriate DNS server for backend pool resources", + "text": "Protect data in transit. Enable end-to-end Transport Layer Security (TLS), TLS termination, and end-to-end TLS encryption. 
When you re-encrypt back-end traffic, ensure that the back-end server certificate contains both the root and intermediate certificate authorities (CAs).", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "5644f4cb-0c54-41d6-9aff-27357089743c", + "guid": "dfb1da6c-7250-47eb-9780-6d3661bce1ed", "service": "AppGW", - "text": "Comply with all NSG restrictions for Application Gateway", + "text": "Protect application secrets. Use Azure Key Vault to store TLS certificates for increased security and an easier certificate renewal and rotation process.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "5ff5e810-ac1d-42ef-9a30-812c15c42be8", + "guid": "0dbdce8a-165e-48ad-a562-5d7d4fd259e5", "service": "AppGW", - "text": "Refrain from using UDRs on the Application Gateway subnet", + "text": "Reduce the attack surface and harden the configuration. Remove default configurations that you don't need, and harden your Application Gateway configuration to tighten security controls. Comply with all network security group (NSG) restrictions for Application Gateway.", "type": "checklist", "waf": "Reliability" }, { "description": "", - "guid": "3ac67acb-dcca-413d-b0f9-50441d51675f", + "guid": "b6d22f85-e9d4-4a82-83cb-78e0bbe1c3da", "service": "AppGW", - "text": "Be aware of Application Gateway capacity changes when enabling WAF", + "text": "Monitor anomalous activity. Regularly review logs to check for attacks and false positives. Send WAF logs from Application Gateway to your organization's centralized security information and event management (SIEM), such as Microsoft Sentinel, to detect threat patterns and incorporate preventative measures in the workload design.", "type": "checklist", "waf": "Reliability" }, { - "description": "Set up a TLS policy for extra security. Ensure you're always using the latest TLS policy version available. 
This enforces TLS 1.2 and stronger ciphers.", - "guid": "c394ed0c-ddb2-4efa-b4eb-deb2f11cff32", - "service": "AppGW", - "text": "Set up a TLS policy for enhanced security", - "type": "recommendation", - "waf": "Reliability" - }, - { - "description": "There are advantages of using Application Gateway for TLS termination:- Performance improves because requests going to different backends to have to re-authenticate to each backend.- Better utilization of backend servers because they don't have to perform TLS processing- Intelligent routing by accessing the request content.- Easier certificate management because the certificate only needs to be installed on Application Gateway.", - "guid": "f2c0a397-56bb-45f1-ac4d-b1837045db05", - "service": "AppGW", - "text": "Use AppGateway for TLS termination", - "type": "recommendation", - "waf": "Reliability" - }, - { - "description": "Application Gateway can be integrated with Key Vault. This provides stronger security, easier separation of roles and responsibilities, support for managed certificates, and an easier certificate renewal and rotation process.", - "guid": "db6594c5-00d9-42e3-9190-0da310bd8af5", - "service": "AppGW", - "text": "Use Azure Key Vault to store TLS certificates", - "type": "recommendation", - "waf": "Reliability" - }, - { - "description": "A TLS certificate of the backend server must be issued by a well-known CA. If the certificate was not issued by a trusted CA, the Application Gateway checks if the certificate was issued by a trusted CA, and so on, until a trusted CA certificate is found. Only then a secure connection is established. Otherwise, Application Gateway marks the backend as unhealthy.", - "guid": "79778b7d-1a8d-47bf-9000-cfe8f28007ed", + "description": "Use the latest TLS policy to enforce the use of TLS 1.2 and stronger ciphers. 
The TLS policy includes control of the TLS protocol version and the cipher suites and also the order in which a TLS handshake uses ciphers.", + "guid": "1a3a9dbe-2312-4a68-b063-8b0c22592e23", "service": "AppGW", - "text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)", + "text": "Set up a TLS policy for enhanced security. Ensure that you use the latest TLS policy version.", "type": "recommendation", "waf": "Reliability" }, { - "description": "When the backend pool contains a resolvable FQDN, the DNS resolution is based on a private DNS zone or custom DNS server (if configured on the VNet), or it uses the default Azure-provided DNS.", - "guid": "32630271-62af-4005-933b-36e73b3d6c43", + "description": "Performance improves because requests that go to different back ends don't have to reauthenticate to each back end. The gateway can access the request content and make intelligent routing decisions. You only need to install the certificate on Application Gateway, which simplifies certificate management.", + "guid": "0c1b9371-c2cb-49da-85eb-26cc64757480", "service": "AppGW", - "text": "Use an appropriate DNS server for backend pool resources", + "text": "Use Application Gateway for TLS termination.", "type": "recommendation", "waf": "Reliability" }, { - "description": "NSGs are supported on Application Gateway subnet, but there are some restrictions. For instance, some communication with certain port ranges is prohibited. Make sure you understand the implications of those restrictions. 
For details, see Network security groups.", - "guid": "5644f4cb-0c54-41d6-9aff-27357089743c", + "description": "This approach provides stronger security, easier separation of roles and responsibilities, support for managed certificates, and an easier certificate renewal and rotation process.", + "guid": "ea5e0485-b8da-4ee3-8a93-e99759bb4425", "service": "AppGW", - "text": "Comply with all NSG restrictions for Application Gateway", + "text": "Integrate Application Gateway with Key Vault to store TLS certificates.", "type": "recommendation", "waf": "Reliability" }, { - "description": "Using User Defined Routes (UDR) on the Application Gateway subnet can cause some issues. Health status in the back-end might be unknown. Application Gateway logs and metrics might not get generated. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics. If your organizations require to use UDR in the Application Gateway subnet, please ensure you review the supported scenarios. For more information, see Supported user-defined routes.", - "guid": "96ac0266-6e5d-4944-bccb-0c6b3bd00b89", + "description": "The Application Gateway subnet supports NSGs, but there are some restrictions. For instance, some communication with certain port ranges is prohibited. Make sure you understand the implications of those restrictions.", + "guid": "573c5c87-a8d7-434a-bc3f-209bab02e1e3", "service": "AppGW", - "text": "Refrain from using UDRs on the Application gateway subnet", + "text": "Comply with all NSG restrictions for Application Gateway.", "type": "recommendation", "waf": "Reliability" }, - { - "description": "When WAF is enabled, every request must be buffered by the Application Gateway until it fully arrives, checks if the request matches with any rule violation in its core rule set, and then forwards the packet to the backend instances. 
When there are large file uploads (30MB+ in size), it can result in a significant latency. Because Application Gateway capacity requirements are different with WAF, we do not recommend enabling WAF on Application Gateway without proper testing and validation.", - "guid": "3ac67acb-dcca-413d-b0f9-50441d51675f", - "service": "AppGW", - "text": "Be aware of Application Gateway capacity changes when enabling WAF", - "type": "recommendation", - "waf": "Reliability" - }, - { - "description": "", - "guid": "dc1995b1-dcc3-4864-a862-0c5ceeb3452c", - "service": "AppGW", - "text": "Familiarize yourself with Application Gateway pricing", - "type": "checklist", - "waf": "Cost" - }, { "description": "", - "guid": "baadcfab-050c-4d30-a79a-a235e775836a", + "guid": "5a84b7c4-ee9e-4d73-aa23-c72b22068b5c", "service": "AppGW", - "text": "Review underutilized resources", + "text": "Familiarize yourself with Application Gateway and WAF pricing. Choose appropriately sized options to meet your workload capacity demand and deliver expected performance without wasting resources. To estimate costs, use the pricing calculator.", "type": "checklist", "waf": "Cost" }, { "description": "", - "guid": "03e1fbfa-86c2-4550-a6aa-e111d6ab895d", + "guid": "d3f52caf-385f-438a-a8f6-141c46452277", "service": "AppGW", - "text": "Stop Application Gateway instances that are not in use", + "text": "Remove unused Application Gateway instances, and optimize underused instances. To avoid unnecessary costs, identify and delete Application Gateway instances that have empty back-end pools. Stop Application Gateway instances when they're not in use.", "type": "checklist", "waf": "Cost" }, { "description": "", - "guid": "a63e6bb7-8040-4b43-9d0e-6ca8a3413315", + "guid": "189437c3-c8b7-4186-aefa-353651b4885a", "service": "AppGW", - "text": "Have a scale-in and scale-out policy", + "text": "Optimize the scaling cost of your Application Gateway instance. 
To optimize your scaling strategy and reduce your wokload's demands, see Recommendations for optimizing scaling cost.",
 "type": "checklist",
 "waf": "Cost"
 },
 {
 "description": "",
- "guid": "352664a9-dea7-4e45-9f4a-b1160768ac1b",
+ "guid": "2a8113e8-7870-49b1-aeaf-39fa6e5d9992",
 "service": "AppGW",
- "text": "Review consumption metrics across different parameters",
+ "text": "Monitor Application Gateway consumption metrics, and understand their cost impact. Azure charges for metered instances of Application Gateway based on tracked metrics. Evaluate the various metrics and capacity units, and determine the cost drivers. For more information, see Microsoft Cost Management.",
 "type": "checklist",
 "waf": "Cost"
 },
 {
- "description": "For information about Application Gateway pricing, see Understanding Pricing for Azure Application Gateway and Web Application Firewall. You can also leverage the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
- "guid": "dc1995b1-dcc3-4864-a862-0c5ceeb3452c",
- "service": "AppGW",
- "text": "Familiarize yourself with Application Gateway pricing",
- "type": "recommendation",
- "waf": "Cost"
- },
- {
- "description": "Identify and delete Application Gateway instances with empty backend pools to avoid unnecessary costs.",
- "guid": "baadcfab-050c-4d30-a79a-a235e775836a",
- "service": "AppGW",
- "text": "Review underutilized resources",
- "type": "recommendation",
- "waf": "Cost"
- },
- {
- "description": "You aren't billed when Application Gateway is in the stopped state. Continuously running Application Gateway instances can incur extraneous costs. Evaluate usage patterns and stop instances when you don't need them. 
For example, usage after business hours in Dev/Test environments is expected to be low.See these articles for information about how to stop and start instances.- Stop-AzApplicationGateway- Start-AzApplicationGateway",
- "guid": "6af81413-0516-4067-9e26-8aad8d2d06ca",
- "service": "AppGW",
- "text": "Stop Application Gateway instances when not in use",
- "type": "recommendation",
- "waf": "Cost"
- },
- {
- "description": "A scale-out policy ensures that there will be enough instances to handle incoming traffic and spikes. Also, have a scale-in policy that makes sure the number of instances are reduced when demand drops. Consider the choice of instance size. The size can significantly impact the cost. Some considerations are described in the Estimate the Application Gateway instance count.For more information, see What is Azure Application Gateway v2?",
- "guid": "a63e6bb7-8040-4b43-9d0e-6ca8a3413315",
+ "description": "A stopped Application Gateway instance doesn't incur costs. Application Gateway instances that continuously run can incur unnecessary costs. Evaluate usage patterns, and stop instances when you don't need them. For example, expect low usage after business hours in dev/test environments.",
+ "guid": "58efe3ac-2476-4879-a014-d8eccee8da2a",
 "service": "AppGW",
- "text": "Have a scale-in and scale-out policy",
+ "text": "Stop Application Gateway instances when they're not in use. For more information, see Stop-AzApplicationGateway and Start-AzApplicationGateway.",
 "type": "recommendation",
 "waf": "Cost"
 },
 {
- "description": "You're billed based on metered instances of Application Gateway based on the metrics tracked by Azure. Evaluate the various metrics and capacity units and determine the cost drivers. For more information, see Microsoft Cost Management and Billing. The following metrics are key for Application Gateway. 
This information can be used to validate that the provisioned instance count matches the amount of incoming traffic.- Estimated Billed Capacity Units- Fixed Billable Capacity Units- Current Capacity UnitsFor more information, see Application Gateway metrics.Make sure you account for bandwidth costs.",
- "guid": "352664a9-dea7-4e45-9f4a-b1160768ac1b",
+ "description": "Use these metrics to validate whether the provisioned instance count matches the amount of incoming traffic, and ensure that you fully utilize the allocated resources.",
+ "guid": "fd75964f-9b65-416c-a1c1-de548ad574ce",
 "service": "AppGW",
- "text": "Review consumption metrics across different parameters",
+ "text": "Monitor key cost driver Application Gateway metrics, like: - Estimated billed capacity units. - Fixed billable capacity units. - Current capacity units. Make sure you account for bandwidth costs.",
 "type": "recommendation",
 "waf": "Cost"
 },
 {
 "description": "",
- "guid": "2aeef441-2f0c-4f28-b3fe-85bb210e70d4",
- "service": "AppGW",
- "text": "Monitor capacity metrics",
- "type": "checklist",
- "waf": "Operations"
- },
- {
- "description": "",
- "guid": "2a3d27da-fdb8-49b0-95ed-7f9b32b4f7ca",
- "service": "AppGW",
- "text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
- "type": "checklist",
- "waf": "Operations"
- },
- {
- "description": "",
- "guid": "69a9c288-6a98-447b-92f8-68c84adc85cd",
- "service": "AppGW",
- "text": "Use Azure Monitor Network Insights",
- "type": "checklist",
- "waf": "Operations"
- },
- {
- "description": "",
- "guid": "82f522dd-25e0-4e7c-a547-bc23577f7f1c",
- "service": "AppGW",
- "text": "Match timeout settings with the backend application",
- "type": "checklist",
- "waf": "Operations"
- },
- {
- "description": "",
- "guid": "6f9954fb-dff1-4d54-8672-0c1245908dca",
+ "guid": "21e05ca9-4195-40c4-a568-d40330b4a852",
 "service": "AppGW",
- "text": "Monitor Key Vault configuration issues using Azure Advisor",
+ "text": "Enable 
diagnostics on Application Gateway and WAF. Collect logs and metrics so you can monitor the health of the workload, identify trends in the workload performance and reliability, and troubleshoot problems. To design your overall monitoring approach, see Recommendations for designing and creating a monitoring system.",
 "type": "checklist",
 "waf": "Operations"
 },
 {
 "description": "",
- "guid": "78bbcbf2-30c3-4c77-8e8f-8faf4c4b817d",
+ "guid": "417dcfc5-3516-4d5d-ab16-86b929b8e06a",
 "service": "AppGW",
- "text": "Configure and monitor SNAT port limitations",
+ "text": "Use Azure Monitor Network Insights to get a comprehensive view of health and metrics for network resources, including Application Gateway. Use centralized monitoring to quickly identify and resolve problems, optimize performance, and ensure the reliability of your applications.",
 "type": "checklist",
 "waf": "Operations"
 },
 {
 "description": "",
- "guid": "ca428415-6120-410f-9a91-c1baeb6c0084",
+ "guid": "455209bc-8603-41ed-bcf9-0c535b024bda",
 "service": "AppGW",
- "text": "Consider SNAT port limitations in your design",
+ "text": "Monitor Application Gateway recommendations in Azure Advisor. Configure alerts to notify your team when you have new, critical recommendations for your Application Gateway instance. Advisor generates recommendations based on properties, such as the category, impact level, and recommendation type.",
 "type": "checklist",
 "waf": "Operations"
 },
 {
- "description": "Use these metrics as indicators of utilization of the provisioned Application Gateway capacity. We strongly recommend setting up alerts on capacity. For details, see Application Gateway high traffic support.",
- "guid": "2aeef441-2f0c-4f28-b3fe-85bb210e70d4",
- "service": "AppGW",
- "text": "Monitor capacity metrics",
- "type": "recommendation",
- "waf": "Operations"
- },
- {
- "description": "There are other metrics that can indicate issues either at Application Gateway or the backend. 
We recommend evaluating the following alerts:- Unhealthy Host Count- Response Status (dimension 4xx and 5xx)- Backend Response Status (dimension 4xx and 5xx)- Backend Last Byte Response Time- Application Gateway Total TimeFor more information, see Metrics for Application Gateway.",
- "guid": "af883a3e-1ece-4f8a-9732-95a461fe244c",
- "service": "AppGW",
- "text": "Troubleshoot using metrics",
- "type": "recommendation",
- "waf": "Operations"
- },
- {
- "description": "Diagnostic logs allow you to view firewall logs, performance logs, and access logs. Use these logs to manage and troubleshoot issues with Application Gateway instances. For more information, see Back-end health and diagnostic logs for Application Gateway.",
- "guid": "2a3d27da-fdb8-49b0-95ed-7f9b32b4f7ca",
- "service": "AppGW",
- "text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
- "type": "recommendation",
- "waf": "Operations"
- },
- {
- "description": "Azure Monitor Network Insights provides a comprehensive view of health and metrics for network resources, including Application Gateway. For additional details and supported capabilities for Application Gateway, see Azure Monitor Network insights.",
- "guid": "69a9c288-6a98-447b-92f8-68c84adc85cd",
+ "description": "Set alerts when metrics cross thresholds so that you know when your usage increases. This approach ensures that you have enough time to implement necessary changes to your workload and prevents degradation or outages.",
+ "guid": "a6437209-8d1a-4a6b-94c8-84bb342256a4",
 "service": "AppGW",
- "text": "Use Azure Monitor Network Insights",
+ "text": "Configure alerts to notify your team when capacity metrics, like CPU usage and compute unit usage, cross recommended thresholds. 
To configure a comprehensive set of alerts based on capacity metrics, see Application Gateway high-traffic support.",
 "type": "recommendation",
 "waf": "Operations"
 },
 {
- "description": "Ensure you have configured the IdleTimeout settings to match the listener and traffic characteristics of the backend application. The default value is set to four minutes and can be configured to a maximum of 30. For more information, see Load Balancer TCP Reset and Idle Timeout.For workload considerations, see Monitoring application health for reliability.",
- "guid": "82f522dd-25e0-4e7c-a547-bc23577f7f1c",
+ "description": "Use alerts to help ensure that your team can respond to problems in a timely manner and facilitate troubleshooting.",
+ "guid": "0c7b12f7-1980-420c-bc6c-e6a14a76ef13",
 "service": "AppGW",
- "text": "Match timeout settings with the backend application",
+ "text": "Configure alerts to notify your team about metrics that indicate problems either at Application Gateway or the back end. We recommend that you evaluate the following alerts:- Unhealthy host count- Response status, such as 4xx and 5xx errors - Back-end response status, such as 4xx and 5xx errors - Back-end last byte response time- Application Gateway total timeFor more information, see Metrics for Application Gateway.",
 "type": "recommendation",
 "waf": "Operations"
 },
 {
- "description": "Application Gateway checks for the renewed certificate version in the linked Key Vault at every 4-hour interval. If it is inaccessible due to any incorrect Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation. You must configure the Advisor alerts to stay updated and fix such issues immediately to avoid any Control or Data plane related problems. For more information, see Investigating and resolving key vault errors. 
To set an alert for this specific case, use the Recommendation Type as Resolve Azure Key Vault issue for your Application Gateway.",
- "guid": "6f9954fb-dff1-4d54-8672-0c1245908dca",
+ "description": "Use logs to help detect, investigate, and troubleshoot problems with Application Gateway instances and your workload.",
+ "guid": "242dccc5-f6ec-483b-9f44-6b90695c9a55",
 "service": "AppGW",
- "text": "Monitor Key Vault configuration issues using Azure Advisor",
+ "text": "Enable diagnostic logs on Application Gateway and WAF to collect firewall logs, performance logs, and access logs.",
 "type": "recommendation",
 "waf": "Operations"
 },
 {
- "description": "SNAT port limitations are important for backend connections on the Application Gateway. There are separate factors that affect how Application Gateway reaches the SNAT port limit. For example, if the backend is a public IP address, it will require its own SNAT port. In order to avoid SNAT port limitations, you can increase the number of instances per Application Gateway, scale out the backends to have more IP addresses, or move your backends into the same virtual network and use private IP addresses for the backends.Requests per second (RPS) on the Application Gateway will be affected if the SNAT port limit is reached. For example, if an Application Gateway reaches the SNAT port limit, then it won't be able to open a new connection to the backend, and the request will fail.",
- "guid": "ca428415-6120-410f-9a91-c1baeb6c0084",
+ "description": "Use Advisor alerts to stay up to date and fix problems immediately. Prevent any control plane or data plane-related problems. Application Gateway checks for the renewed certificate version in the linked Key Vault instance every 4 hours. 
If the certificate version is inaccessible because of an incorrect Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation.",
+ "guid": "a0bfec93-73f3-421d-bce8-f055e8c52d03",
 "service": "AppGW",
- "text": "Consider SNAT port limitations in your design",
+ "text": "Use Advisor to monitor Key Vault configuration problems. Set an alert to notify your team when you get the recommendation that states Resolve Azure Key Vault issue for your Application Gateway.",
 "type": "recommendation",
 "waf": "Operations"
 },
 {
 "description": "",
- "guid": "261fdf60-ce3b-4abd-8a85-b39ebb208df9",
- "service": "AppGW",
- "text": "Estimate the Application Gateway instance count",
- "type": "checklist",
- "waf": "Performance"
- },
- {
- "description": "",
- "guid": "895dcecb-9895-4a39-bafd-4df574353366",
- "service": "AppGW",
- "text": "Define the maximum instance count",
- "type": "checklist",
- "waf": "Performance"
- },
- {
- "description": "",
- "guid": "4d24ceaf-6ff5-4b88-96e2-851546c368c1",
- "service": "AppGW",
- "text": "Define the minimum instance count",
- "type": "checklist",
- "waf": "Performance"
- },
- {
- "description": "",
- "guid": "57675336-826b-4523-b248-bfe3c324c38a",
+ "guid": "6c174b42-25c9-48b5-a7f0-66194a921499",
 "service": "AppGW",
- "text": "Define Application Gateway subnet size",
+ "text": "Estimate capacity requirements for Application Gateway to support your workload requirements. Take advantage of the autoscaling functionality in Application Gateway v2. Set appropriate values for the minimum and maximum number of instances. Appropriately size the dedicated subnet that Application Gateway requires. 
For more information, see Recommendations for capacity planning.",
 "type": "checklist",
 "waf": "Performance"
 },
 {
 "description": "",
- "guid": "958240c8-23f1-447d-9cb7-ce9edb5aa606",
+ "guid": "6d050160-98d5-49dd-9181-c01917b3f19a",
 "service": "AppGW",
- "text": "Take advantage of Application Gateway V2 features for autoscaling and performance benefits",
+ "text": "Take advantage of features for autoscaling and performance benefits. The v2 SKU offers autoscaling, which scales up Application Gateway as traffic increases. Compared to the v1 SKU, the v2 SKU has capabilities that enhance the performance of the workload. For example, the v2 SKU has better TLS offload performance, quicker deployment and update times, and zone-redundancy support. For more information, see Scaling Application Gateway v2 and WAF v2.",
 "type": "checklist",
 "waf": "Performance"
 },
 {
- "description": "For Application Gateway v2 SKU, autoscaling takes some time (approximately six to seven minutes) before the additional set of instances is ready to serve traffic. During that time, if there are short spikes in traffic, expect transient latency or loss of traffic.We recommend that you set your minimum instance count to an optimal level. After you estimate the average instance count and determine your Application Gateway autoscaling trends, define the minimum instance count based on your application patterns. For information, see Application Gateway high traffic support.Check the Current Compute Units for the past one month. This metric represents the gateway's CPU utilization. To define the minimum instance count, divide the peak usage by 10. 
For example, if your average Current Compute Units in the past month is 50, set the minimum instance count to five.",
- "guid": "4d24ceaf-6ff5-4b88-96e2-851546c368c1",
- "service": "AppGW",
- "text": "Define the minimum instance count",
- "type": "recommendation",
- "waf": "Performance"
- },
- {
- "description": "We recommend 125 as the maximum autoscale instance count. Make sure the subnet that has the Application Gateway has sufficient available IP addresses to support the scale-up set of instances.Setting the maximum instance count to 125 has no cost implications because you're billed only for the consumed capacity.",
- "guid": "895dcecb-9895-4a39-bafd-4df574353366",
+ "description": "For Application Gateway v2, autoscaling takes approximately six to seven minutes before the extra set of instances are ready to serve traffic. During that time, if Application Gateway has short spikes in traffic, expect transient latency or loss of traffic.",
+ "guid": "b556535f-178c-4d6f-a2eb-be758dfd24da",
 "service": "AppGW",
- "text": "Define the maximum instance count",
+ "text": "Set the minimum instance count to an optimal level based on you estimated instance count, actual Application Gateway autoscaling trends, and your application patterns. Check the current compute units for the past month. This metric represents the gateway's CPU usage. To define the minimum instance count, divide the peak usage by 10. For example, if your average current compute units in the past month is 50, set the minimum instance count to five.",
 "type": "recommendation",
 "waf": "Performance"
 },
 {
- "description": "Application Gateway needs a dedicated subnet within a virtual network. The subnet can have multiple instances of the deployed Application Gateway resource. 
You can also deploy other Application Gateway resources in that subnet, v1 or v2 SKU.Here are some considerations for defining the subnet size:- Application Gateway uses one private IP address per instance and another private IP address if a private front-end IP is configured.- Azure reserves five IP addresses in each subnet for internal use.- Application Gateway (Standard or WAF SKU) can support up to 32 instances. Taking 32 instance IP addresses + 1 private front-end IP + 5 Azure reserved, a minimum subnet size of /26 is recommended. Because the Standard_v2 or WAF_v2 SKU can support up to 125 instances, using the same calculation, a subnet size of /24 is recommended.- If you want to deploy additional Application Gateway resources in the same subnet, consider the additional IP addresses that will be required for their maximum instance count for both, Standard and Standard v2.",
- "guid": "57675336-826b-4523-b248-bfe3c324c38a",
+ "description": "Application Gateway can scale out as needed to handle increased traffic to your applications. This setting doesn't increase cost because you only pay for the consumed capacity.",
+ "guid": "4d433fe8-4f14-4878-b319-c27bb4846a48",
 "service": "AppGW",
- "text": "Define Application Gateway subnet size",
+ "text": "Set the maximum autoscale instance count to the maximum possible, which is 125 instances. Make sure that the Application Gateway dedicated subnet has sufficient available IP addresses to support the increased set of instances.",
 "type": "recommendation",
 "waf": "Performance"
 },
 {
- "description": "The v2 SKU offers autoscaling to ensure that your Application Gateway can scale up as traffic increases. When compared to v1 SKU, v2 has capabilities that enhance the performance of the workload. For example, better TLS offload performance, quicker deployment and update times, zone redundancy, and more. 
For more information about autoscaling features, see Scaling Application Gateway v2 and WAF v2.If you are running v1 SKU Application gateway, consider migrating to the Application gateway v2 SKU. For more information, see Migrate Azure Application Gateway and Web Application Firewall from v1 to v2.",
- "guid": "508791c8-897f-4490-8590-fc33a9df8f73",
+ "description": "Use a /24 subnet to provide support for all IP addresses that your Application Gateway v2 deployment needs. Application Gateway uses one private IP address for each instance and another private IP address if you configure a private front-end IP. The Standard_v2 or WAF_v2 SKU can support up to 125 instances. Azure reserves five IP addresses in each subnet for internal use.",
+ "guid": "e3323d47-6019-49e3-bc22-a24bcfa4efba",
 "service": "AppGW",
- "text": "Take advantage of features for autoscaling and performance benefits",
+ "text": "Appropriately size the Application Gateway dedicated subnet. We highly recommend a /24 subnet for an Application Gateway v2 deployment. If you want to deploy other Application Gateway resources in the same subnet, consider the extra IP addresses that you require for the maximum instance count. For more considerations about sizing the subnet, see Application Gateway infrastructure configuration.",
 "type": "recommendation",
 "waf": "Performance"
 },
@@ -26511,7 +26964,7 @@
 ],
 "metadata": {
 "name": "WAF checklist",
- "timestamp": "October 02, 2024"
+ "timestamp": "October 21, 2024"
 },
 "severities": [
 {
diff --git a/checklists/checklist.en.master.json b/checklists/checklist.en.master.json
index db42e3e6d..f3f6709ba 100644
--- a/checklists/checklist.en.master.json
+++ b/checklists/checklist.en.master.json
@@ -1,43401 +1,44519 @@
 {
 "items": [
 {
- "category": "Storage",
- "checklist": "Azure Stack HCI Review",
- "guid": "9f519499-5820-4060-88fe-cab4538c9dd0",
- "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements",
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "41177955-fe8f-430b-ae72-20dc5b6880da",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview",
 "services": [
- "Storage"
+ "Entra"
 ],
- "severity": "Medium",
- "subcategory": "Physical",
- "text": "All planned storage pools should use direct-attached storage (SATA, SAS, NVMe)",
- "waf": "Performance"
+ "severity": "High",
+ "subcategory": "Business",
+ "text": "Understand what kind of solution you're creating, such as business-to-business (B2B), business-to-consumer (B2C), or your enterprise software, and how tenants are different from users.",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Stack HCI Review",
- "guid": "f7c015e0-7d97-4283-b006-567afeb2b5ca",
- "link": "https://learn.microsoft.com/azure-stack/hci/concepts/drive-symmetry-considerations#understand-capacity-imbalance",
- "services": [
- "ACR",
- "Storage"
- ],
- "severity": "Medium",
- "subcategory": "Physical",
- "text": "Disks are symmetrical across all nodes",
- "waf": "Performance"
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Business",
+ "text": "Define your tenants. 
Understand how many tenants you will support initially, and your growth plans.",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Stack HCI Review",
- "guid": "f785b143-2c1e-4466-9baa-dde8ba4c7aaa",
- "link": "https://learn.microsoft.com/azure-stack/hci/concepts/fault-tolerance#parity",
- "services": [
- "Storage",
- "Backup"
- ],
- "severity": "Medium",
- "subcategory": "S2D",
- "text": "Parity type disk redundancy should only be used for low I/O volumes (backup/archive)",
- "waf": "Performance"
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Business",
+ "text": "Define your pricing model and ensure it aligns with your tenants' consumption of Azure resources.",
+ "waf": "Cost"
 },
 {
- "category": "Storage",
- "checklist": "Azure Stack HCI Review",
- "guid": "8a705965-9840-43cc-93b3-06d089406bb4",
- "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements#physical-deployments",
- "services": [
- "Storage"
- ],
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "331e84a6-2d65-4359-92ff-a1870b062995",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models",
+ "services": [],
 "severity": "Medium",
- "subcategory": "S2D",
- "text": "Ensure there at least 2 capacity disks with available capacity in the Storage Pool",
- "waf": "Reliability"
- },
- {
- "category": "Storage",
- "checklist": "Azure Stack HCI Review",
- "guid": "2a4f629a-d623-4610-a8e3-d6fd66057d8e",
- "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/delimit-volume-allocation",
- "services": [
- "Storage"
- ],
- "severity": "Low",
- "subcategory": "S2D",
- "text": "'Delimited allocation' 
has been considered to improve volume resiliency in a multi-node failure",
- "waf": "Reliability"
+ "subcategory": "Business",
+ "text": "Understand whether you need to separate your tenants into different tiers. Tiers might have different pricing, features, performance promises, geographic locations, and so forth.",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Stack HCI Review",
- "guid": "960eb9be-1f0f-4fc1-9b31-fcf1cf9e34e6",
- "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#choosing-how-many-volumes-to-create",
- "services": [
- "Storage"
- ],
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
+ "services": [],
 "severity": "Medium",
- "subcategory": "S2D",
- "text": "CSVs are created in multiples of node count",
- "waf": "Performance"
+ "subcategory": "Business",
+ "text": "Based on your customers' requirements, decide on the tenancy models that are appropriate for various parts of your solution.",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Stack HCI Review",
- "guid": "859ba2b9-a3a8-4ca1-bb61-165effbf1c03",
- "link": "https://learn.microsoft.com/azure-stack/hci/concepts/cache",
+ "category": "Business",
+ "checklist": "Multitenant architecture",
+ "guid": "f5d76ae1-7048-4ff5-abba-f1ca799578b9",
+ "link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer",
 "services": [
- "Storage"
+ "Entra"
 ],
 "severity": "Medium",
- "subcategory": "S2D",
- "text": "If a cache tier is implemented, the number of capacity drives is a multiple of the number of cache drives",
- "waf": "Performance"
+ "subcategory": "Business",
+ "text": "When you're ready, sell your B2B multitenant solution using the Microsoft Commercial Marketplace.",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure 
Stack HCI Review",
- "guid": "d8a65f05-db06-461d-81dc-7899ad3f8f1e",
- "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#reserve-capacity",
- "services": [
- "Storage"
- ],
- "severity": "Medium",
- "subcategory": "S2D",
- "text": "A minimum of 1 type of each disk type per node has been factored as a reserve disk",
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Reliability",
+ "text": "Review the Azure Well-Architected Reliability checklist, which is applicable to all workloads.",
 "waf": "Reliability"
 },
 {
- "category": "Storage",
- "checklist": "Azure Stack HCI Review",
- "description": "VMFleet is a tool that can be used to measure the performance of a storage subsystem, best used to baseline performance prior to workload deployment",
- "guid": "9d138f1d-5363-476e-bbd7-acfa500bdc0c",
- "link": "https://github.com/microsoft/diskspd/wiki/VMFleet",
- "services": [
- "Storage"
- ],
- "severity": "Low",
- "subcategory": "S2D",
- "text": "VMFleet has been run prior to workload deployment to baseline storage performance",
- "waf": "Performance"
- },
- {
- "category": "Storage",
- "checklist": "Azure Stack HCI Review",
- "guid": "13c12e2a-c938-4dd1-9223-507d5e17f9c5",
- "services": [
- "Storage"
- ],
- "severity": "Medium",
- "subcategory": "Host OS",
- "text": "OS drives use a dedicated storage controller",
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75",
+ "link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Reliability",
+ "text": "Understand the Noisy Neighbor antipattern. 
Prevent individual tenants from impacting the system's availability for other tenants.",
 "waf": "Reliability"
 },
 {
- "category": "Storage",
- "checklist": "Azure Stack HCI Review",
- "guid": "a631e7dc-8879-45bd-b0a7-e5927b805428",
- "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-csv-cache",
- "services": [
- "Storage"
- ],
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview",
+ "services": [],
 "severity": "Medium",
- "subcategory": "Host OS",
- "text": "CSV in-memory read caching is enabled and properly configured",
- "waf": "Performance"
+ "subcategory": "Reliability",
+ "text": "Design your multitenant solution for the level of growth that you expect. But don't overengineer for unrealistic growth.",
+ "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure Stack HCI Review",
- "guid": "c062cd9a-f1db-4f83-aab3-9cb03f56c140",
- "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements#switch-embedded-teaming-set",
- "services": [
- "ACR"
- ],
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics",
+ "services": [],
 "severity": "Medium",
- "subcategory": "Host",
- "text": "NICs are symmetrical across nodes",
+ "subcategory": "Reliability",
+ "text": "Define service-level objectives (SLOs) and optionally service-level agreements (SLAs) for your solution. 
SLAs and SLOs should be based on the requirements of your tenants, as well as the composite SLA of the Azure resources in your architecture.",
 "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure Stack HCI Review",
- "guid": "ea8054db-a558-4533-80c8-5d9cf447ba19",
- "services": [
- "Storage"
- ],
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute",
+ "services": [],
 "severity": "High",
- "subcategory": "Host",
- "text": "Storage networking is redundant",
+ "subcategory": "Reliability",
+ "text": "Test the scale of your solution. Ensure that it performs well under all levels of load, and that it scales correctly as the number of tenants increases.",
 "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure Stack HCI Review",
- "guid": "15d976c5-e267-49a1-8b00-62010bfa5188",
- "link": "https://learn.microsoft.com/azure-stack/hci/deploy/network-atc",
+ "category": "Reliability",
+ "checklist": "Multitenant architecture",
+ "guid": "2ff55551-984b-4606-95eb-bfb9c8b36761",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute",
 "services": [],
 "severity": "Medium",
- "subcategory": "Host",
- "text": "Host networking configuration is managed by Network ATC and intents are healthy",
+ "subcategory": "Reliability",
+ "text": "Apply chaos engineering principles to test the reliability of your solution.",
 "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure Stack HCI Review",
- "guid": "676c53ad-b29a-4de1-9d03-d7d2674405b8",
- "link": "https://learn.microsoft.com/azure-stack/hci/concepts/network-hud-overview",
+ "category": "Security",
+ "checklist": "Multitenant architecture",
+ "guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c",
+ "link": "https://learn.microsoft.com/security/zero-trust",
 "services": [],
- 
"severity": "Low", - "subcategory": "Host", - "text": "Network HUD has been configured", - "waf": "Reliability" + "severity": "High", + "subcategory": "Security", + "text": "Apply the Zero Trust and least privilege principles in all layers of your solution.", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "8f6d58d9-6c1a-4ec1-b2d7-b2c6ba8f3949", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements", + "category": "Security", + "checklist": "Multitenant architecture", + "guid": "92160e00-6894-4102-97e0-615d4ed93c01", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests", "services": [ - "Storage", - "VNet" + "Entra" ], - "severity": "Medium", - "subcategory": "Host", - "text": "Storage NICs are assigned static IP addresses on separate subnets and VLANs", - "waf": "Reliability" + "severity": "High", + "subcategory": "Security", + "text": "Ensure that you can correctly map user requests to tenants. 
Consider including the tenant context as part of the identity system, or by using another means, like application-level tenant authorization.", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "824e53ec-953e-40c2-a6b8-52970b5b0f74", - "link": "https://learn.microsoft.com/azure-stack/hci/plan/two-node-switched-converged", + "category": "Security", + "checklist": "Multitenant architecture", + "guid": "3c1538b4-5676-4b85-b451-432befb37b4f", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", "services": [], "severity": "Medium", - "subcategory": "Host", - "text": "For switchless designs, dual link full mesh connectivity has been implemented", - "waf": "Reliability" + "subcategory": "Security", + "text": "Perform ongoing penetration testing and security code reviews.", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "dbc85d0e-0ebd-4589-a789-0fa8ceb1d0f0", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/physical-network-requirements#using-switchless", - "services": [ - "Storage" - ], - "severity": "Medium", - "subcategory": "Host", - "text": "If the cluster is made up of more than 3 nodes, a switched storage network has been implemented", - "waf": "Reliability" + "category": "Security", + "checklist": "Multitenant architecture", + "guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance", + "services": [], + "severity": "High", + "subcategory": "Security", + "text": "Understand your tenants' compliance requirements, including data residency and any compliance or regulatory standards that they require you to meet.", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "603c6d71-59d2-419c-a312-8edc6e799c6a", + "category": "Security", + "checklist": "Multitenant 
architecture", + "guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names", "services": [ - "Storage" + "DNS" ], "severity": "High", - "subcategory": "Host", - "text": "RDMA is enabled on the Storage networking", - "waf": "Performance" + "subcategory": "Security", + "text": "Correctly manage domain names and avoid vulnerabilities like dangling DNS and subdomain takeover attacks.", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "9e260eae-bca1-4827-a259-76ee63fda8d6", - "link": "https://github.com/microsoft/SDN/blob/master/Diagnostics/Test-Rdma.ps1", + "category": "Security", + "checklist": "Multitenant architecture", + "guid": "72ded36d-c633-4e0d-bd41-799a29da3481", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview", "services": [], "severity": "Medium", - "subcategory": "Host", - "text": "Test-RDMA.ps1 has been run to validate the RDMA configuration", - "waf": "Performance" - }, - { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "description": "This ensures that Management traffic is not exposed to the VM traffic", - "guid": "abc85d0e-0ebd-4589-a777-0fa8ceb1d0f0", - "link": "", - "services": [ - "VM" - ], - "severity": "Medium", - "subcategory": "Host", - "text": "If a VMSwitch is shared for Compute and Management traffic, require that Management traffic is tagged with a VLAN ID", + "subcategory": "Security", + "text": "Follow service-specific guidance for multitenancy.", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "description": "This ensures you have at least 3 NCs active at all times during NC upgrades.", - "guid": "eb36f5f4-0fa7-4a2c-85f3-1b1c7c7817c0", + "category": "Cost Optimization", + "checklist": "Multitenant architecture", + "guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8", + "link": 
"https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist", "services": [ - "VM" + "Cost" ], "severity": "Medium", - "subcategory": "SDN", - "text": "There are at least 3 Network Controller VMs deployed", - "waf": "Reliability" + "subcategory": "Cost Optimization", + "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", + "waf": "Cost" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "8bc78c85-6028-4a43-af2d-082a0a344909", - "link": "https://learn.microsoft.com/windows-server/networking/sdn/manage/update-backup-restore", + "category": "Cost Optimization", + "checklist": "Multitenant architecture", + "guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption", "services": [ - "Backup" + "Cost" ], "severity": "High", - "subcategory": "SDN", - "text": "Backups of SDN infrastructure are configured and tested", - "waf": "Operations" + "subcategory": "Cost Optimization", + "text": "Ensure you can adequately measure per-tenant consumption and correlate it with your infrastructure costs.", + "waf": "Cost" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "51eaa4b6-b9a7-43e1-a7dc-634d3107bc6d", + "category": "Cost Optimization", + "checklist": "Multitenant architecture", + "guid": "c851fd44-7cf1-459c-95a4-f6455d75a981", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation", "services": [ - "Monitor" + "Monitor", + "Cost" ], "severity": "Medium", - "subcategory": "Cluster", - "text": "SCOM Managed Instance has been considered for more complex monitoring and alerting scenarios", - "waf": "Operations" + "subcategory": "Cost Optimization", + "text": "Avoid antipatterns. 
Antipatterns include failing to track costs, tracking costs with unnecessary precision, real-time measurement, and using monitoring tools for billing.", + "waf": "Cost" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "831f5aca-99ef-41e7-8263-9509f5093b43", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/setup-hci-system-alerts", - "services": [ - "Monitor" - ], + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "0d475a5a-2c0f-47ab-b1e1-701da68d3407", + "link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops", + "services": [], "severity": "High", - "subcategory": "Cluster", - "text": "Alerts have been configured for the cluster, either using Azure Monitor, SCOM, or a third-party solution", + "subcategory": "Operational Excellence", + "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", "waf": "Operations" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "f95d0e7e-9f61-476d-bf65-59f2454d1d39", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later", - "services": [ - "Monitor" - ], + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle", + "services": [], "severity": "Medium", - "subcategory": "Cluster", - "text": "Insights has been enabled at the cluster level and all nodes are reporting data", + "subcategory": "Operational Excellence", + "text": "Use automation to manage the tenant lifecycle, such as onboarding, deployment, provisioning, and configuration.", "waf": "Operations" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": 
"f4250fcb-ff53-40c9-b304-3560464fd90c", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later", - "services": [ - "Monitor" - ], + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "e0bfceed-4f4e-492d-b9f5-898815faa363", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates", + "services": [], "severity": "Medium", - "subcategory": "Cluster", - "text": "Azure Monitoring Agent has been deployed to hosts and an appropriate Data Collection Rule has been configured", + "subcategory": "Operational Excellence", + "text": "Find the right balance for deploying service updates. Consider both your tenants' requirements and your own operational requirements.", "waf": "Operations" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "6143af1d-0d1a-4163-b1c9-662f7459bb98", + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "a3f80518-d428-4c02-b2cc-dfaef47db7e2", "services": [ "Monitor" ], - "severity": "Medium", - "subcategory": "Hardware", - "text": "Relevant hardware monitoring has been configured", + "severity": "High", + "subcategory": "Operational Excellence", + "text": "Monitor the health of the overall system, as well as each tenant.", "waf": "Operations" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "9cbdf225-549a-41cf-9c97-794766a6f2b0", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/health-service-overview", + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "dfb42da5-f871-4953-9e5c-da6fda3f1411", "services": [ "Monitor" ], "severity": "Medium", - "subcategory": "Hardware", - "text": "Relevant hardware alerting has been configured", + "subcategory": "Operational Excellence", + "text": "Configure and test alerts to notify you when specific 
tenants are experiencing issues or are exceeding their consumption limits.", "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "c0da5bbd-0f0d-4a26-98ec-38c9cc42b323", - "services": [ - "VM" - ], - "severity": "Low", - "subcategory": "VM Management - Resource Bridge", - "text": "The Azure CLI has been installed on every node to enable RB management from WAC", + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", + "services": [], + "severity": "High", + "subcategory": "Operational Excellence", + "text": "Organize your Azure resources for isolation and scale.", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "a8ecf23c-c048-4fa9-b87b-51ebfb409863", - "services": [ - "VM" - ], - "severity": "Low", - "subcategory": "VM Management - Resource Bridge", - "text": "DHCP is available in the cluster to support Guest Configuration at VM deployment from Azure", + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration", + "services": [], + "severity": "Medium", + "subcategory": "Operational Excellence", + "text": "Avoid deployment and configuration antipatterns. 
Antipatterns include running separate versions of the solution for each tenant, hardcoding tenant-specific configurations or logic, and manual deployments.", "waf": "Operations" }, { - "category": "Backup and Disaster Recovery", - "checklist": "Azure Stack HCI Review", - "guid": "074541e3-fe08-458a-8062-32d13dcc10c6", - "link": "https://learn.microsoft.com/azure/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines", - "services": [ - "Backup", - "VM", - "ASR" - ], + "category": "Performance Efficiency", + "checklist": "Multitenant architecture", + "guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd", + "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency", + "services": [], "severity": "High", - "subcategory": "VM", - "text": "Backups of HCI VMs have been configured using MABS or a third-party solution", - "waf": "Operations" + "subcategory": "Performance Efficiency", + "text": "Review the Azure Well-Architected Performance Efficiency checklist, which is applicable to all workloads.", + "waf": "Performance" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "48f7ae57-1035-4101-8a38-fbe163d03e8a", + "category": "Performance Efficiency", + "checklist": "Multitenant architecture", + "guid": "18911c4c-934c-49a8-839a-60c092afce30", + "link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor", "services": [], "severity": "High", - "subcategory": "Cluster Configuration", - "text": "Cluster configuration or a configuration script has been documented and maintained", - "waf": "Operations" + "subcategory": "Performance Efficiency", + "text": "If you use shared infrastructure, plan for how you'll mitigate Noisy Neighbor concerns. 
Ensure that one tenant can't reduce the performance of the system for other tenants.", + "waf": "Performance" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "f2a6a19a-ffe6-444d-badb-cb336c8e7b50", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/witness", + "category": "Performance Efficiency", + "checklist": "Multitenant architecture", + "guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", + "services": [ + "Storage" + ], + "severity": "Medium", + "subcategory": "Performance Efficiency", + "text": "Determine how you'll scale your compute, storage, networking, and other Azure resources to match the demands of your tenants.", + "waf": "Performance" + }, + { + "category": "Performance Efficiency", + "checklist": "Multitenant architecture", + "guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", "services": [], "severity": "High", - "subcategory": "Cluster Configuration", - "text": "A cluster witness has been configured for clusters with less than 5 nodes", + "subcategory": "Performance Efficiency", + "text": "Consider each Azure resource's scale limits. Organize your resources appropriately, in order to avoid resource organization antipatterns. 
For example, don't over-architect your solution to work within unrealistic scale requirements.", + "waf": "Performance" + }, + { + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "af416482-663c-4ed6-b195-b44c7068e09c", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", + "query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)", + "service": "Container Apps", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Leverage Availability Zones if regionally applicable", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "a47339fe-62c5-44a0-bb83-3d46ef16292f", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/update-cluster", + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", + "query": "resources | where type =~ 'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)", + "service": "Container Apps", "services": [], - "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "Cluster-Aware Updating has been configured for Windows and hardware updates (if available)", - "waf": "Operations" + "severity": "High", + "subcategory": "High Availability", + "text": "Use more than one replica and enable Zone Redundancy.", + "waf": "Reliability" }, { - "category": 
"Operations", - "checklist": "Azure Stack HCI Review", - "guid": "7f1d6fe8-3079-44ea-8ea6-14494d1aa470", - "link": "https://learn.microsoft.com/azure-stack/hci/deploy/validate", + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "services": [], "severity": "High", - "subcategory": "Cluster Configuration", - "text": "Cluster validation has been run against the configured cluster", + "subcategory": "High Availability", + "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "81693af0-5638-4aa2-a153-1d6189df30a7", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "services": [ - "VM" + "TrafficManager", + "FrontDoor" ], - "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "Azure Benefits has been enabled at the cluster and VM levels", - "waf": "Cost" + "severity": "High", + "subcategory": "High Availability", + "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "8c967ee8-8170-4537-a28d-33431cd3632a", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-environment-checker", + "category": "Operations management", + 
"checklist": "Microsoft Purview Review Checklist", + "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", + "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", + "service": "Purview", "services": [], "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "The Environment Checker module has been run to validate the environment", + "subcategory": "Best Practices", + "text": "Leverage FTA Resillency Handbook", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "43ffbfab-766e-4950-a102-78b479136e4d", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "AzurePolicy" + "ASR" ], - "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "Group Policy inheritance on the HCI cluster and node Active Directory organizational unit has been blocked or applied policies have been evaluated for compatibility issues (usually WinRM and PowerShell execution policy)", - "waf": "Operations" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Plan for Data Center level outage", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "e6a3f3a7-4a7d-49e2-985a-6e39dd284027", - "services": [], + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets", + "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", + "services": [ + "ASR" + ], "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "WAC is on the latest release and configured to automatically upgrade extensions", + "subcategory": "Disaster Recovery", + "text": "Practice Failover for BCDR", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "d1caa31f-cc26-42b2-b92f-2b667c0e6020", - "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "97b15b8a-219a-44ab-bb57-879024d22678", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "Entra" + "Backup" ], - "severity": "Medium", - "subcategory": "Stretch Clustering", - "text": "There is sub 5ms latency between each site if synchronous replication is being configured AAD", - "waf": "Performance" + "severity": "High", + "subcategory": "Backup and Restore ", + "text": "Plan a backup strategy and take regular backups", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "3277558e-3155-4088-b49a-78594cb4ce1a", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", + "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", + "service": "Purview", "services": [ - "Storage", - "VNet" + "EventHubs" ], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "Management, Replication and Storage networks excluded from stretched VLANs configurations, are routed, and in different subnets", + "severity": "Low", + "subcategory": "Purview Accounts Replications", + "text": "Use Microsoft Purview's Event 
Hubs to subscribe and create entities to another account", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "baed6066-8531-44ba-bd94-38cbabbf4099", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", + "link": "https://learn.microsoft.com/purview/deployment-best-practices", + "service": "Purview", "services": [], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "There is a plan detailed for site failure and recovery", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Purview accounts architectures and deployment best practices", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b4", - "services": [ - "ACR" - ], + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", + "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", + "service": "Purview", + "services": [], "severity": "Medium", - "subcategory": "Stretch Clustering", - "text": "Separate vLANs and networks are used for each replication network across both sites", + "subcategory": "Data catalog", + "text": "Follow Collection Architectures and best practices", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b5", - "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", - "services": [ - "Storage" - ], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "Use either a cloud witness or a file share witness in a third site for cluster quorum for clusters with less than 5 nodes", + "category": "Operations management", + "checklist": "Microsoft Purview 
Review Checklist", + "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", + "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Assest lifecycle best practices", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b6", - "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", + "service": "Purview", "services": [], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "When using data deduplication, only enable it on the primary/source volumes", + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow automation best practices", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "ac527887-f6f4-40a3-b883-e04d704f013b", - "link": "https://learn.microsoft.com/windows-server/storage/storage-replica/stretch-cluster-replication-using-shared-storage#provision-operating-system-features-roles-storage-and-network", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "Storage" + "Backup" ], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "Storage backing log volumes must be faster (ideally) or at least as fast as capacity storage", + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Backup and Migration Best practices", "waf": "Reliability" }, { - 
"category": "Backup and Disaster Recovery", - "checklist": "Azure Stack HCI Review", - "guid": "8ea49f70-1038-4283-b0c4-230165d3eabc", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-site-recovery", - "services": [ - "Backup", - "ASR" - ], + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", + "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", + "service": "Purview", + "services": [], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Azure Site Recovery has been considered for DR purposes", - "waf": "Operations" + "subcategory": "Data catalog", + "text": "Follow Purview Glossary Best Practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Stack HCI Review", - "guid": "03e65fdc-2628-4a1a-ba2e-a5174340ba52", - "link": "https://learn.microsoft.com/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", + "link": "https://learn.microsoft.com/purview/concept-workflow", + "service": "Purview", "services": [], - "severity": "Medium", - "subcategory": "Host", - "text": "BitLocker has been enabled on CSVs for volume encryption, where appropriate", - "waf": "Security" + "severity": "Low", + "subcategory": "Data catalog", + "text": "Leverage Workflows ", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Stack HCI Review", - "guid": "9645d2e6-ba28-453c-b6d5-d9ef29fc34be", - "link": "https://learn.microsoft.com/windows-server/storage/file-server/smb-security", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", + "link": 
"https://learn.microsoft.com/purview/concept-best-practices-security", + "service": "Purview", "services": [], "severity": "Medium", - "subcategory": "Host", - "text": "SMB encryption has been enabled, where appropriate", - "waf": "Security" + "subcategory": "Data catalog", + "text": "Follow Purview Security Best Practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Stack HCI Review", - "guid": "8f03437a-5068-4486-9a78-0402ce771298", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server", - "services": [ - "Defender" - ], + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", + "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", + "service": "Purview", + "services": [], "severity": "Medium", - "subcategory": "Host", - "text": "Microsoft Defender Antivirus has been enabled on all nodes", - "waf": "Security" + "subcategory": "Data Map", + "text": "Follow Purview Data Lineage Best Practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Stack HCI Review", - "guid": "dba6b211-fc02-43b3-b7c8-f163c188332e", - "link": "https://learn.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", + "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", + "service": "Purview", "services": [], "severity": "Medium", - "subcategory": "Host", - "text": "Credential Guard has been configured, where appropriate", - "waf": "Security" + "subcategory": "Data Map", + "text": "Follow Best Practices for Scanning Registered Sources", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry 
Security Review", - "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.", - "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", - "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", - "service": "ACR", - "services": [ - "ACR" - ], - "severity": "High", - "subcategory": "Data Protection", - "text": "Disable Azure Container Registry image export", - "waf": "Security" + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Map", + "text": "Follow Classification Best Practices in Governance Portal", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", - "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", - "service": "ACR", - "services": [ - "ACR", - "AzurePolicy" - ], - "severity": "High", - "subcategory": "Data Protection", - "text": "Enable Azure Policies for Azure Container Registry", - "waf": "Security" + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", + "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Map", + "text": "Perform Sensitivity Labelling in the Purview Data Map", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "The 
Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", - "guid": "d345293c-7639-4637-a551-c5c04e401955", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", - "service": "ACR", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", + "link": "https://learn.microsoft.com/purview/concept-data-share", + "service": "Purview", "services": [ - "ACR", - "AKV" + "Storage" ], - "severity": "High", - "subcategory": "Data Protection", - "text": "Sign and Verify containers with notation (Notary v2)", - "waf": "Security" + "severity": "Low", + "subcategory": "Data Sharing", + "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. 
By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", - "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", - "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", - "service": "ACR", - "services": [ - "ACR", - "AKV" - ], - "severity": "Medium", - "subcategory": "Data Protection", - "text": "Encrypt registry with a customer managed key", - "waf": "Security" + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Leverage Data Estate Insights", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", - "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", - "services": [ - "ACR", - "Entra", - "RBAC" - ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Use Managed Identities to connect instead of Service Principals", - "waf": "Security" + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", + "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Use Data stewardship and Catalog adoption", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", - "guid": "be0e38ce-e297-411b-b363-caaab79b198d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", - "services": [ - "ACR", - "Entra", - "RBAC" - ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Disable local authentication for management plane access", - "waf": "Security" + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Use Inventory and Ownership", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", - "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", - "service": "ACR", - "services": [ - "ACR", - "Entra", - "RBAC" - ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", - "waf": "Security" + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", + "link": "https://learn.microsoft.com/purview/glossary-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Disable anonymous pull/push 
access", - "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", - "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", - "service": "ACR", - "services": [ - "ACR", - "Entra" - ], + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b130a888-9579-4e76-a896-e710a7da7be9", + "link": "https://learn.microsoft.com/purview/compliance-manager", + "service": "Purview", + "services": [], "severity": "Medium", - "subcategory": "Identity and Access Control", - "text": "Disable Anonymous pull access", - "waf": "Security" + "subcategory": "Data Quality ", + "text": "Generate assessment scores", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Token authentication doesn't support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token", - "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", - "service": "ACR", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", + "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Quality ", + "text": "Profiling- get summaries of data content", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", + "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", + "service": "Purview", "services": [ - "ACR", - "Entra" + "AzurePolicy" ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Disable repository-scoped 
access tokens", - "waf": "Security" + "severity": "Low", + "subcategory": "Data Policy", + "text": "Follow Microsoft Purview Data Owner access policies", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", - "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", - "service": "ACR", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", + "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", + "service": "Purview", "services": [ - "ACR", - "Entra", - "PrivateLink", - "EventHubs" + "AzurePolicy" ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Deploy images from a trusted environment", - "waf": "Security" + "severity": "Low", + "subcategory": "Data Policy", + "text": "Follow Self-service access policies", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR", - "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", - "service": "ACR", + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", + "link": "https://learn.microsoft.com/purview/concept-policies-devops", + "service": "Purview", "services": [ - "ACR", - "Entra", "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Identity and Access Control", - "text": "Disable Azure ARM audience tokens for authentication", - "waf": "Security" + "severity": "Low", + "subcategory": "Data Policy", + "text": "Follow DevOps policies", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.", - "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", - "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", - "service": "ACR", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", "services": [ - "ACR", - "Monitor", - "Entra" + "VM" ], - "severity": "Medium", - "subcategory": "Logging and Monitoring", - "text": "Enable diagnostics logging", - "waf": "Security" + "severity": "Low", + "subcategory": "VM Scale Sets", + "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", - "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", - "service": "ACR", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", + "service": "VM", "services": [ - "ACR", - "Firewall", - "PrivateLink", - "VNet" + "VM", + "Backup" ], - "severity": "Medium", - "subcategory": "Network 
Security", - "text": "Control inbound network access with Private Link", - "waf": "Security" + "severity": "High", + "subcategory": "Virtual Machines", + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Disable public network access if inbound network access is secured using Private Link", - "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", - "service": "ACR", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", "services": [ - "ACR", - "PrivateLink" + "VM" ], - "severity": "Medium", - "subcategory": "Network Security", - "text": "Disable Public Network access", - "waf": "Security" + "severity": "High", + "subcategory": "Virtual Machines", + "text": "Use Premium or Ultra disks for production VMs", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Only the ACR Premium SKU supports Private Link access", - "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", - "service": "ACR", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", + "guid": "b31e38c3-f298-412b-8363-cffe179b599d", + "link": 
"https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", + "service": "VM", "services": [ - "ACR", - "PrivateLink" + "VM" ], - "severity": "Medium", - "subcategory": "Network Security", - "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", - "waf": "Security" + "severity": "High", + "subcategory": "Virtual Machines", + "text": "Ensure Managed Disks are used for all VMs", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities", - "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", - "service": "ACR", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", + "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", + "service": "VM", "services": [ - "ACR", - "Defender" + "VM", + "Storage", + "SQL" ], - "severity": "Low", - "subcategory": "Network Security", - "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", - "waf": "Security" + "severity": "Medium", + "subcategory": "Virtual Machines", + "text": "Do not use the Temp disk for anything that is not acceptable to be lost", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", - "service": "ACR", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", + "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "services": [ + "Storage", + "VM", "ACR" ], "severity": "Medium", - "subcategory": "Vulnerability Management", - "text": "Deploy validated container images", - "waf": "Security" + "subcategory": "Virtual Machines", + "text": "Leverage Availability Zones for your VMs in regions where they are supported", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "4e401955-387e-45ce-b126-cd132af5b20c", - "service": "ACR", + "category": 
"Compute", + "checklist": "Resiliency Review", + "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", + "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "VM", "services": [ - "ACR" + "VM" ], - "severity": "High", - "subcategory": "Vulnerability Management", - "text": "Use up-to-date platforms, languages, protocols and frameworks", - "waf": "Security" + "severity": "Medium", + "subcategory": "Virtual Machines", + "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "65285269-440c-44be-9d3e-0844276d4bdc", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foudations-playbooks-ADB_v1.docx", - "services": [], + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", + "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", + "services": [ + "VM", + "ASR" + ], "severity": "High", - "subcategory": "Best Practices", - "text": "Reference Databricks HA/DR playbook", + "subcategory": "Virtual Machines", + "text": "Avoid running a production workload on a single VM", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "89d558b9-37d3-4974-b111-2dbd7aaf12e6", - "link": "https://learn.microsoft.com/azure/databricks/security/secrets/secret-scopes", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time 
Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", + "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "services": [ - "Backup" + "VM", + "ASR", + "AVS" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Backup Your Workspace Configuration including ARM templates and Secret Scopes", + "severity": "High", + "subcategory": "Virtual Machines", + "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "b94ee5ef-47d2-4d92-a81b-1cd6d1f54b29", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/sharing-metadata-across-different-databricks-workspaces-using/ba-p/3679757", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", + "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", + "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", + "service": "VM", "services": [ - "ACR", - "Backup" + "VM" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Share MetaData Across different Databricks Workspaces using Hive External Metastore", + "severity": "Low", + "subcategory": "Virtual Machines", + "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "769e3969-0e78-428a-a936-657d03b0f466", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/disaster-recovery-strategy-in-azure-databricks-using-the-hive/ba-p/3684581", + "category": 
"Compute", + "checklist": "Resiliency Review", + "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", + "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", + "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", + "service": "VM", "services": [ - "Backup", + "VM", "ASR" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Plan Disaster Recovery Strategy in Databricks using the Hive External Metastore", + "subcategory": "Virtual Machines", + "text": "Increase quotas in DR region before testing failover with ASR", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "4b1d944a-3598-437e-b79d-6c6d3a364a5b", - "link": "https://www.databricks.com/blog/2021/04/20/attack-of-the-delta-clones-against-disaster-recovery-availability-complexity.html", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", + "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", + "service": "VM", "services": [ - "Backup" + "VM" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Backup your data with deep and shallow clones", + "severity": "Low", + "subcategory": "Virtual Machines", + "text": "Utilize Scheduled Events to prepare for VM maintenance", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "description": "Download the blob using Secondary Endpoint in RAGRS Storage Account", - "guid": "7abae48a-bd54-4cd7-ae2e-86768357c559", - "link": "https://techcommunity.microsoft.com/t5/azure-paas-blog/download-the-blob-using-secondary-endpoint-in-ragrs-storage/ba-p/2403750", + "category": "Data", + "checklist": "Resiliency Review", + "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", + "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "services": [ - "Storage", - "Backup" + "Storage" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Backup your data to Azure Storage RA-GRS", + "subcategory": "Storage Accounts", + "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "675c5ee8-5b85-49c7-944c-e3b1a28b875a", - "link": "https://learn.microsoft.com/azure/databricks/dev-tools/index-ci-cd", + "category": "Data", + "checklist": "Resiliency Review", + "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", + "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "services": [ - "Backup" + "Storage" ], - "severity": "High", - "subcategory": "Backup", - "text": "Backup your code with DevOps", + "severity": "Low", + "subcategory": "Storage Accounts", + "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "a1bf1038-9f03-4a4d-8ce4-63dbbbc8682a", - "link": "https://learn.microsoft.com/azure/databricks/administration-guide/disaster-recovery", + "category": "Data", + "checklist": "Resiliency Review", + "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data 
in the system for a specified period of time.", + "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "services": [ - "ASR" + "Storage" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Plan for Disaster recovery using Active/Active or Active/Passive Configuration", + "severity": "Low", + "subcategory": "Storage Accounts", + "text": "Enable soft delete for Storage Account Containers", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "description": "Migration package to log all Databricks resources for backup and/or migrating to another Databricks workspace", - "guid": "5abc92a4-eda1-4dae-8cc8-5c47c6b781cc", - "link": "https://github.com/databrickslabs/migrate", + "category": "Data", + "checklist": "Resiliency Review", + "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", + "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", + "services": [ + "Storage" + ], + "severity": "Low", + "subcategory": "Storage Accounts", + "text": "Enable soft delete for blobs", + "waf": "Reliability" + }, + { + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", + "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "service": "Azure Backup", "services": [ "Backup" ], "severity": "Medium", - "subcategory": 
"Migration", - "text": "Use Databricks Migration tools", + "subcategory": "Backup", + "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "a0e6c465-89d5-458b-a37d-3974d1112dbd", - "link": "https://github.com/databrickslabs/databricks-sync", - "services": [], + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", + "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", + "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", + "service": "Azure Backup", + "services": [ + "Backup" + ], "severity": "Low", - "subcategory": "Migration", - "text": "Use Databricks Sync", + "subcategory": "Backup", + "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "a96b96ad-8840-48f3-9273-4c876ba28021", - "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency", + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. 
This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", + "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", + "service": "Azure Backup", "services": [ - "DNS", - "VNet" + "Storage", + "Backup" ], - "severity": "High", - "subcategory": "Azure Private DNS", - "text": "Verify that Zones are linked to Vnets in multiple regions", + "severity": "Low", + "subcategory": "Backup", + "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "45901465-d38e-453f-accb-d969266acca2", - "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency", + "category": "General", + "checklist": "Resiliency Review", + "description": "Clearly define your organization's business continuity and disaster recovery requirements for your Azure environment. 
This includes identifying the critical applications, data, and services that need to be protected, as well as specifying the desired recovery objectives and strategies.", + "guid": "72e52e36-11dd-458c-9a4b-1521e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-business-continuity-disaster-recovery", "services": [ - "DNS" + "ASR" ], "severity": "High", - "subcategory": "Azure Private DNS", - "text": "If different Zones are used between regions, verify a plan for making sure that Zones are up to date in a DR failover situation", + "subcategory": "Design", + "text": "Define business continuity and disaster recovery requirements", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "74faa19b-f39d-495d-94c7-c8919ca1f6d5", - "link": "https://learn.microsoft.com/azure/reliability/reliability-traffic-manager?toc=%2Fazure%2Fdns%2Ftoc.json", - "services": [ - "TrafficManager", - "DNS", - "ASR" - ], - "severity": "Medium", - "subcategory": "Azure DNS", - "text": "Plan for disaster recovery with Azure DNS and Traffic Manager", + "category": "General", + "checklist": "Resiliency Review", + "description": "Ensure that your Azure architectures are designed with a focus on reliability. 
Consider implementing fault-tolerant mechanisms, redundancy, and resiliency patterns to minimize the impact of failures and maximize the availability of your applications and services.", + "guid": "c2399c4d-7b67-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/architecture/reliability/architect", + "services": [], + "severity": "High", + "subcategory": "Design", + "text": "Implement reliability best practices in Azure architectures", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "315ae524-ba34-4d45-a5e1-2139bd7bb012", - "link": "https://learn.microsoft.com/azure/dns/private-resolver-reliability#availability-zones", + "category": "General", + "checklist": "Resiliency Review", + "description": "IaC configurations can play a role in your disaster recovery plan, particularly in situations where recovery time is not time-sensitive. In the event of infrastructure recreation in a second region, IaC can be used to reproduce the necessary infrastructure.", + "guid": "fe237de2-43b1-46c3-8d7a-a9b7570449aa", + "link": "https://learn.microsoft.com/azure/well-architected/devops/automation-infrastructure", "services": [ - "DNS" + "RBAC", + "ASR" ], "severity": "Medium", - "subcategory": "Azure DNS Resolver", - "text": "Enable availability zones with Private Resolver", + "subcategory": "DevOps", + "text": "Implement Infrastructure as Code (IaC) for Rapid Infrastructure Recovery", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DNS Review Checklist", - "guid": "f7b95e06-e154-4e2a-a359-2828e6e20517", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure offers region pairs that are geographically separated and can be used for cross-region replication and disaster recovery. 
These region pairs provide redundancy and protection against regional or large-scale disasters.",
+ "guid": "dcb1f7d5-769a-4e56-aba3-8d4a85e2213d",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
 "services": [
- "DNS",
 "ASR"
 ],
 "severity": "Medium",
- "subcategory": "Azure DNS Resolver",
- "text": "Plan for failover with Private Resolvers in a Disaster Recovery",
+ "subcategory": "Multi-region",
+ "text": "Plan for cross-region recovery by leveraging region pairs",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "DNS Review Checklist",
- "guid": "2676ae46-691e-4883-9ad9-42223e138105",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-virtual-machines?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json&tabs=graph",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "By deploying an Application Gateway with a minimum instance count of two, you will have at least two instances available under normal circumstances. In the event that one of the instances encounters a problem, the other instance will handle the traffic while a new instance is being created. 
This approach significantly reduces the risk of service disruption and ensures a seamless experience for your users.",
+ "guid": "93c76286-37a5-451c-9b04-e4f1854387e5",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant#autoscaling-and-high-availability",
 "services": [
- "DNS",
- "VM"
+ "AppGW"
 ],
 "severity": "Medium",
- "subcategory": "VM Based DNS Service",
- "text": "Follow VM Guidance for resillency of VM",
+ "subcategory": "Application Gateways",
+ "text": "Deploy Application Gateways with a minimum instance count of 2 to avoid instance provisioning downtime",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "DNS Review Checklist",
- "guid": "23081a94-1741-4583-9ff7-ad7c6d373316",
- "link": "https://www.windows-active-directory.com/azure-ad-dns-for-custom-domain-names-with-advanced-dns-settings.html",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "The v2 SKU offers several advantages and critical new features that enhance the availability and resilience of your application infrastructure. One notable feature supported by the v2 SKU is zone redundancy, which allows an Application Gateway deployment to span multiple Availability Zones.",
+ "guid": "ced126cd-032a-4f5b-8fc6-998a535e3378",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
 "services": [
- "DNS",
- "Entra",
- "VM"
+ "AppGW",
+ "Storage"
 ],
- "severity": "Medium",
- "subcategory": "VM Based DNS Service",
- "text": "IF AD based DNS, follow the Identity -> Windows Server AD path",
+ "severity": "High",
+ "subcategory": "Application Gateways",
+ "text": "Deploy Azure Application Gateway v2 for zone redundancy support",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Disable image export to prevent data exfiltration. 
Note that this will prevent image import of images into another ACR instance.",
- "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e",
- "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "Azure Front Door provides automatic failover capabilities, ensuring continuity in the event of a primary region becoming unavailable. However, during the failover process, there may be a brief period (typically 20-60 seconds) when clients cannot reach the application. It is essential to review the Azure Front Door service level agreement (SLA) to determine whether relying solely on Front Door meets your business requirements for high availability. ",
+ "guid": "97e31c67-d68c-4f6a-92a1-194956d697dc",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/multi-region#azure-front-door",
 "services": [
- "WAF",
- "ACR"
+ "FrontDoor"
 ],
- "severity": "High",
- "text": "Disable Azure Container Registry image export",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Azure Front Door",
+ "text": "Consider a redundant traffic management solution in conjunction with Azure Front Door",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry",
- "guid": "d503547c-d447-4e82-9128-a7100f1cac6d",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "By implementing Traffic Manager, you can configure it to continuously monitor the health of your application endpoints and automatically redirect traffic to an alternate endpoint when necessary. 
This automation minimizes downtime and provides a more seamless experience for your users during disaster recovery scenarios.",
+ "guid": "8df03a82-2cd4-463c-abbc-8ac299ebc92a",
+ "link": "https://learn.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager",
 "services": [
- "WAF",
- "ACR",
- "AzurePolicy"
+ "TrafficManager",
+ "DNS",
+ "ASR",
+ "Monitor"
 ],
- "severity": "High",
- "text": "Enable Azure Policies for Azure Container Registry",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "DNS",
+ "text": "Plan for automated failover using Traffic Manager for DNS Traffic",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.",
- "guid": "d345293c-7639-4637-a551-c5c04e401955",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.",
+ "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146",
+ "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover",
+ "service": "DNS",
 "services": [
- "WAF",
- "ACR",
- "AKV"
+ "DNS",
+ "ASR",
+ "ACR"
 ],
- "severity": "High",
- "text": "Sign and Verify containers with notation (Notary v2)",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "DNS",
+ "text": "Implement DNS Failover using Azure DNS Private Resolvers",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.",
- "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49",
- "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.",
+ "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103",
+ "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters",
+ "service": "Data Gateways",
 "services": [
- "WAF",
- "ACR",
- "AKV"
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Encrypt registry with a customer managed key",
- "waf": "Security"
+ "subcategory": "Data Gateways",
+ "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": 
"WAF checklist",
- "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications",
- "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "When using ExpressRoute, it's important to design for high availability by incorporating redundancy in both the partner and customer networks. This can include multiple ExpressRoute circuits, redundant connections from your network to Microsoft, and ensuring your on-premises network equipment has redundant connections.",
+ "guid": "c0e7c28d-c936-4657-802b-ff4564b0d934",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
 "services": [
- "WAF",
- "ACR",
- "Entra",
- "RBAC"
+ "ExpressRoute"
 ],
- "severity": "High",
- "text": "Use Managed Identities to connect instead of Service Principals",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "ExpressRoute",
+ "text": "Ensure redundancy within both the partner network and customer network when utilizing ExpressRoute for high availability",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "The local Administrator account is disabled by default and should not be enabled. Use either Token or RBAC-based access methods instead",
- "guid": "be0e38ce-e297-411b-b363-caaab79b198d",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "The primary circuit should handle regular traffic while the backup circuit stays ready to take over if the primary circuit fails. 
Utilize BGP attributes to influence routing and designate your primary and backup circuits effectively.",
+ "guid": "a359c373-e7dd-4616-83a3-64a907ebae48",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
 "services": [
- "WAF",
- "RBAC"
+ "ExpressRoute",
+ "Backup"
 ],
- "severity": "High",
- "text": "Disable local authentication for management plane access",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "ExpressRoute",
+ "text": "When using multiple ExpressRoute circuits ensure that routing allows for a primary and backup",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations",
- "guid": "387e5ced-126c-4d13-8af5-b20c6998a646",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "S2S VPN connection can provide a cost-effective, resilient backup solution in the event of an ExpressRoute circuit failure. 
By using S2S VPN as a failover, you can maintain connectivity to your Azure resources without relying solely on ExpressRoute.",
+ "guid": "ead53cc7-de2e-48aa-ab35-71549ab9153d",
+ "link": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
 "services": [
- "WAF",
- "ACR",
- "Entra",
- "RBAC"
+ "Cost",
+ "ExpressRoute",
+ "VPN",
+ "Backup"
 ],
- "severity": "High",
- "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "ExpressRoute",
+ "text": "Consider deploying site-to-site VPN as a backup for your ExpressRoute private peering",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Disable anonymous pull/push access",
- "guid": "e338997e-41c7-47d7-acf6-a62a1194956d",
- "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "Standard Load Balancer SKU offers an SLA of 99.99% and a higher level of service availability compared to the Basic Load Balancer SKU.",
+ "guid": "778468d5-5a78-45d6-be96-c96ad8844cf3",
+ "link": "https://learn.microsoft.com/azure/load-balancer/skus",
 "services": [
- "WAF"
+ "LoadBalancer"
 ],
 "severity": "Medium",
- "text": "Disable Anonymous pull access",
- "waf": "Security"
+ "subcategory": "Load Balancers",
+ "text": "Leverage the Standard SKU for Load Balancers that handle traffic to production applications",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Token authentication doesn't support assignment to an AAD principal. 
Any tokens provided are able to be used by anyone who can access the token",
- "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "By configuring the load balancer with a zone-redundant frontend, it can serve zonal resources in any zone with a single IP address. As long as at least one zone remains healthy within the region, the IP address associated with the frontend can survive one or more zone failures. It is recommended to have multiple zonal resources, such as virtual machines from different zones, in the backend pool of the load balancer. ",
+ "guid": "b2b38c88-6ba2-4c02-8499-114a5d3ce574",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
 "services": [
- "WAF",
- "Entra"
+ "VM",
+ "LoadBalancer"
 ],
- "severity": "High",
- "text": "Disable repository-scoped access tokens",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Load Balancers",
+ "text": "For load balancers, consider using a zone-redundant frontend with multiple zonal resources in the backend",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network",
- "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "When designing health probes for your Azure Load Balancer, it is important to follow best practices to ensure reliable and accurate monitoring of your backend instances.",
+ "guid": "dccbd979-2a6b-4cca-8b5f-ea1ebf3dd95d",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview#design-guidance",
 "services": [
- "WAF",
- "ACR",
- 
"PrivateLink",
- "EventHubs"
+ "LoadBalancer",
+ "Monitor"
 ],
- "severity": "High",
- "text": "Deploy images from a trusted environment",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Load Balancers",
+ "text": "Select the right protocol, appropriate intervals and timeouts, representative paths and probe responses when defining Load Balancer Health Probes",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Only tokens with an ACR audience can be used for authentication. Used when enabling Conditional access policies for ACR",
- "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.",
+ "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
+ "service": "NVA",
 "services": [
- "WAF",
- "ACR",
- "Entra",
- "AzurePolicy"
+ "NVA"
 ],
- "severity": "Medium",
- "text": "Disable Azure ARM audience tokens for authentication",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "NVAs",
+ "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.",
- "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6",
- "link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "By deploying VPN Gateways in an active-active mode, you can distribute VPN traffic across multiple gateways, improving reliability and ensuring continuous connectivity in case of failures or maintenance.",
+ "guid": "927139b8-2110-42db-b6ea-f11e6f843e53",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable",
 "services": [
- "WAF",
- "ACR",
- "Monitor",
- "Entra"
+ "VPN",
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Enable diagnostics logging",
- "waf": "Security"
+ "subcategory": "VPN Gateways",
+ "text": "Deploy Azure VPN Gateways in an active-active mode to ensure high availability and redundancy for your VPN connections.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch",
- "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
- "service": "ACR",
+ "category": "Network",
+ "checklist": "Resiliency Review",
+ "description": "Zone-redundant SKUs ensure that your VPN gateways are physically and logically separated within a region, providing resiliency and scalability. 
This deployment configuration safeguards your on-premises network connectivity to Azure from zone-level failures.",
+ "guid": "f4722d92-8c1b-41cd-921f-54b29b9de39a",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways",
 "services": [
- "WAF",
- "Firewall",
- "PrivateLink",
- "VNet"
+ "VPN"
 ],
 "severity": "Medium",
- "text": "Control inbound network access with Private Link",
- "waf": "Security"
+ "subcategory": "VPN Gateways",
+ "text": "Use zone-redundant SKUs when deploying VPN Gateways to enhance resilience and protect against zone-level failures",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Disable public network access if inbound network access is secured using Private Link",
- "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access",
- "service": "ACR",
+ "category": "Foundation",
+ "checklist": "Azure Arc Review",
+ "description": "Define a resource group structure for placement of Azure Arc-enabled servers resources",
+ "guid": "585e1112-9bd7-4ba0-82f7-b94ef6e043d2",
 "services": [
- "WAF",
- "PrivateLink"
+ "Arc"
 ],
- "severity": "Medium",
- "text": "Disable Public Network access",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Capacity Planning",
+ "text": "One or more resource groups is required for onboarding servers into Azure",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Only the ACR Premium SKU supports Private Link access",
- "guid": "fc833934-8b26-42d6-ac5f-512925498f6d",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus",
- "service": "ACR",
+ "category": "Foundation",
+ "checklist": "Azure Arc Review",
+ "guid": 
"aa359271-8e6e-4205-8725-769e46691e88",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits",
 "services": [
- "WAF",
- "ACR",
- "PrivateLink"
+ "Entra",
+ "Arc"
 ],
 "severity": "Medium",
- "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)",
- "waf": "Security"
+ "subcategory": "Capacity Planning",
+ "text": "Take Azure Active Directory object limitations into account",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities",
- "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
- "service": "ACR",
+ "category": "Foundation",
+ "checklist": "Azure Arc Review",
+ "description": "The following resource providers needs to be registered: Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.HybridConnectivity",
+ "guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers",
 "services": [
- "WAF",
- "ACR",
- "Defender"
+ "Subscriptions",
+ "Arc"
 ],
- "severity": "Low",
- "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "General",
+ "text": "Has the Resource providers required been registered in all subscriptions",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
- "guid": "4451e1a2-d345-4293-a763-9637a551c5c0",
- "service": "ACR",
+ "category": "Foundation",
+ "checklist": "Azure Arc Review",
+ 
"description": "Aligning with an existing or creating an Azure tagging strategy is recommended. Resource tags allow you to quickly locate it, automate operational tasks amd more. ",
+ "guid": "c6d37331-65c7-4acb-b44b-be609d79f2e8",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/",
 "services": [
- "WAF"
+ "Arc"
 ],
- "severity": "Medium",
- "text": "Deploy validated container images",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "General",
+ "text": "Has a tagging strategy for Azure Arc-enabled servers been defined",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
- "guid": "4e401955-387e-45ce-b126-cd132af5b20c",
- "service": "ACR",
+ "category": "Foundation",
+ "checklist": "Azure Arc Review",
+ "description": "Installation of the connected machine agent is supported on most newer Windows and Linux operative systems, review the link to se the latest list",
+ "guid": "7778424c-5167-475c-9fa9-5b96ad88408e",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#supported-operating-systems",
 "services": [
- "WAF"
+ "Arc"
 ],
 "severity": "High",
- "text": "Use up-to-date platforms, languages, protocols and frameworks",
- "waf": "Security"
+ "subcategory": "General",
+ "text": "What operating systems need to be Azure Arc-enabled",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant = (sku=~'{\"name\":\"Standard\"}') | distinct id,compliant",
- "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac",
- "link": "https://learn.microsoft.com/azure/service-fabric/overview-managed-cluster#service-fabric-managed-cluster-skus",
- "service": "Azure Service Fabric",
+ "category": "Foundation",
+ "checklist": "Azure Arc 
Review",
+ "description": "There are software requirements to the agent installation. Some might require a system reboot after installation, review to link",
+ "guid": "372734b8-76ba-428f-8145-901365d38e53",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#software-requirements",
 "services": [
- "WAF"
+ "Arc"
 ],
- "severity": "Medium",
- "text": "Use Standard SKU for production scenarios.",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "General",
+ "text": "Are required software installed on Windows and Linux servers to support the installation",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "graph": "resources | where type=~'Microsoft.ServiceFabric/clusters' | extend nodeTypes= array_concat(properties.nodeTypes) | mv-expand nodeTypes | summarize BronzeDurabilityCount = countif(nodeTypes.durabilityLevel == 'Bronze') by id | extend compliant = (BronzeDurabilityCount == 0) | distinct id,compliant",
- "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-cluster-capacity#durability-characteristics-of-the-cluster",
- "service": "Azure Service Fabric",
+ "category": "Foundation",
+ "checklist": "Azure Arc Review",
+ "guid": "d44c7c89-19ca-41f6-b521-5ae514ba34d4",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc®ions=all",
 "services": [
- "WAF",
- "VM"
+ "Arc"
 ],
- "severity": "Medium",
- "text": "Use durability level Silver (5 VMs) or greater for production scenarios",
+ "severity": "High",
+ "subcategory": "General",
+ "text": "Make sure to use a supported Azure region",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant= ( properties.zonalResiliency =~ 'true') | distinct id,compliant",
- "guid": "2363878d-55c4-4cbd-9bc2-94523c85f12e",
- "link": 
"https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-availability-zones",
- "service": "Azure Service Fabric",
+ "category": "Foundation",
+ "checklist": "Azure Arc Review",
+ "description": "The scope include organization into management groups, subscriptions, and resource groups.",
+ "guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies",
 "services": [
- "WAF",
- "ACR"
+ "Subscriptions",
+ "Arc"
 ],
- "severity": "Medium",
- "text": "Consider using Availability Zones for your Service Fabric clusters. Service Fabric managed cluster supports deployments that span across multiple Availability Zones to provide zone resiliency. This configuration will ensure high-availability of the critical system services and your applications to protect from single-points-of-failure.",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Organization",
+ "text": "Define the structure for Azure management of resources",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5ba74cc8-3ca2-44d5-9a67-bdc8e102e7b4",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-api-management-overview",
- "service": "Azure Service Fabric",
+ "category": "Identity",
+ "checklist": "Azure Arc Review",
+ "description": "Define RBAC rules to the servers / resource groups as required for servers management, the 'Azure Connected Machine Resource Administrator' or 'Hybrid Server Resource Administrator' role would be sufficient for management of the Azure Arc-enabled servers resources in Azure",
+ "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control",
 "services": [
- "WAF",
- "APIM"
+ "Entra",
+ "RBAC",
+ "Arc"
 ],
 "severity": "Medium",
- "text": "Consider using Azure API Management to expose and offload 
cross-cutting functionality for APIs hosted on the cluster. API Management can integrate with Service Fabric directly.",
- "waf": "Reliability"
+ "subcategory": "Access",
+ "text": "Assign RBAC rights to Azure AD user/group access for managing Azure Arc-enabled servers",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "ef17bb8f-4e2c-488b-8ceb-a07c3d750dd3",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-reliable-services-introduction",
- "service": "Azure Service Fabric",
+ "category": "Identity",
+ "checklist": "Azure Arc Review",
+ "guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e",
+ "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad",
 "services": [
- "WAF"
+ "AKV",
+ "Entra",
+ "Arc"
 ],
- "severity": "Medium",
- "text": "For stateful workload scenarios, consider using Reliable Services. The Reliable Services model allows your services to stay up even in unreliable environments where your machines fail or hit network issues, or in cases where the services themselves encounter errors and crash or fail. 
For stateful services, your state is preserved even in the presence of network or other failures.",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Access",
+ "text": "Consider using managed identities for applications to access Azure resources like Key Vault example in link",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | summarize compliant = countif(sku.name matches regex '^Standard_[^d]*$' ) by id",
- "guid": "4da21268-f775-4c89-a271-eb80543c8df7",
- "service": "Azure Service Fabric",
+ "category": "Identity",
+ "checklist": "Azure Arc Review",
+ "description": "An Azure subscription must be parented to the same Azure AD tenant",
+ "guid": "35ac9322-23e1-4380-8523-081a94174158",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits",
 "services": [
- "WAF",
- "VM"
+ "Entra",
+ "Subscriptions",
+ "Arc"
 ],
- "severity": "Medium",
- "text": "Avoid VM SKUs with temp disk offerings. 
Service Fabric uses managed disks by default, so avoiding temp disk offerings ensures you don't pay for unneeded resources.",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "Requirements",
+ "text": "An Azure Active Directory tenant must be available with at least one subscription",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "1890b796-f300-41a3-a8d4-29738c1f4ad0",
- "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-stateless-node-type#temporary-disk-support",
- "service": "Azure Service Fabric",
+ "category": "Identity",
+ "checklist": "Azure Arc Review",
+ "description": "Users (or SPs) need the 'Azure Connected Machine Onboarding' or 'Contributor' role to onboarding of servers",
+ "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions",
 "services": [
- "WAF",
- "VM"
+ "Entra",
+ "RBAC",
+ "Arc"
 ],
 "severity": "Medium",
- "text": "If you need to select a certain VM SKU for capacity reasons and it happens to offer temp disk, consider using temporary disk support for your stateless workloads.",
- "waf": "Cost"
+ "subcategory": "Requirements",
+ "text": "Define which users (AAD user/groups) has access to onboard Azure Arc-enabled servers",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5247bb32-6778-49c7-8b40-e171c9a3ce1e",
- "service": "Azure Service Fabric",
+ "category": "Identity",
+ "checklist": "Azure Arc Review",
+ "description": "Ensure to only add the rights to users or groups that is required to perform their role",
+ "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale",
 "services": [
- "WAF"
+ "Entra",
+ "RBAC",
+ "Arc"
 ],
 "severity": "Medium",
- "text": "Align SKU selection and managed disk size with workload requirements. 
Matching your selection to your workload demands ensures you don't pay for unneeded resources.", - "waf": "Cost" + "subcategory": "Security", + "text": "Use the principle of least privileged", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "6028759b-446a-41bc-8b0e-7728e61ca704", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-networking#manage-nsg-rules", - "service": "Azure Service Fabric", + "category": "Identity", + "checklist": "Azure Arc Review", + "description": "A service principle with the 'Azure Connected Machine Onboarding' role is required for at-scale onboarding of servers, consider more SP's if onboarding is done by different teams/decentralized management", + "guid": "ad88408e-3727-434b-a76b-a28f21459013", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", "services": [ - "WAF", - "APIM", - "VNet" + "Entra", + "RBAC", + "Arc" ], "severity": "Medium", - "text": "Ensure Network Security Groups (NSG) are configured to restrict traffic flow between subnets and node types. 
For example, you may have an API Management instance (one subnet), a frontend subnet (exposing a website directly), and a backend subnet (accessible only to frontend).", + "subcategory": "Security", + "text": "How many Service Principals are needed for onboarding Arc-enabled servers into Azure", "waf": "Security" }, { - "checklist": "WAF checklist", - "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | extend compliant = (isnotnull(properties.virtualMachineProfile.osProfile.secrets))", - "guid": "4e98c903-14cf-4c72-9c45-b8b23bc4cbd8", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#deploy-key-vault-certificates-to-service-fabric-cluster-virtual-machine-scale-sets", - "service": "Azure Service Fabric", + "category": "Identity", + "checklist": "Azure Arc Review", + "description": "Consider assigning the rights for the 'Azure Connected Machine Onboarding' role at the resource group level, to control the resource creation", + "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", "services": [ - "Storage", - "VM", - "WAF", "Entra", - "AKV" + "RBAC", + "Arc" ], "severity": "Medium", - "text": "Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets. Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. 
Key Vault greatly reduces the chances that secrets may be accidentally leaked.", + "subcategory": "Security", + "text": "Limit the rights to onboard Azure Arc-enabled servers to the desired resource groups", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "001cbb6f-d88d-4431-8434-d01333397776", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster", - "service": "Azure Service Fabric", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Plan for agent deployments at scale", + "guid": "6ee79d6b-5c2a-4364-a4b6-9bad38aad53c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment", "services": [ - "WAF" + "Monitor", + "Arc" ], "severity": "Medium", - "text": "Apply an Access Control List (ACL) to your client certificate for your Service Fabric cluster. Using an ACL provides an additional level of authentication.", - "waf": "Security" + "subcategory": "Management", + "text": "Define a strategy for agent provisioning", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "4b74b7a5-bb1e-4fca-948c-037ba95fb73b", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-resource-governance#resource-governance-mechanism", - "service": "Azure Service Fabric", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Use Microsoft Update to ensure that the connected machine agent is always up-to-date", + "guid": "c78e1d76-6673-457c-9496-74c5ed85b859", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#upgrade-the-agent", "services": [ - "WAF", - "ACR" + "Monitor", + "Arc" ], - "severity": "Medium", - "text": "Use resource requests and limits to govern resource usage across the nodes in your cluster. 
Enforcing resource limits helps ensure that one service doesn't consume too many resources and starve other services.", - "waf": "Security" + "severity": "High", + "subcategory": "Management", + "text": "Define a strategy for agent updates", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "cd9233ba-f3aa-4353-8d2f-7ea4a64160e6", - "link": "", - "service": "Azure Service Fabric", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Recommendation is to use Azure Policy, or another automation tool like Azure DevOps - important is to avoid configuration drift.", + "guid": "c7733be2-a1a2-47b7-95a9-1be1f388ff39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions", "services": [ - "WAF" + "AzurePolicy", + "Monitor", + "Arc" ], "severity": "Medium", - "text": "Encrypt Service Fabric package secret values. Encryption on your secret values provides an additional level of security.", - "waf": "Security" + "subcategory": "Management", + "text": "Define a strategy for extension installation", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "44b989d4-9f72-42b6-99da-ec2a79f83299", - "link": "", - "service": "Azure Service Fabric", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Use automatic upgrades where available and define an update strategy for all extensions not supporting automatic upgrades.", + "graph": "resources | where type =~ 'microsoft.hybridcompute/machines/extensions'| extend compliant = (properties.enableAutomaticUpgrade == 'true') | distinct id, compliant", + "guid": "4c2bd463-cbbb-4c86-a195-abb91a4ed90d", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal", "services": [ - "WAF", - "AKV" + "Monitor", + "Arc" ], - "severity": "Medium", - "text": "Include client certificates in Service Fabric applications. 
Having your applications use client certificates for authentication provides opportunities for security at both the cluster and workload level.", - "waf": "Security" + "severity": "High", + "subcategory": "Management", + "text": "Define a strategy for extension updates", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "28e66ff7-4a77-4b2c-910d-0335f141208a", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets", - "service": "Azure Service Fabric", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Azure Machine Configuration to help implement Microsoft best-practices for servers management in Azure", + "guid": "7a927c39-74d1-4102-aac6-aae01e6a84de", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", "services": [ - "WAF", - "Entra" + "Monitor", + "Arc" ], "severity": "Medium", - "text": "Authenticate Service Fabric applications to Azure Resources using Managed Identity. 
Using Managed Identity allow you to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control.", - "waf": "Security" + "subcategory": "Management", + "text": "Consider using Azure Machine Configuration to control settings and avoid configuration drift on servers", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "f16c413c-00a6-43aa-852c-b97292c33a56", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#hosting-untrusted-applications-in-a-service-fabric-cluster", - "service": "Azure Service Fabric", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "guid": "37b6b780-cbaf-4e6c-9658-9d457a927c39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", "services": [ - "WAF" + "Monitor", + "Arc" ], - "severity": "Medium", - "text": "Follow Service Fabric best practices when hosting untrusted applications. 
Following the best practices provides a security standard to follow.", - "waf": "Security" + "severity": "High", + "subcategory": "Monitoring", + "text": "Monitor for unresponsive agents", + "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "guid": "74d1102c-ac6a-4ae0-8e6a-84de5df47d2d", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/log-analytics-agent#data-collected", "services": [ - "WAF", - "AppGW" + "Monitor", + "Arc" ], "severity": "Medium", - "text": "Ensure you are using Application Gateway v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Design a monitoring strategy to send metrics and logs to an Log Analytics workspace", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "guid": "92881b1c-d5d1-4e54-a296-59e3958fd782", + "link": "https://learn.microsoft.com/azure/service-health/resource-health-alert-monitor-guide", "services": [ - "WAF", - "LoadBalancer" + "Monitor", + "Arc" ], "severity": "Medium", - "text": "Ensure you are using 
the Standard SKU for your Azure Load Balancers", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Use notification in Activity logs to receive notification on unexpected changes to the resources", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "WAF checklist", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "guid": "89c93555-6d02-4bfe-9564-b0d834a34872", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights", "services": [ - "WAF", - "LoadBalancer" + "Monitor", + "Arc" ], "severity": "Medium", - "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Use Azure Monitor for compliance and operational monitoring", + "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": 
"https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", "services": [ - "WAF", - "AppGW", - "VNet" + "Monitor", + "Arc" ], "severity": "Medium", - "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Create an alert to identify Azure Arc-enabled servers that aren't using the latest version of the Azure connected machine agent", + "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. 
Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "category": "Management and Monitoring", + "checklist": "Azure Arc Review", + "description": "Use Azure Update Manager to manage and schedule updates at scale across your Azure Arc-enabled servers", + "graph": "resources | where type =~ 'microsoft.hybridcompute/machines' | project id = tolower(id), arcMachineName = name | join kind=leftouter (maintenanceresources | extend baseIdParts = split(tolower(id), '/providers/microsoft.maintenance/') | extend maintenanceMachineId = tostring(baseIdParts[0]) | project maintenanceMachineId, maintenanceId = id) on $left.id == $right.maintenanceMachineId | extend compliant = iif(maintenanceMachineId == '', 'No', 'Yes') | project id, compliant", + "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview%2Cwindows-maintenance", "services": [ - "NVA", - "WAF", - "Entra", - "AppGW", - "Subscriptions", - "VNet" + "Monitor", + "ACR", + "Arc" ], - "severity": "Medium", - "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "severity": "Low", + "subcategory": "Security", + "text": "Use Azure Arc-enabled servers to control software updates deployments to servers", + "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "The Connected Machine Agent will by default communicate with Azure services over public Internet connectivity using HTTPS (TCP port 443)", + "guid": "f6e043d2-aa35-4927-88e6-e2050725769e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details", "services": [ - "WAF", - "DDoS" + "Arc" ], - "severity": "Medium", - "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "High", + "subcategory": "Networking", + "text": "Define a connectivity method from the server to Azure", + "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "The Connected Machine Agent can be configured to use a proxy server, it is recommended to define the proxy server address using 'azcmagent config set proxy.url' command on the local system.", + "guid": "46691e88-35ac-4932-823e-13800523081a", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings", "services": [ - "WAF" + "Arc" ], "severity": "Medium", - "text": "Configure autoscaling with a minimum amount of instances of two.", 
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "subcategory": "Networking", + "text": "Is a proxy server a required for communication over the Public Internet", + "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "The Connected Machine Agent can use a Private Link for communication with Azure Services over an existing ExpressRoute or VPN connection", + "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security", "services": [ - "WAF", - "ACR", - "AppGW" + "PrivateLink", + "ExpressRoute", + "VPN", + "Arc" ], "severity": "Medium", - "text": "Deploy Application Gateway across Availability Zones", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "subcategory": "Networking", + "text": "Is a private (not public Internet) connection required?", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "Firewall configuration might be required for the agent to communicate with Azure, use the link to see ServiceTags and/or URL's required", + "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags", "services": [ - "WAF", - "AppGW", - "AzurePolicy", - "FrontDoor" + "Arc" ], - "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "severity": "High", + "subcategory": "Networking", + "text": "Will Firewall configurations be needed in order to ensure communication with Azure Services?", "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "WAF checklist", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "Use available automation tool for the system in question to regularly update the Azure endpoints", + "guid": "6fa95b96-ad88-4408-b372-734b876ba28f", + "link": "https://www.microsoft.com/download/details.aspx?id=56519", "services": [ - "WAF", - "TrafficManager" + "Arc" ], - "severity": "High", - "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Networking", + "text": "Can the Firewall or Proxy rules be automated updated if Service Tags or IP addresses change", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "category": "Networking", + "checklist": "Azure Arc 
Review", + "description": "Configure Servers to use Transport Layer Security (TLS) version 1.2", + "guid": "21459013-65d3-48e5-9f9c-cbd868266abc", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol", "services": [ - "WAF", - "AVD", - "Entra" + "Arc" ], - "severity": "Low", - "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "severity": "High", + "subcategory": "Networking", + "text": "Always use secure communication for Azure where possible", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "category": "Networking", + "checklist": "Azure Arc Review", + "description": "All extensions (like log analytics etc.) 
have separate network requirements, be sure to include all in the network design.", + "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method", "services": [ - "WAF", - "Entra" + "PrivateLink", + "Monitor", + "Arc" ], - "severity": "Medium", - "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "severity": "Low", + "subcategory": "Networking", + "text": "Include communication for Azure Arc-enabled Servers extensions in the design (firewall/proxy/private link)", "waf": "Security" }, { - "ammp": true, - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c", + "link": "https://learn.microsoft.com/azure/governance/policy/", "services": [ - "WAF", - "LoadBalancer" + "AzurePolicy", + "Arc" ], - "severity": "High", - "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Management", + "text": "Use Azure Policy to implement a governance model for hybrid connected servers", + "waf": "Security" 
}, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", "services": [ - "WAF", - "AppGW" + "Arc" ], - "severity": "High", - "text": "Enable the Azure Application Gateway WAF bot protection rule set. 
The bot rules detect good and bad bots.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Management", + "text": "Consider using Machine configurations for in guest OS configurations", + "waf": "Operations" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "667357c4-4967-44c5-bd85-b859c7733be2", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create", "services": [ - "WAF", - "AppGW", - "AzurePolicy" + "AzurePolicy", + "Arc" ], - "severity": "High", - "text": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Management", + "text": "Evaluate the need for custom Guest Configuration policies", + "waf": "Operations" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "49674c5e-d85b-4859-a773-3be2a1a27b77", + "link": "https://learn.microsoft.com/azure/automation/change-tracking/overview", "services": [ - "WAF", - "AppGW" 
+ "Monitor", + "Arc" ], - "severity": "High", - "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Consider using change tracking for tracking changes made on the servers", + "waf": "Operations" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "d5d1e54a-2965-49e3-a58f-d78289c93555", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency", "services": [ - "WAF", - "AppGW", - "AzurePolicy" + "Arc" ], - "severity": "High", - "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", + "severity": "Medium", + "subcategory": "Requirements", + "text": "Make sure to use an Azure region for storing the metadata approved by the organization", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", + "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts", "services": [ - "WAF", - "AppGW" + "AKV", + "Arc" ], "severity": "Medium", - "text": "Add rate limiting to the Azure Application Gateway WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "subcategory": "Secrets", + "text": "Use Azure Key Vault for certificate management on servers", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "description": "Consider using a short-lived Azure AD service principal client secrets.", + "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", + "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", "services": [ - "WAF", - "AppGW" + "AKV", + "Storage", + "Entra", + "Arc" ], - "severity": "Medium", - "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", + "severity": "High", + "subcategory": "Secrets", + "text": "What is the acceptable life time of the secret used by SP's", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "description": "A private key is saved to the disk, ensure this is protected using disk encryption", + "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption", "services": [ - "WAF" + "AKV", + "Arc" ], - "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "severity": "Medium", + "subcategory": "Secrets", + "text": "Secure the public key for Azure Arc-enabled Servers", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "description": "Local administrator is required to install the Connected Machine Agent on Windows and Linux systems", + "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually", "services": [ - "WAF", - "AppGW" + "Arc" ], - "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "severity": "High", + "subcategory": "Security", + "text": "Ensure there is local administrator access for executing the agent installation", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "description": "Members of the local administrator group on Windows and users with root privileges on Linux, have permissions to manage the agent via command line.", + "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions", "services": [ - "WAF", - "AppGW" + "Arc" ], "severity": "Medium", - "text": "Use the latest Azure Application Gateway WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "subcategory": "Security", + "text": "Limit the amount of users with local administrator rights to the servers", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication", "services": [ - "WAF", - "AppGW" + "Entra", + "Arc" ], "severity": "Medium", - "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", - "waf": "Operations" + "subcategory": "Security", + "text": "Consider using and restricting access to managed identities for applications.", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "description": "Use Defender for Endpoint or another AV and EDR solution to protect endpoints", + "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", "services": [ - "WAF", - "Sentinel", - "AppGW" + "Defender", + "Arc" ], "severity": "Medium", - "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "subcategory": "Security", + "text": "Enable Defender for Servers for all servers to 
secure hybrid workloads from threats", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", "services": [ - "WAF", - "AppGW" + "Arc" ], "severity": "Medium", - "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "subcategory": "Security", + "text": "Define controls to detect security misconfigurations and track compliance", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists", "services": [ - "WAF", - "AzurePolicy" + "Arc" ], "severity": "Medium", - "text": "Use WAF Policies instead of the legacy WAF configuration.", - "waf": "Operations" + "subcategory": "Security", + "text": "Use allow- or block-lists to control what extensions can be installed on the Azure Arc-enabled servers", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App 
Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "services": [ - "VPN", - "WAF", - "ExpressRoute", - "AppGW", - "VNet" + "Storage" ], "severity": "Medium", - "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", + "subcategory": " Overview", + "text": "Consider the 'Azure security baseline for storage'", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "services": [ - "WAF" + "Storage", + "PrivateLink" ], "severity": "High", - "text": "You should encrypt traffic to the backend servers.", + "subcategory": "Networking", + "text": "Consider using private endpoints for Azure Storage", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "services": [ - "WAF" + "RBAC", + "Storage", + "Subscriptions" + ], + "severity": "Medium", + "subcategory": "Governance", + "text": "Ensure older storage accounts are not using 'classic deployment model'", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", + "services": [ + "Storage", + "Defender" ], "severity": "High", - "text": "You should use a Web Application Firewall.", + "subcategory": "Governance", + "text": "Enable Microsoft Defender for all of your storage accounts", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "The soft-delete mechanism allows to 
recover accidentally deleted blobs.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Redirect HTTP to HTTPS", + "subcategory": "Data Availability", + "text": "Enable 'soft delete' for blobs", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", - "waf": "Operations" + "subcategory": "Confidentiality", + "text": "Disable 'soft delete' for blobs", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], "severity": "High", - "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", + "subcategory": "Data Availability", + "text": "Enable 'soft delete' for containers", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. 
for confidentiality, privacy or compliance reasons. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], - "severity": "Low", - "text": "Create custom error pages to display a personalized user experience", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Confidentiality", + "text": "Disable 'soft delete' for containers", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], - "severity": "Medium", - "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", + "severity": "High", + "subcategory": "Data Availability", + "text": "Enable resource locks on storage accounts", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "services": [ - "WAF", - "FrontDoor" + "AzurePolicy", + "Storage", + "Subscriptions" ], - "severity": "Medium", - "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", - "waf": "Performance" + "severity": "High", + "subcategory": "Data Availability, Compliance", + "text": "Consider immutable blobs", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], - "severity": "Medium", - "text": "Use transport layer load balancing", - "waf": "Performance" + "severity": "High", + "subcategory": "Networking", + "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], - "severity": "Medium", - "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", + "severity": "High", + "subcategory": "Networking", + "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "services": [ - "WAF", - "Entra" + "Storage" ], "severity": "Medium", - "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", + "subcategory": "Networking", + "text": "Limit 
shared access signature (SAS) tokens to HTTPS connections only", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "services": [ - "WAF", - "AppGW" - ], - "severity": "Low", - "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", - "waf": "Security" - }, - { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "WAF checklist", - "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", - "service": "PostgreSQL", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": ". Enforcing the latest TLS version will reject request from clients using the older version. ", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", + "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", + "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], - "severity": "Medium", - "text": "Leverage Flexible Server", - "waf": "Reliability" + "severity": "High", + "subcategory": "Networking", + "text": "Enforce the latest TLS version for a storage account", + "waf": "Security" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "WAF checklist", - "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", - "service": "PostgreSQL", + "category": "Security", + "checklist": "Azure Storage Review 
Checklist", + "description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "services": [ - "WAF" + "Storage", + "Entra" ], "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "Use Microsoft Entra ID tokens for blob access", + "waf": "Security" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "WAF checklist", - "guid": "31b67c67-be59-4519-8083-845d587cb391", - "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", - "service": "PostgreSQL", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "services": [ - "WAF" + "RBAC", + "Storage", + "Entra" ], "severity": "Medium", - "text": "Leverage cross-region read replicas for BCDR", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "Least privilege in IaM permissions", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", - "service": "Cognitive Services", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "services": [ - "WAF" + "Storage", + "Entra" ], - "severity": "Medium", - "text": "Leverage FTA HandBook for Cognitive Services", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity and Access Management", + "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Cognitive Services", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. 
", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "services": [ - "WAF", - "Backup" + "AKV", + "Storage", + "Monitor", + "Entra" ], - "severity": "Medium", - "text": "Backup Your Prompts", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity and Access Management", + "text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Cognitive Services", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "services": [ - "WAF", - "ASR" + "AKV", + "Storage", + "AzurePolicy", + "Monitor" ], "severity": "High", - "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", - "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", - "service": "Cognitive Services", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "services": [ - "WAF", - "Backup" + "AKV", + "Storage", + "AzurePolicy", + "Entra" ], "severity": "Medium", - "text": "Backup Your ChatGPT conversations", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", - "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", - "service": "Cognitive Services", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "services": [ - "WAF" + "AzurePolicy", + "Storage", + "Entra" ], "severity": "Medium", - "text": "CI/CD for custom speech", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "Consider configuring an SAS expiration policy", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "3687a046-7a1f-4893-9bda-43324f248116", - "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", - "service": "Cognitive Services", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "services": [ - "WAF" + "AzurePolicy", + "Storage", + "AKV", + "Entra" ], - "severity": "Low", - "text": "Move a knowledge base using export-import", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity and Access Management", + "text": "Consider linking SAS to a stored access policy", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "services": [ - "WAF" + "AKV", + "Storage" ], - "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "CI/CD", + "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "services": [ - "WAF" + "Storage", + "Entra" ], "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "services": [ - "WAF" + "AzurePolicy", + "Storage", + "Entra" ], "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "Strive for short validity periods for ad-hoc SAS", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "services": [ - "WAF", - "AppSvc" + "Storage", + "Entra" ], - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity and Access Management", + "text": "Apply a narrow scope to a SAS", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "services": [ - "WAF" + "Storage", + "Entra" ], "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", - "waf": "Operations" + "subcategory": "Identity and Access Management", + "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", "services": [ - "WAF" + "Storage", + "Entra" ], - "severity": "High", - "text": "Select the right Function hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Identity and Access Management", + "text": "Consider checking uploaded data, after clients used a SAS to upload a file. 
", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' and tolower(kind) !contains 'workflow' | extend aspResourceId = tostring(properties.serverFarmId), managedEnvId = tostring(properties.managedEnvironmentId), sku = tostring(properties.sku) | extend sku = iif(isnotempty(sku), sku, iif(isnotempty(managedEnvId), 'ContainerApps', '')) | where sku !in ('Dynamic', 'FlexConsumption', '') | extend aspName = tostring(split(aspResourceId, '/').[-1]), managedEnvName = tostring(split(managedEnvId, '/').[-1]) | extend HostingPlan = tostring(iif(isnotempty(aspName), aspName, managedEnvName)) | project functionAppName = name, functionAppId = id, HostingPlan, sku | join kind=inner ( resources | where type =~ 'Microsoft.Web/serverfarms' or type =~ 'Microsoft.App/managedEnvironments' | extend HostingPlan = tostring(name), zoneRedundant = tostring(properties.zoneRedundant), compliant = tobool(properties.zoneRedundant) | project HostingPlan, resourceId = id, zoneRedundant, compliant ) on HostingPlan | project functionAppName, functionAppId, sku, HostingPlan, resourceId, zoneRedundant, compliant", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "services": [ - "WAF" + "RBAC", + "Storage", + "Entra" ], "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "services": [ - "WAF" + "Storage", + "Entra" ], "severity": "Medium", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Storage 
supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "services": [ - "WAF", - "AppSvc" + "AzurePolicy", + "Storage" ], "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "subcategory": "Networking", + "text": "Avoid overly broad CORS policies", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' | where tolower(kind) !contains 'workflow' | where isnotempty(properties.serverFarmId) | extend sku = tostring(properties.sku) | where isnotempty(sku) | where sku !in ('Dynamic', 'FlexConsumption', 'ElasticPremium') | extend alwaysOn = properties.siteConfig.alwaysOn | project functionAppName = name, functionAppId = id, serverFarmId = tostring(properties.serverFarmId), sku, alwaysOn, compliant = tobool(alwaysOn)", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. 
thus not relying on Azure Storage at all for confidentiality guarantees.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "services": [ - "WAF", - "AppSvc" + "Storage" ], "severity": "High", - "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", - "waf": "Reliability" + "subcategory": "Confidentiality and Encryption", + "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "services": [ - "WAF", "Storage" ], "severity": "Medium", - "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled", - "waf": "Reliability" + "subcategory": "Confidentiality and Encryption", + "text": "Determine which/if platform encryption should be used.", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", - "waf": "Operations" + "subcategory": "Confidentiality and Encryption", + "text": "Determine which/if client-side encryption should be used.", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", - "service": "CosmosDB", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. 
Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "services": [ - "WAF" + "Storage", + "Entra" ], - "severity": "Medium", - "text": "FTA Resiliency Playbook", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity and Access Management", + "text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. ", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "category": "Operations Management", + "checklist": "Azure Storage Review Checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], "severity": "High", - "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "subcategory": "Platform Version", + "text": "Leverage a storagev2 account type for better performance and reliability", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", - "service": "CosmosDB", + "category": "BC and DR", + "checklist": 
"Azure Storage Review Checklist", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], - "severity": "Medium", - "text": "Run multiple replicas of the database (>1 ) in Prod", + "severity": "High", + "subcategory": "Availablity", + "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", - "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", - "service": "CosmosDB", + "category": "BC and DR", + "checklist": "Azure Storage Review Checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", "services": [ - "WAF", - "ACR" + "Storage" ], "severity": "Medium", - "text": "Leverage Multi-Region Writes", + "subcategory": "Failover", + "text": "For write operation after failover, use customer-Managed Failover ", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Span Cosmos account across two or more regions with multi-region writes", - "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", - "services": [ - "WAF", - "ACR" - ], - "severity": "Medium", - "text": 
"Distribute your data globally", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", - "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", - "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", - "service": "CosmosDB", + "category": "Operations Management", + "checklist": "Azure Storage Review Checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], - "severity": "High", - "text": "Choose from several well-defined consistency models", + "severity": "Medium", + "subcategory": "Failover", + "text": "Understand Microsoft-Managed Failover details", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. 
By using this API, you can carry out regular business continuity drills.", - "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", - "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", - "service": "CosmosDB", + "category": "Operations Management", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", "services": [ - "WAF", - "CosmosDB" + "Storage" ], "severity": "Medium", - "text": "Enable Service managed failover", + "subcategory": "Data Protection", + "text": "Enable Soft Delete", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.", - "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", - "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", - "service": "CosmosDB", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "When you are creating a SQL Server on Azure VM, carefully consider the type of workload necessary. If you are migrating an existing environment, collect a performance baseline to determine your SQL Server on Azure VM requirements. 
If this is a new VM, then create your new SQL Server VM based on your vendor requirements.", + "guid": "1fc3fc14-eea6-4e69-b8d9-a3eec218e687", + "link": "https://learn.microsoft.com/sql/dma/dma-sku-recommend-sql-db?view=sql-server-ver16", "services": [ - "WAF", - "CosmosDB", - "Storage", - "Backup" + "VM", + "SQL" ], - "severity": "Medium", - "text": "Enable Automatic Backups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Reliability" + "severity": "High", + "subcategory": "VM Size", + "text": "Collect the target workload's performance characteristics and use them to determine the appropriate VM size for your business.", + "waf": "Performance" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour.", - "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", - "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", - "service": "CosmosDB", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "The memory optimized virtual machine sizes are a primary target for SQL Server VMs and the recommended choice by Microsoft. 
The memory optimized virtual machines offer stronger memory-to-CPU ratios and medium-to-large cache options.Consider Ebdsv5-series series first for most SQL Server workloads.", + "guid": "e04abe1f-8d39-4fda-9776-8424c116775c", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size?view=azuresql#memory-optimized", "services": [ - "WAF", - "Backup" + "VM", + "SQL" ], "severity": "Medium", - "text": "Perform Periodic Backups", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Reliability" + "subcategory": "VM Size", + "text": "Use memory optimized virtual machine sizes for the best performance of SQL Server workloads.", + "waf": "Performance" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "To find the most effective configuration for SQL Server workloads on an Azure VM, start by measuring the storage performance of your business application. 
Once storage requirements are known, select a virtual machine that supports the necessary IOPS and throughput with the appropriate memory-to-vCore ratio.", + "guid": "2ea55b56-ad48-4408-be72-734b476ba18f", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance#counters-to-measure-application-performance-requirements", "services": [ - "WAF", - "CosmosDB", - "Backup" + "VM", + "Storage", + "SQL" ], "severity": "Medium", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Reliability" + "subcategory": "Storage", + "text": "Determine storage bandwidth and latency requirements for SQL Server data, log, and tempdb files before choosing the disk type.", + "waf": "Performance" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "WAF checklist", - "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "This provides more dedicated disk IOPS and throughput on the disk level and also allows you to configure the Azure disk host caching setting for each disk to the optimal setting for that data type.", + "guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "WAF", - "EventHubs" + "Storage", + "SQL" ], - "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "Place data, log, and tempdb files on separate drives", + "waf": "Performance" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "WAF checklist", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. ", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Premium SSD is always recommend as a minimum for SQL Server in order to obtain better performance and lower latency. 
P30 and P40 are recommended because disk caching is not supported for disks 4 TiB and larger ( P50 and above) and they provide the optimal price to performance ratio", + "guid": "e6a84de5-df43-4d19-a248-1718d5d1e5f6", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "WAF", - "EventHubs" + "Storage", + "SQL" ], - "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "For the data drive, use premium P30 and P40 or smaller disks to ensure the availability of cache support", + "waf": "Performance" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "WAF checklist", - "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. ", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Log files have primarily write-heavy operations. Therefore, they do not benefit from the ReadOnly cache. 
Hence evaluate your price vs performance vs capacity and chose the right storage disk.", + "guid": "25659d35-58fd-4772-99c9-31112d027fe4", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "TrafficManager", - "AzurePolicy", - "EventHubs", - "WAF", - "RBAC", - "Entra" + "Storage", + "SQL", + "Cost" ], - "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "For the log drive plan for capacity and test performance versus cost while evaluating the premium P30 - P80 disks", + "waf": "Performance" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "WAF checklist", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Placing TempDB on the D drive can help performance. 
Consider the size required and always test performance.", + "guid": "12f70983-f630-4472-8ee6-9d6b5c2622f5", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ "Storage", "VM", - "EventHubs", - "WAF", - "Entra", - "AKV" + "SQL" ], "severity": "Medium", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Storage", + "text": "Place tempdb on the local ephemeral SSD (default D:\\) drive for most SQL Server workloads that are not part of Failover Cluster Instance (FCI) after choosing the optimal VM size.", + "waf": "Performance" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "WAF checklist", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Striping Data and Log disk can increase bandwidth. 
Ensure that VM size also matches expected output", + "guid": "4b69bad3-4aad-45e8-a78e-1d76667313c4", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "WAF", - "RBAC", - "EventHubs" + "VM", + "Storage", + "SQL" ], "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "subcategory": "Storage", + "text": "Stripe multiple Azure data disks using Storage Spaces to increase I/O bandwidth", + "waf": "Performance" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "WAF checklist", - "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Your storage caching policy varies depending on the type of SQL Server data files that are hosted on the drive.Enable Read-only caching for the disks hosting SQL Server data files.Reads from cache will be faster than the uncached reads from the data disk.Set the caching policy to None for disks hosting the transaction log. 
There is no performance benefit to enabling caching for the Transaction log disk.",
+ "guid": "05674b5e-985b-4859-a773-e7e261623b77",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "WAF",
- "EventHubs",
- "Monitor",
- "VNet"
+ "AzurePolicy",
+ "Storage",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Storage",
+ "text": "Set host caching to read-only for data file disks and none for log file disks.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ",
- "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc",
- "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service",
- "service": "Event Hubs",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Check that you storage is in the same region as your VM. 
For exaplme if your VM is in EAST US 2 ensure your storage is in East US 2.",
+ "guid": "5a917e1f-348e-4f35-9c27-d42e8bbac868",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "WAF",
- "VNet",
- "PrivateLink",
- "EventHubs"
+ "VM",
+ "Storage",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Storage",
+ "text": "Provision the storage account in the same region as the SQL Server VM",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
- "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering",
- "service": "Event Hubs",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "SQL Server uses extents to store data. These are 64KB in size. 
Therefore, on a SQL Server machine, the NTFS allocation unit size for hosting SQL database files should be 64 KB.",
+ "guid": "155abb91-63e9-4908-ae28-c84c33b6b780",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "WAF",
- "EventHubs"
+ "Storage",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Storage",
+ "text": "Format your data disk to use 64 KB block size (allocation unit size) for all data files placed on a drive other than the temporary D:\\ drive",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "guid": "31d41e36-11c8-417b-8afb-c410d4391898",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx",
- "service": "Event Hubs",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "It is recommended that you determine BCDR needs and requirements ensuring that you are able to meet you SLAs of the environment.",
+ "guid": "8b9fe5c4-2049-4d41-9a92-3c3474d11028",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#azure-only-disaster-recovery-solutions",
 "services": [
- "WAF"
+ "VM",
+ "SQL"
 ],
 "severity": "Medium",
- "text": "Leverage FTA Resillency HandBook",
+ "subcategory": "HADR",
+ "text": "Determine HA/DR requirements for each VM to be migrated.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": " This will be turned on automatically for a new EH namespace 
created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones",
- "guid": "f15bce21-9e4a-40eb-9787-9424d226786d",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones",
- "service": "Event Hubs",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "When depoying High Availability you need to use availability sets or availability zones to avoid unexpected outages.",
+ "guid": "ac6aae01-e6a8-44de-9df4-3d1992481718",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#high-availability-nodes-in-an-availability-set",
 "services": [
- "WAF",
- "ACR",
- "EventHubs"
+ "VM",
+ "SQL"
 ],
 "severity": "High",
- "text": "Leverage Availability Zones if regionally applicable",
+ "subcategory": "HADR",
+ "text": "Place your VMs in an availability set or different availability zones.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "guid": "20b56c56-ad58-4519-8f82-735c586bb281",
- "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers",
- "service": "Event Hubs",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Prefered option when deploying an Availability Group. 
The recommended solution is to use multi-subnets when deploying Always on Availability Groups.",
+ "guid": "d5d1e5f6-2565-49d3-958f-d77249c93111",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-azure-portal-configure?view=azuresql&tabs=azure-cli",
 "services": [
- "WAF"
+ "VM",
+ "SQL",
+ "LoadBalancer",
+ "VNet"
 ],
 "severity": "Medium",
- "text": "Use the Premium or Dedicated SKUs for predicable performance",
+ "subcategory": "HADR",
+ "text": "Deploy your SQL Server VMs to multiple subnets whenever possible to avoid the dependency on an Azure Load Balancer or a distributed network name (DNN) to route traffic to your HADR solution. ( If one is implementing FCI or AG)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations",
- "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
- "service": "Event Hubs",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "High availability and disaster recovery (HADR) features, such as the Always On availability group and the failover cluster instance rely on underlying Windows Server Failover Cluster technology. 
Review the best practices for modifying your HADR settings to better support the cloud environment.",
+ "guid": "2d027fe4-12f7-4098-9f63-04722ee69d6b",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#hadr-configuration",
 "services": [
- "WAF",
 "ASR",
- "EventHubs"
+ "SQL"
 ],
 "severity": "High",
- "text": "Plan for Geo Disaster Recovery using Active Passive configuration",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs",
- "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
- "service": "Event Hubs",
- "services": [
- "WAF",
- "ASR",
- "EventHubs"
- ],
- "severity": "Medium",
- "text": "For Business Critical Applications, use Active Active configuration",
+ "subcategory": "HADR",
+ "text": "Change the cluster to less aggressive parameters to avoid unexpected outages from transient network failures or Azure platform maintenance. 
( If one is implementing FCI or AG)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c",
- "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
- "service": "Event Hubs",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Ensure that quorum is set correct for the number of instances deployed.",
+ "guid": "5c2622f5-4b69-4bad-94aa-d5e8c78e1d76",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/hadr-cluster-best-practices?view=azuresql-vm&tabs=windows2012#quorum-voting",
 "services": [
- "WAF",
- "EventHubs"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Design Resilient Event Hubs",
+ "severity": "High",
+ "subcategory": "HADR",
+ "text": "Configure cluster quorum voting to use 3 or more odd number of votes. Don't assign votes to DR regions. ( If one is implementing FCI or AG)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
- "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "On Azure virtual machines, clusters use a load balancer to hold an IP address that needs to be on one cluster node at a time. 
In this solution, the load balancer holds the IP address for the virtual network name (VNN) listener for the Always On availability group when the SQL Server VMs are in a single subnet.",
+ "guid": "667313c4-0567-44b5-b985-b859c773e7e2",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure?view=azuresql-vm&tabs=ilb",
 "services": [
- "WAF",
- "AKS"
+ "VM",
+ "SQL",
+ "LoadBalancer",
+ "VNet"
 ],
- "severity": "Low",
- "text": "If required for AKS Windows workloads HostProcess containers can be used",
+ "severity": "High",
+ "subcategory": "HADR",
+ "text": "When using the virtual network name (VNN) and Azure Load Balancer to connect to your HADR solution, specify MultiSubnetFailover = true in the connection string, even if your cluster only spans one subnet. ( If one is implementing FCI or AG)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
- "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "SQL Server, Azure SQL Database, and Azure SQL Managed Instance support row and page compression for rowstore tables and indexes, and support columnstore and columnstore archival compression for columnstore tables and indexes.",
+ "guid": "61623b77-5a91-47e1-b348-ef354c27d42e",
+ "link": "https://learn.microsoft.com/sql/relational-databases/data-compression/data-compression?view=sql-server-ver16",
 "services": [
- "WAF"
+ "Storage",
+ "SQL"
 ],
 "severity": "Low",
- "text": "Use KEDA if running event-driven workloads",
+ "subcategory": "SQL Server",
+ "text": "Enable database page compression where appropriate.",
 "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist", 
- "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
- "link": "https://dapr.io/",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "By default, data and log files are initialized to overwrite any existing data left on the disk from previously deleted files. Data and log files are first initialized by zeroing the files (filling with zeros).In SQL Server, for data files only, instant file initialization (IFI) allows for faster execution of the previously mentioned file operations, since it reclaims used disk space without filling that space with zeros. Instead, disk content is overwritten as new data is written to the files.",
+ "guid": "8bbac868-155a-4bb9-863e-9908ae28c84c",
+ "link": "https://learn.microsoft.com/sql/relational-databases/databases/database-instant-file-initialization?view=sql-server-ver16",
 "services": [
- "WAF"
+ "Storage",
+ "SQL"
 ],
- "severity": "Low",
- "text": "Use Dapr to ease microservice development",
+ "severity": "High",
+ "subcategory": "SQL Server",
+ "text": "Enable instant file initialization for data files.",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
- "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
- "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Recommended for best performance and availability migrate all databases to data and log disks",
+ "guid": "33b6b780-8b9f-4e5c-9204-9d413a923c34",
+ "link": "https://learn.microsoft.com/sql/relational-databases/databases/move-database-files?view=sql-server-ver16",
 "services": [
- "WAF",
- "AKS"
+ "SQL"
 ],
- "severity": "High",
- "text": "Use the SLA-backed AKS offering",
- "waf": 
"Reliability"
+ "severity": "Medium",
+ "subcategory": "SQL Server",
+ "text": "Move all databases to data disks, including system databases.",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "b824546c-e1ae-4e34-93ae-c8239248725d",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#sql-server-features",
 "services": [
- "WAF",
- "Cost"
+ "VM",
+ "Storage",
+ "SQL"
 ],
 "severity": "Low",
- "text": "Use Disruption Budgets in your pod and deployment definitions",
- "waf": "Reliability"
+ "subcategory": "SQL Server",
+ "text": "Move SQL Server error log and trace file directories to data disks.",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
- "service": "ACR",
- "services": [
- "WAF",
- "ACR"
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "d68c5b5c-2925-4394-a69a-9d2799c42bb6",
+ "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/server-memory-server-configuration-options#use-",
+ "services": [
+ "VM",
+ "SQL"
 ],
 "severity": "High",
- "text": "If using a private registry, configure region replication to store 
images in multiple regions",
- "waf": "Reliability"
+ "subcategory": "SQL Server",
+ "text": "Set max SQL Server memory limit to leave enough memory for the Operating System.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "8d1d7555-6246-4b43-a563-b4dc74a748b6",
+ "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/enable-the-lock-pages-in-memory-option-windows",
 "services": [
- "WAF",
- "Cost"
+ "VM",
+ "SQL"
 ],
- "severity": "Low",
- "text": "Use an external application such as kubecost to allocate costs to different users",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "SQL Server",
+ "text": "Enable lock pages in memory.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
- "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "633ad2a0-916a-4664-a8fa-d0e278ee293c",
+ "link": "https://learn.microsoft.com/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store",
 "services": [
- "WAF"
+ "VM",
+ "SQL"
 ],
 "severity": "Low",
- "text": "Use scale down mode to delete/deallocate nodes",
- "waf": "Cost"
+ "subcategory": "SQL Server",
+ "text": "Enable 
Query Store on all production SQL Server databases following best practices.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
- "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "1bc352ba-aab7-4571-a49a-b8093dc9ec9d",
+ "link": "https://learn.microsoft.com/sql/relational-databases/databases/tempdb-database#optimizing-tempdb-performance-in-sql-server",
 "services": [
- "WAF",
- "AKS"
+ "VM",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "When required use multi-instance partitioning GPU on AKS Clusters",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "SQL Server",
+ "text": "Ensure that all tempdb best practices are followed.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
- "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "1bb73b36-a5a6-47fb-a9ed-5b35478c3479",
+ "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
 "services": [
- "WAF"
+ "VM",
+ "SQL"
 ],
- "severity": "Low",
- "text": "If running a Dev/Test cluster use NodePool Start/Stop",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "SQL Server",
+ "text": "Schedule SQL Server Agent jobs to run DBCC CHECKDB, index reorganize, index rebuild, 
and update statistics jobs.",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
- "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "816b2863-cffe-41ca-a599-ef0d5a73dd4c",
+ "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
 "services": [
- "WAF",
- "AKS",
- "AzurePolicy"
+ "VM",
+ "SQL"
 ],
 "severity": "Medium",
- "text": "Use Azure Policy for Kubernetes to ensure cluster compliance",
- "waf": "Security"
+ "subcategory": "SQL Server",
+ "text": "Limit autogrowth of the database and Disable autoshrink",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
- "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Constrained vCPU virtual machines (VMs) are a type of VM where the vCPU count can be constrained to a half or a quarter of the original VM size. 
This allows customers to reduce the cost of software licensing while maintaining the same memory, storage, and I/O bandwidth",
+ "guid": "e36c1c81-770a-4fbc-9c0d-43918648d285",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/constrained-vcpu",
 "services": [
- "WAF"
+ "Storage",
+ "VM",
+ "SQL",
+ "Cost"
 ],
- "severity": "Medium",
- "text": "Separate applications from the control plane with user/system node pools",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Cost Optimization",
+ "text": "Optimize SQL Server License cost with Constrained vCPU VM's",
+ "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Azure Hybrid Benefit allows you to exchange your existing licenses for discounted rates on Azure SQL Database and Azure SQL Managed Instance. 
Y",
+ "guid": "7ed67178-b824-4546-ae1a-ee3453aec823",
+ "link": "https://azure.microsoft.com/en-ca/pricing/hybrid-benefit/",
 "services": [
- "WAF"
+ "SQL",
+ "Cost"
 ],
 "severity": "Low",
- "text": "Add taint to your system nodepool to make it dedicated",
- "waf": "Security"
+ "subcategory": "Cost Optimization",
+ "text": "Leverage Azure Hybrid benefit to maximize the value of your on premises licenses in the cloud",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
- "link": "https://learn.microsoft.com/azure/container-registry/",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "The SQL Server IaaS Agent extension (SqlIaasExtension) runs on SQL Server on Azure Windows Virtual Machines (VMs) to automate management and administration tasks.",
+ "guid": "9248725d-d68c-45b5-a292-5394a69a9d27",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/sql-agent-extension-automatic-registration-all-vms?view=azuresql-vm&tabs=azure-cli",
 "services": [
- "WAF",
- "ACR"
+ "VM",
+ "SQL"
 ],
 "severity": "Medium",
- "text": "Use a private registry for your images, such as ACR",
- "waf": "Security"
+ "subcategory": "Azure",
+ "text": "Register with the SQL IaaS Agent Extension to unlock a number of feature benefits.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
- "link": "https://learn.microsoft.com/azure/security-center/container-security",
- "service": "ACR",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Accelerated Networking provides consistent ultra-low network latency via Azure's in-house programmable 
hardware and technologies",
+ "guid": "99c42bb6-8d1d-4755-9624-6b438563b4dc",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
 "services": [
- "WAF"
+ "VM",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Scan your images for vulnerabilities",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Azure",
+ "text": "Ensure Accelerated Networking is enabled on the virtual machine.",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
- "service": "AKS",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Microsoft Defender detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases on the SQL server.",
+ "guid": "74a748b6-633a-4d2a-8916-a66498fad0e2",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls",
 "services": [
- "WAF"
+ "VM",
+ "SQL",
+ "Defender"
 ],
 "severity": "High",
- "text": "Define app separation requirements (namespace/nodepool/cluster)",
+ "subcategory": "Azure",
+ "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture of your virtual machine deployment.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
- "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
- "service": "AKS",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "There are some PaaS limitations that are introduced in SQL Managed Instance and some behavior changes compared to 
SQL Server. It is important to review and understand these differences.",
+ "guid": "78ee293c-1bc3-452b-aaab-7571849ab809",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server?view=azuresql",
 "services": [
- "WAF",
- "AKV"
+ "SQL",
+ "EventHubs"
 ],
- "severity": "Medium",
- "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Review the major differences between SQL Server and Managed Instance",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
- "link": "https://learn.microsoft.com/azure/aks/update-credentials",
- "service": "AKS",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. 
It is important to review these limits.",
+ "guid": "3dc9ec9d-1bb7-43b3-9a5a-67fba9ed5b35",
+ "link": "https://docs.microsoft.com/azure/azure-sql/managed-instance/resource-limits",
 "services": [
- "WAF"
+ "SQL"
 ],
 "severity": "High",
- "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)",
- "waf": "Security"
+ "subcategory": "Pre Migration",
+ "text": "Review capacity limits for SQL MI",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
- "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
- "service": "AKS",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "The instance settings between managed instance and your source SQL Server can be different . It is important to review those differences that can impact performance.",
+ "guid": "8bc178bd-c5a0-46ca-9144-351e19dd3442",
+ "link": "https://medium.com/azure-sqldb-managed-instance/compare-environment-settings-on-sql-server-and-azure-sql-that-may-impact-performance-e90c21fa9b08",
 "services": [
- "WAF"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "If required add Key Management Service etcd encryption",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Compare instance settings on SQL Server and Azure SQL MI that may impact performance",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
- "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
- "service": "AKS",
+ "category": "SQL Managed 
Instance",
+ "checklist": "SQL Migration Review",
+ "description": "Assess on-premises SQL Server instance(s) migrating to Azure SQL Managed Instance. The assessment workflow helps you to detect issues that block the migration itself and also partially supported and unsupported features",
+ "guid": "9eb72281-37a1-451c-9bb4-e4f1814287d5",
+ "link": "https://docs.microsoft.com/azure/dms/ads-sku-recommend",
 "services": [
- "WAF",
- "AKS"
+ "SQL"
 ],
- "severity": "Low",
- "text": "If required consider using Confidential Compute for AKS",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Run Data Migration assistant or Azure Data Studio Migration Extension to detect compatibility issues that can impact database functionality on Managed Instance",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "WAF checklist",
- "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
- "service": "AKS",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "The SKU recommendation feature can evaluate the source SQL Server performance and utilization characteristics to recommend a right-sized Azure SQL Managed Instance to assist with your migration journey.",
+ "guid": "ca8c26c9-b32a-4b5b-afc6-898a135e3378",
+ "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend",
 "services": [
- "WAF",
- "Defender"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Consider using Defender for Containers",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Select the right compute resources for your workload by leveraging the SKU recommendation tools.",
+ "training": 
"https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Review Unsupported Features, Migration Blockers and Breaking Changes for each database from the Assessment", + "guid": "97e31c67-d68c-4b69-82ac-19f906d697c8", + "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend", "services": [ - "WAF", - "Entra" + "SQL" ], "severity": "High", - "text": "Use managed identities instead of Service Principals", - "waf": "Security" + "subcategory": "Pre Migration", + "text": "Review and address the issues highlighted in DMA/Azure Data Studio", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "The SQL Managed Instance default DNS zone .database.windows.net can be changed with your own. 
However, the managed instance hostname part of its FQDN should remain the same.", + "guid": "eaded26b-dd18-46f0-ac25-1b999a68af87", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/frequently-asked-questions-faq?view=azuresql-mi#can-a-managed-instance-have-the-same-name-as-a-sql-server-on-premises-instance", "services": [ - "WAF", - "Entra" + "DNS", + "SQL" ], - "severity": "Medium", - "text": "Integrate authentication with AAD (using the managed integration)", - "waf": "Security" + "severity": "High", + "subcategory": "Pre Migration", + "text": "Plan for connection string changes as changing a managed instance name is not supported", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "There are addional requirements in configuring a vnet and subnet hosting the managed instance.", + "guid": "c9a7f821-b8eb-48c0-aa77-e25e4d5aeaa8", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-existing-add-subnet?view=azuresql-mi", "services": [ - "WAF" + "SQL", + "VNet" ], "severity": "Medium", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", - "waf": "Security" + "subcategory": "Pre Migration", + "text": "Review managed instance VNet requirements", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "category": "SQL 
Managed Instance", + "checklist": "SQL Migration Review", + "description": "Though it's possible to deploy managed instances to a subnet with a number of IP addresses that's less than the output of the subnet formula, always consider using bigger subnets instead. Using a bigger subnet can help avoid future issues stemming from a lack of IP addresses, such as the inability to create additional instances within the subnet or scale existing instances.", + "guid": "dc4e2436-bb33-46d7-85f1-7960eee0b9b5", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-subnet-determine-size?view=azuresql-mi", "services": [ - "WAF", - "Entra", - "RBAC" + "SQL", + "VNet" ], - "severity": "Medium", - "text": "Integrate authorization with AAD RBAC", - "waf": "Security" + "severity": "High", + "subcategory": "Deployment", + "text": "Ensure managed instance subnet has sufficient IP addresses available", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. 
SQL Managed Instance can be deployed on multiple hardware configurations.", + "guid": "c8defc4d-721d-431d-850f-b707ae9eab40", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/resource-limits?view=azuresql-mi#service-tier-characteristics", "services": [ - "WAF", - "AKS", - "RBAC" + "SQL" ], "severity": "High", - "text": "Use namespaces for restricting RBAC privilege in Kubernetes", - "waf": "Security" + "subcategory": "Pre Migration", + "text": "Plan between General Purpose and Business Critical tiers of MI", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "The auto-failover groups feature allows you to manage the replication and failover of user databases in a managed instance to a managed instance in another Azure region. Auto-failover groups are designed to simplify deployment and management of geo-replicated databases at scale.", + "guid": "ed329079-8bc1-478b-bc5a-06ca7144351e", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-sql-mi?view=azuresql-mi&tabs=azure-powershell", "services": [ - "WAF", - "Entra" + "SQL" ], - "severity": "Medium", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", - "waf": "Security" + "severity": "High", + "subcategory": "Pre Migration", + "text": "Based on your RPO/RTO's , determine if Auto failover Group needs to be implemented. 
If so, plan for the deployment attributes of the second instance.", + "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "There are multiple ways to connect your application to the managed instance. Review and understand the pros and cons and decide on the best approach for your application.", + "guid": "5d226886-d30b-466c-97be-595190f83845", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi", "services": [ - "WAF", - "AKS" + "SQL" ], - "severity": "Medium", - "text": "For AKS non-interactive logins use kubelogin (preview)", - "waf": "Security" + "severity": "Low", + "subcategory": "Pre Migration", + "text": "Review the Connectivity Design between Database and Application, test & validate it", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Compare migration options to choose the path that's appropriate to your business needs.", + "guid": "c586cb29-1ec1-46a1-b076-ef9f141acdce", + 
"link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview?view=azuresql-mi#migration-tools", "services": [ - "WAF", - "AKS" + "SQL" ], "severity": "Medium", - "text": "Disable AKS local accounts", - "waf": "Security" + "subcategory": "Pre Migration", + "text": "Plan for the Migration Method. Depending on the DB Size and Application downtime window, select the preferred Migration Method.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "After you verify that data is the same on both source and target, you can cut over from the source to the target environment. 
It's important to plan the cutover process with business / application teams to ensure minimal interruption during cutover doesn't affect business continuity.", + "guid": "579377bc-db37-451a-a2ac-1fad66e15d4d", + "link": "https://learn.microsoft.com/azure/dms/tutorial-sql-server-managed-instance-online#performing-migration-cutover", "services": [ - "WAF" + "SQL" ], - "severity": "Low", - "text": "Configure if required Just-in-time cluster access", - "waf": "Security" + "severity": "Medium", + "subcategory": "Pre Migration", + "text": "Plan the cutover process with business / application teams to ensure minimal interruption during cutover and it does not affect business continuity.", + "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "services": [ - "WAF", - "AKS", - "Entra" - ], - "severity": "Low", - "text": "Configure if required AAD conditional access for AKS", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "services": [ - "WAF", - "AKS" - ], - "severity": "Low", - "text": "If required for Windows AKS workloads configure gMSA ", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", - "services": [ - "WAF", - "Entra" - ], - 
"severity": "Medium", - "text": "For finer control consider using a managed Kubelet Identity", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "A time zone of a managed instance can be set during instance creation only. The default time zone is UTC", + "guid": "4a2adb1c-3d23-426a-b225-ca44e1695fdd", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/timezones-overview?view=azuresql#set-a-time-zone", "services": [ - "WAF", - "ACR", - "AppGW" + "SQL" ], - "severity": "Medium", - "text": "If using AGIC, do not share an AppGW across clusters", - "waf": "Reliability" + "severity": "High", + "subcategory": "Deployment", + "text": "Ensure you customize your time zone setting at the instance creation time. 
One cannot change it later.", + "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Server-level collation in Azure SQL Managed Instance can be specified when the instance is created and cannot be changed later.Default server-level collation is SQL_Latin1_General_CP1_CI_AS.", + "guid": "deace4cb-1deb-44c6-90c3-fc14eebb3693", + "link": "https://learn.microsoft.com/sql/relational-databases/collations/set-or-change-the-server-collation?view=sql-server-ver16", "services": [ - "WAF", - "AKS" + "SQL" ], "severity": "High", - "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", - "waf": "Reliability" + "subcategory": "Deployment", + "text": "Ensure you select the right collation setting at the instance creation time. 
One cannot change it later", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "When you're migrating a database protected by Transparent Data Encryption (TDE) to Azure SQL Managed Instance using the native restore option, the corresponding certificate from the SQL Server instance needs to be migrated before database restore.", + "guid": "829e3eec-2183-4687-a007-7a2b5945bda4", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/tde-certificate-migrate?view=azuresql-mi&tabs=azure-powershell", "services": [ - "WAF" + "VM", + "SQL" ], "severity": "Medium", - "text": "For Windows workloads use Accelerated Networking", - "waf": "Performance" + "subcategory": "Deployment", + "text": "For TDE Enabled Database, corresponding certificate from the on-premises or Azure VM SQL Server needs to be migrated before database restore", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "System databases can be restored only from backups that are created on the version of SQL Server that the server instance is currently running. 
This is not the case when you are migrating to SQL Managed Instance.Azure PowerShell and DBATools PowerShell libraries enable you to easily script and automate and customize all parts of the migration process.", + "guid": "3334fdf9-1c23-4418-8b65-275269440b4b", + "link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide?view=azuresql-mi#backup-and-restore", "services": [ - "WAF", - "LoadBalancer" + "SQL", + "Backup" ], - "severity": "High", - "text": "Use the standard ALB (as opposed to the basic one)", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Migration", + "text": "Restore of system databases is not supported. To migrate instance-level objects (stored in master or msdb databases), we recommend to script them out and run T-SQL scripts on the destination instance.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "When using migration options that continuously replicate / sync data changes from source to the target, the source data and schema can change and drift from the target. 
During data sync, ensure that all changes on the source are captured and applied to the target during the migration process.", + "guid": "e3d3e084-3276-4d4b-bc01-5bcf219e4a1e", "services": [ - "WAF", - "VNet" + "SQL" ], - "severity": "Medium", - "text": "If using Azure CNI, consider using different Subnets for NodePools", - "waf": "Security" + "severity": "High", + "subcategory": "Migration", + "text": "Ensure that all changes on the source are captured and applied to the target during the migration process.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Ensure that the application is able to succesffuly connect to the managed instance post migration of the databases.", + "guid": "b5887952-5d22-4688-9d30-b66c57be5951", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi", "services": [ - "WAF", - "PrivateLink", - "VNet" + "SQL" ], "severity": "Medium", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", - "waf": "Security" + "subcategory": "Migration", + "text": "Test Application Connectivity to MI and Databases", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL 
Migration Review", + "description": "High availability is a fundamental part of SQL Managed Instance platform that works transparently for your database applications. Failovers from primary to secondary nodes in case of node degradation or fault detection, or during regular monthly software updates are an expected occurrence for all applications using SQL Managed Instance in Azure.", + "guid": "90f83845-c586-4cb2-a1ec-16a1d076ef9f", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/user-initiated-failover?view=azuresql", "services": [ - "WAF" + "SQL" ], "severity": "High", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", + "subcategory": "Post Migration", + "text": "Consider executing a manual failover on SQL Managed Instance to test for fault and failover resiliency.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Ensuring that your applications are failover resilient prior to deploying to production will help mitigate the risk of application faults in production and will contribute to application availability for your customers.", + "guid": "141acdce-5793-477b-adb3-751ab2ac1fad", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-configure-sql-mi?view=azuresql&tabs=azure-portal#test-failover", "services": [ - "WAF", - "VNet" + "EventHubs", + "SQL", + "LoadBalancer" ], "severity": "High", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "subcategory": "Post Migration", + 
"text": "If failover groups have been implemented, Test Manual Failover and Failback and test application connectivity behavior during failover/failback", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "This provides more dedicated disk IOPS and throughput", + "guid": "aa359272-8e6e-4205-8726-76ae46691e88", + "link": "https://techcommunity.microsoft.com/t5/azure-sql-blog/storage-performance-best-practices-and-considerations-for-azure/ba-p/305525", "services": [ - "WAF" + "Storage", + "SQL" ], "severity": "High", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "subcategory": "Post Migration", + "text": "Optimize Storage Performance for General Purpose Managed Instance", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Many organizations have policies that require that certificates or encryption keys be created and managed internally. If your organization has a similar policy, this architecture might apply to you. If your customers require internal management of these items, the architecture also might apply to you.", + "guid": "35ad9422-23e1-4381-8523-081a94174158", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/data/sql-managed-instance-cmk", "services": [ - "WAF", - "AKS", - "VNet" + "AKV", + "AzurePolicy", + "SQL", + "Backup" ], "severity": "Low", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", + "subcategory": "Post Migration", + "text": "Enable Customer managed TDE for taking your own copy only full backups", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "The maintenance window feature provides you with the ability to onboard Azure SQL resource to prescheduled time blocks outside of business hours.", + "guid": "33ef7ad7-c6d3-4733-865c-7acbe44bbe60", + "link": "https://learn.microsoft.com/azure/azure-sql/database/planned-maintenance?view=azuresql", "services": [ - "WAF" + "SQL" ], - "severity": "High", - 
"text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Post Migration", + "text": "Plan for Azure maintenance events", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "By using the long-term retention (LTR) feature, you can store specified SQL Database and SQL Managed Instance full backups in Azure Blob storage with configured redundancy for up to 10 years.", + "guid": "9d89f2e8-7778-4424-b516-785c6fa96b96", + "link": "https://learn.microsoft.com/azure/azure-sql/database/long-term-retention-overview?view=azuresql-mi", "services": [ - "WAF" + "Storage", + "SQL", + "Backup", + "ARS" ], "severity": "Low", - "text": "If required add your own CNI plugin", - "waf": "Security" + "subcategory": "Post Migration", + "text": "Configure Long Term backup retention, view backups and restore from backups", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "By using Azure Hybrid Benefit, you can achieve cost savings, modernise and maintain a flexible hybrid environment while optimising business applications.", + "guid": 
"ad88408f-3727-434c-a76b-a28021459014", + "link": "https://azure.microsoft.com/en-gb/pricing/hybrid-benefit/#overview", "services": [ - "WAF", - "AKS" + "SQL", + "Cost" ], "severity": "Low", - "text": "If required configure Public IP per node in AKS", - "waf": "Performance" + "subcategory": "Post Migration", + "text": "Take advantage of Azure Hybrid Benefit and Azure Reservations where applicable.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "If you don't have threat protection Advanced Threat Protection is part of the Microsoft Defender for SQL offering, which is a unified package for advanced SQL security capabilities.", + "guid": "65d38e53-f9cc-4bd8-9926-6acca274faa1", + "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-overview?view=azuresql", "services": [ - "WAF" + "SQL", + "Defender" ], "severity": "Medium", - "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", - "waf": "Reliability" + "subcategory": "Post Migration", + "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", + "category": "Automation", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": 
"https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "services": [ - "WAF" + "SAP" ], - "severity": "Low", - "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "ACSS", + "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "category": "Automation", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "services": [ - "WAF" + "SAP" ], "severity": "Medium", - "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", - "waf": "Reliability" + "subcategory": "SDAF", + "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "services": [ - "WAF", - "NVA" + "Backup", + "ASR", + "SAP" ], - "severity": "High", - "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", - "waf": "Security" + "severity": "Medium", + "subcategory": "Backup and restore", + "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + 
"category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "services": [ - "WAF" + "ASR", + "Backup", + "SAP" ], "severity": "Medium", - "text": "If using a public API endpoint, restrict the IP addresses that can access it", - "waf": "Security" + "subcategory": "Disaster recovery", + "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "services": [ - "WAF" + "SQL", + "Storage", + "ASR", + "Backup", + "SAP" ], "severity": "High", - "text": "Use private clusters if your requirements mandate it", - "waf": "Security" + "subcategory": "Disaster recovery", + "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. 
Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "services": [ - "WAF", - "AKS", - "AzurePolicy" + "ASR", + "SAP" ], "severity": "Medium", - "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "services": [ - "WAF", - "AKS", - "AzurePolicy" - ], - "severity": "High", - "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", - "waf": "Security" + "subcategory": "Disaster recovery", + "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "services": [ - "WAF", - "AKS", - "AzurePolicy" + "ExpressRoute", + "ASR", + "VPN", + "SAP" ], "severity": "High", - "text": "Use Kubernetes network policies to increase intra-cluster security", - "waf": "Security" + "subcategory": "Disaster recovery", + "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "services": [ - "WAF" + "AKV", + "ASR", + "SAP", + "ACR" ], - "severity": "High", - "text": "Use a WAF for web workloads (UIs or APIs)", - "waf": "Security" + "severity": "Low", + "subcategory": "Disaster recovery", + "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - 
"link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "services": [ - "WAF", - "DDoS", - "AKS", + "ASR", + "SAP", "VNet" ], "severity": "Medium", - "text": "Use DDoS Standard in the AKS Virtual Network", - "waf": "Security" + "subcategory": "Disaster recovery", + "text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", "services": [ - "WAF" + "Storage", + "ASR", + 
"SAP" ], "severity": "Low", - "text": "If required add company HTTP Proxy", - "waf": "Security" + "subcategory": "Disaster recovery", + "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "services": [ - "WAF" + "ASR", + "SAP" ], - "severity": "Medium", - "text": "Consider using a service mesh for advanced microservice communication management", - "waf": "Security" + "severity": "High", + "subcategory": "Disaster recovery", + "text": "Native database replication technology should be used to synchronize the database in a HA pair.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend 
addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", "services": [ - "WAF", - "Monitor" + "ASR", + "VNet", + "SAP" ], "severity": "High", - "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", - "waf": "Operations" + "subcategory": "Disaster recovery", + "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", "services": [ - "WAF", + "VM", + "ASR", + "SAP", "Entra" ], - "severity": "Low", - "text": "Check regularly Azure Advisor for recommendations on your cluster", - "waf": "Operations" + "severity": "High", + "subcategory": "Disaster recovery", + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ - "WAF", - "AKS" + "ASR", + "SAP" ], - "severity": "Low", - "text": "Enable AKS auto-certificate rotation", - "waf": "Operations" + "severity": "High", + "subcategory": "High availability", + "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", "services": [ - "WAF", - "AKS" + "ASR", + "SAP" ], "severity": "High", - "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", - "waf": "Operations" + "subcategory": "High availability", + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "services": [ - "WAF" + "VM", + "Storage", + "ASR", + "SAP" ], "severity": "High", - "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", - "waf": "Operations" + "subcategory": "High availability", + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", "services": [ - "WAF" + "Storage", + "ASR", + "SAP" ], "severity": "High", - "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", - "waf": "Operations" + "subcategory": "High availability", + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", "services": [ - "WAF" + "ASR", + "SAP" ], - "severity": "Low", - "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", - "waf": "Operations" + "severity": "High", + "subcategory": "High availability", + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project 
tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", "services": [ - "WAF", - "AKS" + "ASR", + "LoadBalancer", + "SAP" ], - "severity": "Low", - "text": "Consider using AKS command invoke on private clusters", - "waf": "Operations" + "severity": "High", + "subcategory": "High availability", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "services": [ - "WAF" + "ASR", + "LoadBalancer", + "SAP" ], - "severity": "Low", - "text": "For planned events consider using Node Auto Drain", - "waf": "Operations" + "severity": "High", + "subcategory": "High availability", + "text": "Make sure the 
Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", "services": [ - "WAF" + "ASR", + "SAP" ], "severity": "High", - "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", - "waf": "Operations" + "subcategory": "High availability", + "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", "services": [ - "WAF" + "VM", + "ASR", + "SAP", + "Entra" ], - 
"severity": "Low", - "text": "Use custom Node RG (aka 'Infra RG') name", - "waf": "Operations" + "severity": "High", + "subcategory": "High availability", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "services": [ - "WAF", - "AKS" + "VM", + "Entra", + "ASR", + "RBAC", + "SAP" ], - "severity": "Medium", - "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", - "waf": "Operations" + "severity": "High", + "subcategory": "High availability", + "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "services": [ - "WAF" + "ASR", + "SAP" ], - "severity": "Low", - "text": "Taint Windows nodes", - "waf": "Operations" + "severity": "Medium", + "subcategory": "High availability", + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "services": [ - "WAF" + "VM", + "ASR", + "SAP" ], - "severity": "Low", - "text": "Keep windows containers patch level in sync with host patch level", - "waf": "Operations" + "severity": "High", + "subcategory": "High availability", + "text": "When you 
create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "description": "Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ - "WAF", - "Monitor" + "ASR", + "SAP", + "Entra" ], - "severity": "Low", - "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", - "waf": "Operations" + "severity": "High", + "subcategory": "High availability", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": 
"SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ - "WAF" + "ASR", + "SAP", + "ACR" ], - "severity": "Low", - "text": "If required use nodePool snapshots", - "waf": "Cost" + "severity": "High", + "subcategory": "High availability", + "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ - "WAF" + "ASR", + "SAP", + "Entra" ], - "severity": "Low", - "text": "Consider spot node pools for non time-sensitive workloads", - "waf": "Operations" + "severity": "High", + "subcategory": "High availability", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": 
"AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "services": [ - "WAF", - "AKS" + "VM", + "ASR", + "SAP", + "Entra" ], - "severity": "Low", - "text": "Consider AKS virtual node for quick bursting", - "waf": "Operations" + "severity": "Medium", + "subcategory": "High availability", + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ - "WAF", - "Monitor" + "VM", + "Storage", + "ASR", + "SAP" ], - "severity": "High", - "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", - "waf": "Operations" + "severity": "Medium", + "subcategory": "High availability", + "text": "Deploy both VMs in the high-availability pair in an availability set or in 
availability zones. These VMs should be the same size and have the same storage configuration.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", "services": [ - "WAF" + "ASR", + "SAP" ], - "severity": "High", - "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", - "waf": "Operations" + "severity": "Medium", + "subcategory": "High availability", + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "services": 
[ - "WAF", - "Monitor" + "Storage", + "ASR", + "SAP" ], - "severity": "Medium", - "text": "Monitor CPU and memory utilization of the nodes", - "waf": "Operations" + "severity": "High", + "subcategory": "Storage", + "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "services": [ - "WAF", - "Monitor" + "Storage", + "ASR", + "SAP" ], - "severity": "Medium", - "text": "If using Azure CNI, monitor % of pod IPs consumed per node", - "waf": "Operations" + "severity": "High", + "subcategory": "Storage", + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", "services": [ "Storage", - "ServiceBus", - "EventHubs", - "WAF", - "Monitor" + "ASR", + "SAP" ], - "severity": "Medium", - "text": "Monitor OS disk queue depth in nodes", - "waf": "Operations" + "severity": "High", + "subcategory": "Storage", + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "WAF", - "Monitor", - "NVA", - "LoadBalancer" + "Storage", + "ASR", + "SAP" ], - "severity": "Medium", - "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", - "waf": "Operations" + "severity": 
"High", + "subcategory": "Storage", + "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "category": "Cost Optimization", + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "services": [ - "WAF", - "AKS" + "Cost", + "SAP" ], "severity": "Medium", - "text": "Subscribe to resource health notifications for your AKS cluster", - "waf": "Operations" + "subcategory": " ", + "text": "Automate SAP System Start-Stop to manage costs.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "category": "Cost Optimization", + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ - "WAF" + "VM", + "Storage", + "Cost", + "SAP" ], - "severity": "High", - "text": "Configure requests and limits in your pod specs", - "waf": "Operations" + "severity": "Low", + "subcategory": " ", + "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. 
However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "category": "Cost Optimization", + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ - "WAF" + "VM", + "Storage", + "Cost", + "SAP" ], - "severity": "Medium", - "text": "Enforce resource quotas for namespaces", - "waf": "Operations" + "severity": "Low", + "subcategory": " ", + "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", "services": [ - "WAF", - "Subscriptions" + "RBAC", + "Subscriptions", + "SAP", + "Entra" ], "severity": "High", - "text": "Ensure your subscription has enough quota to scale out your nodepools", - "waf": "Operations" + "subcategory": "Identity", + "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", - "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "services": [ - "WAF" + 
"SAP", + "Entra" ], - "severity": "High", - "text": "Configure Liveness and Readiness probes for all deployments", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Identity", + "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "services": [ - "WAF" + "SAP", + "Entra" ], "severity": "Medium", - "text": "Use the Cluster Autoscaler", - "waf": "Performance" + "subcategory": "Identity", + "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": 
"325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ - "WAF", - "AKS" + "SAP", + "Entra" ], - "severity": "Low", - "text": "Customize node configuration for AKS node pools", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Identity", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "services": [ - "WAF" + "SAP", + "Entra" ], "severity": "Medium", - "text": "Use the Horizontal Pod Autoscaler when required", - "waf": "Performance" + "subcategory": "Identity", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", + "category": "Identity and Access", + "checklist": 
"SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ - "WAF" + "SAP", + "Entra" ], - "severity": "High", - "text": "Consider an appropriate node size, not too large or too small", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Identity", + "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "services": [ - "WAF", - "AKS" + "AKV", + "SAP", + "Entra" ], - "severity": "Low", - "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Identity", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", "services": [ - "WAF", - "AKS" + "AKV", + "SAP", + "Entra" ], - "severity": "Low", - "text": "Consider subscribing to EventGrid Events for AKS automation", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Identity", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", "services": [ - "WAF", - "AKS" + "SAP", + "Entra" ], - "severity": "Low", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Identity", + "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", "services": [ - "WAF", - "AKS" + "SAP", + "Entra" ], - "severity": "Low", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Identity", + "text": "Implement SSO to SAP HANA", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | 
project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", "services": [ - "WAF" + "SAP", + "Entra" ], - "severity": "High", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Identity", + "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "services": [ - "WAF", - "AKS" + "SAP", + "Entra" ], - "severity": "High", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Identity", + "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", + "waf": "Security" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", "services": [ - "WAF", - "AKS", - "Storage" + "SAP", + "Entra" ], - "severity": "Low", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Identity", + "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "services": [ - "WAF", - "SQL", - "Storage" + "SAP", + "Entra" ], "severity": "Medium", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "subcategory": "Identity", + "text": "Implement SSO to SAP BTP", + "waf": "Security" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", "services": [ - "WAF", - "Storage" + "SAP", + "Entra" ], "severity": "Medium", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", - "waf": "Performance" + "subcategory": "Identity", + "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "description": "Keep your management group hierarchy reasonably flat, no more than four.", + "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "services": [ - "WAF", - "Storage" + "AzurePolicy", + "Subscriptions", + "SAP" ], "severity": "Medium", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "subcategory": "Subscriptions", + "text": "enforce existing Management Group policies to SAP Subscriptions", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", - "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", - "service": "Purview", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + 
"graph": "Resources | summarize count()", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "WAF" + "Subscriptions", + "SAP" ], - "severity": "Medium", - "text": "Leverage FTA Resillency Handbook", - "waf": "Reliability" + "severity": "High", + "subcategory": "Subscriptions", + "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "WAF" + "Subscriptions", + "SAP" ], "severity": "High", - "text": "Plan for Data Center level outage", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets", - "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Practice Failover for BCDR", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "97b15b8a-219a-44ab-bb57-879024d22678", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", "services": [ - "WAF", - "Backup" + "VM", + "Subscriptions", + "SAP" ], "severity": "High", - "text": "Plan a backup strategy and take regular backups", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", - "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", - "service": "Purview", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", "services": [ - "WAF", - "EventHubs" + "Subscriptions", + "SAP" ], "severity": "Low", - "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", - "link": "https://learn.microsoft.com/purview/deployment-best-practices", - "service": "Purview", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", "services": [ - "WAF" + "VM", + "Subscriptions", + "SAP" ], - "severity": "Medium", - "text": "Follow Purview accounts architectures and deployment best practices", - "waf": "Reliability" + "severity": "High", + "subcategory": "Subscriptions", + "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", - "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", - "service": "Purview", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "WAF" + "Subscriptions", + "SAP" ], - "severity": "Medium", - "text": "Follow Collection Architectures and best practices", - "waf": "Reliability" + "severity": "High", + "subcategory": "Subscriptions", + "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", - "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", - "service": "Purview", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", "services": [ - "WAF" + "TrafficManager", + "Cost", + "Subscriptions", + "SAP" ], "severity": "Medium", - "text": "Follow Assest lifecycle best practices", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": 
"Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "services": [ - "WAF" + "Backup", + "Monitor", + "SAP" ], - "severity": "Medium", - "text": "Follow automation best practices", + "severity": "High", + "subcategory": "BCDR", + "text": "Help protect your HANA database by using the Azure Backup service.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "services": [ - "WAF", - "Backup" + "VM", + "Entra", + "Storage", + "Monitor", + "SAP" ], "severity": "Medium", - "text": "Follow Backup and Migration Best practices", + "subcategory": "BCDR", + "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application 
Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", - "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "services": [ - "WAF" + "Monitor", + "SAP" + ], + "severity": "High", + "subcategory": "Management", + "text": "Ensure time-zone matches between the operating system and the SAP system.", + "waf": "Operations" + }, + { + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", + "services": [ + "Monitor", + "SAP", + "Entra" ], "severity": "Medium", - "text": "Follow Purview Glossary Best Practices", + "subcategory": "Management", + "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", - "link": "https://learn.microsoft.com/purview/concept-workflow", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", "services": [ - "WAF" + "Cost", + "Monitor", + "SAP" ], "severity": "Low", - "text": "Leverage Workflows ", - "waf": "Reliability" + "subcategory": "Management", + "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", - "link": "https://learn.microsoft.com/purview/concept-best-practices-security", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "services": [ - "WAF" + "Monitor", + "SAP", + "Entra" ], "severity": "Medium", - "text": "Follow Purview Security Best Practices", - "waf": "Reliability" + "subcategory": "Management", + "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", - "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "services": [ - "WAF" + "VM", + "Monitor", + "SAP" ], "severity": "Medium", - "text": "Follow Purview Data Lineage Best Practices", - "waf": "Reliability" + "subcategory": "Management", + "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", - "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", "services": [ - "WAF" + "Monitor", + "SAP" ], - "severity": "Medium", - "text": "Follow Best Practices for Scanning Registered Sources", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Management", + "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", "services": [ - "WAF" + "SQL", + "Monitor", + "SAP" ], "severity": "Medium", - "text": "Follow Classification Best Practices in Governance Portal", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", - "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "services": [ - "WAF" + "VM", + "Monitor", + "SAP", + "Entra" ], - "severity": "Medium", - "text": "Perform Sensitivity Labelling in the Purview Data Map", - "waf": "Reliability" + "severity": "High", + "subcategory": "Monitoring", + "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", - "link": "https://learn.microsoft.com/purview/concept-data-share", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "services": [ - "WAF", - "Storage" + "AzurePolicy", + "Monitor", + "SAP" ], - "severity": "Low", - "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "services": [ - "WAF" + "NetworkWatcher", + "Monitor", + "SAP" ], - "severity": "Low", - "text": "Leverage Data Estate Insights", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", - "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "services": [ - "WAF" + "VM", + "Monitor", + "SAP" ], - "severity": "Low", - "text": "Use Data stewardship and Catalog adoption", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP 
HANA on Azure best practices.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "services": [ - "WAF" + "Subscriptions", + "Monitor", + "SAP" ], - "severity": "Low", - "text": "Use Inventory and Ownership", - "waf": "Reliability" + "severity": "High", + "subcategory": "Monitoring", + "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "Performance" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", - "link": "https://learn.microsoft.com/purview/glossary-insights", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", "services": [ - "WAF" + "Storage", + "ASR", + "Monitor", + "SAP" ], - "severity": "Low", - "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", + "training": 
"https://learn.microsoft.com/training/paths/azure-well-architected-framework/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "b130a888-9579-4e76-a896-e710a7da7be9", - "link": "https://learn.microsoft.com/purview/compliance-manager", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "services": [ - "WAF" + "Sentinel", + "Monitor", + "SAP" ], "severity": "Medium", - "text": "Generate assessment scores", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", - "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", "services": [ - "WAF" + "Cost", + "Monitor", + "SAP" ], "severity": "Medium", - "text": "Profiling- get summaries of data content", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Azure tagging can be leveraged to logically group and track resources, automate their 
deployments, and most importantly, provide visibility on the incurred costs.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", - "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", "services": [ - "WAF", - "AzurePolicy" + "VM", + "Monitor", + "SAP" ], "severity": "Low", - "text": "Follow Microsoft Purview Data Owner access policies", - "waf": "Reliability" + "subcategory": "Performance", + "text": "Use inter-VM latency monitoring for latency-sensitive applications.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", - "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", - "service": "Purview", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "services": [ - "WAF", - "AzurePolicy" + "ASR", + "Monitor", + "SAP" ], - "severity": "Low", - "text": "Follow Self-service access policies", + "severity": "Medium", + "subcategory": "Performance", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": 
"Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", - "link": "https://learn.microsoft.com/purview/concept-policies-devops", - "service": "Purview", - "services": [ - "WAF", - "AzurePolicy" + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "services": [ + "Storage", + "Monitor", + "SAP" ], - "severity": "Low", - "text": "Follow DevOps policies", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Performance", + "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", + "waf": "Performance" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "WAF checklist", - "guid": "af416482-663c-4ed6-b195-b44c7068e09c", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", - "query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)", - "service": "Container Apps", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", "services": [ - "WAF" + "Monitor", + "SAP" ], - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" + 
"severity": "Low", + "subcategory": "Performance", + "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.", + "waf": "Performance" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "WAF checklist", - "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", - "query": "resources | where type =~ 'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)", - "service": "Container Apps", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "services": [ - "WAF" + "Storage", + "Monitor", + "SAP" ], - "severity": "High", - "text": "Use more than one replica and enable Zone Redundancy.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Performance", + "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "Performance" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "WAF checklist", - "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", + "category": "Management and Monitoring", + "checklist": "SAP 
Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "services": [ - "WAF" + "SQL", + "Monitor", + "SAP" ], - "severity": "High", - "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Performance", + "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Performance" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "WAF checklist", - "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "services": [ - "WAF", - "TrafficManager", - "FrontDoor" + "ASR", + "Monitor", + "SAP" ], "severity": "High", - "text": "Use Front Door or Traffic Manager to route traffic to the closest region", - "waf": "Reliability" + "subcategory": "Reliability", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application 
servers.",
+ "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
- "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
- "service": "Entra",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "SAP",
 "services": [
+ "AppGW",
+ "AzurePolicy",
 "WAF",
- "Entra"
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library",
- "waf": "Reliability"
+ "subcategory": "App delivery",
+ "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
 "services": [
- "WAF"
+ "VM",
+ "DNS",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes",
- "waf": "Reliability"
+ "subcategory": "DNS",
+ "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
- "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
- "service": "AAD B2C",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
 "services": [
- "WAF"
+ "DNS",
+ "VNet",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Custom brand assets should be hosted on a CDN",
- "waf": "Performance"
- },
- {
- "checklist": "WAF checklist",
- "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
- "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
- "service": "AAD B2C",
- "services": [
- "WAF"
- ],
- "severity": "Low",
- "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)",
- "waf": "Reliability"
+ "subcategory": "DNS",
+ "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "description": "When configuring VNet peering, use the Allow traffic to remote virtual networks setting.",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)",
+ "guid": "a3592829-e6e2-4061-9368-6af46791f893",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
+ "service": "SAP",
 "services": [
- "WAF",
- "VM"
+ "VNet",
+ "SAP",
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)",
+ "subcategory": "Hybrid",
+ "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
+ "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": 
"41742694-3ff8-4ae7-b7d4-743176c8bcbf",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
+ "service": "SAP",
 "services": [
- "WAF"
+ "NVA",
+ "SAP"
 ],
- "severity": "Medium",
- "text": "Don't replicate! Replication can create issues with directory synchronization",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Hybrid",
+ "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
+ "training": "https://me.sap.com/notes/2731110",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant",
+ "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
+ "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
+ "service": "SAP",
 "services": [
- "WAF"
+ "VWAN",
+ "SAP",
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Have active-active for multi-regions",
- "waf": "Reliability"
+ "subcategory": "Hybrid",
+ "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
+ "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
+ "service": "SAP",
 "services": [
- "WAF",
- "Entra"
+ "NVA",
+ "VNet",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Add Azure AD Domain service stamps to additional regions and locations",
- "waf": "Reliability"
+ "subcategory": "Hybrid",
+ "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
+ "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
+ "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
+ "service": "SAP",
 "services": [
- "WAF"
+ "NVA",
+ "VWAN",
+ "VNet",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Use Replica Sets for DR",
- "waf": "Reliability"
+ "subcategory": "Hybrid",
+ "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "guid": "82734c88-6ba2-4802-8459-11475e39e530",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
 "services": [
- "WAF",
- "Entra",
- "Subscriptions"
+ "VM",
+ "VNet",
+ "SAP"
 ],
 "severity": "High",
- "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
+ "subcategory": "IP plan",
+ "text": "Public IP assignment to VM running SAP Workload is not recommended.",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "75089c20-990d-4927-b105-885576f76fc2",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
+ "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
+ "link": 
"https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "service": "SAP",
 "services": [
- "WAF",
- "AVS"
+ "ASR",
+ "SAP",
+ "VNet"
 ],
- "severity": "Medium",
- "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "IP plan",
+ "text": "Consider reserving IP address on DR side when configuring ASR",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
 "services": [
- "WAF"
+ "VNet",
+ "SAP"
 ],
 "severity": "High",
- "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'",
- "waf": "Security"
+ "subcategory": "IP plan",
+ "text": "Avoid using overlapping IP address ranges for production and DR sites.",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
+ "service": "SAP",
 "services": [
- "WAF"
+ "Storage",
+ "VNet",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)",
- "waf": "Security"
+ "subcategory": "IP plan",
+ "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.",
+ "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
+ "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
+ "service": "SAP",
 "services": [
- "WAF"
+ "Firewall",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)",
+ "subcategory": "Internet",
+ "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
+ "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": 
"91a65e40-be90-45b3-9f73-f3edbf8dc324",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
+ "service": "SAP",
 "services": [
+ "AppGW",
 "WAF",
- "Entra"
+ "SAP"
 ],
- "severity": "High",
- "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)",
+ "severity": "Medium",
+ "subcategory": "Internet",
+ "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "SAP",
 "services": [
+ "SAP",
+ "ACR",
+ "AzurePolicy",
 "WAF",
- "AVS",
- "RBAC"
+ "FrontDoor"
 ],
 "severity": "Medium",
- "text": "Has an RBAC model been created for use within VMware vSphere",
+ "subcategory": "Internet",
+ "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
+ "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": 
"SAP",
 "services": [
+ "AppGW",
+ "FrontDoor",
+ "AzurePolicy",
 "WAF",
- "RBAC"
+ "SAP"
 ],
 "severity": "Medium",
- "text": "RBAC permissions should be granted on ADDS groups and not on specific users",
+ "subcategory": "Internet",
+ "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "5ada4332-4e13-4811-9231-81aa41742694",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "SAP",
 "services": [
+ "AppGW",
+ "LoadBalancer",
 "WAF",
- "AVS",
- "RBAC"
+ "SAP"
 ],
- "severity": "High",
- "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only",
+ "severity": "Medium",
+ "subcategory": "Internet",
+ "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "service": "SAP",
 "services": [
- "WAF",
- "RBAC"
+ "VWAN",
+ "SAP",
+ "ACR"
 ],
- "severity": "High",
- "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Internet",
+ "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
- "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "SAP",
 "services": [
- "WAF",
- "AVS"
+ "ACR",
+ "Storage",
+ "PrivateLink",
+ "VNet",
+ "Backup",
+ "SAP"
 ],
- "severity": "High",
- "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand",
- "waf": "Performance"
+ "severity": "Medium",
+ "subcategory": "Internet",
+ "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking",
+ "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
+ "service": "SAP",
 "services": [
- "VPN",
- "WAF",
- "Monitor",
- "ExpressRoute",
- "NetworkWatcher"
+ "VM",
+ "SAP"
 ],
 "severity": "High",
- "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'",
- "waf": "Operations"
+ "subcategory": "Segmentation",
+ "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.",
+ "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview",
+ "service": "SAP",
 "services": [
- "VM",
- "WAF",
- "Monitor",
- "AVS",
- "ExpressRoute",
- 
"NetworkWatcher"
+ "LoadBalancer",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection",
- "waf": "Operations"
+ "subcategory": "Segmentation",
+ "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.",
+ "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc",
+ "guid": "6791f893-5ada-4433-84e1-3811523181aa",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "service": "SAP",
 "services": [
 "VM",
- "WAF",
- "Monitor",
- "AVS",
- "NetworkWatcher"
+ "VNet",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity",
- "waf": "Operations"
+ "subcategory": "Segmentation",
+ "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.",
+ "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "45bbe609-d8a0-43e9-9778-424d616785d6",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
 "services": [
- "WAF",
- "ARS"
+ "VNet",
+ "SAP"
 ],
 "severity": "High",
- "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).",
- "waf": "Operations"
+ "subcategory": "Segmentation",
+ "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "fa96c96a-d885-418f-9827-34c886ba2802",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "service": "SAP",
 "services": [
- "WAF",
- "Entra",
- "AVS",
- "RBAC"
+ "SAP"
 ],
- "severity": "High",
- "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Segmentation",
+ "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.",
+ "training": 
"https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
 "services": [
- "WAF",
- "Entra",
- "AVS",
- "RBAC"
+ "SAP"
 ],
 "severity": "High",
- "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
- "service": "AVS",
- "services": [
- "WAF",
- "Entra",
- "AVS"
- ],
- "severity": "Medium",
- "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)",
- "waf": "Security"
+ "subcategory": "Segmentation",
+ "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
 "services": [
- "WAF"
+ "Cost",
+ "VNet",
+ "SAP"
 ],
 "severity": "High",
- "text": "Limit use of CloudAdmin account to emergency access only",
- "waf": "Security"
+ "subcategory": "Segmentation",
+ "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "402a9846-d515-4061-aff8-cd30088693fa",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel",
+ "service": "SAP",
 "services": [
- "WAF",
- "RBAC"
+ "LoadBalancer",
+ "SAP"
 ],
- "severity": "Medium",
- "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Segmentation",
+ "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
- "service": "AVS",
+ "category": "Network Topology and Connectivity",
+ "checklist": "SAP Checklist",
+ "guid": "87585797-5551-4d53-bb7d-a94ee415734d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
+ "service": "SAP",
 "services": [
- "WAF"
+ "VNet",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
+ "subcategory": "Segmentation",
+ "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
- "service": "AVS",
+ "category": "Operational Excellence",
+ "checklist": "SAP Checklist",
+ "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
 "services": [
- "WAF",
- "Entra",
- "AVS",
- "VM"
+ "VM",
+ "Backup",
+ "SAP"
 ],
 "severity": "High",
- "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
- "waf": "Security"
+ "subcategory": " ",
+ "text": "Review SAP HANA database backups for Azure VMs.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
- "service": "AVS",
+ "category": "Operational Excellence",
+ "checklist": "SAP Checklist",
+ "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
+ "service": "SAP",
 "services": [
- "WAF"
+ "ASR",
+ "Monitor",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Is East-West traffic filtering implemented within NSX-T",
- "waf": "Security"
+ "subcategory": " ",
+ "text": "Review Site Recovery built-in monitoring, where used for SAP.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
- "service": "AVS",
+ "category": "Operational Excellence",
+ "checklist": "SAP Checklist",
+ "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf",
+ "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US",
+ "service": 
"SAP",
 "services": [
- "WAF",
- "AppGW",
- "AVS",
- "Firewall"
+ "Monitor",
+ "SAP"
 ],
 "severity": "High",
- "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
- "waf": "Security"
+ "subcategory": " ",
+ "text": "Review the Monitoring the SAP HANA System Landscape guidance.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
- "service": "AVS",
+ "category": "Operational Excellence",
+ "checklist": "SAP Checklist",
+ "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies",
+ "service": "SAP",
 "services": [
- "WAF",
- "AVS"
+ "VM",
+ "Backup",
+ "SAP"
 ],
- "severity": "High",
- "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": " ",
+ "text": "Review Oracle Database in Azure Linux VM backup strategies.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
- "service": "AVS",
+ "category": "Operational Excellence",
+ "checklist": "SAP Checklist",
+ "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962",
+ "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
+ "service": "SAP",
 "services": [
- "WAF",
- "Monitor",
- "AVS"
+ "Storage",
+ "SQL",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
- "waf": "Security"
+ 
"subcategory": " ",
+ "text": "Review the use of Azure Blob Storage with SQL Server 2016.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')",
- "guid": "334fdf91-c234-4182-a652-75269440b4be",
- "service": "AVS",
+ "category": "Operational Excellence",
+ "checklist": "SAP Checklist",
+ "guid": "b82e650f-676d-417d-994d-fc33ca54ec14",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
+ "service": "SAP",
 "services": [
- "VPN",
- "WAF",
- "ExpressRoute",
- "DDoS",
- "VNet"
+ "VM",
+ "Backup",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
- "waf": "Security"
+ "subcategory": " ",
+ "text": "Review the use of Automated Backup v2 for Azure VMs.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
- "service": "AVS",
+ "category": "Operational Excellence",
+ "checklist": "SAP Checklist",
+ "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d",
+ "service": "SAP",
 "services": [
- "WAF",
- "AVS"
+ "SAP"
 ],
- "severity": "Medium",
- "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX 
manager",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": " ",
+ "text": "Enabling Write accelerator for M series when using premium disks(V1)",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
- "service": "AVS",
+ "category": "Performant",
+ "checklist": "SAP Checklist",
+ "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "service": "SAP",
 "services": [
- "WAF",
- "AVS",
- "Defender"
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution",
- "waf": "Security"
+ "subcategory": " ",
+ "text": "Test availability zone latency.",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
- "service": "AVS",
+ "category": "Performant",
+ "checklist": "SAP Checklist",
+ "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d",
+ "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
+ "service": "SAP",
 "services": [
- "WAF",
- "Arc",
- "AVS"
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
- "waf": "Security"
+ "subcategory": " ",
+ "text": "Activate SAP EarlyWatch Alert for all SAP components.",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
- "service": "AVS",
+ "category": "Performant",
+ "checklist": "SAP Checklist",
+ "guid": 
"b9b140cf-413a-483d-aad2-8802c4e3c017",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
+ "service": "SAP",
 "services": [
- "WAF",
- "SQL",
- "AVS"
+ "SAP"
 ],
- "severity": "Low",
- "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": " ",
+ "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.",
+ "training": "https://me.sap.com/notes/0002879613",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
- "service": "AVS",
+ "category": "Performant",
+ "checklist": "SAP Checklist",
+ "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
+ "service": "SAP",
 "services": [
- "WAF",
- "AKV"
+ "SQL",
+ "Monitor",
+ "SAP"
 ],
- "severity": "Low",
- "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": " ",
+ "text": "Review SQL Server performance monitoring using CCMS.",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "5ac94222-3e13-4810-9230-81a941741583",
- "service": "AVS",
+ "category": "Performant",
+ "checklist": "SAP Checklist",
+ "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
+ "link": "https://me.sap.com/notes/500235",
+ "service": "SAP",
 "services": [
- "WAF",
- "AVS"
+ "VM",
+ "SAP"
 ],
 "severity": "Medium",
- "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
- "waf": "Security"
+ "subcategory": " ",
+ "text": "Test network latency between SAP application layer VMs and DBMS 
VMs (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", "services": [ - "WAF" + "Monitor", + "SAP" ], - "severity": "High", - "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", - "waf": "Reliability" + "severity": "Medium", + "subcategory": " ", + "text": "Review SAP HANA studio alerts.", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", "services": [ - "WAF", - "Storage", - "AzurePolicy" + "SAP" ], - "severity": "High", - "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", - "waf": "Reliability" + "severity": "Medium", + "subcategory": " ", + "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "services": [ - "WAF", - "ASR" + "VM", + "SAP" ], - "severity": "High", - "text": "Ensure that you have 
requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Governance", + "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "services": [ - "WAF" + "SAP" ], "severity": "Medium", - "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "waf": "Operations" + "subcategory": "Governance", + "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "services": [ - "WAF", - "AzurePolicy" + "SQL", + "SAP" ], - "severity": "Medium", - "text": "Ensure 
that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", - "waf": "Operations" + "severity": "Low", + "subcategory": "Governance", + "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "services": [ - "WAF", - "AVS", - "Cost" + "SQL", + "SAP" ], - "severity": "Medium", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", - "waf": "Cost" + "severity": "High", + "subcategory": "Governance", + "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. 
It's a potential risk in security audits.", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "WAF", - "AVS", - "Cost" + "SQL", + "Storage", + "Backup", + "AKV", + "SAP" ], - "severity": "Low", - "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", - "waf": "Cost" + "severity": "High", + "subcategory": "Secrets", + "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "services": [ - "WAF" + "AKV", + "Storage", + "SAP" ], "severity": "Medium", - "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + "subcategory": "Secrets", + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "services": [ - "WAF" + "AKV", + "SAP" ], "severity": "High", - "text": "Ensure all required resource reside within the same Azure availability zone(s)", - "waf": "Performance" + "subcategory": "Secrets", + "text": "Use Azure Key Vault to store your secrets and credentials", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "services": [ - "WAF", - "AVS", - "VM", - "Defender" + "AKV", + "AzurePolicy", + "RBAC", + "Subscriptions", + "SAP" ], "severity": "Medium", - "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "subcategory": "Secrets", + "text": "It is 
recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "services": [ - "WAF", - "Arc", - "AVS", - "VM" + "AKV", + "AzurePolicy", + "SAP" ], "severity": "Medium", - "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "subcategory": "Secrets", + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "services": [ - "WAF", - "AVS" + "AzurePolicy", + "RBAC", + "AKV", + "SAP" ], "severity": "High", - "text": "Enable Diagnostic and metric logging on Azure VMware Solution", - "waf": "Operations" + "subcategory": "Secrets", + "text": "Based on existing requirements, regulatory and compliance controls 
(internal/external) - Determine what Azure Policies and Azure RBAC role are needed", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "WAF", - "Monitor", - "AVS", - "VM" + "AKV", + "Storage", + "SAP", + "Defender" ], - "severity": "Medium", - "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", - "waf": "Operations" + "severity": "High", + "subcategory": "Secrets", + "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "services": [ - "AzurePolicy", - "VM", - "WAF", - "AVS", - "Backup" + "AKV", + "RBAC", + "SAP", + "Defender" ], - "severity": "Medium", - "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", - "waf": "Operations" + "severity": "High", + "subcategory": "Secrets", + "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "WAF", - "Monitor", - "AVS", - "Defender" + "AKV", + "SAP" ], - "severity": "Medium", - "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", + "severity": "Low", + "subcategory": "Secrets", + "text": 
"encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "services": [ - "WAF", - "Defender" + "AKV", + "SAP" ], "severity": "Medium", - "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", + "subcategory": "Secrets", + "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", "services": [ - "WAF", - "AVS" + "AKV", + "SAP" ], "severity": "High", - "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware 
Solution deployment", + "subcategory": "Secrets", + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", "services": [ - "WAF" + "AKV", + "SAP" ], "severity": "High", - "text": "Are data processing implications (service provider / service consumer model) clear and documented", + "subcategory": "Secrets", + "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. 
SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", "services": [ - "WAF" + "RBAC", + "Subscriptions", + "SAP" ], - "severity": "Medium", - "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", + "severity": "High", + "subcategory": "Security", + "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", "services": [ - "WAF", - "Monitor", - "AVS" + "NVA", + "PrivateLink", + "SAP" ], "severity": "High", - "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "waf": "Operations" + "subcategory": "Security", + "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", + "training": 
"https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", "services": [ - "WAF", - "Monitor", - "AVS" + "VM", + "Storage", + "SAP" ], - "severity": "High", - "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "waf": "Operations" + "severity": "Low", + "subcategory": "Security", + "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend 
metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", "services": [ - "WAF", - "Monitor", - "AVS" + "SAP", + "Defender" ], - "severity": "High", - "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", - "waf": "Operations" + "severity": "Low", + "subcategory": "Security", + "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, 
set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "WAF", - "Monitor" + "VNet", + "SAP" ], "severity": "High", - "text": "Ensure 
alerts are configured for Azure Service Health alerts and notifications", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", - "services": [ - "WAF", - "AVS", - "Storage" - ], - "severity": "Medium", - "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", - "waf": "Operations" + "subcategory": "Security", + "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ "WAF", - "AVS" + "SAP" ], "severity": "Low", - "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", - "waf": "Operations" + "subcategory": "Security", + "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "services": [ - "WAF", - "Storage", - "AzurePolicy", - "VM" + "AKV", + "Monitor", + "SAP" ], - "severity": "High", - "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Security", + "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "description": "Leverage zone-redundancy to ensure high availability in the event of zone-level failures. 
Use Premium V2/V3 or Isolated v2 tiers, which provide support for zone-redundant deployments and ensure minimal downtime during disasters.", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", "services": [ - "WAF" + "AppSvc" ], - "severity": "Medium", - "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", - "waf": "Operations" + "severity": "Low", + "subcategory": "High Availability", + "text": "Implement a baseline highly available zone-redundant web application architecture. Ensure your Azure App Service is on Premium V2/V3 or Isolated v2 tiers for zone-redundant support.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "description": "Leverage staging slots for zero-downtime deployments and automated backups to ensure disaster recovery. Choose the appropriate tier (Standard or Premium) based on the number of slots and disaster recovery requirements.", + "graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "services": [ - "WAF", - "Storage", + "AppSvc", + "ASR", "Backup" ], "severity": "Medium", - "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", - "waf": "Operations" + "subcategory": "High Availability", + "text": "Use Premium and Standard tiers for staging slots and automated backups. 
Align your backup retention period with disaster recovery needs.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "description": "Availability Zones provide physical isolation across datacenters in a region, reducing downtime during outages. Verify your region supports Availability Zones and use Premium V2/V3 tiers for zone-redundant deployments.", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-service", + "service": "App Services", "services": [ - "WAF", - "Arc", - "AVS" + "AppSvc", + "ACR" ], - "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", - "waf": "Operations" + "severity": "High", + "subcategory": "High Availability", + "text": "Leverage Availability Zones where regionally applicable (Premium V2/V3 tier required). 
Check region support for Availability Zones.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", + "category": "Operations", + "checklist": "Azure App Service Review", + "description": "Enable health checks to detect unhealthy instances in real-time and automatically replace them to maintain high availability and application reliability.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", + "service": "App Services", "services": [ - "WAF", - "Monitor", - "AVS" + "AppSvc", + "Monitor" ], "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", - "waf": "Operations" + "subcategory": "Monitoring", + "text": "Implement health checks to monitor and detect issues with App Service instances. 
Health checks enable automatic instance replacement on failure.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "category": "Operations", + "checklist": "Azure App Service Review", + "description": "Follow best practices for configuring backups and restores in Azure App Service and ASE to guarantee data availability and ensure recovery during disaster scenarios.", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/azure/app-service/manage-backup", + "service": "App Services", "services": [ - "WAF", - "AVS" + "AppSvc", + "Backup" ], - "severity": "Medium", - "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", - "waf": "Operations" + "severity": "High", + "subcategory": "Multi-tenant service", + "text": "Refer to backup and restore best practices for Azure App Service and App Service Environments (ASE) to ensure data availability and recovery.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "description": "Ensure high availability by incorporating scaling, fault tolerance, monitoring, and zone redundancy into your App Service architecture. 
Leverage health checks and availability zones to maintain uptime.", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "services": [ - "WAF", - "Monitor", - "AVS", - "AzurePolicy" + "AppSvc", + "Monitor" ], - "severity": "Medium", - "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", - "waf": "Operations" + "severity": "High", + "subcategory": "High Availability", + "text": "Implement Azure App Service reliability best practices, including auto-scaling, fault tolerance, health checks, and zone redundancy.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "description": "Prepare for disaster recovery by implementing region failover strategies. 
Utilize active-active and active-passive configurations, automated failover, and Infrastructure as Code (IaC) for seamless failover during outages.", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", "services": [ - "WAF", - "AVS", - "Defender" + "AppSvc", + "ASR" ], - "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", - "waf": "Security" + "severity": "Low", + "subcategory": "High Availability", + "text": "Familiarize with App Service region failover, including active-active and active-passive configurations, automated failover, and IaC deployment.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "description": "Azure App Service offers built-in reliability features, including scaling, fault tolerance, and service-level agreements (SLAs). 
Leverage these features to maintain consistent performance during outages.", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/azure/reliability/reliability-app-service", + "service": "App Services", "services": [ - "WAF", - "Backup" + "AppSvc" ], - "severity": "Medium", - "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "severity": "High", + "subcategory": "High Availability", + "text": "Familiarize with reliability support in Azure App Service, including scaling options, SLAs, and automated recovery mechanisms.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "category": "BC and DR", + "checklist": "Azure App Service Review", + "description": "Enabling 'Always On' for Function Apps ensures that the app does not go idle, maintaining its availability and responsiveness at all times.", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "services": [ - "WAF" + "AppSvc" ], "severity": "Medium", - "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]", + "subcategory": "High Availability", + "text": "Ensure 'Always On' is enabled for Function Apps running on App Service plans to prevent idling and ensure continuous availability.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "category": "Operations", + "checklist": "Azure App Service Review", + "description": "Health checks monitor the health of App Service instances, enabling automatic replacement of unhealthy instances to maintain high availability.", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", + "service": "App Services", "services": [ - "WAF", - "ASR" + "AppSvc", + "Monitor" ], "severity": "Medium", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "subcategory": "Monitoring", + "text": "Monitor App Service instances using Health checks to detect unhealthy instances and automatically replace them.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "category": "Operations", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-overview", + "service": "App Services", "services": [ - "WAF" + "AppSvc", + "Monitor" ], - "severity": "High", - "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests, ensuring proactive detection of performance issues and downtime.", "waf": "Reliability" }, { 
- "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "category": "Operations", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", "services": [ - "WAF", - "ASR" + "AppSvc", + "Monitor" ], - "severity": "Medium", - "text": "Use the geopolitical region pair as the secondary disaster recovery environment", + "severity": "Low", + "subcategory": "Monitoring", + "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Azure Key Vault ensures secrets are encrypted, securely stored, and accessed only by authorized applications. It supports audit logging, and secret versioning, and reduces the risk of accidental exposure of sensitive information.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "services": [ - "WAF" + "AppSvc", + "AKV" ], "severity": "High", - "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", - "waf": "Reliability" + "subcategory": "Data Protection", + "text": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a secure, managed, and audited environment for storing secrets, and integrates seamlessly with App Service via App Service Key Vault References for enhanced security.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Managed Identity eliminates the need for hard-coded credentials by allowing App Service to authenticate to Azure Key Vault securely. This reduces the risk of credential exposure and simplifies secret management for enhanced security.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "services": [ - "WAF", - "ExpressRoute", - "AVS", - "NVA" + "AppSvc", + "AKV", + "Entra" ], - "severity": "Medium", - "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", - "waf": "Reliability" + "severity": "High", + "subcategory": "Data Protection", + "text": "Use Managed Identity to securely connect to Azure Key Vault for accessing secrets, through App Service Key Vault References.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Storing TLS certificates in Azure Key Vault enhances security by providing centralized, secure management and automated renewal of certificates. 
This reduces the risk of manual handling errors and certificate expiration.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "services": [ - "WAF", - "Backup" + "AppSvc", + "AKV", + "Entra" ], - "severity": "Medium", - "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]", - "waf": "Reliability" + "severity": "High", + "subcategory": "Data Protection", + "text": "Use Azure Key Vault to securely store and manage TLS certificates for App Service.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "To minimize exposure and improve security, isolate systems processing sensitive data. 
Leverage separate App Service Plans or App Service Environments for isolation, and use different subscriptions or management groups to enforce stricter boundaries and governance.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "services": [ - "WAF", - "AVS", - "Backup" + "AppSvc", + "Subscriptions" ], "severity": "Medium", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", - "waf": "Reliability" + "subcategory": "Data Protection", + "text": "Isolate systems that process sensitive information using separate App Service Plans, App Service Environments (ASE), and consider different subscriptions or management groups for enhanced security.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "services": [ - "WAF", - "Backup" + "AppSvc", + "TrafficManager" ], "severity": "Medium", - "text": "Deploy your backup solution outside of vSan, on Azure native components", - "waf": "Reliability" + "subcategory": "Data Protection", + "text": "Do not store sensitive data on local disk", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Use Microsoft Entra ID or B2C for secure user authentication and Single Sign-On (SSO) across applications. Integrate using the built-in App Service Authentication/Authorization feature for streamlined security and compliance with modern authentication protocols like OpenID Connect.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "services": [ - "WAF", - "AVS" + "AppSvc", + "ACR", + "Entra" ], - "severity": "Low", - "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity and Access Control", + "text": "Use Microsoft Entra ID or B2C for secure authentication and Single Sign-On (SSO).", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Ensure all code deployments to App Service originate from a controlled, secured environment, such as a well-managed 
DevOps pipeline. This practice mitigates the risk of deploying unauthorized or malicious code by enforcing version control, code verification, and secure hosting.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "services": [ - "WAF" + "AppSvc", + "Entra" ], - "severity": "Low", - "text": "For manual deployments, all configuration and deployments must be documented", - "waf": "Operations" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Deploy code to App Service from a trusted and secure environment.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM to enhance security by enforcing Microsoft Entra ID secured endpoints for deployment. 
This ensures that only authenticated users using Microsoft Entra ID credentials can access deployment services, including the SCM site.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "services": [ - "WAF", - "AVS" + "AppSvc", + "Entra" ], - "severity": "Low", - "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - "waf": "Operations" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Wherever possible, use Managed Identity to securely connect to Microsoft Entra ID-secured resources without storing credentials. 
If this is not feasible, store secrets in Azure Key Vault and access them using Managed Identity to maintain security and reduce the risk of credential exposure.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "services": [ - "WAF" + "AppSvc", + "AKV", + "Entra" ], - "severity": "Low", - "text": "For automated deployments, deploy a minimal private cloud and scale as needed", - "waf": "Operations" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Use Managed Identity to connect to Microsoft Entra ID secured resources.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "When using images stored in Azure Container Registry, pull these images using a Managed Identity to avoid storing credentials. 
This ensures secure access to container images and reduces the risk of credential exposure.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", "services": [ - "WAF" + "AppSvc", + "ACR", + "Entra" ], - "severity": "Low", - "text": "For automated deployments, request or reserve quota prior to starting the deployment", - "waf": "Operations" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Pull container images from Azure Container Registry using a Managed Identity.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Configure diagnostic settings to send telemetry and security logs (including HTTP, platform, and audit logs) to Log Analytics. 
Centralized logging enhances monitoring, threat detection, and compliance reporting.", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "services": [ - "WAF", - "AzurePolicy" + "AppSvc", + "Monitor", + "Entra" ], - "severity": "Low", - "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Logging and Monitoring", + "text": "Send App Service runtime and security logs to Log Analytics for centralized monitoring and alerting.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "services": [ - "WAF", - "AKV" + "AppSvc", + "Monitor", + "Entra" ], - "severity": "Low", - "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Logging and Monitoring", + "text": "Send App Service activity logs to Log Analytics", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Use regional VNet integration, Network Security Groups (NSGs), and User-Defined Routes (UDRs) to control outbound network access. 
Route traffic through a Network Virtual Appliance (NVA), such as Azure Firewall, and monitor firewall logs to ensure traffic is properly controlled and secure.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "services": [ - "WAF", - "AKV", - "ExpressRoute", - "AVS" + "AppSvc", + "NVA", + "Firewall", + "VNet", + "Monitor" ], - "severity": "Low", - "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Network Security", + "text": "Control outbound network access for App Service using VNet integration, NSGs, UDRs, and firewalls.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Provide a stable outbound IP by using VNet integration with a NAT Gateway or Network Virtual Appliance (NVA) like Azure Firewall. This enables the receiving party to allow-list based on IP, if necessary. 
For communications with Azure services, use mechanisms like Service Endpoints or private endpoints to avoid relying on static IPs, ensuring secure and efficient connectivity.", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", "services": [ - "WAF", - "AVS" + "AppSvc", + "NVA", + "Storage", + "Firewall", + "VNet", + "PrivateLink" ], "severity": "Low", - "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", - "waf": "Operations" + "subcategory": "Network Security", + "text": "Ensure a stable IP for outbound communications by using VNet NAT Gateway or Azure Firewall.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Control inbound network access by configuring App Service Access Restrictions, Service Endpoints, or Private Endpoints. 
Ensure appropriate restrictions are set for both the web app and the SCM (deployment) site to limit unauthorized access and enhance security.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "services": [ - "WAF" + "AppSvc", + "PrivateLink" ], - "severity": "Low", - "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", - "waf": "Operations" + "severity": "High", + "subcategory": "Network Security", + "text": "Control inbound network access using Access Restrictions, Service Endpoints, or Private Endpoints.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Protect App Service from malicious inbound traffic by deploying a Web Application Firewall (WAF) using Azure Application Gateway or Azure Front Door. 
Ensure WAF logs are monitored regularly to detect and respond to security threats.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "services": [ + "AppSvc", + "AppGW", + "Monitor", "WAF", - "AVS", - "Subscriptions" + "FrontDoor" ], - "severity": "Medium", - "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "waf": "Performance" + "severity": "High", + "subcategory": "Network Security", + "text": "Use a Web Application Firewall (WAF) in front of App Service.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "To prevent the Web Application Firewall (WAF) from being bypassed, lock down access to App Service by using Access Restrictions, Service Endpoints, and Private Endpoints. 
This ensures that all traffic is routed through the WAF, providing a secure front layer of protection.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "services": [ - "WAF", - "Storage", - "AzurePolicy" + "AppSvc", + "PrivateLink", + "WAF" ], - "severity": "Medium", - "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "waf": "Performance" + "severity": "High", + "subcategory": "Network Security", + "text": "Ensure the WAF cannot be bypassed by securing access to App Service.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Ensure that the minimum TLS policy is set to 1.2 or higher, with a preference for TLS 1.3, to enhance security through stronger encryption protocols. 
TLS 1.3 provides additional security improvements and faster handshake times, reducing vulnerabilities associated with older versions.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "services": [ - "WAF" + "AppSvc", + "AzurePolicy" ], "severity": "Medium", - "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", - "waf": "Performance" + "subcategory": "Network Security", + "text": "Set minimum TLS policy to 1.2 or higher, preferably 1.3, in App Service configuration.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Configure App Service to enforce HTTPS-only, automatically redirecting all HTTP traffic to HTTPS. 
Additionally, implement HTTP Strict Transport Security (HSTS) in your code or via a Web Application Firewall (WAF) to ensure browsers only access the site over HTTPS, enhancing security by preventing downgrade attacks.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "services": [ + "AppSvc", "WAF" ], - "severity": "Medium", - "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "waf": "Performance" + "severity": "High", + "subcategory": "Network Security", + "text": "Use HTTPS only and consider enabling HTTP Strict Transport Security (HSTS).", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Do not use wildcards (*) in your CORS configuration, as this permits unrestricted access from any origin, compromising security. 
Instead, explicitly specify trusted origins that are allowed to access the service, ensuring controlled access.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", "services": [ - "WAF" + "AppSvc", + "Storage" ], - "severity": "Medium", - "text": "Define and enforce scale in/out maximum limits for your environment in the automations", - "waf": "Performance" + "severity": "High", + "subcategory": "Network Security", + "text": "Avoid using wildcards for CORS; specify allowed origins explicitly.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Remote debugging should not be enabled in production as it opens additional ports, increasing the attack surface. Although App Service automatically turns off remote debugging after 48 hours, it is recommended to disable it manually in production to maintain a secure environment.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", "services": [ - "WAF", - "Monitor" + "AppSvc" ], - "severity": "Medium", - "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", - "waf": "Operations" + "severity": "High", + "subcategory": "Network Security", + "text": "Turn off remote debugging in production environments.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", 
- "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "services": [ - "WAF", - "VM" + "AppSvc", + "Defender" ], - "severity": "High", - "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Network Security", + "text": "Enable Defender for Cloud - Defender for App Service", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "services": [ + "AppSvc", + "AppGW", + "DDoS", + "NVA", + "VNet", + "EventHubs", "WAF" ], - "severity": "High", - "text": "When using MON, you cannot enable MON on more than 100 Network extensions", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Network Security", + "text": "Enable DDOS Protection Standard on the WAF VNet", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "When using images stored in Azure Container Registry, ensure they are pulled over a virtual network by using a private endpoint and configuring the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'. 
This ensures secure communication between App Service and the registry, preventing exposure to the public internet.", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "services": [ - "WAF", - "VPN" + "AppSvc", + "PrivateLink", + "VNet", + "ACR" ], "severity": "Medium", - "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", - "waf": "Performance" + "subcategory": "Network Security", + "text": "Pull container images over a Virtual Network from Azure Container Registry.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Perform a penetration test on the web application in accordance with Azure's penetration testing rules of engagement. 
This helps identify vulnerabilities and security weaknesses that can be addressed before they are exploited.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "services": [ - "WAF" + "AppSvc" ], "severity": "Medium", - "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", - "waf": "Performance" + "subcategory": "Penetration Testing", + "text": "Conduct a penetration test on the web application.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Ensure that only trusted code, which has been validated and scanned for vulnerabilities, is deployed to production following DevSecOps practices. 
This minimizes the risk of introducing security vulnerabilities into the application environment.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "services": [ - "WAF" + "AppSvc" ], "severity": "Medium", - "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", - "waf": "Reliability" + "subcategory": "Vulnerability Management", + "text": "Deploy validated and vulnerability-scanned code.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Ensure that the latest versions of supported platforms, programming languages, protocols, and frameworks are used. 
Regular updates mitigate the risk of security vulnerabilities and ensure compatibility with security patches.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", "services": [ - "WAF", - "AVS", - "VM", - "Storage" + "AppSvc" ], - "severity": "Medium", - "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Vulnerability Management", + "text": "Use up-to-date platforms, languages, protocols and frameworks", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "category": "Operations", + "checklist": "Azure App Service Review", + "description": "Leverage Auto-Healing in Azure App Service to automatically restart instances or trigger custom actions based on pre-defined failure conditions like memory thresholds, HTTP errors, or specific event logs.", + "guid": "60b3a935-33e5-45c9-87c7-53882e395b46", + "link": "https://learn.microsoft.com/azure/app-service/overview-diagnostics", + "service": "App Services", "services": [ - "WAF", - "ExpressRoute", - "Storage" + "AppSvc" ], "severity": "Medium", - "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", + "subcategory": "High Availability", + "text": "Use Auto-Healing with custom rules to restart App Service instances automatically when failures occur.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "category": "Operations", + "checklist": "Azure App Service Review", + "description": "Configure Azure Monitor alerts based on Application Insights metrics for response times, failure rates, and overall availability. Alerts help detect issues proactively and reduce mean-time-to-recovery (MTTR).", + "guid": "e52e4514-02a7-4e81-a98e-88ce1b18e557", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/alerts", + "service": "App Services", "services": [ - "WAF", - "ExpressRoute", - "Storage" + "AppSvc", + "Monitor" ], "severity": "Medium", - "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", + "subcategory": "Monitoring", + "text": "Set up alerts for critical Application Insights metrics, such as response time and failure rates.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", + "category": "Governance and Security", + "checklist": "Azure App Service Review", + "description": "Use Azure Policy to enforce security, compliance, and governance configurations for App Service. 
Policies can ensure that critical settings such as TLS versions, backup configurations, and network restrictions are enforced across all App Service instances.", + "guid": "361e886f-ca40-4ead-a8e9-1379c642ae9c", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "App Services", "services": [ - "WAF", - "ASR" + "AppSvc", + "AzurePolicy", + "Backup", + "ACR" ], "severity": "High", - "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Apply Azure Policy to enforce compliance across App Service configurations.", + "waf": "Governance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "category": "Cost Governance", + "checklist": "Azure App Service Review", + "description": "Leverage Azure Cost Management to track and forecast App Service expenses. 
Set up alerts for budget thresholds to avoid overspending, and optimize costs based on resource utilization trends.", + "guid": "42eb48f0-28ff-497c-b2c0-a8fa1f989832", + "link": "https://learn.microsoft.com/azure/cost-management-billing/", + "service": "App Services", "services": [ - "WAF" + "AppSvc", + "Monitor", + "Cost" ], - "severity": "High", - "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Cost Monitoring", + "text": "Monitor App Service costs using Azure Cost Management and create cost alerts.", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", + "category": "Cost Governance", + "checklist": "Azure App Service Review", + "description": "If you have predictable and steady usage of App Service, purchasing Reserved Instances can significantly reduce long-term costs. 
Commit to one or three years for lower pricing compared to pay-as-you-go.", + "guid": "e489221b-487e-48a3-aaab-48e3d205ca12", + "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/", + "service": "App Services", "services": [ - "WAF", - "ExpressRoute" + "AppSvc", + "Storage", + "Cost", + "ARS" ], - "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Cost Optimization", + "text": "Purchase reserved instances for App Service plans to optimize long-term costs.", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "d7e47431-76c8-4bdb-b55b-ce619e8a03f9", + "link": "https://learn.microsoft.com/azure/openshift/howto-create-service-principal?pivots=aro-azurecli", "services": [ - "WAF", - "ExpressRoute" + "RBAC", + "Entra" ], "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Create a service principal and its role assignments before creating the ARO clusters.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "7879424d-6267-486d-90b9-6c97be985190", + "link": "https://learn.microsoft.com/azure/openshift/configure-azure-ad-ui", 
"services": [ - "WAF" + "Entra" ], "severity": "High", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Use AAD to authenticate users in your ARO cluster.", + "waf": "Security" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "WAF checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "adfec5f9-a82d-46e9-a8d1-5a0c7fed5d15", + "link": "https://docs.openshift.com/container-platform/4.14/authentication/remove-kubeadmin.html", "services": [ - "WAF", - "ACR" + "Entra" ], - "severity": "High", - "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "When using AAD authentication, remove kubeadmin user from the cluster.", + "waf": "Security" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "WAF checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "483835c9-86bb-4291-8155-a11475e39f54", + "link": "https://docs.openshift.com/container-platform/4.13/applications/projects/working-with-projects.html", "services": [ - "WAF", - "Storage" + "RBAC", + "Entra" ], - "severity": "Medium", - "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity", + "text": "Define OpenShift projects to restrict RBAC privilege and isolate workloads in your cluster.", + "waf": "Security" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "WAF checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "0acccd97-9376-4bcd-a375-0ab2ab039da6", + "link": "https://docs.openshift.com/container-platform/4.13/authentication/using-rbac.html", "services": [ - "WAF", - "Storage" + "RBAC", + "Entra" ], "severity": "Medium", - "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Define the required RBAC roles in OpenShift are scoped to either a project or a cluster.", + "waf": "Security" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "WAF checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "d54d7c89-29db-4107-b532-5ae625ca44e4", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", "services": [ - "WAF", - "ASR" + "AKV", + "Entra" ], "severity": "Medium", - "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. 
Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Minimize the number of users who have administrator rights and secrets access.", + "waf": "Security" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", + "category": "Identity and Access Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "685e2223-ace8-4bb1-8307-ca5f16f154e3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "services": [ - "WAF" + "RBAC", + "Entra" ], "severity": "Medium", - "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Use Privileged Identity Management in AAD for ARO users with privileged roles.", + "waf": "Security" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "category": "Network topology and connectivity", + "checklist": "Azure Red Hat OpenShift", + "guid": "aa369282-9e7e-4216-8836-87af467a1f89", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", "services": [ + "Entra", + "DDoS", + "Firewall", + "VNet", + "Subscriptions", "WAF" ], + 
"severity": "Low", + "subcategory": "DDoS", + "text": "Use Azure DDoS Network/IP Protection to protect the virtual network you use for the ARO cluster unless you use Azure Firewall or WAF in a centralized subscription", + "waf": "Security" + }, + { + "category": "Network topology and connectivity", + "checklist": "Azure Red Hat OpenShift", + "guid": "35bda433-24f1-4481-8533-182aa5174269", + "link": "https://docs.openshift.com/container-platform/4.13/networking/routes/secured-routes.html", + "services": [], "severity": "High", - "text": "Use zone redundant pipelines in regions that support Availability Zones", - "waf": "Reliability" + "subcategory": "Encryption", + "text": "All web applications you configure to use an ingress should use TLS encryption and shouldn't allow access over unencrypted HTTP.", + "waf": "Security" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "category": "Network topology and connectivity", + "checklist": "Azure Red Hat OpenShift", + "guid": "44008ae7-d7e4-4743-876c-8bdbf55bce61", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "services": [ "WAF", - "Backup" + "FrontDoor" ], "severity": "Medium", - "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", - "waf": "Reliability" + "subcategory": "Internet", + "text": "Use Azure Front Door with WAF to securely publish ARO applications to the internet, especially in multi-region environments.", + "waf": "Security" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "category": "Network 
topology and connectivity", + "checklist": "Azure Red Hat OpenShift", + "guid": "9e8a03f9-7879-4424-b626-786d60b96c97", + "link": "https://learn.microsoft.com/azure/openshift/howto-secure-openshift-with-front-door", "services": [ - "WAF", - "VM" + "PrivateLink", + "FrontDoor" ], "severity": "Medium", - "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", - "waf": "Reliability" + "subcategory": "Internet", + "text": "If exposing an app on ARO with Azure Front Door, use private link to connect Front Door with the ARO router.", + "waf": "Security" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "services": [ - "WAF", - "VNet" - ], - "severity": "Medium", - "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", + "category": "Network topology and connectivity", + "checklist": "Azure Red Hat OpenShift", + "guid": "be985190-4838-435c-a86b-b2912155a114", + "link": "https://learn.microsoft.com/azure/openshift/howto-restrict-egress", "services": [ - "WAF", - "AKV" + "AzurePolicy", + "NVA", + "Firewall" ], - "severity": "Low", - "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Internet", + "text": "If your security policy requires you to inspect all outbound internet traffic that's generated in the ARO cluster, secure egress network traffic by using Azure Firewall or an NVA.", + "waf": "Security" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "WAF checklist", - "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", + "category": "Network topology and connectivity", + "checklist": "Azure Red Hat OpenShift", + "guid": "75e39f54-0acc-4cd9-9937-6bcda3750ab2", + "link": "https://learn.microsoft.com/azure/openshift/howto-create-private-cluster-4x", "services": [ - "WAF", - "ServiceBus" + "AzurePolicy" ], - "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "severity": "High", + "subcategory": "Private access", + "text": "If your security policy requires you to use a private IP address for the OpenShift API, deploy a private ARO cluster.", "waf": "Security" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "WAF checklist", - "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", + "category": "Network topology and connectivity", + "checklist": "Azure Red Hat OpenShift", + "guid": "ab039da6-d54d-47c8-a29d-b107d5325ae6", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", "services": [ - "WAF", - "ServiceBus" + "PrivateLink", + "ACR" ], "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "subcategory": "Private access", + "text": "Use Azure Private Link to secure network connections to managed Azure services, including to Azure Container Registry.", "waf": "Security" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "WAF checklist", - "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "25ca44e4-685e-4222-9ace-8bb12307ca5f", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-enable-arc-enabled-clusters", "services": [ - "TrafficManager", - "ServiceBus", - "AzurePolicy", - "WAF", - "RBAC", - "Entra" + "Monitor" ], - "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" + "severity": "High", + "subcategory": "Operations", + "text": "Establish a monitoring process using the inbuilt Prometheus, OpenShift Logging or Container Insights integration.", + "waf": "Operations" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "WAF checklist", - "description": "Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. 
We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.", - "graph": "Resources | where type =~ 'microsoft.servicebus/namespaces' | extend compliant = iif(properties.disableLocalAuth == 'false', 'No', 'Yes') | project id, compliant", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication", - "service": "Service Bus", - "services": [ - "WAF", - "ServiceBus", - "Entra" - ], + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "16f154e3-aa36-4928-89e7-e216183687af", + "link": "https://docs.openshift.com/container-platform/4.13/cicd/pipelines/understanding-openshift-pipelines.html", + "services": [], "severity": "Medium", - "text": "When possible, disable SAS key authentication (or local authentication) and use only Microsoft Entra ID for authentication", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Operations", + "text": "Automate the application delivery process through DevOps practices and CI/CD solutions, such as Pipelines/GitOps provided by OpenShift.", + "waf": "Operations" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "WAF checklist", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", - "services": [ - "Storage", - "ServiceBus", - "WAF", - "RBAC", - "Subscriptions" - ], - "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "467a1f89-35bd-4a43-924f-14811533182a", + "link": "https://learn.microsoft.com/azure/architecture/guide/design-principles/managed-services", + "services": [], + "severity": "Low", + "subcategory": "Operations", + "text": "Whenever possible, remove the service state from inside containers. Instead, use an Azure platform as a service (PaaS) that supports multiregion replication.", + "waf": "Operations" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "WAF checklist", - "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "1b7da8cf-aa66-4e15-b4d5-ada97dc3e232", + "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-storageclass", "services": [ - "WAF", - "ServiceBus", - "Monitor", - "VNet" + "Storage" ], - "severity": "Medium", - "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "severity": "Low", + "subcategory": "Operations", + "text": "Use RWX storage with inbuilt Azure Files storage class.", + "waf": "Operations" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "WAF checklist", - "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", - "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", - "service": "Service Bus", - "services": [ - "WAF", - "ServiceBus", - "PrivateLink", - "VNet" - ], + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "6bb235c7-05e1-4696-bded-fa8a4c8cdec4", + "link": "https://docs.openshift.com/container-platform/4.13/nodes/clusters/nodes-cluster-limit-ranges.html", + "services": [], "severity": "Medium", - "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Performance", + "text": "Use pod requests and limits to manage the compute resources within a cluster.", + "waf": "Performance" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "WAF checklist", - "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", - "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", - "service": "Service Bus", - "services": [ - "WAF", - "ServiceBus" - ], + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "c620c30c-14ee-4b7f-9ae8-d9b3fec228e7", + "link": "https://docs.openshift.com/container-platform/4.13/applications/quotas/quotas-setting-per-project.html", + "services": [], "severity": "Medium", - "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "subcategory": "Performance", + "text": "Enforce resource quotas on projects.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "WAF checklist", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "87ab177a-db59-4f6b-a613-334fd09dc234", + "link": "https://docs.openshift.com/container-platform/4.13/machine_management/applying-autoscaling.html", + "services": [], + "severity": "High", + "subcategory": "Performance", + "text": "Define ClusterAutoScaler and MachineAutoScaler to scale machines when your cluster runs out of resources to support more deployments.", + "waf": "Performance" + }, + { + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "19db6128-1269-4040-a4ba-4d3e0804276d", + "link": "https://learn.microsoft.com/azure/openshift/support-policies-v4#supported-virtual-machine-sizes", "services": [ - "WAF" + "VM" ], "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "subcategory": 
"Reliability", + "text": "Use virtual machine sizes that are large enough to contain multiple container instances so you get the benefits of increased density, but not so large that your cluster can't handle the workload of a failing node.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "WAF checklist", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", - "services": [ - "WAF" - ], + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "4b98b15c-8b31-4aa5-aceb-58889135e227", + "link": "https://docs.openshift.com/container-platform/4.13/machine_management/deploying-machine-health-checks.html", + "services": [], "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "subcategory": "Reliability", + "text": "Deploy machine health checks to automatically repair damaged machines in a machine pool.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "WAF checklist", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "896d31b6-6c67-4ba5-a119-c08e8f5d587c", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-metric-alerts", "services": [ - "WAF" + "Monitor" ], "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "subcategory": "Reliability", + "text": "Use an alerting system to provide notifications when things need direct action: 
Container Insights metric alerts or in-built Alerting UI.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "WAF checklist", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", - "services": [ - "WAF", - "AppSvc" - ], + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "7e9ced16-acd1-476e-b9b2-41a998a57ae7", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview#availability-zones", + "services": [], "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "subcategory": "Reliability", + "text": "Ensure that the cluster is created in a region that supports AZs and create a machine set for each AZ.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "WAF checklist", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "7b997e71-1b7d-4a8c-baa6-6e15d4d5ada9", + "link": "https://docs.openshift.com/container-platform/4.13/machine_management/creating-infrastructure-machinesets.html", "services": [ - "WAF" + "AKS" ], - "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", - "waf": "Operations" + "severity": "Low", + "subcategory": "Reliability", + "text": "Create infrastructure machine sets to hold infrastructure components. 
Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "7dc3e232-6bb2-435c-905e-1696fdedfa8a", + "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup#create-a-backup-with-velero-to-include-snapshots", "services": [ - "WAF", - "Storage" + "Backup" ], "severity": "Medium", - "text": "Consider the 'Azure security baseline for storage'", - "waf": "Security" + "subcategory": "Reliability", + "text": "Create application backup and plan for restore and include persistent volumes in the backup.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "services": [ - "WAF", - "PrivateLink", - "Storage" - ], - "severity": "High", - "text": "Consider using private endpoints for Azure Storage", - "waf": "Security" + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "81c12318-1a64-4174-8583-3fb4ae3c2df7", + "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-priority.html", + "services": [], + "severity": "Low", + "subcategory": "Reliability", + "text": "Use pod priorities, so that in case of limited resources the most critical pods will run.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "43166c3b-cbe0-45bb-b209-d4a0da577784", + "link": "https://docs.openshift.com/container-platform/4.13/architecture/admission-plug-ins.html", "services": [ - "WAF", - "Storage", - "Subscriptions", - "RBAC" + "AzurePolicy" ], - "severity": "Medium", - "text": "Ensure older storage accounts are not using 'classic deployment model'", + "severity": "Low", + "subcategory": "Security", + "text": "Regulate cluster functions using admission plug-ins, which are commonly used to enforce security policy, resource limitations, or configuration requirements.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "24d21678-5d2f-4a56-a56a-d48408fe8273", + "link": 
"https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", "services": [ - "WAF", - "Storage", - "Defender" + "ACR" ], - "severity": "High", - "text": "Enable Microsoft Defender for all of your storage accounts", + "severity": "Low", + "subcategory": "Security", + "text": "Store your container images in Azure Container Registry and geo-replicate the registry to each region.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", - "services": [ - "WAF", - "Storage" - ], + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "4c486ba2-80dc-4059-8cf7-5ee8e1309ccc", + "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-vertical-autoscaler.html", + "services": [], "severity": "Medium", - "text": "Enable 'soft delete' for blobs", - "waf": "Security" + "subcategory": "Workload", + "text": "Optimize the CPU and memory request values, and maximize the efficiency of the cluster resources using vertical pod autoscaler.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "d579366b-cda2-4750-aa1a-bfe9d55d14c3", + "link": "https://docs.openshift.com/container-platform/4.13/applications/application-health.html", "services": [ - "WAF", - "Storage" + "Monitor" ], "severity": "Medium", - "text": "Disable 'soft delete' for blobs", - "waf": "Security" + "subcategory": "Workload", + "text": "Add health probes to your pods to monitor application health. Make sure pods contain livenessProbe and readinessProbe. Use Startup probes to determine the point at which the application has started up.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Enable 'soft delete' for containers", - "waf": "Security" + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "c4929cb1-b3d1-4325-ae12-4ba34d0685ed", + "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-autoscaling.html", + "services": [], + "severity": "Medium", + "subcategory": "Workload", + "text": "Scale pods to meet demand using horizontal pod autoscaler.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted 
information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "dce9be3b-b0dd-4b3b-95fb-2ec14eeaa359", + "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-configuring.html#nodes-pods-pod-distruption-about_nodes-pods-configuring", "services": [ - "WAF", - "Storage" + "Cost" ], "severity": "Medium", - "text": "Disable 'soft delete' for containers", - "waf": "Security" + "subcategory": "Workload", + "text": "Use disruption budgets to ensure the required number of pod replicas exist to handle expected application load.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "services": [ - "WAF", - "Storage" - ], - "severity": "High", - "text": "Enable resource locks on storage accounts", - "waf": "Security" + "category": "Operations management", + "checklist": "Azure Red Hat OpenShift", + "guid": "2829e2ed-b217-4367-9aff-6791b4935ada", + "link": "https://docs.openshift.com/container-platform/4.13/nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.html", + "services": [], + "severity": "Medium", + "subcategory": "Workload", + "text": "Use pod topology constraints to automatically schedule pods on nodes throughout the cluster.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Consider 'legal 
hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", - "services": [ - "WAF", - "Subscriptions", - "Storage", - "AzurePolicy" - ], + "category": "Operations Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "fea1dbf3-dd95-4d48-a7c8-91dcb1f7d575", + "link": "https://learn.microsoft.com/azure/openshift/intro-openshift#service-level-agreement", + "services": [], + "severity": "Medium", + "subcategory": "Availablity", + "text": "Leverage Current ARO SLA - 99.95 into BCDR planning", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "b95e06e1-58e2-4ea3-a92c-2de6e2065b3a", + "link": "https://www.redhat.com/rhdc/managed-files/pa-getting-started-azure-openshift-ebook-f20686-201911-en_0.pdf", + "services": [], "severity": "High", - "text": "Consider immutable blobs", - "waf": "Security" + "subcategory": "Cluster Design", + "text": "Run user workloads on the worker nodes, not the control plane nodes", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. 
", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "category": "Operations Management", + "checklist": "Azure Red Hat OpenShift", + "description": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines", + "guid": "76af4a69-1e88-439a-ba46-667e13c10567", + "link": "https://learn.microsoft.com/azure/openshift/howto-segregate-machinesets", "services": [ - "WAF", - "Storage" + "AKS", + "VNet" ], - "severity": "High", - "text": "Require HTTPS, i.e. disable port 80 on the storage account", - "waf": "Security" + "severity": "Medium", + "subcategory": "Cluster Design", + "text": "Isolate workloads into worker nodes running in individual subnets as needed", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "category": "Operations Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "785c6fe9-6c96-4ad8-a44c-f3b2b38c886b", + "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup", "services": [ - "WAF", - "Storage" + "Backup" ], - "severity": "High", - "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", - "waf": "Security" 
+ "severity": "Medium", + "subcategory": "Backup", + "text": "Backup a cluster state for stateful workload scenarios to a paired region", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "category": "Operations Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "a2c02149-9014-4a5d-9ce5-74dccbd9792a", + "link": "https://access.redhat.com/documentation/red_hat_openshift_container_storage/4.4/html/deploying_and_managing_openshift_container_storage_on_microsoft_azure/deploying-openshift-container-storage-on-microsoft-azure_rhocs", "services": [ - "WAF", - "Storage" + "Storage", + "ACR" ], "severity": "Medium", - "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", - "waf": "Security" + "subcategory": "Data Store", + "text": "If container storage is required, ensure availability across regions if needed: Using RWX storage with inbuilt Azure Files storage class. Using CSI Drivers for storage provisioning", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": ". Enforcing the latest TLS version will reject request from clients using the older version. 
", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", - "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", - "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", - "service": "Azure Storage", - "services": [ - "WAF", - "Storage" - ], - "severity": "High", - "text": "Enforce the latest TLS version for a storage account", - "waf": "Security" + "category": "Operations Management", + "checklist": "Azure Red Hat OpenShift", + "guid": "6bcca2b4-fea1-4dbf-9dd9-5d48c7c891dc", + "link": "https://docs.openshift.com/aro/3/dev_guide/persistent_volumes.html", + "services": [], + "severity": "Medium", + "subcategory": "Data Store", + "text": "Whenever possible, move state out of containers and into external databases that support multi-region replication. Avoid Persistent Volumes", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", - "services": [ - "WAF", - "Entra", - "Storage" - ], - "severity": "High", - "text": "Use Microsoft Entra ID tokens for blob access", - "waf": "Security" + "category": "Platform Automation", + "checklist": "Azure Red Hat OpenShift", + "guid": "42324ece-81c1-4231-a1a6-417415833fb4", + "link": "https://docs.openshift.com/container-platform/4.13/applications/deployments/route-based-deployment-strategies.html", + "services": [], + "severity": "Low", + "subcategory": "Workload", + "text": "Consider blue/green or canary strategies to deploy new releases of application.", + "waf": "Operations" }, { 
- "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", - "services": [ - "WAF", - "RBAC" - ], - "severity": "Medium", - "text": "Least privilege in IaM permissions", - "waf": "Security" + "category": "Platform Automation", + "checklist": "Azure Red Hat OpenShift", + "guid": "ae3c2df7-4316-46c3-acbe-05bbe209d4a0", + "link": "https://docs.openshift.com/container-platform/4.13/cicd/gitops/understanding-openshift-gitops.html", + "services": [], + "severity": "Low", + "subcategory": "Workload", + "text": "Consider using Red Hat OpenShift GitOps. Red Hat OpenShift GitOps uses Argo CD to maintain cluster resources and support application CI/CD.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "services": [ - "WAF", - "Entra", - "Storage" - ], + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "da577784-24d2-4167-a5d2-fa56c56ad484", + "link": "https://learn.microsoft.com/azure/openshift/support-lifecycle", + "services": [], "severity": "High", - "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "subcategory": "Control plane", + "text": "Keep your clusters on the latest OpenShift version to avoid potential security or upgrade issues.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. 
", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "08fe8273-4c48-46ba-880d-c0591cf75ee8", + "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/quickstart-connect-cluster", "services": [ - "Storage", - "WAF", - "Monitor", - "Entra", - "AKV" + "AKS", + "Arc" ], "severity": "High", - "text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.", + "subcategory": "Control plane", + "text": "Connect Azure Red Hat OpenShift clusters to Azure Arc-enabled Kubernetes.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", - "services": [ - "Storage", - "AzurePolicy", - "WAF", - "Monitor", - "AKV" - ], - "severity": "High", - "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "e1309ccc-d579-4366-acda-2750aa1abfe9", + "link": "https://docs.openshift.com/container-platform/4.10/security/encrypting-etcd.html", + "services": [], + "severity": "Low", + "subcategory": "Encryption", + "text": "For Azure Red Hat OpenShift 4 clusters, etcd data isn't encrypted by default, but it's recommended to enable etcd encryption to provide another layer of data security.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "d55d14c3-c492-49cb-8b3d-1325ae124ba3", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", "services": [ - "WAF", - "AKV", - "Storage", - "AzurePolicy" + "AKS", + "Defender", + "Arc" ], "severity": "Medium", - "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "subcategory": "Posture", + "text": "Use Microsoft Defender for Containers supported via Arc-enabled Kubernetes to secure clusters, containers, and applications.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "4d0685ed-dce9-4be3-ab0d-db3b55fb2ec1", + "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/tutorial-akv-secrets-provider", "services": [ - "WAF", - "AzurePolicy" + "AKV", + "AKS", + "Arc" ], "severity": "Medium", - "text": "Consider configuring an SAS expiration policy", + "subcategory": "Secrets", + "text": "For applications that require access to sensitive information, use a service principal and the AKV Secrets Provider with the extension for Arc-enabled Kubernetes clusters.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", - "services": [ - "WAF", - "AKV", - "Storage", - "AzurePolicy" - ], + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "4eeaa359-2829-4e2e-bb21-73676aff6791", + "link": "https://learn.microsoft.com/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources", + "services": [], "severity": "Medium", - "text": "Consider linking SAS to a stored access policy", + "subcategory": "Workload", + "text": "Secure pod access to resources. 
Provide the least number of permissions, and avoid using root or privileged escalation.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "b4935ada-4232-44ec-b81c-123181a64174", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes", "services": [ - "WAF", - "AKV", - "Storage" + "AzurePolicy", + "Monitor" ], "severity": "Medium", - "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "subcategory": "Workload", + "text": "Monitor and enforce configuration by using the Azure Policy Extension.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "15833fb4-ae3c-42df-9431-66c3bcbe05bb", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", "services": [ - "WAF", - "Entra", - "Storage" + "Defender" ], "severity": "High", - "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "subcategory": "Workload", + "text": "Scan your images for vulnerabilities with Microsoft Defender or any other image scanning solution.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "e209d4a0-da57-4778-924d-216785d2fa56", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", "services": [ - "WAF", - "Storage", - "AzurePolicy" + "Subscriptions", + "ACR" ], - "severity": "High", - "text": "Strive for short validity periods for ad-hoc SAS", + "severity": "Low", + "subcategory": "Workload", + "text": "Deploy a dedicated and private instance of Azure Container Registry to each landing zone subscription.", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "9f519499-5820-4060-88fe-cab4538c9dd0", + "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Apply a narrow scope to a SAS", - "waf": "Security" + "subcategory": "Physical", + "text": "All planned storage pools should use direct-attached storage (SATA, SAS, NVMe)", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "f7c015e0-7d97-4283-b006-567afeb2b5ca", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/drive-symmetry-considerations#understand-capacity-imbalance", "services": [ - "WAF" + "Storage", + "ACR" ], "severity": "Medium", - "text": "Consider scoping SAS to a specific client IP address, wherever possible", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "services": [ - "WAF", - "Storage" - ], - "severity": "Low", - "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", - "waf": "Security" + "subcategory": "Physical", + "text": "Disks are symmetrical across all nodes", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "f785b143-2c1e-4466-9baa-dde8ba4c7aaa", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/fault-tolerance#parity", "services": [ - "WAF", - "Entra", "Storage", - "RBAC" + "Backup" ], - "severity": "High", - "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", - "waf": "Security" + "severity": "Medium", + "subcategory": "S2D", + "text": "Parity type disk redundancy should only be used for low I/O volumes (backup/archive)", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "8a705965-9840-43cc-93b3-06d089406bb4", + "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements#physical-deployments", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", - "waf": "Security" + "subcategory": "S2D", + "text": "Ensure there at least 2 capacity disks with available capacity in the Storage Pool", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. 
an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "2a4f629a-d623-4610-a8e3-d6fd66057d8e", + "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/delimit-volume-allocation", "services": [ - "WAF", - "Storage", - "AzurePolicy" + "Storage" ], - "severity": "High", - "text": "Avoid overly broad CORS policies", - "waf": "Security" + "severity": "Low", + "subcategory": "S2D", + "text": "'Delimited allocation' has been considered to improve volume resiliency in a multi-node failure", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. 
thus not relying on Azure Storage at all for confidentiality guarantees.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "960eb9be-1f0f-4fc1-9b31-fcf1cf9e34e6", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#choosing-how-many-volumes-to-create", "services": [ - "WAF", "Storage" ], - "severity": "High", - "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", - "waf": "Security" + "severity": "Medium", + "subcategory": "S2D", + "text": "CSVs are created in multiples of node count", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "859ba2b9-a3a8-4ca1-bb61-165effbf1c03", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/cache", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Determine which/if platform encryption should be used.", - "waf": "Security" + "subcategory": "S2D", + "text": "If a cache tier is implemented, the number of capacity drives is a multiple of the number of cache drives", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": 
"d8a65f05-db06-461d-81dc-7899ad3f8f1e", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#reserve-capacity", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Determine which/if client-side encryption should be used.", - "waf": "Security" + "subcategory": "S2D", + "text": "A minimum of 1 type of each disk type per node has been factored as a reserve disk", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "description": "VMFleet is a tool that can be used to measure the performance of a storage subsystem, best used to baseline performance prior to workload deployment", + "guid": "9d138f1d-5363-476e-bbd7-acfa500bdc0c", + "link": "https://github.com/microsoft/diskspd/wiki/VMFleet", "services": [ - "WAF", "Storage" ], - "severity": "High", - "text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. 
", - "waf": "Security" + "severity": "Low", + "subcategory": "S2D", + "text": "VMFleet has been run prior to workload deployment to baseline storage performance", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "13c12e2a-c938-4dd1-9223-507d5e17f9c5", "services": [ - "WAF", "Storage" ], - "severity": "High", - "text": "Leverage a storagev2 account type for better performance and reliability", + "severity": "Medium", + "subcategory": "Host OS", + "text": "OS drives use a dedicated storage controller", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "category": "Storage", + "checklist": "Azure Stack HCI Review", + "guid": "a631e7dc-8879-45bd-b0a7-e5927b805428", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-csv-cache", "services": [ - "WAF", "Storage" ], - "severity": "High", - "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Host OS", + "text": "CSV in-memory read caching is enabled and properly configured", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": 
"https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "For write operation after failover, use customer-Managed Failover ", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "c062cd9a-f1db-4f83-aab3-9cb03f56c140", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements#switch-embedded-teaming-set", "services": [ - "WAF" + "ACR" ], "severity": "Medium", - "text": "Understand Microsoft-Managed Failover details", + "subcategory": "Host", + "text": "NICs are symmetrical across nodes", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "ea8054db-a558-4533-80c8-5d9cf447ba19", "services": [ - "WAF" + "Storage" ], - "severity": "Medium", - "text": "Enable Soft Delete", + "severity": "High", + "subcategory": "Host", + "text": "Storage networking is redundant", "waf": "Reliability" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "WAF checklist", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", - "services": [ - "WAF" - ], + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": 
"15d976c5-e267-49a1-8b00-62010bfa5188", + "link": "https://learn.microsoft.com/azure-stack/hci/deploy/network-atc", + "services": [], "severity": "Medium", - "text": "Follow reliability support recommendations in Azure Bot Service", + "subcategory": "Host", + "text": "Host networking configuration is managed by Network ATC and intents are healthy", "waf": "Reliability" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "WAF checklist", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Deploying bots with local data residency and regional compliance", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "676c53ad-b29a-4de1-9d03-d7d2674405b8", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/network-hud-overview", + "services": [], + "severity": "Low", + "subcategory": "Host", + "text": "Network HUD has been configured", "waf": "Reliability" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "WAF checklist", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "8f6d58d9-6c1a-4ec1-b2d7-b2c6ba8f3949", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements", "services": [ - "WAF" + "Storage", + "VNet" ], "severity": "Medium", - "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. 
For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", + "subcategory": "Host", + "text": "Storage NICs are assigned static IP addresses on separate subnets and VLANs", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "WAF checklist", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "services": [ - "WAF" - ], + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "824e53ec-953e-40c2-a6b8-52970b5b0f74", + "link": "https://learn.microsoft.com/azure-stack/hci/plan/two-node-switched-converged", + "services": [], "severity": "Medium", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions", + "subcategory": "Host", + "text": "For switchless designs, dual link full mesh connectivity has been implemented", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "WAF checklist", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "dbc85d0e-0ebd-4589-a789-0fa8ceb1d0f0", + "link": "https://learn.microsoft.com/azure-stack/hci/concepts/physical-network-requirements#using-switchless", "services": [ - "WAF", - "TrafficManager", - "FrontDoor" + "Storage" ], "severity": "Medium", - "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "subcategory": "Host", + "text": "If the cluster is made up of more than 3 nodes, a switched storage network has been implemented", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "WAF checklist", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "603c6d71-59d2-419c-a312-8edc6e799c6a", "services": [ - "WAF", - "ACR" + "Storage" ], - "severity": "Medium", - "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Host", + "text": "RDMA is enabled on the Storage networking", + "waf": "Performance" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "WAF checklist", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", - "services": [ - "WAF" - ], + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "9e260eae-bca1-4827-a259-76ee63fda8d6", + "link": "https://github.com/microsoft/SDN/blob/master/Diagnostics/Test-Rdma.ps1", + "services": [], "severity": "Medium", - "text": "Use more than 1 app instance for your apps", - "waf": "Reliability" + "subcategory": "Host", + "text": "Test-RDMA.ps1 has been run to validate the RDMA configuration", + "waf": "Performance" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "WAF checklist", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "description": "This ensures that Management traffic is not exposed to the VM traffic", + "guid": "abc85d0e-0ebd-4589-a777-0fa8ceb1d0f0", + "link": "", "services": [ - "WAF", - "Monitor" + "VM" ], "severity": "Medium", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", - "waf": "Reliability" + "subcategory": "Host", + "text": "If a VMSwitch is shared for Compute and Management traffic, require that Management traffic is tagged with a VLAN ID", + "waf": "Security" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "WAF checklist", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "description": "This ensures you have at least 3 NCs active at all times during NC upgrades.", + "guid": "eb36f5f4-0fa7-4a2c-85f3-1b1c7c7817c0", "services": [ - "WAF" + "VM" ], "severity": "Medium", - "text": "Set up autoscaling in Spring Cloud Gateway", + "subcategory": "SDN", + "text": "There are at least 3 Network Controller VMs deployed", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "WAF checklist", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "8bc78c85-6028-4a43-af2d-082a0a344909", + "link": "https://learn.microsoft.com/windows-server/networking/sdn/manage/update-backup-restore", "services": [ - "WAF" + "Backup" ], - "severity": "Low", - "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", - "waf": "Reliability" + "severity": "High", + "subcategory": "SDN", + "text": "Backups of SDN infrastructure are configured and tested", + "waf": "Operations" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "WAF checklist", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + 
"category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "51eaa4b6-b9a7-43e1-a7dc-634d3107bc6d", "services": [ - "WAF" + "Monitor" ], "severity": "Medium", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", - "waf": "Reliability" + "subcategory": "Cluster", + "text": "SCOM Managed Instance has been considered for more complex monitoring and alerting scenarios", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "WAF checklist", - "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "831f5aca-99ef-41e7-8263-9509f5093b43", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/setup-hci-system-alerts", "services": [ - "WAF" + "Monitor" ], "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", - "waf": "Reliability" + "subcategory": "Cluster", + "text": "Alerts have been configured for the cluster, either using Azure Monitor, SCOM, or a third-party solution", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "WAF checklist", - "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "f95d0e7e-9f61-476d-bf65-59f2454d1d39", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later", "services": [ - "WAF" + "Monitor" ], - "severity": "High", - "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Cluster", + "text": "Insights has been enabled at the cluster level and all nodes are reporting data", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "WAF checklist", - "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Device Update for IoT Hub", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "f4250fcb-ff53-40c9-b304-3560464fd90c", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later", "services": [ - "WAF" + "Monitor" ], - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Cluster", + "text": "Azure Monitoring Agent has been deployed to hosts and an appropriate Data Collection Rule has been configured", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "WAF checklist", - "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Device Update for IoT Hub", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "6143af1d-0d1a-4163-b1c9-662f7459bb98", "services": [ - "WAF", - "AppSvc" + "Monitor" ], - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Hardware", + "text": "Relevant 
hardware monitoring has been configured", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "7bc1c396-2461-4698-b57f-30ca69525252", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", - "service": "VNet", + "category": "Management and Monitoring", + "checklist": "Azure Stack HCI Review", + "guid": "9cbdf225-549a-41cf-9c97-794766a6f2b0", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/health-service-overview", "services": [ - "WAF", - "ASR" + "Monitor" ], "severity": "Medium", - "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Reliability" + "subcategory": "Hardware", + "text": "Relevant hardware alerting has been configured", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "c0da5bbd-0f0d-4a26-98ec-38c9cc42b323", "services": [ - "WAF", - "Entra" + "VM" ], - "severity": "Medium", - "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", - "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "severity": "Low", + "subcategory": "VM Management - Resource Bridge", + "text": "The Azure CLI has been installed on every node to enable RB management from WAC", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": 
"6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "a8ecf23c-c048-4fa9-b87b-51ebfb409863", "services": [ - "WAF", - "Entra" + "VM" ], "severity": "Low", - "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.", - "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", + "subcategory": "VM Management - Resource Bridge", + "text": "DHCP is available in the cluster to support Guest Configuration at VM deployment from Azure", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "category": "Backup and Disaster Recovery", + "checklist": "Azure Stack HCI Review", + "guid": "074541e3-fe08-458a-8062-32d13dcc10c6", + "link": "https://learn.microsoft.com/azure/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines", "services": [ - "WAF" + "VM", + "ASR", + "Backup" ], "severity": "High", - "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "subcategory": "VM", + "text": "Backups of HCI VMs have been configured using MABS or a third-party solution", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", - "services": [ - "WAF" - ], + "category": "Operations", + "checklist": "Azure Stack 
HCI Review", + "guid": "48f7ae57-1035-4101-8a38-fbe163d03e8a", + "services": [], "severity": "High", - "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.", - "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", - "waf": "Cost" + "subcategory": "Cluster Configuration", + "text": "Cluster configuration or a configuration script has been documented and maintained", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "services": [ - "WAF", - "ACR", - "RBAC", - "Subscriptions" - ], + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "f2a6a19a-ffe6-444d-badb-cb336c8e7b50", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/witness", + "services": [], "severity": "High", - "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "subcategory": "Cluster Configuration", + "text": "A cluster witness has been configured for clusters with less than 5 nodes", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", - "services": [ - "WAF" - ], + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "a47339fe-62c5-44a0-bb83-3d46ef16292f", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/update-cluster", + "services": [], "severity": "Medium", - "text": "Only use the authentication type Work or school account for all account types. 
Avoid using the Microsoft account", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "subcategory": "Cluster Configuration", + "text": "Cluster-Aware Updating has been configured for Windows and hardware updates (if available)", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "7f1d6fe8-3079-44ea-8ea6-14494d1aa470", + "link": "https://learn.microsoft.com/azure-stack/hci/deploy/validate", + "services": [], + "severity": "High", + "subcategory": "Cluster Configuration", + "text": "Cluster validation has been run against the configured cluster", + "waf": "Reliability" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "81693af0-5638-4aa2-a153-1d6189df30a7", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", "services": [ - "WAF", - "Entra" + "VM" ], "severity": "Medium", - "text": "Only use groups to assign permissions. 
Add on-premises groups to the Entra ID only group if a group management system is already in place.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "subcategory": "Cluster Configuration", + "text": "Azure Benefits has been enabled at the cluster and VM levels", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "8c967ee8-8170-4537-a28d-33431cd3632a", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-environment-checker", + "services": [], + "severity": "Medium", + "subcategory": "Cluster Configuration", + "text": "The Environment Checker module has been run to validate the environment", + "waf": "Reliability" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "43ffbfab-766e-4950-a102-78b479136e4d", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", "services": [ - "WAF", - "Entra", "AzurePolicy" ], - "severity": "High", - "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Cluster Configuration", + "text": "Group Policy inheritance on the HCI cluster and node Active Directory organizational unit has been blocked or applied policies have been evaluated for compatibility issues (usually WinRM and PowerShell execution policy)", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", - 
"services": [ - "WAF" - ], - "severity": "High", - "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.", - "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", - "waf": "Security" + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "e6a3f3a7-4a7d-49e2-985a-6e39dd284027", + "services": [], + "severity": "Medium", + "subcategory": "Cluster Configuration", + "text": "WAC is on the latest release and configured to automatically upgrade extensions", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "d1caa31f-cc26-42b2-b92f-2b667c0e6020", + "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr", "services": [ - "WAF", "Entra" ], "severity": "Medium", - "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Stretch Clustering", + "text": "There is sub 5ms latency between each site if synchronous replication is being configured AAD", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "3277558e-3155-4088-b49a-78594cb4ce1a", "services": [ - "WAF", - "Entra" + "Storage", + "VNet" ], - "severity": "Medium", - "text": "If planning to switch from Active Directory Domain Services to Entra domain services, 
evaluate the compatibility of all workloads.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Security" + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "Management, Replication and Storage networks excluded from stretched VLANs configurations, are routed, and in different subnets", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "baed6066-8531-44ba-bd94-38cbabbf4099", + "services": [], + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "There is a plan detailed for site failure and recovery", + "waf": "Operations" + }, + { + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b4", "services": [ - "WAF", - "Entra" + "ACR" ], "severity": "Medium", - "text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. 
", - "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", + "subcategory": "Stretch Clustering", + "text": "Separate vLANs and networks are used for each replication network across both sites", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b5", + "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", "services": [ - "WAF", - "Monitor", - "Entra" + "Storage" ], - "severity": "Medium", - "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", - "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", - "waf": "Security" + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "Use either a cloud witness or a file share witness in a third site for cluster quorum for clusters with less than 5 nodes", + "waf": "Reliability" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b6", + "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", + "services": [], + "severity": "High", + "subcategory": "Stretch Clustering", 
+ "text": "When using data deduplication, only enable it on the primary/source volumes", + "waf": "Reliability" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "ac527887-f6f4-40a3-b883-e04d704f013b", + "link": "https://learn.microsoft.com/windows-server/storage/storage-replica/stretch-cluster-replication-using-shared-storage#provision-operating-system-features-roles-storage-and-network", "services": [ - "WAF", - "Entra" + "Storage" ], "severity": "High", - "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout. MFA will be turned on by default for all users in Oct 2024. We recommend updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. ", - "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", - "waf": "Security" + "subcategory": "Stretch Clustering", + "text": "Storage backing log volumes must be faster (ideally) or at least as fast as capacity storage", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "category": "Backup and Disaster Recovery", + "checklist": "Azure Stack HCI Review", + "guid": "8ea49f70-1038-4283-b0c4-230165d3eabc", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-site-recovery", "services": [ - "WAF", - "Entra", - "RBAC" + "ASR", + "Backup" ], "severity": "Medium", - "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Azure Site Recovery has been 
considered for DR purposes", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", - "services": [ - "WAF", - "Entra" - ], + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "03e65fdc-2628-4a1a-ba2e-a5174340ba52", + "link": "https://learn.microsoft.com/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker", + "services": [], "severity": "Medium", - "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "subcategory": "Host", + "text": "BitLocker has been enabled on CSVs for volume encryption, where appropriate", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", - "services": [ - "WAF", - "VNet" - ], + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "9645d2e6-ba28-453c-b6d5-d9ef29fc34be", + "link": "https://learn.microsoft.com/windows-server/storage/file-server/smb-security", + "services": [], "severity": "Medium", - "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "subcategory": "Host", + "text": "SMB encryption has been enabled, where appropriate", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - 
"checklist": "WAF checklist", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "8f03437a-5068-4486-9a78-0402ce771298", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server", "services": [ - "VPN", - "DNS", - "NVA", - "Firewall", - "WAF", - "ExpressRoute", - "Entra", - "VNet" + "Defender" ], - "severity": "High", - "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS services.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Host", + "text": "Microsoft Defender Antivirus has been enabled on all nodes", + "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", - "services": [ - "WAF", - "DDoS" - ], - "severity": "High", - "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "dba6b211-fc02-43b3-b7c8-f163c188332e", + "link": "https://learn.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage", + "services": [], + "severity": "Medium", + "subcategory": "Host", + "text": "Credential Guard has been configured, where appropriate", "waf": "Security" }, { - 
"arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", - "services": [ - "WAF", - "NVA" - ], - "severity": "Medium", - "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.", + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "services": [ - "WAF", - "ExpressRoute", - "ARS", - "VPN" - ], - "severity": "Low", - "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", - "waf": "Security" + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "arm-service": 
"Microsoft.Network/virtualHubs", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "services": [ - "WAF", - "ARS", - "VNet" - ], - "severity": "Low", - "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", - "waf": "Security" + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", "services": [ - "WAF", - "ACR", - "VNet" 
+ "AppSvc" ], - "severity": "Medium", - "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "Performance" + "severity": "High", + "subcategory": "High Availability", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", - "services": [ - "WAF", - "Monitor" - ], + "category": "Application Deployment", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", + "services": [], "severity": "Medium", - "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "subcategory": "CI/CD", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", "waf": "Operations" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "services": [ - "WAF", - "ExpressRoute", - "VNet" - ], - "severity": "Medium", - "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "services": [ - "WAF", - "Storage" - ], + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "services": [], "severity": "Medium", - "text": "Limit the number of routes per route table to 400.", - "training": 
"https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "subcategory": "High Availability", + "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", - "services": [ - "WAF", - "VNet" - ], + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "services": [], "severity": "High", - "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where 
isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", - "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", - "services": [ - "WAF", - "LoadBalancer" - ], + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "services": [], "severity": "High", - "text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. 
Unlike Basic, it supports global load balancing and offers an SLA.", + "subcategory": "High Availability", + "text": "Learn how to trigger a manual failover.", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "48682fb1-1e86-4458-a686-518ebd47393d", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", - 
"services": [ - "WAF", - "LoadBalancer" - ], + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", + "services": [], "severity": "High", - "text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.", + "subcategory": "High Availability", + "text": "Learn how to fail back after a failover.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", - "services": [ - "WAF", - "ExpressRoute" - ], + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "services": [], + "severity": "High", + "subcategory": "High Availablity", + "text": "Enable 2 replicas to have 99.9% availability for read operations", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "services": [], "severity": "Medium", - "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. 
The diagram shows this encryption in flow.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Security" + "subcategory": "High Availablity", + "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "services": [], + "severity": "High", + "subcategory": "High Availablity", + "text": "Leverage Availability Zones by enabling read and/or write replicas", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "services": [ - "WAF", - "ExpressRoute", - "VPN" + "ACR" ], "severity": "Medium", - "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "subcategory": "Georeplication", + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", + "waf": "Reliability" }, { - "arm-service": 
"microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "services": [ - "WAF", "ACR" ], - "severity": "High", - "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Georeplication", + "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": 
"85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "services": [ - "WAF" + "TrafficManager" ], "severity": "Medium", - "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" + "subcategory": "Georeplication", + "text": "Use Azure Traffic Manager to coordinate requests", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "services": [ - "WAF", - "VNet" + "Storage", + "ASR", + "Backup" ], "severity": "High", - "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Performance" + "subcategory": "Disaster Recovery", + "text": "Backup and Restore an Azure Cognitive 
Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "services": [ - "WAF", - "ASR" - ], - "severity": "High", - "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "category": "Operations management", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", + "services": [], + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Follow reliability support recommendations in Azure Bot Service", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", - "service": "Public IP Addresses", - "services": [ - "WAF", - "ACR" - ], - "severity": "High", - "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. 
Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. ", - "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", + "category": "Operations management", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", + "services": [], + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Deploying bots with local data residency and regional compliance", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF checklist", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", - "services": [ - "WAF", - "DNS" - ], + "category": "Operations management", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "services": [], "severity": "Medium", - "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operations" + "subcategory": "High Availablity", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. 
For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF checklist", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", "services": [ - "WAF", - "ACR", - "DNS" + "Monitor", + "Cost" ], "severity": "Medium", - "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "Security" + "subcategory": "Azure Monitor - enforce data collection rules", + "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF checklist", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", "services": [ - "WAF", - "DNS" + "Backup", + "Cost" ], - "severity": "Low", - "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", - "training": "https://learn.microsoft.com/training/courses/az-700t00", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Backup", + "text": "check backup instances with the underlying datasource not found", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF checklist", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", "services": [ - "WAF", - "DNS", - "VM", - "VNet" + "Cost" ], - "severity": "High", - "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Delete/archive", + "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF checklist", - "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", - "service": "DNS", + 
"category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "659d3958-fd77-4289-a835-556df2bfe456", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF", - "DNS" + "Cost" ], "severity": "Medium", - "text": "Implement a plan for managing DNS resolution between multiple Azure regions and when services fail over to another region", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Reliability" + "subcategory": "Delete/archive", + "text": "Consider snooze and stop technique (snooze a service after x days, stop after 2x, delete/deallocate after 3x)", + "waf": "Cost" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "WAF checklist", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "3b0d834a-3487-426d-b69c-6b5c2a26494b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF", - "Bastion" + "Storage", + "Backup", + "Cost" ], "severity": "Medium", - "text": "Use Azure Bastion to securely connect to your network.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Security" + "subcategory": "Delete/archive", + "text": "Delete or archive unused resources (old backups, logs, storage accounts, etc...)", + "waf": "Cost" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = 
subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", "services": [ - "WAF", - "Bastion", - "VNet" + "Backup", + "Storage", + "ASR", + "Cost" ], "severity": "Medium", - "text": "Use Azure Bastion in a subnet /26 or larger.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Security" + "subcategory": "Delete/archive", + "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", + "waf": "Cost" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "WAF checklist", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", "services": [ - "WAF", - "ACR", - "FrontDoor", - "AzurePolicy" + "Monitor", + "Cost" ], "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "subcategory": "Log Analytics retention for workspaces", + "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Cost" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "WAF checklist", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", "services": [ - "WAF", - "AppGW", "AzurePolicy", - "FrontDoor" - ], - "severity": "Low", - "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. 
Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" - }, - { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "WAF checklist", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "services": [ - "WAF", - "VNet" + "Storage", + "Cost" ], - "severity": "High", - "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Policy", + "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "59bb91a3-ed90-4cae-8cc8-4c37b6b780cb", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "WAF", - "DDoS", - "VNet" + "Cost" ], - "severity": "High", - "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "Medium", 
+ "subcategory": "Run orphaned resources workbook - delete or snooze ghost items", + "text": "https://github.com/dolevshor/azure-orphan-resources", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "9fe5c464-89d4-457a-a27c-3874d0102cac", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "WAF" + "Cost" ], - "severity": "High", - "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Shutdown/deallocate", + "text": "Shutdown underutilized instances", + "training": "https://learn.microsoft.com/azure/cost-management-billing/understand/analyze-unexpected-charges", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", "services": [ - "WAF", - "DDoS" + "VM", + "Storage", + "Backup", + "Cost" ], - "severity": "High", - "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "stopped/deallocated VMs: check disks", + "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", "services": [ - "WAF", "AzurePolicy", - "VM" + "Storage", + "Cost" ], - "severity": "High", - "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. 
Use exclusions if public IPs are needed on specific VMs.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "severity": "Medium", + "subcategory": "storage accounts lifecycle policy", + "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "f2bfe456-3b0d-4834-a348-726de69c6b5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF", - "ExpressRoute", - "VPN", - "Backup" + "Cost" ], "severity": "Medium", - "text": "Use ExpressRoute as the primary connection to Azure. 
Use VPNs as a source of backup connectivity.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Tagging", + "text": "Use specific tags for temporary items with 'delete by DATE' format - and automate monthly cleanup", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "category": "DB/App tuning", + "checklist": "Cost Optimization Checklist", + "guid": "2a26494b-69ba-4d37-aad5-3cc78e1d7666", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice", "services": [ - "WAF", - "ExpressRoute" + "Cost" ], "severity": "Medium", - "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "DB optimization", + "text": "Plan for db optimization with the intent of downsizing the related services (and improve performance)", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - 
"guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", + "category": "DB/APP tuning", + "checklist": "Cost Optimization Checklist", + "guid": "7357c449-674b-45ed-a5a8-59c7733be2a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF", - "ExpressRoute", - "VPN" + "Cost" ], "severity": "Medium", - "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "App modernization", + "text": "Modernizing the app towards a microservices architecture will have the effect of letting the app scale according to the single service and not the entire stack", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", + "category": "DB/APP tuning", + "checklist": "Cost Optimization Checklist", + "guid": "a27b765a-91be-41f3-a8ef-394c2bd463cb", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF", - "ExpressRoute", + "VM", + "Storage", "Cost" ], - "severity": "High", - "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that 
justifies their cost.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "severity": "Medium", + "subcategory": "DB optimization", + "text": "optimizing the DB queries will increase performance and allow better right-sizing of storage and VMs", "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "category": "DB/APP tuning", + "checklist": "Cost Optimization Checklist", + "guid": "bac75819-59bb-491a-9ed9-0cae2cc84c37", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "WAF", - "ExpressRoute", "Cost" ], - "severity": "High", - "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "severity": "Medium", + "subcategory": "Demand shaping", + "text": "Using demand shaping on PaaS services will optimize costs and performances", "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 
'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "b6b780cb-9fe5-4c46-989d-457a927c3874", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging", "services": [ - "WAF", - "ExpressRoute" + "Cost", + "Entra" ], "severity": "Medium", - "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Advisor", + "text": "Start from the Azure Advisor page suggestions.", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", "services": [ - "WAF", - "ExpressRoute" + "VM", + "Cost" ], "severity": "Medium", - "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Advisor", + "text": "Make sure advisor is configured for VM right 
sizing ", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "881a1bd5-d1e4-44a1-a659-d3958fd77289", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "WAF", - "ExpressRoute" + "Cost" ], "severity": "Medium", - "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Automation", + "text": "Consider implementing IaC scripts or devops pipelines to match the cost governance process", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "b835556d-f2bf-4e45-93b0-d834a348726d", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "WAF", - "VPN" + "Monitor", + "Cost" ], "severity": "Medium", - "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": 
"Reliability" + "subcategory": "Automation", + "text": "Set up cost alerts for applications that have variable costs (ideally for all of them)", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "WAF checklist", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "e69c6b5c-2a26-4494-a69b-ad37aad53cc7", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", "services": [ - "WAF", - "VPN" + "Cost" ], "severity": "Medium", - "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Reliability" + "subcategory": "Automation", + "text": "Use Azure Automation: Automate repetitive tasks can help you save time and resources, reducing costs in the process. 
", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "8e1d7666-7357-4c44-a674-b5ed85a859c7", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "WAF", - "ExpressRoute", "Cost" ], - "severity": "High", - "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "severity": "Medium", + "subcategory": "Automation", + "text": "Run orphaned resources workbook", "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "733be2a1-a27b-4765-a91b-e1f388ef394c", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", "services": [ - "WAF", - "ExpressRoute" + "Storage", + "Cost" ], "severity": "Medium", - "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. 
It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Security" + "subcategory": "Baseline", + "text": "Try and establish a baseline of monthly spending and an acceptable saving target against the baseline (new services will not be optimized at this stage)", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "2bd463cb-bac7-4581-a59b-b91a3ed90cae", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "WAF", - "Monitor", - "ExpressRoute" + "AzurePolicy", + "Cost" ], "severity": "Medium", - "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "subcategory": "Baseline", + "text": "Establish a cost optimization baseline by using a policy that tags every new resource as #NEW", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "2cc84c37-b6b7-480c-a9fe-5c46489d457a", + "link": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management-config", "services": [ - "WAF", - "ACR", - "Monitor", - "NetworkWatcher" + "Cost" ], "severity": "Medium", - "text": "Use 
Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "subcategory": "Baseline", + "text": "Organize resources to maximize cost insights and accountability", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "927c3874-d010-42ca-a6aa-e01e6a84de5d", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", "services": [ - "WAF", - "ExpressRoute" + "Cost" ], "severity": "Medium", - "text": "Use ExpressRoute circuits from different peering locations for redundancy.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Budgets", + "text": "Create budgets", + "waf": "Cost" }, { - "arm-service": 
"microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "e36d1d92-881a-41bd-9d1e-44a19659d395", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator", "services": [ - "WAF", - "ExpressRoute", - "VPN" + "Cost" ], "severity": "Medium", - "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Cost Analysis", + "text": "In cost analysis - use daily granularity, grouped by service name to analyze the spending of the past 3 months and identify the top 3 spenders", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - 
"service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "8fd77289-b835-4556-bf2b-fe4563b0d834", + "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server", "services": [ - "WAF", - "Storage", - "VNet" + "Cost" ], - "severity": "High", - "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Cost Analysis", + "text": "Check daily for cost spikes and anomalies (ideally with automatic billing exports)", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "a348726d-e69c-46b5-a2a2-6494b69bad37", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", "services": [ - "WAF", - "ACR", - "ExpressRoute" + "Cost" ], - "severity": "High", - "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Cost Analysis", + "text": "Automate cost retrieval for deep analysis or integration", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "aad53cc7-8e1d-4766-9735-7c449674b5ed", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", "services": [ - "WAF", - "ExpressRoute" + "Cost", + "ACR" ], "severity": "Medium", - "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Free services", + "text": "Take advantage of Azure free services: Azure offers a number of free services, such as DevOps, Azure Container Registry, and Azure Logic Apps, that can help you save costs on development and operations. 
", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "96c96ad8-844c-4f3b-8b38-c886ba2c0214", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", "services": [ - "WAF" + "Cost" ], "severity": "Medium", - "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Tagging", + "text": "Tag shared resources", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "99014a5d-3ce5-474d-acbd-9792a6bcca2b", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", "services": [ - "WAF", - "ExpressRoute" + "Cost" ], - "severity": "High", - "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Tagging", + "text": "Consider using tags to all services for cost allocation", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": 
"3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", + "category": "reservations", + "checklist": "Cost Optimization Checklist", + "guid": "4fea1dbf-3dd9-45d4-ac7c-891dcb1f7d57", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", "services": [ - "WAF", - "Monitor", - "ExpressRoute", - "VNet" + "Cost" ], "severity": "Medium", - "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "subcategory": "automation", + "text": "Consider Reservation automation to track and promptly react to changes", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "description": "check by searching the Meter Category Licenses in the Cost analysys", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", "services": [ - "WAF", - "ExpressRoute", - "VNet" + "AzurePolicy", + "VM", + "SQL", + "Cost" ], "severity": "Medium", - "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "check AHUB is applied to all Windows VMs, RHEL and SQL", + "text": "run the script on all windows VMs 
https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", "services": [ - "WAF", - "ACR" + "LoadBalancer", + "Cost" ], - "severity": "Low", - "text": "Do not send Azure traffic to hybrid locations for inspection. Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Check Red Hat Licences if applicable", + "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "a76af4a6-91e8-4839-ada4-6667e13c1056", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", "services": [ - "WAF", - "Firewall" + "AppSvc", + "Cost" ], - "severity": "High", - "text": 
"Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Functions", + "text": "Saving plans will provide 17% on select app service plans", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", "services": [ - "ACR", - "AzurePolicy", - "Firewall", - "WAF", - "RBAC" + "VM", + "Cost" ], "severity": "Medium", - "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. 
Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "subcategory": "Planning", + "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", "services": [ - "WAF", - "Firewall" + "VM", + "Cost", + "ARS" ], - "severity": "Low", - "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Reservations/savings plans", + "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", 
- "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "a785c6fe-96c9-46ad-a844-cf3b2b38c886", + "link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/", "services": [ - "WAF", - "DNS", - "Firewall" + "Cost" ], - "severity": "High", - "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Reservations/savings plans", + "text": "Plan for Azure Savings Plans for all the workloads that are dynamic and need maximum flexibility", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "ba2c0214-9901-44a5-b3ce-574dccbd9792", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", "services": [ - "WAF", - "Firewall" + "Cost" ], - "severity": "High", - "text": "Use Azure Firewall Premium to enable additional security features.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Reservations/savings plans", + "text": "Plan for Azure 
Reservations for all the workloads that are less dynamic and won't change much", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", "services": [ - "WAF", - "Firewall" + "Storage", + "Cost" ], - "severity": "High", - "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Reserve storage", + "text": "Only larger disks can be reserved => 1 TiB -", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", "services": [ - "WAF", - "Firewall" + "VM", + "Cost" ], - "severity": "High", - "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.", - "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-firewall/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Reserve VMs with normalized and rationalized sizes", + "text": "After the right-sizing optimization", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", "services": [ - "Storage", - "NVA", - "Firewall", - "WAF", - 
"VWAN", - "VNet" + "AzurePolicy", + "SQL", + "Cost" ], - "severity": "High", - "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.", - "waf": "Security" + "severity": "Medium", + "subcategory": "SQL Database AHUB", + "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", "services": [ - "WAF", - "Storage", - "Firewall" + "VM", + "SQL", + "Cost" ], "severity": "Medium", - "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operations" - }, + "subcategory": "SQL Database Reservations", + "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", + "waf": "Cost" + }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "e13c1056-75c1-4e94-9b45-9837ff7ae7c6", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities", "services": [ - "WAF", - "AzurePolicy", - "Firewall" + "Cost" ], - "severity": "Important", - "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Tracking", + "text": "Make sure you Azure Reservations and Savings plans are close to 100% utilization or make the necessary changes to reach it.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "category": "Reservations", + "checklist": "Cost Optimization Checklist", + "guid": "d3b475a5-c7ac-4be4-abbe-64dd89f2e877", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations", "services": [ - "WAF", - "Firewall", - "VNet" + "AzurePolicy", + "Cost" ], - "severity": "High", - "text": "Use a /26 prefix for your Azure Firewall subnets.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Tracking", + "text": "Make sure that your reservations usage is close to 100%. 
If not, either enforce an allowed SKU policy or exchange the reservation", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "78468d55-a785-4c6f-b96c-96ad8844cf3b", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review", "services": [ - "WAF", - "AzurePolicy" + "AzurePolicy", + "Cost" ], "severity": "Medium", - "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", - "waf": "Performance" + "subcategory": "Automation", + "text": "Plan and enforce a On/Off policy for production services, where possible", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "2b38c886-ba2c-4021-9990-14a5d3ce574d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "services": [ - "WAF", - "Storage" + "AzurePolicy", + "Cost" ], "severity": "Medium", - "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.", - "waf": "Performance" + "subcategory": "Automation", + "text": "Plan and enforce a On-Demand policy with auto-shutdown for non-production services, where possible", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - 
"checklist": "WAF checklist", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", "services": [ - "WAF" + "VM", + "Cost" ], "severity": "Medium", - "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "Performance" + "subcategory": "Autoscale", + "text": "Consider using a VMSS to match demand rather than flat sizing", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", "services": [ - "WAF", - "Monitor" + "AKS", + "Cost" ], "severity": "Medium", - "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. 
If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "Performance" + "subcategory": "Autoscale", + "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "93665720-2bff-4456-9b0d-934a359c363e", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", "services": [ - "WAF", - "Firewall" + "Cost" ], - "severity": "High", - "text": "If you are using Azure Firewall Premium, enable TLS Inspection.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Autoscale", + "text": "Right-size PaaS service according to average use and accomodate spikes with auto or manual scaling", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "7dd61623-a364-4a90-9eba-e38ead53cc7d", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "services": [ - "WAF", - "ServiceBus" + "Cost" ], - "severity": "Low", - "text": "Use web categories to allow or deny outbound access to specific topics.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Autoscale", + "text": "Plan for demand shaping where applicable", + "waf": "Cost" }, { - "arm-service": 
"Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "e2e8aaab-3571-4549-ab91-53d89f89dc7b", "services": [ - "WAF" + "Cost" ], "severity": "Medium", - "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", - "waf": "Performance" + "subcategory": "Autoscale", + "text": "Consider implementing a service re-scaling logic within the application", + "training": "https://learn.microsoft.com/azure/cost-management-billing/savings-plan/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", "services": [ - "WAF", - "DNS", - "Firewall" + "Backup", + "Cost" ], "severity": "Medium", - "text": "Enable Azure Firewall DNS proxy configuration.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "Security" + "subcategory": "Backup", + "text": "Move recovery points to vault-archive where applicable 
(Validate)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", "services": [ - "WAF", - "Monitor", - "Firewall" + "VM", + "LoadBalancer", + "Cost" ], - "severity": "High", - "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Databricks", + "text": "Consider using Spot VMs with fallback where possible. 
Consider autotermination of clusters.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", "services": [ - "WAF", - "Backup" + "Cost" ], - "severity": "Low", - "text": "Implement backups for your firewall rules", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Functions", + "text": "Functions - Reuse connections", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", - "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", - "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", "services": [ - "WAF", - "ACR", - "Firewall" + "Cost" ], - "severity": "High", - "text": "Deploy Azure Firewall across multiple availability zones. 
Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Functions", + "text": "Functions - Cache data locally", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", - "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", - "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", "services": [ - "WAF", - "DDoS", - "Firewall", - "VNet" + "Storage", + "Cost" ], - "severity": "High", - "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network 
hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. ", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Functions", + "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Cost" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", "services": [ - "WAF", - "VNet" + "Cost" ], - "severity": "High", - "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "severity": "Medium", + "subcategory": "Functions", + "text": "Functions - Keep your functions warm", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": 
"https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", "services": [ - "WAF", - "ExpressRoute", - "PrivateLink" + "Cost" ], "severity": "Medium", - "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Security" + "subcategory": "Functions", + "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", "services": [ - "WAF", - "VNet" + "Cost" ], - "severity": "High", - "text": 
"Don't enable virtual network service endpoints by default on all subnets.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "severity": "Medium", + "subcategory": "Functions", + "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", "services": [ - "DNS", - "NVA", - "Firewall", - "WAF", - "PrivateLink" + "Cost" ], "severity": "Medium", - "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "subcategory": "Functions", + "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. 
You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Cost" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "df03a822-cd46-43cb-abc8-ac299ebc91a4", + "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", "services": [ - "WAF", - "ExpressRoute", - "VPN", - "VNet" + "Cost" ], - "severity": "High", - "text": "Use at least a /27 prefix for your Gateway subnets.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Networking", + "text": "Evaluate your network topology against networking costs and where applicable reduce the egress and peering data", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", "services": [ - "WAF", - "VNet" + "FrontDoor", + "EventHubs", + "Cost" ], - "severity": "High", - "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Networking", + "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", "services": [ - "WAF", - "ACR", - "VNet" + "AppSvc", + "FrontDoor", + "Cost" ], "severity": "Medium", - "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "subcategory": "Networking", + "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. 
The advantage of this is you will be able to log out when it is called.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "WAF checklist", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "f843e52f-4722-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", "services": [ - "WAF", - "Entra", - "NVA", - "VNet" + "Cost" ], "severity": "Medium", - "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "subcategory": "PaaS", + "text": "Consider using free tiers where applicable for all non-production environments", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", - "guid": 
"dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "b9de39ac-0e7c-428d-a936-657202bff456", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", "services": [ - "WAF", - "NetworkWatcher", - "VNet" + "Cost" ], "severity": "Medium", - "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Security" + "subcategory": "Serverless", + "text": "Using serverless patterns for spikes can help keeping costs down", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", "services": [ - "WAF", - "VNet" + "Storage", + "Cost" ], "severity": "Medium", - "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "waf": "Reliability" + "subcategory": "Storage", + "text": "Consider archiving tiers for less used data", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF 
checklist", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", "services": [ - "WAF", - "VWAN" + "Storage", + "Cost" ], "severity": "Medium", - "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "Operations" + "subcategory": "Storage", + "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", "services": [ - "WAF", - "ACR", - "VWAN" + "Storage", + "Cost" ], "severity": "Medium", - "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Performance" + "subcategory": "Storage", + "text": "Consider using standard SSD rather than Premium or Ultra where possible", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualWans", - 
"checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", "services": [ - "WAF", - "Firewall" + "Storage", + "Cost" ], "severity": "Medium", - "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "subcategory": "Storage", + "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", "services": [ - "WAF", - "VWAN" + "Storage", + "ASR", + "Cost" ], "severity": "Medium", - "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Reliability" + "subcategory": "Storage", + "text": "For ASR, 
consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", "services": [ - "WAF", - "VWAN", - "Monitor" + "Storage", + "Cost" ], "severity": "Medium", - "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Operations" + "subcategory": "storage", + "text": "Storage accounts: check hot tier and/or GRS necessary", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", "services": [ - "WAF", - "VWAN" + "Storage", + "Cost" ], "severity": "Medium", - "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", - "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Reliability" + "subcategory": "Storage", + "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", "services": [ - "WAF", - "ExpressRoute", - "VPN" + "EventHubs", + "Cost", + "Monitor" ], "severity": "Medium", - "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Reliability" + "subcategory": "Synapse", + "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", "services": [ - "WAF", - "VWAN" + "Storage", + "Cost" ], 
"severity": "Medium", - "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Reliability" + "subcategory": "Synapse", + "text": "Export cost data to a storage account for additional data analysis.", + "waf": "Cost" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", "services": [ - "WAF" + "SQL", + "Cost" ], - "severity": "High", - "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Synapse", + "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": 
"https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", "services": [ - "WAF", - "AzurePolicy" + "Cost" ], - "severity": "High", - "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Synapse", + "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", "services": [ - "WAF", - "RBAC", - "AzurePolicy" + "Cost" ], "severity": "Medium", - "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", - "training": "https://learn.microsoft.com/training/modules/governance-security/", - "waf": "Security" + "subcategory": "Synapse", + "text": "Create multiple Apache Spark pool definitions of various sizes.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", "services": [ - "WAF", - "Subscriptions", - "AzurePolicy" + "Cost" ], "severity": "Medium", - "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "subcategory": "Synapse", + "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", "services": [ - "WAF", - "AzurePolicy" + "VM", + "Cost" ], - "severity": "High", - "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "severity": "Medium", + "subcategory": "VM", + "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - 
"checklist": "WAF checklist", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "services": [ - "WAF", - "Subscriptions", - "AzurePolicy" + "VM", + "Cost" ], - "severity": "Low", - "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "severity": "Medium", + "subcategory": "VM", + "text": "Right-sizing all VMs", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", "services": [ - "WAF", - "AzurePolicy" + "VM", + "Cost" ], - "severity": "High", - "text": "Use built-in policies where possible to minimize operational overhead.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "severity": "Medium", + "subcategory": "VM", + "text": "Swap VM sized with normalized and most recent sizes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "description": "Assigning the 
Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "services": [ - "AzurePolicy", - "WAF", - "RBAC", - "Entra", - "Subscriptions" + "VM", + "Monitor", + "Cost" ], "severity": "Medium", - "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "subcategory": "VM", + "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "services": [ - "WAF", - "Subscriptions", - "AzurePolicy" + "VM", + "Cost" ], "severity": "Medium", - "text": "Limit the number of Azure Policy assignments made at the root management 
group scope to avoid managing through exclusions at inherited scopes.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "subcategory": "VM", + "text": "Containerizing an application can improve VM density and save money on scaling it", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "category": "BC and DR", + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", "services": [ - "WAF", - "AzurePolicy" + "ACR" ], - "severity": "Medium", - "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Security" + "severity": "High", + "subcategory": "High Availability", + "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "category": "BC and DR", + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "services": [ - "WAF", - "Subscriptions", - "AzurePolicy" + "Storage" ], "severity": "Medium", - "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "category": "BC and DR", + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "services": [ - "WAF", - "AzurePolicy" + "Storage" ], "severity": "Medium", - "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", + "category": "BC and DR", + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", "services": [ - "WAF", - "AzurePolicy" + "ASR" ], "severity": "Medium", - "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Configure passive geo-replication for Premium Azure Cache for Redis 
instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", - "service": "Monitor", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "services": [ - "AzurePolicy", - "WAF", - "Monitor", - "RBAC", - "Entra" + "AKV", + "FrontDoor" ], "severity": "Medium", - "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "subcategory": "Front Door", + "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal.", "waf": "Operations" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", "services": [ + "AzurePolicy", "WAF", - "Monitor" + "FrontDoor" ], "severity": "Medium", - 
"text": "Decide whether to use a single Azure Monitor Logs workspace for all regions or to create multiple workspaces to cover various geographical regions. Each approach has advantages and disadvantages, including potential cross-region networking charges", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Reliability" + "subcategory": "Front Door", + "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", + "service": "Front Door", "services": [ - "WAF", - "ARS", + "AppGW", "AzurePolicy", - "Storage" + "WAF", + "FrontDoor" ], - "severity": "High", - "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Front Door", + "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", "services": [ - "WAF", - "Monitor", "AzurePolicy", - "VM" + "WAF", + "FrontDoor" ], - "severity": "Medium", - "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "severity": "High", + "subcategory": "Front Door", + "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", - "service": "VM", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", "services": [ - "WAF", - "VM" + "TrafficManager", + "EventHubs", + "FrontDoor" ], - "severity": "Medium", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operations" + "severity": "High", + "subcategory": "Front Door", + "text": "Avoid placing Traffic Manager behind Front Door.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": 
"c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", "services": [ - "WAF", - "VM" + "FrontDoor" ], - "severity": "Medium", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operations" + "severity": "High", + "subcategory": "Front Door", + "text": "Use the same domain name on Azure Front Door and your origin. 
Mismatched host names can cause subtle bugs.", + "waf": "Security" }, { - "arm-service": "microsoft.network/networkWatchers", - "checklist": "WAF checklist", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", "services": [ - "WAF", - "Monitor", - "NetworkWatcher" + "FrontDoor" ], - "severity": "Medium", - "text": "Use Network Watcher to proactively monitor traffic flows.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Operations" + "severity": "Low", + "subcategory": "Front Door", + "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", "services": [ - "WAF", - "Monitor" + "FrontDoor" ], "severity": "Medium", - "text": "Use Azure Monitor Logs for insights and reporting.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", - "waf": "Operations" + "subcategory": "Front Door", + "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", "services": [ - "WAF", - "Monitor" + "FrontDoor" ], - "severity": "Medium", - "text": "Use Azure Monitor alerts for the generation of operational alerts.", - "training": 
"https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", - "waf": "Operations" + "severity": "Low", + "subcategory": "Front Door", + "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", "services": [ - "WAF", - "Monitor" + "AKV", + "FrontDoor", + "Cost" ], - "severity": "Medium", - "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "severity": "High", + "subcategory": "Front Door", + "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", "services": [ "WAF", - "Backup" + "FrontDoor" ], - "severity": "Low", - "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Front Door", + "text": "Define your Azure Front Door WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", "services": [ - "WAF", - "AzurePolicy", - "VM" + "FrontDoor" ], - "severity": "Medium", - "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", + "severity": "High", + "subcategory": "Front Door", + "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", "services": [ - "WAF", - "Monitor", - "AzurePolicy", - "VM" + "FrontDoor" ], "severity": "Medium", - "text": "Monitor VM security configuration drift via Azure Policy.", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "subcategory": "Front Door", + "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=~'Enabled') and (mode=~'Prevention')), enabledState, mode", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", "services": [ "WAF", - "ACR", - "ASR", - "VM" + "FrontDoor" ], - "severity": "Medium", - "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.", - "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", - "waf": "Operations" + "severity": "High", + "subcategory": "Front Door", + "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.", + "waf": "Security" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", "services": [ "WAF", - "Backup" + "FrontDoor" ], - "severity": "Medium", - "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "Operations" + "severity": "High", + "subcategory": "Front Door", + "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "WAF checklist", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", "services": [ + "AzurePolicy", "WAF", - "AppGW", "FrontDoor" ], "severity": "High", - "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and 
Azure Application Gateway. Regularly review the logs to check for attacks and for false positive detections.", - "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", - "waf": "Operations" + "subcategory": "Front Door", + "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "WAF checklist", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", "services": [ "WAF", - "Sentinel", - "AppGW", "FrontDoor" ], - "severity": "Medium", - "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. Detect attacks and integrate WAF telemetry into your overall Azure environment.", - "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", - "waf": "Operations" + "severity": "High", + "subcategory": "Front Door", + "text": "Enable the Azure Front Door WAF default rule sets. 
The default rule sets detect and block common attacks.", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", "services": [ "WAF", - "AKV" + "FrontDoor" ], "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "subcategory": "Front Door", + "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + 
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "services": [ "WAF", - "AKV" + "FrontDoor" ], "severity": "Medium", - "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "subcategory": "Front Door", + "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "services": [ "WAF", - "AKV", - "AzurePolicy" + "FrontDoor" ], "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "subcategory": "Front Door", + "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", "services": [ "WAF", - "AKV", - "RBAC", - "Entra" + "FrontDoor" ], "severity": "Medium", - "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "subcategory": "Front Door", + "text": "Use a high threshold for Azure Front Door WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure.", "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "services": [ - "WAF" + "FrontDoor" ], - "severity": "Medium", - "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", - "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "severity": "Low", + "subcategory": "Front Door", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "services": [ - "WAF" + "WAF", + "FrontDoor" ], "severity": "Medium", - "text": "Establish an automated process for key and certificate rotation.", - "training": 
"https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "subcategory": "Front Door", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "services": [ "WAF", - "AKV", - "PrivateLink", - "VNet" + "FrontDoor", + "Monitor" ], "severity": "Medium", - "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", - "waf": "Security" + "subcategory": "Front Door", + "text": "Capture logs and metrics by turning on Diagnostic Settings. Include resource activity logs, access logs, health probe logs, and WAF logs. 
Set up alerts.", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", "services": [ + "Sentinel", "WAF", - "AKV", - "Monitor", - "Entra" + "FrontDoor" ], "severity": "Medium", - "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", - "waf": "Security" + "subcategory": "Front Door", + "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", + "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", + "service": "Front Door", "services": [ - "WAF", - "AKV", - "AzurePolicy" + "FrontDoor", + "Backup" ], "severity": "Medium", - "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", - "waf": "Security" + "subcategory": 
"Front Door", + "text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", + "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", + "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", + "service": "Front Door", "services": [ - "WAF", - "AKV" + "FrontDoor" ], - "severity": "Medium", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "Security" + 
"severity": "High", + "subcategory": "Front Door", + "text": "Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. You can place those origins in one or more back-end pools.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "999852be-2137-4179-8fc3-30d1df6fed1d", + "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps", + "service": "Front Door", "services": [ - "WAF", - "ACR", - "AKV", - "ASR" + "FrontDoor" ], "severity": "Medium", - "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "Security" + "subcategory": "Front Door", + "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. 
You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", - "services": [ - "WAF", - "AKV" + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6", + "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity", + "service": "Front Door", + "services": [ + "FrontDoor" ], "severity": "Medium", - "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "Security" + "subcategory": "Front Door", + "text": "Decide if your application requires session affinity. 
If you have high reliability requirements, we recommend that you disable session affinity.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7", + "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header", + "service": "Front Door", "services": [ - "WAF", - "Entra" + "FrontDoor" ], "severity": "Medium", - "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", - "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "subcategory": "Front Door", + "text": "Send the host header to the back end. The back-end services should be aware of the host name so that they can create rules to accept traffic only from that host.", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", + "service": "Front Door", "services": [ - "WAF", - "Subscriptions", - "Defender" + "FrontDoor" ], - "severity": "High", - "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Front Door", + "text": "Use caching for endpoints 
that support it.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant", + "guid": "34069d73-e4de-46c5-a36f-625f87575a56", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", "services": [ - "WAF", - "Subscriptions", - "Defender" + "FrontDoor" ], - "severity": "High", - "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", - "waf": "Security" + "severity": "Low", + "subcategory": "Front Door", + "text": "Disable health checks in single back-end pools. If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary. 
This is only recommended if you can't have multiple origins in your endpoint.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "c92d6786-cdd1-444d-9cad-934a192a276a", + "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports", + "service": "Front Door", "services": [ - "WAF", - "Subscriptions", - "Defender" + "Storage", + "FrontDoor" ], - "severity": "High", - "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Front Door", + "text": "We recommend using the Premium Tier for leveraging the Security reports while the Standard Azure Front Door Profile provides only traffic reports under built-in analytics/reports.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain", + "service": "Front Door", "services": [ - "WAF" + "AKV", + "FrontDoor" ], - "severity": "High", - "text": "Enable Endpoint Protection on IaaS Servers.", - "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", - "waf": "Security" + "severity": "Medium", + 
"subcategory": "Front Door", + "text": "Use wildcard TLS certificates when possible.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", + "service": "Front Door", "services": [ - "WAF", - "Monitor", - "Defender" + "FrontDoor" ], "severity": "Medium", - "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", - "waf": "Security" + "subcategory": "Front Door", + "text": "Optimize your application query string for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. 
Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece", + "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression", + "service": "Front Door", "services": [ - "WAF", - "Monitor", - "Entra" + "Storage", + "FrontDoor" ], "severity": "Medium", - "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", - "waf": "Security" + "subcategory": "Front Door", + "text": "Use file compression when you're accessing downloadable content.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", - "guid": "a56888b2-7e83-4404-bd31-b886528502d1", - "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", - 
"service": "Entra", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", + "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", + "link": "https://learn.microsoft.com/azure/cdn/tier-migration", + "service": "Front Door", "services": [ - "WAF", - "ACR", - "Entra" + "FrontDoor" ], "severity": "High", - "text": "Centralized threat detection with correlated logs - consolidate security data in a central location where it can be correlated across various services via SIEM (security information and event management)", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", - "services": [ - "WAF", - "Entra" - ], - "severity": "Medium", - "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.", - "waf": "Security" + "subcategory": "Front Door", + "text": "Consider migrating to Standard or Premium SKU if you are using Classic Azure Front Door currently as Classic Azure Front Door will be deprecated by March 2027.", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", + "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", + "service": "Front Door", "services": [ - "WAF", - "Entra" + "TrafficManager", + "Storage", + "FrontDoor" ], "severity": "Medium", - "text": "For Sovereign 
Landing Zone, enable customer Lockbox on the Entra ID tenant.", - "waf": "Security" + "subcategory": "Front Door", + "text": "Consider using Traffic Manager load balancing Azure Front Door and a third party CDN provider CDN profile for mission critical high availability scenario. ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", + "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", + "service": "Front Door", "services": [ - "WAF", - "Storage" + "AppSvc", + "FrontDoor" ], "severity": "High", - "text": "Enable secure transfer to storage accounts.", - "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "subcategory": "Front Door", + "text": "When using Front Door with origin as App services, consider locking down the traffic to app services only through Azure Front Door using access restrictions. ", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "category": "BCDR", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Ensure that your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. 
For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can also choose to encrypt the backup using a customer-managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope.", + "guid": "676f6951-0368-49e9-808d-c33a692c9a64", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data", "services": [ - "WAF", - "Storage" + "AKV", + "SQL", + "Backup" ], - "severity": "High", - "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", + "severity": "Medium", + "subcategory": "Azure Key Vault", + "text": "Protect your backup data with encryption and store keys safely in Azure Key Vault", "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", + "category": "BCDR", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database uses SQL Server technology to create full backups every week, differential backup every 12-24 hours, and transaction log backup every 5 to 10 minutes. 
By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region.", + "guid": "e2518261-b3bc-4bd1-b331-637fb2df833f", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups", "services": [ - "WAF", - "AKV", - "VM" + "Storage", + "SQL", + "Backup" ], - "severity": "High", - "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", - "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Backup", + "text": "Configure Azure SQL Database automated backups", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", + "category": "BCDR", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region. 
For SQL Database, the backup storage redundancy can be configured at the time of database creation or can be updated for an existing database; the changes made to an existing database apply to future backups only.", + "guid": "f8c7cda2-3ed7-43fb-a100-85dcd12a0ee4", + "link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy", "services": [ - "WAF" + "Storage", + "SQL", + "Backup" ], "severity": "Low", - "text": "Refer to baseline highly available zone-redundant web application architecture for best practices", - "waf": "Reliability" + "subcategory": "Backup", + "text": "Enable geo-redundant backup storage to protect against single region failure and data loss", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "category": "Code", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Malicious code can potentially circumvent security controls. Before deploying custom code to production, it is essential to review what's being deployed. Use a database tool like Azure Data Studio that supports source control. Implement tools and logic for code analysis, vulnerability and credential scanning.", + "guid": "7ca9f006-d2a9-4652-951c-de8e4ac5e76e", + "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", "services": [ - "WAF", - "Backup" + "SQL" ], "severity": "Medium", - "text": "Use Premium and Standard tiers. 
These tiers support staging slots and automated backups.", - "waf": "Reliability" + "subcategory": "Source Control and Code Review", + "text": "Use Source Control systems to store, maintain and review application code deployed inside Azure SQLDB Database", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", + "category": "Data Discovery and Classification", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "In case of classification requirements Purview is the preferred option. Only use SQL Data Discovery & Classification in case Purview is not an option. Discover columns that potentially contain sensitive data. What is considered sensitive data heavily depends on the customer, compliance regulation, etc., and needs to be evaluated by the users in charge of that data. Classify the columns to use advanced sensitivity-based auditing and protection scenarios. 
Review results of automated discovery and finalize the classification if necessary.", + "guid": "d401509b-2629-4484-9a7f-af0d29a7778f", + "link": "https://learn.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview?view=azuresql#faq---advanced-classification-capabilities", "services": [ - "WAF" + "SQL" ], - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Data Discovery and Classification", + "text": "Plan and configure Data Discovery & Classification to protect the sensitive data", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "category": "Data Masking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Usage of this feature is recommended only if column encryption is not an option and there is a specific requirement to preserve data types and formats. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. 
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer.", + "guid": "9391fd50-135e-453e-90a7-c1a23f88cc13", + "link": "https://learn.microsoft.com/azure/azure-sql/database/dynamic-data-masking-overview", "services": [ - "WAF" + "SQL" ], - "severity": "Medium", - "text": "Implement health checks", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Data Masking", + "text": "Use Data Masking to prevent unauthorized non-admin users data access if no encryption is possible", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "SQL Advanced Threat Detection (ATP) provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. 
When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Microsoft Defender for Cloud, which includes clear investigation and remediation steps for the specific threat.", + "guid": "4e52d73f-5d37-428f-b3a2-e6997e835979", + "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", "services": [ - "WAF", - "AppSvc", - "Backup" + "SQL", + "EventHubs", + "Defender" ], "severity": "High", - "text": "Refer to backup and restore best practices for Azure App Service", - "waf": "Reliability" + "subcategory": "Advanced Threat Protection", + "text": "Review and complete Advanced Threat Protection (ATP) configuration", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Enable Microsoft Defender for Azure SQL at the subscription level to automatically onboard and protect all existing and future servers and databases. When you enable on the subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected. You can then disable them individually if you choose. 
If you want to manually manage which databases are protected, disable at the subscription level and enable each database that you want protected.", + "guid": "dff87489-9edb-4cef-bdda-86e8212b2aa1", + "link": "https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql#enable-microsoft-defender-for-sql ", "services": [ - "WAF", - "AppSvc" + "SQL", + "Subscriptions", + "Defender" ], "severity": "High", - "text": "Implement Azure App Service reliability best practices", - "waf": "Reliability" + "subcategory": "Defender for Azure SQL", + "text": "Enable Microsoft Defender for Azure SQL", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Microsoft Defender for Azure SQL ATP detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
Alerts can be configured and generated and will be reported in the Defender for console.", + "guid": "ca342fdf-d25a-4427-b105-fcd50ff8a0ea", + "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", "services": [ - "WAF", - "AppSvc" + "SQL", + "Monitor", + "Defender" ], - "severity": "Low", - "text": "Familiarize with how to move an App Service app to another region During a disaster", - "waf": "Reliability" + "severity": "High", + "subcategory": "Defender for Azure SQL", + "text": "Prepare a security response plan to promptly react to Microsoft Defender for Azure SQL alerts", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQLDB vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. 
It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.", + "guid": "a6101ae7-534c-45ab-86fd-b34c55ea21ca", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview", "services": [ - "WAF", - "AppSvc" + "SQL", + "Monitor", + "Defender" ], "severity": "High", - "text": "Familiarize with reliability support in Azure App Service", - "waf": "Reliability" + "subcategory": "Vulnerability Assessment", + "text": "Configure Vulnerability Assessment (VA) findings and review recommendations", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL Databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. 
You can use the findings to remediate software vulnerabilities and disable findings.", + "guid": "c8c5f112-1e50-4f77-9264-8195b4cd61ac", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-find?view=azuresql", "services": [ - "WAF", - "AppSvc" + "SQL", + "Defender" ], - "severity": "Medium", - "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan", - "waf": "Reliability" + "severity": "High", + "subcategory": "Vulnerability Assessment", + "text": "Regularly review of Vulnerability Assessment (VA) findings and recommendations and prepare a plan to fix", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Always Encrypted with Secure Enclaves expands confidential computing capabilities of Always Encrypted by enabling in-place encryption and richer confidential queries. Always Encrypted with Secure Enclaves addresses these limitations by allowing some computations on plaintext data inside a secure enclave on the server side. 
Usage of this feature is recommended for the cases where you need to limit administrator access and need your queries to support more than equality matching of encrypted columns.", + "guid": "65d7e54a-10a6-4094-b673-9ff3809c9277", + "link": "https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves", "services": [ - "WAF", - "AppSvc", - "Monitor" + "SQL" ], "severity": "Medium", - "text": "Monitor App Service instances using Health checks", - "waf": "Reliability" + "subcategory": "Always Encrypted", + "text": "If protecting sensitive PII data from admin users is a key requirement, but Column Encryption limitations cannot be tolerated, consider the adoption of Always Encrypted with Secure Enclaves", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This approach is called column encryption, because you can use it to encrypt specific columns with different encryption keys. Doing so gives you more granular encryption capability than TDE, which encrypts data in pages. Using Always Encrypted to ensure sensitive data isn't exposed in plaintext in Azure SQL Database or SQL Managed Instance, even in memory/in use. 
Always Encrypted protects the data from Database Administrators (DBAs) and cloud admins (or bad actors who can impersonate high-privileged but unauthorized users) and gives you more control over who can access your data.", + "guid": "c03ce136-e3d5-4e17-bf25-ed955ee480d3", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption", "services": [ - "WAF", - "Monitor" + "AKV", + "Storage", + "SQL" ], - "severity": "Medium", - "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Column Encryption", + "text": "To protect sensitive PII data from non-admin users in specific table columns, consider using Column Encryption", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Enabled by default, Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application.", + "guid": "c614ac47-bebf-4061-b0a1-43e0c6b5e00d", + "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", "services": [ - "WAF", - "Monitor" + "Storage", + "SQL", + "Backup" ], - "severity": "Low", - "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", - "waf": "Reliability" + "severity": "High", + "subcategory": "Transparent Data 
Encryption", + "text": "Ensure Transparent Data Encryption (TDE) is kept enabled", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "If separation of duties in the management of keys and data within the organization is required, leverage Customer Managed Keys (CMK) for Transparent Data Encryption (TDE) for your Azure SQLDB and use Azure Key Vault to store (refer to its checklist). Leverage this feature when you have strict security requirements which cannot be met by the managed service keys.", + "guid": "2edb4165-4f54-47cc-a891-5c82c2f21e25", + "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview", "services": [ - "WAF", - "AppSvc", - "AKV" + "AKV", + "SQL" ], - "severity": "High", - "text": "Use Key Vault to store secrets", + "severity": "Medium", + "subcategory": "Transparent Data Encryption", + "text": "Use customer-managed keys (CMK) in Azure Key Vault (AKV) if you need increased transparency and granular control over the TDE protection", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + 
"category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The minimal Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses. It's possible to change the minimum TLS version by using the Azure portal, Azure PowerShell, and the Azure CLI.", + "guid": "7754b605-57fd-4bcb-8213-52c39d8e8225", + "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?source=recommendations&view=azuresql&tabs=azure-portal#minimal-tls-version", "services": [ - "WAF", - "AppSvc", - "AKV", - "Entra" + "SQL" ], "severity": "High", - "text": "Use Managed Identity to connect to Key Vault", + "subcategory": "Transport Layer Security", + "text": "Enforce minimum TLS version to the latest available", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Store the App Service TLS certificate in Key Vault.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Use Azure Active Directory (Azure AD) authentication for centralized identity management. 
Use SQL Authentication only if really necessary and document as exceptions.", + "guid": "c9b8b6bf-2c6b-453d-b400-de9a43a549d7", + "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview", "services": [ - "WAF", - "AppSvc", - "AKV" + "SQL", + "Entra" ], - "severity": "High", - "text": "Use Key Vault to store TLS certificate.", + "severity": "Medium", + "subcategory": "Azure Active Directory", + "text": "Leverage Azure AD authentication for connections to Azure SQL Databases", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Using Azure AD groups simplifies permission management and both the group owner, and the resource owner can add/remove members to/from the group. Create a separate group for Azure AD administrators for each logical server. 
Monitor Azure AD group membership changes using Azure AD audit activity reports.", + "guid": "29820254-1d14-4778-ae90-ff4aeba504a3", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities", "services": [ - "WAF", - "AppSvc", - "Subscriptions" + "SQL", + "Monitor", + "Entra" ], "severity": "Medium", - "text": "Isolate systems that process sensitive information", + "subcategory": "Azure Active Directory", + "text": "Create a separate Azure AD group with two admin accounts for each Azure SQL Database logical server", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Ensure that distinct system and user assigned managed identities, that are dedicated to the function, with least permissions assigned, are used for communication from Azure services and applications to the Azure SQLDB databases.", + "guid": "df3a09ee-03bb-4198-8637-d141acf5f289", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#minimize-the-use-of-password-based-authentication-for-applications", "services": [ - "WAF", - "TrafficManager", - "AppSvc" + "SQL", + "Entra" ], "severity": "Medium", - "text": "Do not store sensitive data on local disk", + "subcategory": "Azure Active Directory", + "text": "Minimize the use of password-based authentication for applications", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "For authenticated web 
application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "System or User assigned managed identities enable Azure SQLDB to authenticate to other cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based-access-control to the specific Azure SQLDB instance. Do not share user assigned managed identities across multiple services if not strictly required.", + "guid": "69891194-5074-4e30-8f69-4efc3c580900", + "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", "services": [ - "WAF", - "AppSvc", - "Entra" + "SQL", + "ACR", + "Entra", + "AKV", + "RBAC" ], - "severity": "Medium", - "text": "Use an established Identity Provider for authentication", + "severity": "Low", + "subcategory": "Managed Identities", + "text": "Assign Azure SQL Database a managed identity for outbound resource access", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. 
This avoids code that was not version controlled and verified to be deployed from a malicious host.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Use an Azure AD integrated authentication that eliminates the use of passwords. Password-based authentication methods are a weaker form of authentication. Credentials can be compromised or mistakenly given away. Use single sign-on authentication using Windows credentials. Federate the on-premises AD domain with Azure AD and use integrated Windows authentication (for domain-joined machines with Azure AD).", + "guid": "88287d4a-8bb8-4640-ad78-03f51354d003", + "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#active-directory-integrated-authentication", "services": [ - "WAF", - "AppSvc" + "SQL", + "Entra" ], - "severity": "High", - "text": "Deploy from a trusted environment", + "severity": "Medium", + "subcategory": "Passwords", + "text": "Minimize the use of password-based authentication for users", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The hash of the latest block in the database ledger is called the database digest. 
It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Confidential Ledger is one of the supported store, it can be used and supports automatic generation and storage of database digests. Azure Ledger provides advanced security features like Blockchain Ledger Proof and Confidential Hardware Enclaves. Use it only if advanced security features are required, otherwise revert to Azure storage.", + "guid": "0e853380-50ba-4bce-b2fd-5c7391c85ecc", + "link": "https://learn.microsoft.com/azure/architecture/guide/technology-choices/multiparty-computing-service#confidential-ledger-and-azure-blob-storage", "services": [ - "WAF", - "Entra" + "Storage", + "SQL" ], - "severity": "High", - "text": "Disable basic authentication", + "severity": "Medium", + "subcategory": "Database Digest", + "text": "Use Azure Confidential Ledger to store database digests only if advanced security features are required", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. 
Azure Blob Storage with Immutable Storage feature can be used and supports automatic generation and storage of database digests. To prevent tampering of your digest files, configure and lock a retention policy for your container.", + "guid": "afefb2d3-95da-4ac9-acf5-33d18b32ef9a", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-digest-management", "services": [ - "WAF", - "AKV", - "Entra" + "AzurePolicy", + "Storage", + "SQL" ], - "severity": "High", - "text": "Use Managed Identity to connect to resources", + "severity": "Medium", + "subcategory": "Database Digest", + "text": "If Azure storage account is used to store database digests, ensure security is properly configured", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Ledger provides a form of data integrity called forward integrity, which provides evidence of data tampering on data in your ledger tables. The database verification process takes as input one or more previously generated database digests. It then recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails. The failure indicates that the data has been tampered with. 
The verification process reports all inconsistencies that it detects.", + "guid": "f8d4ffda-8aac-4cc6-b72b-c81cb8625420", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-database-verification", "services": [ - "WAF", - "ACR", - "Entra" + "Storage", + "SQL" ], - "severity": "High", - "text": "Pull containers using a Managed Identity", + "severity": "Medium", + "subcategory": "Integrity", + "text": "Schedule the Ledger verification process regularly to verify data integrity", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The Ledger feature provides tamper-evidence capabilities in your database. You can cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with. 
Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators.", + "guid": "2563f498-e2d3-42ea-9e7b-5517881a06a2", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-overview", "services": [ - "WAF", - "AppSvc", - "Monitor", - "Entra" + "SQL" ], "severity": "Medium", - "text": "Send App Service runtime logs to Log Analytics", + "subcategory": "Ledger", + "text": "If cryptographic proof of data integrity is a critical requirement, Ledger feature should be considered", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Depending on the type of tampering, there are cases where you can repair the ledger without losing data. 
In the article contained in the --More Info-- column, different scenarios and recovery techniques are described.", + "guid": "804fc554-6554-4842-91c1-713b32f99902", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-how-to-recover-after-tampering", "services": [ - "WAF", - "AppSvc", - "Monitor", - "Entra" + "SQL" ], "severity": "Medium", - "text": "Send App Service activity logs to Log Analytics", + "subcategory": "Recovery", + "text": "Prepare a response plan to investigate and repair a database after a tampering event", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. Ensure to monitor the Firewall's logs.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. By default auditing policy includes all actions (queries, stored procedures and successful and failed logins) against the databases, which may result in high volume of audit logs. 
It's recommended for customers to configure auditing for different types of actions and action groups using PowerShell.", + "guid": "4082e31d-35f4-4a49-8507-d3172cc930a6", + "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ - "NVA", - "Firewall", - "WAF", - "Monitor", - "VNet" + "AzurePolicy", + "Storage", + "SQL" ], "severity": "Medium", - "text": "Outbound network access should be controlled", + "subcategory": "Auditing", + "text": "Ensure that Azure SQL Database Auditing is enabled at the server level", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. (Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database Auditing logs can be written to external storage accounts, Log Analytics workspace or Event Hub. Be sure to protect the target repository using backups and secured configuration. Use Azure SQL Database Managed Identity to access the storage and set an explicit retention period. Do not grant permissions to administrators to the audit log repository. Use a different target storage for --Enabling Auditing of Microsoft support operations--. 
", + "guid": "9b64bc50-b60f-4035-bf7a-28c4806dfb46", + "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ + "SQL", + "Entra", "Storage", - "NVA", - "Firewall", - "WAF", - "PrivateLink", - "VNet" + "EventHubs", + "Backup", + "Monitor" ], "severity": "Low", - "text": "Ensure a stable IP for outbound communications towards internet addresses", + "subcategory": "Auditing", + "text": "Ensure that Azure SQL Database Auditing logs are backed up and secured in the selected repository type", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified. 
It is recommended to send this activity log to the same external storage repository as the Azure SQL Database Audit Log (storage account, Log Analytics workspace, Event Hub).", + "guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "WAF", - "AppSvc", - "PrivateLink" + "SQL", + "Storage", + "EventHubs", + "Subscriptions", + "Monitor" ], - "severity": "High", - "text": "Inbound network access should be controlled", + "severity": "Medium", + "subcategory": "Auditing", + "text": "Ensure that Azure SQL Database Activity Log is collected and integrated with Auditing logs", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR). Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.", + "guid": "f96e127e-9572-453a-b325-ff89ae9f6b44", + "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ - "AppSvc", - "FrontDoor", - "WAF", - "Monitor", - "AppGW" + "SQL", + "Monitor" ], - "severity": "High", - "text": "Use a WAF in front of App Service", + "severity": "Medium", + "subcategory": "SIEM/SOAR", + "text": "Ensure that Azure SQL Database Auditing logs are being presented in to your organizations SIEM/SOAR", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR), which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.", + "guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "WAF", - "PrivateLink" + "SQL", + "Monitor" ], - "severity": "High", - "text": "Avoid for WAF to be bypassed", + "severity": "Medium", + "subcategory": "SIEM/SOAR", + "text": "Ensure that Azure SQL Database Activity Log data is presented in to your SIEM/SOAR", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Set minimum TLS policy to 1.2 in App Service configuration.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Security Operation Center (SOC) team should create an incident response plan (playbooks or manual responses) to investigate and mitigate tampering, malicious activities, and other anomalous behaviors.", + "guid": "19ec7c97-c563-4e1d-82f0-54d6ec12e754", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "WAF", - "AppSvc", - "AzurePolicy" + "SQL", + "EventHubs" ], "severity": "Medium", - "text": "Set minimum TLS policy to 1.2", + "subcategory": "SIEM/SOAR", + "text": "Ensure that you have response plans for malicious or aberrant audit logging events", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. 
Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "When you create a logical server from the Azure portal for Azure SQL Database, the result is a public endpoint that is visible and reachable over the public network (Public Access). You can then limit connectivity based on firewall rules and Service Endpoint. You can also configure private connectivity only limiting connections to internal networks using Private Endpoint (Private Access). Private Access using Private Endpoint should be the default unless a business case or performance/technical reason applies that cannot support it. Usage of Private Endpoints has performance implications that need to be considered and assessed.", + "guid": "2c6d356a-1784-475b-a42c-ec187dc8c925", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", "services": [ - "WAF", - "AppSvc" + "PrivateLink", + "SQL" ], "severity": "High", - "text": "Use HTTPS only", + "subcategory": "Connectivity", + "text": "Review Public vs. Private Access connectivity methods and select the appropriate one for the workload", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). 
Specifically only allow the origins that you expect to be able to access the service.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "IMPORTANT: Connections to private endpoint only support Proxy as the connection policy. When using private endpoints connections are proxied via the Azure SQL Database gateway to the database nodes. Clients will not have a direct connection.", + "guid": "557b3ce5-bada-4296-8d52-a2d447bc1718", + "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-architecture", "services": [ - "WAF", - "Storage" + "AzurePolicy", + "PrivateLink", + "SQL" ], - "severity": "High", - "text": "Wildcards must not be used for CORS", + "severity": "Low", + "subcategory": "Connectivity", + "text": "Keep default Azure SQL Database Connection Policy if not differently required and justified", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. Note that the service does turn of remote debugging automatically after 48 hours.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. 
If you select this option, make sure that your login and user permissions limit access to authorized users only. If not strictly required, keep this setting to OFF.", + "guid": "f48efacf-4405-4e8d-9dd0-16c5302ed082", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", "services": [ - "WAF" + "SQL", + "Subscriptions" ], "severity": "High", - "text": "Turn off remote debugging", + "subcategory": "Connectivity", + "text": "Ensure Allow Azure Services and Resources to Access this Server setting is disabled in Azure SQL Database firewall", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database has a new built-in feature that allows native integration with external REST endpoints. This means that integration of Azure SQL Database with Azure Functions, Azure Logic Apps, Cognitive Services, Event Hubs, Event Grid, Azure Containers, API Management and in general any REST or even GraphQL endpoint. If not properly restricted, code inside an Azure SQL Database database could leverage this mechanism to exfiltrate data. 
If not strictly required, it is recommended to block or restrict this feature using Outbound Firewall Rules.", + "guid": "cb3274a7-e36d-46f6-8de5-46d30c8dde8e", + "link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql", "services": [ - "WAF", - "AppSvc", - "Defender" + "SQL", + "EventHubs", + "APIM" ], "severity": "Medium", - "text": "Enable Defender for Cloud - Defender for App Service", + "subcategory": "Outbound Control", + "text": "Block or restrict outbound REST API calls to external endpoints", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Outbound firewall rules limit network traffic from the Azure SQL Database logical server to a customer defined list of Azure Storage accounts and Azure SQL Database logical servers. 
Any attempt to access storage accounts or databases not in this list is denied.", + "guid": "a566dd3d-314e-4a94-9378-102c42d82b38", + "link": "https://learn.microsoft.com/azure/azure-sql/database/outbound-firewall-rule-overview", "services": [ - "NVA", - "EventHubs", - "WAF", - "DDoS", - "AppGW", - "VNet" + "Storage", + "SQL" ], "severity": "Medium", - "text": "Enable DDOS Protection Standard on the WAF VNet", + "subcategory": "Outbound Control", + "text": "If outbound network access is required, it is recommended to configure outbound networking restrictions using built-in Azure SQL Database control feature", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Private Endpoint is created inside a subnet in an Azure Virtual Network. 
Proper security configuration must be applied also to the containing network environment, including NSG/ASG, UDR, firewall, monitoring and auditing.", + "guid": "246cd832-f550-4af0-9c74-ca9baeeb8860", + "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", "services": [ - "WAF", - "ACR", + "SQL", "PrivateLink", - "VNet" + "Firewall", + "VNet", + "Monitor" ], "severity": "Medium", - "text": "Pull containers over a Virtual Network", + "subcategory": "Private Access", + "text": "If Private Access connectivity is used, ensure that you are using the Private Endpoint, Azure Virtual Network, Azure Firewall, and Azure Network Security Group checklists", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "When adding a Private Endpoint connection, public routing to your logical server isn't blocked by default. In the --Firewall and virtual networks-- pane, the setting --Deny public network access-- is not selected by default. 
To disable public network access, ensure that you select --Deny public network access--.", + "guid": "3a0808ee-ea7a-47ab-bdce-920a6a2b3881", + "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", "services": [ - "WAF" + "PrivateLink", + "SQL", + "VNet" ], - "severity": "Medium", - "text": "Conduct a penetration test", + "severity": "High", + "subcategory": "Private Access", + "text": "If Private Endpoint (Private Access) is used, consider disabling Public Access connectivity", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Network Security Group (NSG) and Application Security Group (ASG) can be now applied to subnet containing Private Endpoints to restrict connections to Azure SQLDB based on internal source IP ranges.", + "guid": "8600527e-e8c4-4424-90ef-1f0dca0224f2", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints", "services": [ - "WAF" + "PrivateLink", + "SQL", + "VNet" ], "severity": "Medium", - "text": "Deploy validated code", + "subcategory": "Private Access", + "text": "If Private Endpoint (Private Access) is used, apply NSG and eventually ASG to limit incoming source IP address ranges", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": 
"114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. Applications and tools that are in the same or peered virtual network in the same region could access it directly. Applications and tools that are in different region could use virtual-network-to-virtual-network connection or ExpressRoute circuit peering to establish connection. Customer should use Network Security Groups (NSG), and eventually internal firewalls, to restrict access over port 1433 only to resources that require access to a managed instance.", + "guid": "18123ef4-a0a6-45e3-87fe-7f454f65d975", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview", "services": [ - "WAF" + "ExpressRoute", + "SQL", + "VNet" ], - "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", + "severity": "Medium", + "subcategory": "Private Access", + "text": "Apply Network Security Groups (NSG) and firewall rules to restrict access to Azure SQL Managed Instance internal subnet", "waf": "Security" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "WAF checklist", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure Virtual Network Service Endpoint is preferred solution if you want to establish a direct connection to the Azure SQL Database backend nodes using Redirect policy. 
This will allow access in high performance mode and is the recommended approach from a performance perspective.", + "guid": "55187443-6852-4fbd-99c6-ce303597ca7f", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview?view=azuresql#ip-vs-virtual-network-firewall-rules", "services": [ - "WAF" + "AzurePolicy", + "SQL", + "VNet" ], "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", - "waf": "Reliability" - }, + "subcategory": "Public Access", + "text": "If Public Access connectivity is used, leverage Service Endpoint to restrict access from selected Azure Virtual Networks", + "waf": "Security" + }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "WAF checklist", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted. This approach is fine for stable IP addresses that are outside the Azure private network.", + "guid": "a73e32da-b3f4-4960-b5ec-2f42a557bf31", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", "services": [ - "WAF" + "Storage", + "SQL" ], "severity": "Medium", - "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" + "subcategory": "Public Access", + "text": "If Public Access connectivity is used, ensure that only specific known IPs are added to the firewall", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "WAF checklist", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "We recommend that you use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.", + "guid": "e0f31ac9-35c8-4bfd-9865-edb60ffc6768", + "link": "https://learn.microsoft.com/azure/azure-sql/database/firewall-configure", "services": [ - "WAF" + "Storage", + "SQL" ], - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Public Access", + "text": "If Public Access connectivity is used and controlled by Azure SQL Database firewall rules, use database-level over server-level IP rules", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "WAF checklist", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external 
access. The Managed Instance public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. If company policy disallows the use of public endpoints, use Azure Policy to prevent enabling public endpoints in the first place.", + "guid": "b8435656-143e-41a8-9922-61d34edb751a", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", "services": [ - "WAF" + "AzurePolicy", + "SQL", + "VNet" ], "severity": "High", - "text": "Learn how to trigger a manual failover.", - "waf": "Reliability" + "subcategory": "Public Access", + "text": "Do not enable Azure SQL Managed Instance public endpoint", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "WAF checklist", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "A Managed Instance (SQL MI) public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. 
In this case, it is recommended to apply a Network Security Groups (NSG) to restrict access to port 3342 only to trusted source IP addresses.", + "guid": "057dd298-8726-4aa6-b590-1f81d2e30421", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", "services": [ - "WAF" + "SQL", + "VNet" ], "severity": "High", - "text": "Learn how to fail back after a failover.", - "waf": "Reliability" + "subcategory": "Public Access", + "text": "Restrict access if Azure SQL Managed Instance public endpoint is required", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachineScaleSets", - "checklist": "WAF checklist", - "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", - "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", - "service": "VMSS", + "category": "Privileged Access", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Most operations, support, and troubleshooting performed by Microsoft personnel and sub-processors do not require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. 
In support scenarios where Microsoft needs to access customer data, Azure SQL Database supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.", + "guid": "37b6eb0f-553d-488f-8a8a-cb9bf97388ff", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", "services": [ - "WAF", - "VM" + "SQL" ], "severity": "Low", - "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", - "waf": "Reliability" + "subcategory": "Lockbox", + "text": "Review and enable Customer Lockbox for Azure SQL Database access by Microsoft personnel", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", - "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", - "service": "VM", + "category": "Privileged Access", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The principle of least privilege states that users shouldn't have more privileges than needed to complete their tasks. High-privileged database and server users can perform many configuration and maintenance activities on the database and can also drop databases in Azure SQL instance. 
Tracking database owners and privileged accounts is important to avoid having excessive permission.", + "guid": "5fe5281f-f0f9-4842-a682-8baf18bd8316", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#implement-principle-of-least-privilege", "services": [ - "WAF", - "Backup", - "VM" + "SQL" ], - "severity": "High", - "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Permissions", + "text": "Ensure that users are assigned the minimum level of access necessarily to complete their job functions", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", - "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "VM", + "category": "Privileged Access", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Identities (both Users and SPNs) should be scoped to the least amount of access needed to perform the function. A higher number of tightly scoped SPNs should be used, instead of having one SPN with multiple sets of unrelated permissions. For example, if there are three external web applications hosted on-prem that make queries to the Azure SQL Database, they should not all use the same SPN for these activities. 
Instead, they should each have their own tightly scoped SPN.", + "guid": "7b5b55e5-4750-4920-be97-eb726c256a5c", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#im-3-use-azure-ad-single-sign-on-sso-for-application-access", "services": [ - "WAF", - "VM" + "SQL", + "Entra" ], - "severity": "High", - "text": "Use Premium or Ultra disks for production VMs", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Permissions", + "text": "Ensure that distinct applications will be assigned different credentials with minimal permissions to access Azure SQL Database", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", - "guid": "b31e38c3-f298-412b-8363-cffe179b599d", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", - "service": "VM", + "category": "Application Deployment", + "checklist": "Azure AKS Review", + "guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks", "services": [ - "WAF", - "VM" + "AKS" ], - "severity": "High", - "text": "Ensure Managed Disks are used for all VMs", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Development", + "text": "Use canary or blue/green deployments", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", - "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", - "service": "VM", + "category": "Application Deployment", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", "services": [ - "WAF", - "SQL", - "Storage", - "VM" + "AKS" ], - "severity": "Medium", - "text": "Do not use the Temp disk for anything that is not acceptable to be lost", + "severity": "Low", + "subcategory": "Development", + "text": "If required for AKS Windows workloads HostProcess containers can be used", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "category": "Application Deployment", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", "services": [ - "WAF", - "ACR", - "Storage", - "VM" + "AKS" ], - "severity": "Medium", - "text": "Leverage Availability Zones for your VMs in regions where they are supported", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Development", + "text": "Use KEDA if running event-driven workloads", + "waf": "Performance" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault 
and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", + "category": "Application Deployment", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", "services": [ - "WAF", - "VM" + "AKS" ], - "severity": "Medium", - "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Development", + "text": "Use Dapr to ease microservice development", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "category": "Application Deployment", + "checklist": "Azure AKS Review", + "guid": "3acbe04b-be20-49d3-afda-47778424d116", + "link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks", "services": [ - "WAF", - "ASR", - "VM" + "AKS" ], - "severity": "High", - "text": "Avoid running a production workload on a single VM", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Infrastructure as Code", + "text": "Use automation through ARM/TF to create your Azure resources", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": 
"https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "36cb45e5-7960-4332-9bdf-8cc23318da61", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", "services": [ - "WAF", - "AVS", - "ASR", - "VM" + "AKS", + "ASR" ], "severity": "High", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", + "subcategory": "Disaster Recovery", + "text": "Schedule and perform DR tests regularly", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", - "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "170265f4-bb46-4a39-9af7-f317284797b1", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", "services": [ - "WAF" + "TrafficManager", + "AKS", + "LoadBalancer", + "FrontDoor" ], - "severity": "Low", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", + "severity": "Medium", + "subcategory": "High Availability", + "text": "Use Azure Traffic Manager or Azure Front Door as a global load balancer for region failover", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": 
"e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "graph": "resources | where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(properties.agentPoolProfiles[0].availabilityZones) | distinct id,compliant", + "guid": "578a219a-46be-4b54-9350-24922634292b", + "link": "https://learn.microsoft.com/azure/aks/availability-zones", "services": [ - "WAF", - "ASR", - "VM" + "AKS" ], "severity": "Medium", - "text": "Increase quotas in DR region before testing failover with ASR", + "subcategory": "High Availability", + "text": "Use Availability Zones if they are supported in your Azure region", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "services": [ - "WAF", - "VM" + "AKS" ], - "severity": "Low", - "text": "Utilize Scheduled Events to prepare for VM maintenance", + "severity": "High", + "subcategory": "High Availability", + "text": "Use the SLA-backed AKS offering", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "WAF", - "Storage" + "AKS", + "Cost" ], - "severity": "Medium", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", + "severity": "Low", + "subcategory": "High Availability", + "text": "Use Disruption Budgets in your pod and deployment definitions", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "services": [ - "WAF", - "Storage" + "AKS", + "ACR" ], - "severity": "Low", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", + "severity": "High", + "subcategory": "High Availability", + "text": "If using a private registry, configure region replication to store images in multiple regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF 
checklist", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "daa9a260-c3ea-4490-b077-5fc1f2a80cb0", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", "services": [ - "WAF", - "Storage" + "Storage", + "AKS", + "ASR" ], - "severity": "Low", - "text": "Enable soft delete for Storage Account Containers", + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Use Zone-Redundant Storage (ZRS) with stateful workloads", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "bc14aea6-e65d-48d9-a3ad-c218e6436b06", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", "services": [ - "WAF", - "Storage" + "AKS" ], - "severity": "Low", - "text": "Enable soft delete for blobs", + "severity": "High", + "subcategory": "Requirements", + "text": "Define non-functional requirements such as SLAs, RTO (Recovery Time Objective) and RPO (Recovery Point Objective).", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF 
checklist", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Azure Backup", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", "services": [ - "WAF", - "Backup" + "AKS", + "Cost" ], - "severity": "Medium", - "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Cost", + "text": "Use an external application such as kubecost to allocate costs to different users", + "waf": "Cost" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Azure Backup", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", "services": [ - "WAF", - "Backup" + "AKS", + "Cost" ], "severity": "Low", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", - "waf": "Reliability" + "subcategory": "Cost", + "text": "Use scale down mode to 
delete/deallocate nodes", + "waf": "Cost" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Azure Backup", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "services": [ - "WAF", - "Storage", - "Backup" + "AKS", + "Cost" ], - "severity": "Low", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Cost", + "text": "When required use multi-instance partitioning GPU on AKS Clusters", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF checklist", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", "services": [ - "WAF", - "ACR", - "DNS", - "ASR" + "AKS", + "Cost" ], "severity": "Low", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", - "waf": "Reliability" + "subcategory": "Cost", + "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "waf": "Cost" }, { - "arm-service": "Microsoft.PowerBI/gateways", - "checklist": "WAF checklist", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "services": [ - "WAF", - "ACR" + "AzurePolicy", + "AKS" ], "severity": "Medium", - "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Use Azure Policy for Kubernetes to ensure cluster 
compliance", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "services": [ - "WAF", - "NVA" + "AKS" ], - "severity": "High", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Compliance", + "text": "Separate applications from the control plane with user/system node pools", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "services": [ - "WAF", - "AKV", - "Backup" + "AKS" ], - "severity": "High", - "text": "Familiarize yourself with the Key 
Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Compliance", + "text": "Add taint to your system nodepool to make it dedicated", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "services": [ - "WAF", - "ACR", - "AKV" + "AKS", + "ACR" ], "severity": "Medium", - "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Use a private registry for your images, such as ACR", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "services": [ - "WAF", - "AKV" + "AKS" ], "severity": "Medium", - "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Scan your images for vulnerabilities", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "cc639637-a652-42ac-89e8-06965388e9de", + "link": "https://learn.microsoft.com/azure/security-center/container-security", "services": [ - "WAF", - "AKV", - "AzurePolicy" + "AKS", + "Defender" ], "severity": "Medium", - "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Use Azure Security Center to detect security posture vulnerabilities", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "42d4aefe-2383-470e-b019-c30df24996b2", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool", "services": [ - "Backup", - "Storage", - "WAF", - "AKV", - "Subscriptions" + "AKS" ], - "severity": "Medium", - "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. 
To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "If required configure FIPS",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "WAF checklist",
- "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e",
- "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
- "service": "Key Vault",
+ "category": "Governance and Security",
+ "checklist": "Azure AKS Review",
+ "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
+ "service": "AKS",
 "services": [
- "WAF",
- "AKV"
+ "AKS"
 ],
 "severity": "High",
- "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.",
- "waf": "Reliability"
+ "subcategory": "Compliance",
+ "text": "Define app separation requirements (namespace/nodepool/cluster)",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "WAF checklist",
- "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
- "service": "Key Vault",
+ "category": "Governance and Security",
+ "checklist": "Azure AKS Review",
+ "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
+ "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
+ "service": "AKS",
 "services": [
- "WAF",
- "AKV"
+ "AKV",
+ "AKS"
 ],
- "severity": "Low",
- "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Secrets",
+ "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "WAF checklist",
- "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
- "service": "Key Vault",
+ "category": "Governance and Security",
+ "checklist": "Azure AKS Review",
+ "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
+ "link": "https://learn.microsoft.com/azure/aks/update-credentials",
+ "service": "AKS",
 "services": [
- "WAF",
 "AKV",
- "Backup"
+ "AKS"
 ],
- "severity": "Low",
- "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Secrets",
+ "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "WAF checklist",
- "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04",
- "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
- "service": "Key Vault",
+ "category": "Governance and Security",
+ "checklist": "Azure AKS Review",
+ "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
+ "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
+ "service": "AKS",
 "services": [
- "WAF",
 "AKV",
- "Backup"
+ "AKS"
 ],
- "severity": "Low",
- "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Secrets",
+ "text": "If required add Key Management Service etcd encryption",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "WAF checklist",
- "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3",
- "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection",
- "service": "Key Vault",
+ "category": "Governance and Security",
+ "checklist": "Azure AKS Review",
+ "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
+ "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
+ "service": "AKS",
 "services": [
- "WAF",
 "AKV",
- "EventHubs"
+ "AKS"
 ],
- "severity": "Medium",
- "text": "Purge protection is recommended when using keys for encryption to prevent data loss. 
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Secrets",
+ "text": "If required consider using Confidential Compute for AKS",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "WAF checklist",
- "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant",
- "guid": "d0642c1c-312b-4116-94ab-439e1c836819",
- "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli",
- "service": "Key Vault",
+ "category": "Governance and Security",
+ "checklist": "Azure AKS Review",
+ "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
+ "service": "AKS",
 "services": [
- "WAF",
 "AKV",
- "RBAC"
+ "AKS",
+ "Defender"
 ],
 "severity": "Medium",
- "text": "RBAC is recommended to control access to your key vault. 
Familiarize yourself with the Key Vault's access control guidance.",
+ "subcategory": "Secrets",
+ "text": "Consider using Defender for Containers",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Kusto/clusters",
- "checklist": "WAF checklist",
- "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage",
- "guid": "ba7da7be-9951-4914-a384-5d997cb39132",
- "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export",
- "service": "Azure Data Explorer",
+ "category": "Identity and Access Management",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
+ "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
+ "service": "AKS",
 "services": [
- "WAF",
- "Storage",
- "Cost"
+ "AKS",
+ "Entra"
 ],
- "text": "Leverage External Tables and Continuous data export overview to reduce costs",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Identity",
+ "text": "Use managed identities instead of Service Principals",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Kusto/clusters",
- "checklist": "WAF checklist",
- "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. 
If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.",
- "guid": "56a22586-f490-4641-addd-ea8a377cdeb3",
- "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp",
- "service": "Azure Data Explorer",
+ "category": "Identity and Access Management",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
+ "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad",
+ "service": "AKS",
 "services": [
- "WAF",
- "Storage"
+ "AKS",
+ "Entra"
 ],
- "text": "To share data, explore Leader-follower cluster configuration",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Identity",
+ "text": "Integrate authentication with AAD (using the managed integration)",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Kusto/clusters",
- "checklist": "WAF checklist",
- "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.",
- "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6",
- "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters",
- "service": "Azure Data Explorer",
+ "category": "Identity and Access Management",
+ "checklist": "Azure AKS Review",
+ "guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
+ "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
+ "service": "AKS",
 "services": [
- "WAF",
- "ASR"
+ "AKS",
+ "Entra"
 ],
- "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Identity",
+ "text": "Limit access to admin kubeconfig (get-credentials --admin)",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Kusto/clusters",
- "checklist": "WAF checklist",
- "guid": "436b0635-cb45-4e57-a603-324ace8cc123",
- "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities",
- "service": "Azure Data Explorer",
+ "category": "Identity and Access Management",
+ "checklist": "Azure AKS Review",
+ "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
+ "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
+ "service": "AKS",
 "services": [
- "WAF",
- "Storage",
- "RBAC"
+ "RBAC",
+ "AKS",
+ "Entra"
 ],
- "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Identity",
+ "text": "Integrate authorization with AAD RBAC",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Kusto/clusters",
- "checklist": "WAF checklist",
- "guid": "18ca6017-0265-4f4b-a46a-393af7f31728",
- "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution",
- 
"service": "Azure Data Explorer", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "services": [ - "WAF" + "RBAC", + "AKS", + "Entra" ], - "text": "Ingest data into each cluster in parallel", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Azure Data Explorer", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "services": [ - "WAF", - "ACR" + "AKS", + "Entra" ], - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.",
- "guid": "563a4dc7-4a74-48b6-922a-d190916a6649",
- "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration",
- "service": "Azure Data Explorer",
+ "category": "Identity and Access Management",
+ "checklist": "Azure AKS Review",
+ "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin",
+ "service": "AKS",
 "services": [
- "WAF",
- "ACR"
+ "AKS",
+ "Entra"
 ],
- "text": "For critical applications, create Active-Active configuration in two paired regions",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Identity",
+ "text": "For AKS non-interactive logins use kubelogin (preview)",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Kusto/clusters",
- "checklist": "WAF checklist",
- "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.",
- "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708",
- "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration",
- "service": "Azure Data Explorer",
+ "category": "Identity and Access Management",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
+ "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
+ "service": "AKS",
 "services": [
- "WAF"
+ "AKS",
+ "Entra"
 ],
- "text": "For applications, which required only read during failure, create Active-Hot standby configuration",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Identity",
+ "text": "Disable AKS local accounts",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Kusto/clusters",
- "checklist": "WAF checklist",
- "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.",
- "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba",
- "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration",
- "service": "Azure Data Explorer",
+ "category": "Identity and Access Management",
+ "checklist": "Azure AKS Review",
+ "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
+ "service": "AKS",
 "services": [
- "Storage",
- "AzurePolicy",
- "WAF",
- "Cost",
- "ASR"
+ "AKS",
+ "Entra"
 ],
- "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Identity",
+ "text": "Configure if required Just-in-time cluster access",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Kusto/clusters",
- "checklist": "WAF checklist",
- "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.",
- "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757",
- "link": "https://learn.microsoft.com/azure/data-explorer/devops",
- "service": "Azure Data Explorer",
+ "category": "Identity and Access Management",
+ "checklist": "Azure AKS Review",
+ "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks",
+ "service": "AKS",
 "services": [
- "WAF",
- "AzurePolicy"
+ "AKS",
+ "Entra"
 ],
- "text": "Wrap DevOps and source control around all your code",
- "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Identity",
+ 
"text": "Configure if required AAD conditional access for AKS", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", "services": [ - "WAF" + "AKS", + "Entra" ], - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Identity", + "text": "If required for Windows AKS workloads configure gMSA ", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "services": [ - "WAF" + "AKS", + "Entra" ], - "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments",
- "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Identity",
+ "text": "For finer control consider using a managed Kubelet Identity",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
- "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
+ "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
+ "service": "AKS",
 "services": [
- "WAF",
- "SAP"
+ "AppGW",
+ "AKS",
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
- "waf": "Operations"
- },
- {
- "checklist": "WAF checklist",
- "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
- "service": "SAP",
- "services": [
- "WAF",
- "SAP"
- ],
- "severity": "Medium",
- "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.",
- "training": "https://github.com/Azure/sap-automation",
- "waf": "Operations"
- },
- {
- "checklist": "WAF checklist",
- "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
- "service": "SAP",
- "services": [
- "WAF",
- "SAP"
- ],
- "severity": "Medium",
- "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
- "waf": "Reliability"
- },
- {
- "checklist": "WAF checklist",
- "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
- "service": "SAP",
- "services": [
- "WAF",
- "Backup"
- ],
- "severity": "Medium",
- "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.",
+ "subcategory": "Best practices",
+ "text": "If using AGIC, do not share an AppGW across clusters",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "b651423c-8552-42db-a545-5cb50c05527a",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
+ "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
+ "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
+ "service": "AKS",
 "services": [
- "Storage",
- "WAF",
- "SQL",
- "Backup",
- "SAP",
- "ASR"
+ "AKS"
 ],
 "severity": "High",
- "text": "You 
can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "subcategory": "Best practices",
+ "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
+ "service": "AKS",
 "services": [
- "WAF",
- "SAP"
+ "AKS"
 ],
 "severity": "Medium",
- "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
- "waf": "Reliability"
+ "subcategory": "Best practices",
+ "text": "For Windows workloads use Accelerated Networking",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
+ "guid": "ba7da7be-9952-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
 "services": [
- "WAF",
- "ExpressRoute",
- "VPN",
- "ASR"
+ "AKS",
+ "LoadBalancer"
 ],
 "severity": "High",
- "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.",
- "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
+ "subcategory": "Best practices",
+ "text": "Use the standard ALB (as opposed to the basic one)",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
+ "service": "AKS",
 "services": [
- "WAF",
- "ACR",
- "AKV"
+ "AKS",
+ "VNet"
 ],
- "severity": "Low",
- "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Best practices",
+ "text": "If using Azure CNI, consider using different Subnets for NodePools",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
+ "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
+ "service": "AKS",
 "services": [
- "WAF",
- "ASR",
- "SAP",
- "VNet"
+ "PrivateLink",
+ "AKS",
+ "VNet",
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.",
- "waf": "Reliability"
+ "subcategory": "Cost",
+ "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "e8a03f97-8794-468d-96a7-86d60f96c97b",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
 "services": [
- "WAF",
- "Storage",
- "SAP"
+ "AKS",
+ "VPN"
 ],
- "severity": "Low",
- "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.",
- "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria",
+ "severity": "Medium",
+ "subcategory": "HA",
+ "text": "If hybrid connectivity is required, use 2xER or ER+VPN for better availability",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
+ "guid": "a0f61565-9de5-458f-a372-49c831112dbd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 
"services": [ - "WAF" + "AKS" ], "severity": "High", - "text": "Native database replication technology should be used to synchronize the database in a HA pair.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "subcategory": "IPAM", + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "WAF", + "AKS", "VNet" ], "severity": "High", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Reliability" + "subcategory": "IPAM", + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "WAF", - "Entra", - "ASR", - "VM" + "AKS" ], "severity": "High", - "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
- "waf": "Reliability"
+ "subcategory": "IPAM",
+ "text": "If using Azure CNI, check the maximum pods/node (default 30)",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .",
+ "guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
+ "link": "https://learn.microsoft.com/azure/aks/internal-lb",
+ "service": "AKS",
 "services": [
- "WAF",
- "SAP"
+ "AKS",
+ "VNet"
 ],
- "severity": "High",
- "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "IPAM",
+ "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "services": [
- "WAF",
- "SAP"
+ "AKS"
 ],
 "severity": "High",
- "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "subcategory": "IPAM",
+ "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f",
+ "link": "https://learn.microsoft.com/azure/aks/use-byo-cni",
+ "service": "AKS",
 "services": [
- "WAF",
- "Storage",
- "VM"
+ "AKS"
 ],
- "severity": "High",
- "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Operations",
+ "text": "If required add your own CNI plugin",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools",
+ "service": "AKS",
 "services": [
- "WAF",
- "Storage",
- "SAP"
+ "AKS"
 ],
- "severity": "High",
- "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Operations",
+ "text": "If required configure Public IP per node in AKS",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b",
- "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-network",
+ "service": "AKS",
 "services": [
- "WAF",
- "SAP"
+ "AKS"
 ],
- "severity": "High",
- "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "severity": "Medium",
+ "subcategory": "Scalability",
+ "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "ccb534e7-416e-4a1d-8e93-533b53199085",
+ "link": "https://learn.microsoft.com/azure/aks/nat-gateway",
+ "service": "AKS",
 "services": [
- "WAF",
- "SAP",
- "LoadBalancer"
+ "AKS"
 ],
- "severity": "High",
- "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "severity": "Low",
+ "subcategory": "Scalability",
+ "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support",
+ "service": "AKS",
 "services": [
- "WAF",
- "LoadBalancer"
+ "AKS"
 ],
- "severity": "High",
- "text": "Make sure the Floating IP is enabled on the Load balancer",
- "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "severity": "Medium",
+ "subcategory": "Scalability",
+ "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
+ "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
+ "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
+ "service": "AKS",
 "services": [
- "WAF"
+ "NVA",
+ "AKS"
 ],
 "severity": "High",
- "text": "Before 
you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
- "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
+ "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
+ "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
+ "service": "AKS",
 "services": [
- "WAF",
- "SAP",
- "Entra",
- "VM"
+ "AKS"
 ],
- "severity": "High",
- "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Security",
+ "text": "If using a public API endpoint, restrict the IP addresses that can access it",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "SAP",
+ "category": "Network 
Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
+ "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
+ "link": "https://learn.microsoft.com/azure/aks/private-clusters",
+ "service": "AKS",
 "services": [
- "WAF",
- "Entra",
- "RBAC",
- "VM"
+ "AKS"
 ],
 "severity": "High",
- "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "Use private clusters if your requirements mandate it",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86",
- "link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
+ "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
 "services": [
- "WAF"
+ "AzurePolicy",
+ "AKS"
 ],
 "severity": "Medium",
- "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "For 
Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "9674e7c7-7796-4181-8920-09f4429543ba",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
+ "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
 "services": [
- "WAF",
- "VM"
+ "AzurePolicy",
+ "AKS"
 ],
 "severity": "High",
- "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "Enable a Kubernetes Network Policy option (Calico/Azure)",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "services": [
- "WAF",
- "Entra",
- "SAP"
+ "AzurePolicy",
+ "AKS"
 ],
 "severity": "High",
- "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "Use Kubernetes network policies to increase intra-cluster security",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "services": [
- "WAF",
- "ACR",
- "SAP"
+ "AKS",
+ "WAF"
 ],
 "severity": "High",
- "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "Use a WAF for web workloads (UIs or APIs)",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
+ "service": "AKS",
 "services": [
- "WAF",
- "Entra",
- "SAP"
+ "DDoS",
+ "AKS",
+ "VNet"
 ],
- "severity": "High",
- "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Security",
+ "text": "Use DDoS Standard in the AKS Virtual Network",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "ed46b937-913e-4018-9c62-8393ab037e53",
- "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
 "services": [
- "WAF",
- "Entra",
- "VM"
+ "AKS"
 ],
- "severity": "Medium",
- "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. 
However, you can combine up to five multiple central-services clusters into a pair of VMs.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "If required add company HTTP Proxy",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "f656e745-0cfb-453e-8008-0528fa21c933",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure AKS Review",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
 "services": [
- "WAF",
- "Storage",
- "VM"
+ "AKS"
 ],
 "severity": "Medium",
- "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. These VMs should be the same size and have the same storage configuration.",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "Consider using a service mesh for advanced microservice communication management",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
 "services": [
- "WAF",
- "SAP"
+ "AKS",
+ "Monitor"
 ],
- "severity": "Medium",
- "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).",
- "training": 
"https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Alerting",
+ "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
+ "service": "AKS",
 "services": [
- "WAF",
- "Storage"
+ "AKS",
+ "Entra"
 ],
- "severity": "High",
- "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Check regularly Azure Advisor for recommendations on your cluster",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
+ "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
+ "service": "AKS",
 "services": [
- "WAF",
- "Storage",
- "SAP"
+ "AKS"
+ ],
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Enable AKS auto-certificate rotation",
+ "waf": "Operations"
+ },
+ {
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
"link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
+ "service": "AKS",
+ "services": [
+ "AKS"
 ],
 "severity": "High",
- "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
- "waf": "Reliability"
+ "subcategory": "Compliance",
+ "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
+ "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
+ "service": "AKS",
 "services": [
- "WAF",
- "Storage",
- "ASR",
- "SAP"
+ "AKS"
 ],
 "severity": "High",
- "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
- "waf": "Reliability"
+ "subcategory": "Compliance",
+ "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
- "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
+ "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
+ "service": "AKS",
 "services": [
- "WAF",
- "Storage",
- "SAP"
+ "AKS"
 ],
 "severity": "High",
- "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.",
- "waf": "Reliability"
+ "subcategory": "Compliance",
+ "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
+ "service": "AKS",
 "services": [
- "WAF",
- "SAP",
- "Cost"
+ "AKS"
 ],
- "severity": "Medium",
- "text": "Automate SAP System Start-Stop to manage costs.",
- "waf": "Cost"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
+ "link": "https://learn.microsoft.com/azure/aks/command-invoke",
+ "service": "AKS",
 "services": [
- "Storage",
- "VM",
- "WAF",
- "Cost",
- "SAP"
+ "AKS"
 ],
 "severity": "Low",
- "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. 
Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.",
- "waf": "Cost"
+ "subcategory": "Compliance",
+ "text": "Consider using AKS command invoke on private clusters",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
+ "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
+ "service": "AKS",
 "services": [
- "Storage",
- "VM",
- "WAF",
- "Cost",
- "SAP"
+ "AKS"
 ],
 "severity": "Low",
- "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.",
- "waf": "Cost"
+ "subcategory": "Compliance",
+ "text": "For planned events consider using Node Auto Drain",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
+ "link": "https://learn.microsoft.com/azure/aks/faq",
+ "service": "AKS",
 "services": [
- "WAF",
- "RBAC",
- "Subscriptions"
+ "AKS"
 ],
 "severity": "High",
- "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
- "waf": "Security"
+ "subcategory": "Compliance",
+ "text": "Develop own governance practices to make 
sure no changes are performed by operators in the node RG (aka 'infra RG')",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "45911475-e39e-4530-accc-d979366bcda2",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
+ "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
 "services": [
- "WAF",
- "Entra",
- "SAP"
+ "AKS"
 ],
- "severity": "Medium",
- "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Compliance",
+ "text": "Use custom Node RG (aka 'Infra RG') name",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
+ "category": "Operations",
+ "checklist": "Azure AKS Review",
+ "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
+ "link": "https://kubernetes.io/docs/setup/release/notes/",
+ "service": "AKS",
 "services": [
- "WAF",
- "Entra",
- "SAP"
+ "AKS"
 ],
 "severity": "Medium",
- "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.",
- "waf": "Security"
+ "subcategory": "Compliance",
+ "text": "Do not use deprecated Kubernetes APIs in your 
YAML manifests", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", "services": [ - "WAF", - "SAP" + "AKS" ], - "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "severity": "Low", + "subcategory": "Compliance", + "text": "Taint Windows nodes", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", "services": [ - "WAF", - "SAP" + "AKS" ], - "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", - "waf": "Security" + "severity": "Low", + "subcategory": "Compliance", + "text": "Keep windows containers patch level in sync with host patch level", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - 
"service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "description": "Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", "services": [ - "WAF", - "SAP" + "AKS", + "Monitor" ], - "severity": "Medium", - "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "severity": "Low", + "subcategory": "Compliance", + "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", "services": [ - "WAF", - "AKV", - "SAP" + "AKS" ], - "severity": "Medium", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", - "waf": "Security" + "severity": "Low", + "subcategory": "Compliance", + "text": "If required use nodePool snapshots", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", "services": [ - "WAF", - "AKV", - "SAP" + "AKS", + "Cost" ], - "severity": "Medium", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "waf": "Security" + "severity": "Low", + "subcategory": "Cost", + "text": "Consider spot node pools for non time-sensitive workloads", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "WAF", - "SAP" + "AKS", + "Cost" ], - "severity": "Medium", - "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", - "waf": "Security" + "severity": "Low", + "subcategory": "Cost", + "text": "Consider AKS virtual node for quick bursting", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "services": [ - "WAF", - "SAP" + "AKS", + "Monitor" ], - "severity": "Medium", - "text": "Implement SSO to SAP HANA", - "waf": "Security" + "severity": "High", + "subcategory": "Monitoring", + "text": "Monitor your cluster metrics with Container 
Insights (or other tools like Prometheus)", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "services": [ - "WAF", - "Entra", - "SAP" + "AKS", + "Monitor" ], - "severity": "Medium", - "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.", - "waf": "Security" + "severity": "High", + "subcategory": "Monitoring", + "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "services": [ - "WAF", - "SAP" + "AKS", + "Monitor" ], "severity": "Medium", - "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Monitor CPU and memory utilization of the nodes", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": 
"59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "WAF", - "Entra", - "SAP" + "AKS", + "Monitor" ], "severity": "Medium", - "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", - "waf": "Security" + "subcategory": "Monitoring", + "text": "If using Azure CNI, monitor % of pod IPs consumed per node", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "services": [ - "WAF", - "SAP" + "ServiceBus", + "AKS", + "Storage", + "EventHubs", + "Monitor" ], "severity": "Medium", - "text": "Implement SSO to SAP BTP", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Monitor OS disk queue depth in nodes", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "services": [ - "WAF", - "Entra", - "SAP" + "NVA", + "AKS", + "LoadBalancer", + "Monitor" ], "severity": "Medium", - "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.", - "waf": "Security" + "subcategory": "Monitoring", + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "services": [ - "WAF", - "Subscriptions", - "AzurePolicy", - "SAP" + "AKS", + "Monitor" ], "severity": "Medium", - "text": "enforce existing Management Group policies to SAP Subscriptions", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "subcategory": "Monitoring", + "text": "Subscribe to resource health notifications for your AKS cluster", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "WAF", - "Subscriptions", - "SAP" + "AKS" ], "severity": "High", - "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "subcategory": "Resources", + "text": "Configure requests and limits in your pod specs", "waf": 
"Operations" }, { - "checklist": "WAF checklist", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "WAF", - "Subscriptions" + "AKS" ], - "severity": "High", - "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "severity": "Medium", + "subcategory": "Resources", + "text": "Enforce resource quotas for namespaces", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "services": [ - "WAF", - "Subscriptions", - "VM" + "AKS", + "Subscriptions" ], "severity": "High", - "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "subcategory": "Resources", + "text": "Ensure your subscription has enough quota to scale out your nodepools", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "Low", - "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.", + "severity": "High", + "subcategory": "Resources", + "text": "Configure Liveness and Readiness probes for all deployments", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "WAF", - "Subscriptions", - "VM" + "AKS" ], - "severity": "High", - "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Scalability", + "text": "Use the Cluster Autoscaler", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "High", - "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "Operations" + "severity": "Low", + "subcategory": "Scalability", + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "WAF", - "TrafficManager", - "Cost" + "AKS" ], "severity": "Medium", - "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, 
Application Tier), Application Owner, ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "subcategory": "Scalability", + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "services": [ - "WAF", - "Backup" + "AKS" ], "severity": "High", - "text": "Help protect your HANA database by using the Azure Backup service.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Reliability" + "subcategory": "Scalability", + "text": "Consider an appropriate node size, not too large or too small", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", "services": [ - "WAF", - "Entra", - "Storage", - "VM" + "AKS" ], - "severity": "Medium", - "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool 
(AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Scalability", + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", "services": [ - "WAF", - "SAP" + "AKS" ], - "severity": "High", - "text": "Ensure time-zone matches between the operating system and the SAP system.", - "waf": "Operations" + "severity": "Low", + "subcategory": "Scalability", + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", "services": [ - "WAF", - "Entra" + "AKS" ], - "severity": "Medium", - "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Scalability", + "text": "For long running operation on an AKS cluster consider event termination", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", "services": [ - "WAF", - "Cost" + "AKS" ], "severity": "Low", - "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", - "waf": "Cost" + "subcategory": "Scalability", + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "services": [ - "WAF", - "Entra", - "SAP" + "Storage", + "AKS" ], - "severity": "Medium", - "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. 
Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", - "waf": "Operations" + "severity": "High", + "subcategory": "Storage", + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "services": [ - "WAF", - "VM" + "Storage", + "AKS" ], - "severity": "Medium", - "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "Operations" + "severity": "High", + "subcategory": "Storage", + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", "services": [ - "WAF", - "SAP" + "Storage", + "AKS" ], 
"severity": "Low", - "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", - "waf": "Operations" + "subcategory": "Storage", + "text": "For hyper performance storage option use Ultra Disks on AKS", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "services": [ - "WAF", - "SQL", - "Monitor", - "SAP" + "Storage", + "AKS", + "SQL" ], "severity": "Medium", - "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Operations" + "subcategory": "Storage", + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "services": [ - "VM", - "WAF", - "Monitor", - "Entra", - "SAP" + "Storage", + "AKS" ], - "severity": "High", - "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Storage", + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "services": [ - "WAF", - "AzurePolicy" + "Storage", + "AKS" ], "severity": "Medium", - "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" + "subcategory": "Storage", + "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Implement branching policy in Azure DevOps", + "guid": "eda1dae2-cc85-4c47-a6b7-81cca0e6c465", + "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-policies-overview?view=azure-devops", "services": [ - "WAF", - "Monitor", - "NetworkWatcher", - "SAP" + "AzurePolicy" ], - "severity": "Medium", - "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "severity": "High", + "subcategory": "Branching Policy", + "text": "Branch Policies", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Understand branch strategy such as GitFlow or GitHub Flow", + "guid": "bc288bec-6a16-4ca7-8444-51e1add34529", + "link": "https://learn.microsoft.com/azure/devops/repos/git/git-branching-guidance?view=azure-devops", "services": [ - "WAF", - "SAP", - "VM" + "AzurePolicy" ], - "severity": "Medium", - "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.", + "severity": "High", + "subcategory": "Branching Policy", + "text": "Branching strategy", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Understand how teams work with git", + "guid": "ec723823-7a15-41c5-ab4e-401914387e5c", + "link": "https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow", "services": [ - "WAF", - "Subscriptions", - "SAP" + "AzurePolicy" ], "severity": "High", - "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", - "training": 
"https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "Performance" + "subcategory": "Branching Policy", + "text": "Understand GitFlow Branch Strategy", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Merge into higher branches after two or more reviewers in a PR", + "guid": "a9c26c9c-32ab-45bd-8c69-98a246e33899", + "link": "https://learn.microsoft.com/azure/devops/repos/git/review-pull-requests?view=azure-devops&tabs=browser", "services": [ - "WAF", - "Storage", - "ASR" + "AzurePolicy" ], - "severity": "Medium", - "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "Reliability" + "severity": "High", + "subcategory": "Branching Policy", + "text": "Pull Request Review", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Implement access control to the branches", + "guid": "7e41c77d-68cb-46a2-8ac1-9f916d697d8e", + "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-permissions?view=azure-devops", "services": [ - "WAF", - "SAP", - "Monitor", - "Sentinel" + "AzurePolicy" ], "severity": "Medium", - "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "subcategory": "Branching Policy", + "text": "Access Control to the Branch", + "waf": "Operations" + }, + { + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Perform SAST code scan", + "guid": "adfd27bd-e187-401a-a252-baa9b68a088c", + "link": "https://devblogs.microsoft.com/devops/integrate-security-into-your-developer-workflow-with-github-advanced-security-for-azure-devops/", + "services": [], + "severity": "High", + "subcategory": "Security", + "text": "Code Scan", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", - "services": [ - "WAF", - "Cost" - ], - "severity": "Medium", - "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Understand TFVC as Code Repo", + "guid": "9a8f822b-8eb9-4d1b-a77f-26e5e6beba8e", + "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/what-is-tfvc?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Practice", + "text": "TFVC as Code Repository", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "services": [ - "WAF", - 
"Monitor", - "VM" - ], - "severity": "Low", - "text": "Use inter-VM latency monitoring for latency-sensitive applications.", - "waf": "Performance" + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Compare Git vs TFVC for your project", + "guid": "d4f3437b-c336-4d71-9f27-a71eee0b9b5d", + "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/comparison-git-tfvc?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Practice", + "text": "Choose Right version control", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "services": [ - "WAF", - "Monitor", - "ASR", - "SAP" - ], - "severity": "Medium", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Set up your team management", + "guid": "8defd5d7-21d4-41d2-900c-807bf9eab40f", + "link": "https://learn.microsoft.com/azure/devops/organizations/settings/manage-teams?view=azure-devops", + "services": [], + "severity": "High", + "subcategory": "Team Planning", + "text": "Configure your teams", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", - "services": [ - "WAF", - "Storage", - "SAP" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Start scheduling sprints", + "guid": "9ed5b354-78d4-447a-a26c-2863c00f1cac", + "link": 
"https://learn.microsoft.com/azure/devops/boards/sprints/define-sprints?view=azure-devops", + "services": [], "severity": "Medium", - "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", - "waf": "Performance" + "subcategory": "Team Planning", + "text": "Configure your sprints", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "services": [ - "WAF", - "SAP" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Set up your work item heirarchy", + "guid": "699ef1d5-a83d-4e5d-b36c-1c81870a0bc5", + "link": "https://learn.microsoft.com/azure/devops/organizations/settings/work/customize-process-work-item-type?view=azure-devops", + "services": [], "severity": "Low", - "text": "Consider collecting full database statistics for non-HANA databases after migration. 
For example, implement SAP note 1020260 - Delivery of Oracle statistics.", - "waf": "Performance" + "subcategory": "Team Planning", + "text": "Choose Work Item types", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", - "services": [ - "WAF", - "Storage", - "SAP" - ], - "severity": "Medium", - "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "Performance" + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "WIT Processes available in Azure DevOps", + "guid": "c1e43a18-658d-4285-aed6-7179b825546d", + "link": "https://learn.microsoft.com/azure/devops/boards/work-items/guidance/choose-process?view=azure-devops&tabs=agile-process", + "services": [], + "severity": "High", + "subcategory": "Team Planning", + "text": "Select a WIT Process", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", - "services": [ - "WAF", - "SQL", - "SAP" - ], - "severity": "Medium", - "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. 
We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "Performance" + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Use Azure Boards with GitHub", + "guid": "f2aee455-3afc-4833-a248-726dd68c5b5c", + "link": "https://learn.microsoft.com/azure/devops/cross-service/github-integration?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Tool Integration", + "text": "GitHub Integration", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "services": [ - "WAF", - "Monitor", - "ASR", - "SAP" - ], - "severity": "High", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Understand the methologies", + "guid": "2925394b-69b9-4d37-aac4-3bc68d1d7665", + "link": "https://www.atlassian.com/agile/scrum/agile-vs-scrum", + "services": [], + "severity": "Medium", + "subcategory": "Process Planning", + "text": "Understand Agile Vs Scrum", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", - "services": [ - "WAF", - "AppGW", - "AzurePolicy" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Create Dashboard and PowerBI reports", + "guid": 
"7246b448-564b-44dd-94a7-59c7633bd2a1", + "link": "https://learn.microsoft.com/azure/devops/report/dashboards/overview?view=azure-devops", + "services": [], "severity": "Medium", - "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", - "waf": "Security" + "subcategory": "Reporting", + "text": "Dashboard", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "services": [ - "WAF", - "SAP", - "DNS", - "VM" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Set up backlog", + "guid": "a27a764a-90be-40e3-98ee-293c1bd363ca", + "link": "https://learn.microsoft.com/azure/devops/boards/backlogs/set-up-your-backlog?view=azure-devops", + "services": [], "severity": "Medium", - "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. 
Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "subcategory": "Reporting", + "text": "Refine your backlog", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "services": [ - "WAF", - "DNS", - "SAP", - "VNet" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Link your work items", + "guid": "aab75719-49ab-4919-9dc9-fc9d1bb84b37", + "link": "https://learn.microsoft.com/azure/devops/boards/queries/link-work-items-support-traceability?view=azure-devops&tabs=browser", + "services": [], "severity": "Medium", - "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "subcategory": "Reporting", + "text": "Visualize Relationships", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", - "services": [ - "WAF", - "ACR", - "SAP", - "VNet" - ], - "severity": "Medium", - "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "Reliability" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "View the velocity report", + "guid": "b5a67fcb-9ed5-4b35-978d-447a826c2863", + "link": "https://learn.microsoft.com/azure/devops/report/dashboards/team-velocity?view=azure-devops&tabs=in-context", + "services": [], + "severity": "Low", + "subcategory": "Reporting", + "text": "Review Team Velocity", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", - "services": [ - "WAF", - "NVA", - "SAP" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Create your first pipeline", + "guid": "c00f1cac-699e-4f1d-9a83-de5de36c1c81", + "link": "https://learn.microsoft.com/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Ctfs-2018-2%2Cbrowser", + "services": [], "severity": "High", - "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", - "training": 
"https://me.sap.com/notes/2731110", - "waf": "Performance" + "subcategory": "Continuous Integration", + "text": "Set up pipeline", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", - "services": [ - "WAF", - "ACR", - "VWAN", - "SAP" - ], - "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Specify events that trigger pipelines", + "guid": "870a0bc5-c1e4-43a1-a658-d2858ed67179", + "link": "https://learn.microsoft.com/azure/devops/pipelines/build/triggers?view=azure-devops", + "services": [], + "severity": "High", + "subcategory": "Continuous Integration", + "text": "Set Build triggers", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", - "services": [ - "WAF", - "NVA", - "VNet" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Use YAML to create build pipeline", + "guid": "b825546d-f2ae-4e45-93af-c8339248726d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/customize-pipeline?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Continuous Integration", + "text": "Customize YAML Pipeline", + "waf": "Operations" + }, + { + "category": "Azure Pipelines", 
+ "checklist": "Azure DevOps", + "description": "Use classic GUI editor to set up pipeline", + "guid": "d68c5b5c-2925-4394-a69b-9d379ac43bc6", + "link": "https://learn.microsoft.com/azure/devops/pipelines/get-started/pipelines-get-started?view=azure-devops&source=recommendations#define-pipelines-using-the-classic-interface", + "services": [], "severity": "Medium", - "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "subcategory": "Continuous Integration", + "text": "Use GUI for pipeline", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", - "services": [ - "NVA", - "WAF", - "VWAN", - "SAP", - "VNet" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up templates, parameters and expressions", + "guid": "8d1d7665-7246-4b44-a564-b4dd74a759c7", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/templates?view=azure-devops&pivots=templates-includes", + "services": [], "severity": "Medium", - "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "subcategory": "Continuous Integration", + "text": "Configure Templates", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "services": [ - "WAF", - "SAP", - "VM" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up jobs, stages and dependencies", + "guid": "633bd2a1-a27a-4764-a90b-e0e378ee293c", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/stages?view=azure-devops&tabs=yaml", + "services": [], "severity": "High", - "text": "Public IP assignment to VM running SAP Workload is not recommended.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Security" + "subcategory": "Continuous Integration", + "text": "Jobs", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", - "services": [ - "WAF", - "ASR" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up conditions and Demands", + "guid": "1bd363ca-aab7-4571-a49a-b9193dc9fc9d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/conditions?view=azure-devops&tabs=yaml%2Cstages", + "services": [], + "severity": "Medium", + "subcategory": "Continuous Integration", + "text": "Conditions and Demands", + "waf": "Operations" + }, + { + "category": "Azure Pipelines", + 
"checklist": "Azure DevOps", + "description": "Define Variables", + "guid": "1bb84b37-b5a6-47fc-a9ed-5b35478d447a", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch", + "services": [], "severity": "High", - "text": "Consider reserving IP address on DR side when configuring ASR", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "subcategory": "Continuous Integration", + "text": "Variables", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "services": [ - "WAF" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up your deployment pipeline", + "guid": "826c2863-c00f-41ca-a699-ef1d5a83de5d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/create-multistage-pipeline?view=azure-devops", + "services": [], "severity": "High", - "text": "Avoid using overlapping IP address ranges for production and DR sites.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "subcategory": "Continuous Deployment", + "text": "Deployment Pipeline", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", - "services": [ - "WAF", - "Storage", - "VNet" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Select correct branches to deploy from", + "guid": "e36c1c81-870a-40bc-9c1e-43a18658d285", + "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deploy-multiple-branches?view=azure-devops", + "services": [], "severity": "Medium", - "text": 
"While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "subcategory": "Continuous Deployment", + "text": "Release branch", + "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", - "services": [ - "WAF", - "Firewall" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "use relevant template to deploy to azure", + "guid": "8ed67179-b825-4546-bf2a-ee4553afc833", + "link": "https://learn.microsoft.com/azure/devops/pipelines/overview-azure?view=azure-devops", + "services": [], "severity": "Medium", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "Security" + "subcategory": "Continuous Deployment", + "text": "Deploy to Azure", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", - "services": [ - "WAF", - "AppGW", - "SAP" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Release Approvals and pre 
deployment checks", + "guid": "9248726d-d68c-45b5-a292-5394b69b9d37", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass", + "services": [], "severity": "Medium", - "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "Security" + "subcategory": "Continuous Deployment", + "text": "Approvals and Checks", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "services": [ - "WAF", - "ACR", - "FrontDoor", - "AzurePolicy" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Gates and post deployment checks", + "guid": "9ac43bc6-8d1d-4766-9724-6b448564b4dd", + "link": "https://learn.microsoft.com/azure/devops/pipelines/release/approvals/?view=azure-devops&tabs=yaml", + "services": [], "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", - "waf": "Security" + "subcategory": "Continuous Deployment", + "text": "Gates", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", - "services": [ - "WAF", - "AppGW", - "AzurePolicy", - "FrontDoor" - ], - "severity": 
"Medium", - "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Azure Function and REST API Checks", + "guid": "74a759c7-633b-4d2a-8a27-a764a90be0e3", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/invoke-checks?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Continuous Deployment", + "text": "Azure Function Checks", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "services": [ - "WAF", - "AppGW", - "LoadBalancer" - ], - "severity": "Medium", - "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Review pipeline reports", + "guid": "78ee293c-1bd3-463c-aaab-7571949ab919", + "link": "https://learn.microsoft.com/azure/devops/pipelines/reports/pipelinereport?view=azure-devops", + "services": [], + "severity": "High", + "subcategory": "Continuous Deployment", + "text": "Pipline Reports", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", - "services": [ - "WAF", - "ACR", - "VWAN", - "SAP" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "configure Trend Result widget", + "guid": "3dc9fc9d-1bb8-44b3-9b5a-67fcb9ed5b35", + "link": "https://learn.microsoft.com/azure/devops/report/dashboards/analytics-widgets?toc=%2Fazure%2Fdevops%2Fpipelines%2Ftoc.json&view=azure-devops#test-results-trend-advanced", + "services": [], "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "Performance" + "subcategory": "Analytics", + "text": "Pipeline Result Trend", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", - "services": [ - "ACR", - "Storage", - "WAF", - "PrivateLink", - "Backup", - "VNet" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Connect with WIT to visualize work", + "guid": "478d447a-826c-4286-9c00-f1cac699ef1d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/integrations/configure-pipelines-work-tracking?view=azure-devops&tabs=yaml", + "services": [], "severity": "Medium", - "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", - "services": [ - "WAF", - "SAP", - "VM" - ], - "severity": "High", - "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Performance" + "subcategory": "Analytics", + "text": "Work Tracking with Pipeline", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", - "services": [ - "WAF", - "LoadBalancer" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Understand agent pools", + "guid": "5a83de5d-e36c-41c8-8870-a0bc5c1e43a1", + "link": "https://learn.microsoft.com/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=yaml%2Cbrowser", + "services": [], "severity": "Medium", - "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Security" + "subcategory": "Continuous Deployment", + "text": " Agents and agent pools", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", - "services": [ - "WAF", - "SAP", - "VM", - "VNet" - ], - "severity": "Medium", - "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. ASGs group virtual machines to help manage their security.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "Security" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Understand and provision Deployment Groups when required", + "guid": "8658d285-8ed6-4717-ab82-5546df2aee45", + "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deployment-groups/?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Continuous Deployment", + "text": "Deployment Groups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Understand Kubernetes Deployment", + "guid": 
"53afc833-9248-4726-bd68-c5b5c2925394", + "link": "https://learn.microsoft.com/azure/devops/pipelines/ecosystems/kubernetes/deploy?view=azure-devops", "services": [ - "WAF", - "SAP", - "VNet" + "AKS" ], - "severity": "High", - "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "severity": "Low", + "subcategory": "Continuous Deployment", + "text": "Deploy to Kubernetes", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "services": [ - "WAF", - "SAP" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Perform Dynamic Security Testing", + "guid": "b69b9d37-9ac4-43bc-98d1-d76657246b44", + "link": "https://devblogs.microsoft.com/premier-developer/azure-devops-pipelines-leveraging-owasp-zap-in-the-release-pipeline/", + "services": [], "severity": "Medium", - "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Performance" + "subcategory": "Security", + "text": "DAST Scan", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "services": [ - "WAF", - "SAP" - ], - "severity": "High", - "text": "It is NOT supported at all to run an SAP Application Server 
layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Manage Service Connections", + "guid": "8564b4dd-74a7-459c-9633-bd2a1a27a764", + "link": "https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml", + "services": [], + "severity": "Medium", + "subcategory": "Security", + "text": "Service Connections", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set data retention policies for CI and CD", + "guid": "a90be0e3-78ee-4293-a1bd-363caaab7571", + "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/retention?view=azure-devops&tabs=yaml", "services": [ - "WAF", - "SAP", - "Cost", - "VNet" + "AzurePolicy" ], - "severity": "High", - "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Security", + "text": "Retention Policies", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", - "services": [ - "WAF", - "LoadBalancer" - ], - "severity": "High", - "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Performance" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up and pay for concurrent pipelines", + "guid": "949ab919-3dc9-4fc9-b1bb-84b37b5a67fc", + "link": "https://learn.microsoft.com/azure/devops/pipelines/licensing/concurrent-jobs?view=azure-devops&tabs=ms-hosted", + "services": [], + "severity": "Low", + "subcategory": "Administration", + "text": "Parallel Pipelines", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", - "services": [ - "WAF", - "SAP", - "VNet" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set pipeline permissions", + "guid": "b9ed5b35-478d-4447-a826-c2863c00f1ca", + "link": 
"https://learn.microsoft.com/azure/devops/pipelines/policies/permissions?view=azure-devops", + "services": [], "severity": "Medium", - "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", + "subcategory": "Security", + "text": "Pipeline Permissions", + "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "services": [ - "WAF", - "SAP", - "Backup", - "VM" - ], - "severity": "High", - "text": "Review SAP HANA database backups for Azure VMs.", - "waf": "Cost" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Add users to pipeline", + "guid": "c699ef1d-5a83-4de5-be36-c1c81870a0bc", + "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/set-permissions?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Security", + "text": "Pipeline Users", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "services": [ - "WAF", - "Monitor", - "ASR", - "SAP" - ], + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Configure Artifacts", + "guid": "5c1e43a1-8658-4d28-98ed-67179b825546", + "link": 
"https://learn.microsoft.com/azure/devops/pipelines/artifacts/artifacts-overview?view=azure-devops&tabs=nuget", + "services": [], "severity": "Medium", - "text": "Review Site Recovery built-in monitoring, where used for SAP.", - "waf": "Cost" + "subcategory": "Configuration", + "text": "Artifact In Pipeline", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", - "services": [ - "WAF", - "Monitor", - "SAP" - ], - "severity": "High", - "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish and consume artifact in pipeline", + "guid": "df2aee45-53af-4c83-9924-8726dd68c5b5", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/pipeline-artifacts?view=azure-devops&tabs=yaml", + "services": [], + "severity": "Medium", + "subcategory": "Configuration", + "text": "Publish and download Artifact", + "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", - "services": [ - "WAF", - "Backup", - "VM" - ], - "severity": "Medium", - "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish NuGet packages with artifacts", + "guid": "c2925394-b69b-49d3-99ac-43bc68d1d766", + "link": 
"https://learn.microsoft.com/azure/devops/pipelines/artifacts/nuget?view=azure-devops&tabs=yaml", + "services": [], + "severity": "Low", + "subcategory": "Configuration", + "text": "NuGet", + "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "services": [ - "WAF", - "SQL", - "Storage" - ], - "severity": "Medium", - "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish Maven packages with artifacts", + "guid": "57246b44-8564-4b4d-b74a-759c7633bd2a", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/publish-maven-artifacts?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Configuration", + "text": "Maven", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", - "services": [ - "WAF", - "Backup", - "VM" - ], + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish NPM packages with artifacts", + "guid": "1a27a764-a90b-4e0e-978e-e293c1bd363c", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/npm?view=azure-devops&tabs=yaml", + "services": [], + "severity": "Low", + "subcategory": "Configuration", + "text": "NPM", + "waf": "Operations" + }, + { + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Best Practices to work with Azure Artifact", + "guid": "aaab7571-949a-4b91-a3dc-9fc9d1bb84b3", + "link": 
"https://learn.microsoft.com/azure/devops/artifacts/concepts/best-practices?view=azure-devops", + "services": [], "severity": "Medium", - "text": "Review the use of Automated Backup v2 for Azure VMs.", + "subcategory": "Configuration", + "text": "Best Practices", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "What is monitoring?", + "guid": "7b5a67fc-b9ed-45b3-9478-d447a826c286", + "link": "https://learn.microsoft.com/devops/operate/what-is-monitoring", "services": [ - "WAF" + "Monitor" ], "severity": "High", - "text": "Enabling Write accelerator for M series when using premium disks(V1)", + "subcategory": "Practice", + "text": "What to monitor?", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", - "services": [ - "WAF" - ], + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Progressive Exposure Strategy", + "guid": "3c00f1ca-c699-4ef1-b5a8-3de5de36c1c8", + "link": "https://learn.microsoft.com/devops/operate/safe-deployment-practices", + "services": [], "severity": "Medium", - "text": "Test availability zone latency.", - "waf": "Performance" + "subcategory": "Practice", + "text": "Safe Deployment Practices", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", - "services": [ - "WAF", - "SAP" - ], - "severity": "Medium", - "text": "Activate SAP EarlyWatch Alert for all SAP components.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Performance" + "category": "DevOps Practice", + 
"checklist": "Azure DevOps", + "description": "Microsoft runs reliable systems with DevOps", + "guid": "1870a0bc-5c1e-443a-8865-8d2858ed6717", + "link": "https://learn.microsoft.com/devops/operate/how-microsoft-operates-devops", + "services": [], + "severity": "Low", + "subcategory": "Practice", + "text": "Case Study", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", - "services": [ - "WAF", - "SAP" - ], + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Security in DevOps", + "guid": "9b825546-df2a-4ee4-953a-fc8339248726", + "link": "https://learn.microsoft.com/devops/operate/security-in-devops", + "services": [], "severity": "Medium", - "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "Performance" + "subcategory": "Practice", + "text": "DevSecOps", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", - "services": [ - "WAF", - "SQL", - "Monitor" - ], - "severity": "Medium", - "text": "Review SQL Server performance monitoring using CCMS.", - "waf": "Performance" + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Enable DevSecops with Azure And GitHub", + "guid": "dd68c5b5-c292-4539-9b69-b9d379ac43bc", + "link": "https://learn.microsoft.com/devops/devsecops/enable-devsecops-azure-github", + "services": [], + "severity": "Low", + "subcategory": "Practice", + "text": "DevSecops", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Security" }, { - "checklist": 
"WAF checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Mirror RBAC in DevOps", + "guid": "68d1d766-5724-46b4-9856-4b4dd74a759c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/secure/best-practices/end-to-end-governance", "services": [ - "WAF", - "SAP", - "VM" + "RBAC" ], - "severity": "Medium", - "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Performance" + "severity": "Low", + "subcategory": "Practice", + "text": "Secure DevOps Govenance", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", - "services": [ - "WAF", - "Monitor", - "SAP" - ], - "severity": "Medium", - "text": "Review SAP HANA studio alerts.", - "waf": "Performance" - }, - { - "checklist": "WAF checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", - "services": [ - "WAF", - "SAP" - ], + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Governance when using CI/CD", + "guid": "7633bd2a-1a27-4a76-9a90-be0e378ee293", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/governance/end-to-end-governance-in-azure", + "services": [], "severity": "Medium", - "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", - "waf": "Performance" + "subcategory": "Practice", + "text": "Azure DevOps Governance", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - 
"checklist": "WAF checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "services": [ - "WAF", - "VM" - ], - "severity": "Medium", - "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "Security" + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Metaprompting", + "text": "Follow Metaprompting guardrails for resonsible AI", + "waf": "Operational Excellence" }, { - "checklist": "WAF checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", "services": [ - "WAF", - "SAP" + "Entra", + "APIM" ], - "severity": "Medium", - "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "Security" + "severity": "High", + "subcategory": "Load Balancing", + "text": "Consider Gateway patterns with APIM or solutions 
like AI central for better rate limiting, load balancing, authentication and logging", + "waf": "Operational Excellence" }, { - "checklist": "WAF checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", "services": [ - "WAF", - "SQL", - "SAP" + "Monitor" ], - "severity": "Low", - "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", - "waf": "Security" + "severity": "High", + "subcategory": "Monitoring", + "text": "Enable monitoring for your AOAI instances", + "waf": "Operational Excellence" }, { - "checklist": "WAF checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.insights/metricalerts' | extend compliant = (properties.targetResourceType =~ 'Microsoft.CognitiveServices/accounts') | project id, compliant", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", "services": [ - "WAF", - "SQL" + "AKV", + "Subscriptions", + "Monitor" ], "severity": "High", - "text": "Disable xp_cmdshell. 
The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "Security" + "subcategory": "Alerts", + "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", + "waf": "Operational Excellence" }, { - "checklist": "WAF checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "services": [ - "Storage", - "WAF", - "SQL", - "Backup", - "SAP" + "Monitor" ], "severity": "High", - "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Monitor token usage to prevent service disruptions due to capacity", + "waf": "Operational Excellence" }, { - "checklist": "WAF checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "services": [ - "WAF", - "Storage" + "Monitor" ], "severity": "Medium", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "Security" + "subcategory": "Observability", + "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", + "waf": "Operational Excellence" }, { - "checklist": "WAF checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", "services": [ - "WAF", - "AKV" + "APIM" ], - "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "severity": "Low", + "subcategory": "Observability", + "text": "Enable and configure Diagnostics for the Azure OpenAI Service. If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", + "waf": "Operational Excellence" }, { - "checklist": "WAF checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", - "services": [ - "WAF", - "Subscriptions", - "RBAC", - "AzurePolicy" - ], - "severity": "Medium", - "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. 
You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "Security" + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Infrastructure Deployment", + "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", + "waf": "Operational Excellence" }, { - "checklist": "WAF checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "services": [ - "WAF", - "AKV", - "AzurePolicy" + "Entra" ], - "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "severity": "High", + "subcategory": "Authentication", + "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", - "services": [ - "WAF", - "RBAC", - "AzurePolicy" - ], + "category": "Responsible AI", + "checklist": "Azure OpenAI 
Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", + "services": [], "severity": "High", - "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "Security" + "subcategory": "Evaluation", + "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.", + "waf": "Operational Excellence" }, { - "checklist": "WAF checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "services": [ - "WAF", - "Storage", - "SAP", - "Defender" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "Azure OpenAI", + "services": [], "severity": "High", - "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "Security" + "subcategory": "Hosting model", + "text": "Evaluate usage of Provisioned throughput model ", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", - "services": [ - "WAF", - "RBAC", - "SAP", - "Defender" - ], + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "Azure OpenAI", + "services": [], "severity": "High", - "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "Security" + "subcategory": "Content Safety", + "text": "Review and implement Azure AI content safety", + "waf": "Operational Excellence" }, { - "checklist": "WAF checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "services": [ - "WAF", - "SAP" - ], - "severity": "Low", - "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "Security" + "category": "Operations Management", + "checklist": "Azure OpenAI 
Review", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Throughput definition", + "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", - "services": [ - "WAF", - "AKV" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "subcategory": "Latency improvement", + "text": "Improve latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. 
Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "services": [ - "WAF", - "AKV" + "ServiceBus", + "Storage" ], - "severity": "High", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "subcategory": "Elasticity segregation", + "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "services": [ - "WAF", - "AKV", - "SAP" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", + "services": [], "severity": "High", - "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. 
SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Security" + "subcategory": "Benchmarking", + "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", - "services": [ - "WAF", - "RBAC", - "Subscriptions", - "SAP" - ], - "severity": "High", - "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "Security" + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", + "services": [], + "severity": "Medium", + "subcategory": "Elasticity ", + "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. 
Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", - "services": [ - "WAF", - "PrivateLink", - "NVA", - "SAP" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "Azure OpenAI", + "services": [], "severity": "High", - "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Security" + "subcategory": "Model choice", + "text": "Choose the right model for the right task. 
Pick models with right tradeoff between speed, quality of response and output complexity", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "services": [ - "WAF", - "Storage", - "VM" - ], - "severity": "Low", - "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Security" + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", + "services": [], + "severity": "Medium", + "subcategory": "Fine tuning", + "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", "services": [ - "WAF", - "Defender" + "ACR" ], "severity": "Low", - "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "Security" + "subcategory": 
"Multi-region architecture", + "text": "Deploy multiple OAI instances across regions", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", "services": [ - "WAF", - "SAP", - "VNet" + "Entra", + "APIM" ], "severity": "High", - "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "services": [ - "WAF", - "SAP" - ], - "severity": "Low", - "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "Security" + "subcategory": "Load balancing", + "text": "Implement retry & healthchecks with Gateway pattern like APIM", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", - "services": [ - "WAF", - "AKV", - "Monitor", - "SAP" - ], + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Security" + "subcategory": "Quotas", + "text": "Ensure having adequate quotas of TPM & RPM for the workload", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "WAF checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Enable 2 replicas to have 99.9% availability for read operations", - "waf": "Reliability" + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": "Azure OpenAI", + "services": [], + "severity": "Medium", + "subcategory": "UX best practice", + "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "WAF checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Azure OpenAI", "services": [ - "WAF" + "ACR" ], "severity": "Medium", - "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "subcategory": "Load balancing", + "text": "Deploy separate fine tuned models across regions if finetuning 
is employed", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "WAF checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "77a1f893-5bda-4433-84f2-4811633182ba", + "link": "https://learn.microsoft.com/azure/backup/backup-overview", + "service": "Azure OpenAI", "services": [ - "WAF" + "ASR", + "Backup" ], - "severity": "High", - "text": "Leverage Availability Zones by enabling read and/or write replicas", + "severity": "Medium", + "subcategory": "Data Backup and Disaster Recovery", + "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "WAF checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", - "services": [ - "WAF", - "ACR" - ], - "severity": "Medium", - "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.search/searchservices' | extend compliant = (sku.name != 'free' and properties.replicaCount >= 3) | project id, compliant", + "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "SLA 
considerations", + "text": "Azure AI search service tiers should be choosen to have a SLA ", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "WAF checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", - "services": [ - "WAF", - "ACR" - ], - "severity": "Medium", - "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", - "waf": "Reliability" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", + "link": "https://learn.microsoft.com/purview/purview", + "service": "Azure OpenAI", + "services": [], + "severity": "Low", + "subcategory": "Data Sensitivity", + "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "WAF checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", - "services": [ - "WAF", - "TrafficManager" - ], - "severity": "Medium", - "text": "Use Azure Traffic Manager to coordinate requests", - "waf": "Reliability" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Encryption at Rest", + "text": "Encrypt data used for 
RAG with SSE/Disk encryption with optional BYOK", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "WAF checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", + "link": "https://learn.microsoft.com/azure/search/search-security-overview", + "service": "Azure OpenAI", "services": [ - "WAF", - "Storage", - "Backup" + "ACR" ], "severity": "High", - "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", - "waf": "Reliability" + "subcategory": "Transit Encryption", + "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", + "waf": "Security" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", "services": [ - "WAF", - "Monitor" + "RBAC" ], - "severity": "Medium", - "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "severity": "High", + "subcategory": "Access Control", + "text": "Use RBAC to manage access to Azure OpenAI 
services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities", + "waf": "Security" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "services": [ - "WAF", - "Backup" - ], + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", + "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "check backup instances with the underlying datasource not found", - "waf": "Cost" + "subcategory": "Data Masking and Redaction", + "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/ai-onboarding", + "service": "Azure OpenAI", "services": [ - "WAF" + "Sentinel", + "Monitor", + "Defender" ], - "severity": "Medium", - "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", - "waf": "Cost" + "severity": "High", + "subcategory": "Threat Detection and Monitoring", + "text": "Utilize Azure Defender to detect and respond 
to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response", + "waf": "Security" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", + "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", + "service": "Azure OpenAI", "services": [ - "WAF", - "Storage", - "Backup", - "ASR" + "AzurePolicy" ], "severity": "Medium", - "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", - "waf": "Cost" + "subcategory": "Data Retention and Disposal", + "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities", + "waf": "Security" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "services": [ - "WAF", - "Monitor" - ], - "severity": "Medium", - "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Cost" + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Jail break Safety", + "text": "Implement Prompt shields and groundedness detection using Content Safety ", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": 
"Azure Monitor", - "services": [ - "WAF", - "Storage", - "AzurePolicy" - ], - "severity": "Medium", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Cost" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", + "link": "https://learn.microsoft.com/azure/compliance/", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Data Privacy and Compliance", + "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "services": [ - "WAF", - "Storage", - "Backup" - ], + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Cost" + "subcategory": "Employee Awareness and Training", + "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. 
Encourage them to follow data security protocols diligently.", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "services": [ - "WAF", - "Storage", - "AzurePolicy" - ], - "severity": "Medium", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Environment segregation", + "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "services": [ - "WAF", - "VM" - ], + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Make sure advisor is configured for VM right sizing ", - "waf": "Cost" + "subcategory": "Index Segregation", + "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. 
For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "check by searching the Meter Category Licenses in the Cost analysys", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", + "service": "Azure OpenAI", "services": [ - "WAF", - "Cost", "AzurePolicy", - "VM" + "RBAC" ], "severity": "Medium", - "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", - "waf": "Cost" + "subcategory": "Sensitive Data in Separate Instances", + "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. 
Each instance can be controlled with its own specific set of RBAC policies", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "services": [ - "WAF", - "LoadBalancer" - ], - "severity": "Medium", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Cost" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Embedding and Vector handling", + "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", "services": [ - "WAF", - "VM" + "RBAC" ], - "severity": "Medium", - "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Cost" + "severity": "High", + "subcategory": "Access control", + "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.privateEndpointConnections != '[]' and properties.publicNetworkAccess !~ 'enabled')", + "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", + "service": "Azure 
OpenAI", "services": [ - "WAF", - "ARS", - "VM", - "Cost" + "PrivateLink" ], - "severity": "Medium", - "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", - "waf": "Cost" + "severity": "High", + "subcategory": "Network security", + "text": "Configure private endpoint for AI services to restrict service access within your network", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "Azure OpenAI", "services": [ - "WAF" + "Firewall", + "VNet" ], - "severity": "Medium", - "text": "Only larger disks can be reserved => 1 TiB -", - "waf": "Cost" + "severity": "High", + "subcategory": "Network security", + "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "After the right-sizing optimization", - "waf": "Cost" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Control Network Access", + "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized 
users and systems and prevent lateral movement", + "waf": "Security" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "WAF checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "Azure OpenAI", "services": [ - "WAF", - "SQL", - "AzurePolicy", "Cost" ], "severity": "Medium", - "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Cost" + "subcategory": "Token Optimization", + "text": "Use prompt compression tools like LLMLingua or gprtrim", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (isnotnull(identity))", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "services": [ - "WAF", - "VM" + "AKV", + "Entra" ], + "severity": "High", + "subcategory": "Secure APIs and Endpoints", + "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and 
authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", + "waf": "Security" + }, + { + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", - "waf": "Cost" + "subcategory": "Implement Strong Authentication", + "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "Azure OpenAI", "services": [ - "WAF", - "VM" + "Monitor" ], "severity": "Medium", - "text": "Consider using a VMSS to match demand rather than flat sizing", - "waf": "Cost" + "subcategory": "Use Network Monitoring", + "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. 
Enable logging to capture network events and facilitate forensic analysis in case of security incidents", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "services": [ - "WAF", - "AKS" - ], + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", - "waf": "Cost" + "subcategory": "Security Audits and Penetration Testing", + "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", + "waf": "Security" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (tags != '{}')", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", + "services": [], + 
"severity": "Low", + "subcategory": "Infrastructure Deployment", + "text": "Azure AI Services are properly tagged for better management", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "WAF checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "services": [ - "WAF", - "VM", - "LoadBalancer" - ], - "severity": "Medium", - "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.", - "waf": "Cost" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", + "services": [], + "severity": "Low", + "subcategory": "Infrastructure Deployment", + "text": "Azure AI Service accounts follows organizational naming conventions", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Diagnostics Logging", + "text": "Diagnostic logs in Azure AI services resources should be enabled", + "waf": "Operational Excellence" + }, + { + "category": "Identity and Access Management", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or 
type == 'microsoft.search/searchservices' | project id, compliant = (properties.disableLocalAuth == true)", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", "services": [ - "WAF" + "Entra" ], - "severity": "Medium", - "text": "Functions - Reuse connections", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Cost" + "severity": "High", + "subcategory": "Entra ID based access", + "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "services": [ - "WAF" + "AKV", + "Entra" ], - "severity": "Medium", - "text": "Functions - Cache data locally", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Cost" + "severity": "High", + "subcategory": "Secure Key Management", + "text": "Store and manage keys securely using Azure Key Vault. 
Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "services": [ - "WAF", - "Storage" + "AKV" ], - "severity": "Medium", - "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Cost" + "severity": "High", + "subcategory": "Key Rotation and Expiration", + "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", "services": [ - "WAF" + "Cost" ], - "severity": "Medium", - "text": "Functions - Keep your functions warm", - "training": 
"https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Cost" + "severity": "High", + "subcategory": "Token Optimization", + "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Secure coding practice", + "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", + "waf": "Security" + }, + { + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Patching and updates", + "text": "Setup a process to regularly update and patch the LLM libraries and other system components", + "waf": "Security" + }, + { + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", "services": [ - "WAF" + "AzurePolicy" ], - "severity": "Medium", - "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate 
consumption plan (and consider higher plan for CPU)", - "waf": "Cost" + "severity": "High", + "subcategory": "Governance", + "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", "services": [ - "WAF" + "Cost" ], "severity": "Medium", - "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", - "waf": "Cost" + "subcategory": "Cost familiarization", + "text": "Understand difference in cost of base models and fine tuned models and token step sizes", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "services": [ - "WAF" + "Cost" ], - "severity": "Medium", - "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). 
The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Cost" + "severity": "High", + "subcategory": "Batch processing", + "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size", + "waf": "Cost Optimization" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", "services": [ - "WAF", - "FrontDoor", - "EventHubs" + "Monitor", + "Cost" ], "severity": "Medium", - "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.", - "waf": "Cost" + "subcategory": "Cost monitoring", + "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", + "waf": "Cost Optimization" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", "services": [ - "WAF", - "AppSvc", - "FrontDoor" + "Cost" ], "severity": "Medium", - "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.", - "waf": "Cost" + "subcategory": "Token limit", + "text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). 
Optimize the size to ensure it is large enough for a valid response", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Consider archiving tiers for less used data", - "waf": "Cost" + "subcategory": "AI Search Vector Limits", + "text": "Plan and manage AI Search Vector storage", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", "services": [ - "WAF" + "ACR" ], "severity": "Medium", - "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing", - "waf": "Cost" + "subcategory": "DevOps", + "text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning & experimentation. 
Apply LLMOps practices to automate the lifecycle management of your GenAI applications", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", "services": [ - "WAF" + "Storage", + "Cost" ], + "severity": "High", + "subcategory": "Costing Model", + "text": "Evaluate usage of billing models - PAYG vs PTU. Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version", + "waf": "Cost Optimization" + }, + { + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Consider using standard SSD rather than Premium or Ultra where possible", - "waf": "Cost" + "subcategory": "DevOps", + "text": "Evaluate the quality of prompts and applications when switching between model versions", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", "services": [ - "WAF", - "Storage" + "Monitor" ], "severity": "Medium", - "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", - "waf": "Cost" + "subcategory": "Development", + "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence and fluency", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "services": [ - "WAF", - "ASR" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", - "waf": "Cost" + "subcategory": "Development", + "text": "Evaluate your Azure AI Search results based on different search parameters", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "services": [ - "WAF", - 
"Storage" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Storage accounts: check hot tier and/or GRS necessary", - "waf": "Cost" + "subcategory": "Development", + "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "services": [ - "WAF" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", - "waf": "Cost" + "subcategory": "Development", + "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "services": [ - "WAF", - "Monitor", - "Cost", - "EventHubs" - ], + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + 
"link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", - "waf": "Cost" + "subcategory": "Security Audits and Penetration Testing", + "text": "Red team your GenAI applications", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "services": [ - "WAF", - "Storage", - "Cost" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Export cost data to a storage account for additional data analysis.", - "waf": "Cost" + "subcategory": "End user feedback", + "text": "Provide end users with scoring options for LLM responses and track these scores. 
", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "services": [ - "WAF", - "SQL", "Cost" ], - "severity": "Medium", - "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", - "waf": "Cost" + "severity": "High", + "subcategory": "Quota Management", + "text": "Consider Quota management practices. Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", "services": [ - "WAF" + "APIM", + "LoadBalancer", + "ACR", + "Entra" ], "severity": "Medium", - "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", - "waf": "Cost" + "subcategory": "Load Balancing", + "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions", + "waf": "Operational Excellence" }, { - "arm-service": 
"Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc411", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-studio#import-training-data-from-azure-blob-store", + "service": "Azure OpenAI", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Create multiple Apache Spark pool definitions of various sizes.", - "waf": "Cost" - }, + "subcategory": "Fine tuning", + "text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed", + "waf": "Reliability" + }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest", + "service": "Azure OpenAI", "services": [ - "WAF", - "Cost" + "Monitor" ], "severity": "Medium", - "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + 
"subcategory": "Monitoring", + "text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", + "service": "Azure OpenAI", "services": [ - "WAF", - "VM", - "Cost" + "Monitor" ], "severity": "Medium", - "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Monitor provision-managed utilization if you're using the provisioned throughput payment model", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "services": [ - "WAF", - "VM" - ], + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc414", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/content-filters", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Right-sizing all VMs", - "waf": "Cost" + "subcategory": "Content Safety", + "text": "Tune content filters to minimize false positives from overly aggressive filters", + "waf": "Reliability" }, { - 
"arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc415", + "link": "https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest", + "service": "Azure OpenAI", "services": [ - "WAF", - "VM" + "AKV" ], "severity": "Medium", - "text": "Swap VM sized with normalized and most recent sizes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "subcategory": "Key Management", + "text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' and kind =~ 'contentsafety' | project id, compliant = 1", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "Azure OpenAI", "services": [ - "WAF", - "Monitor", - "VM" + "LoadBalancer" ], "severity": "Medium", - "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "subcategory": "Jailbreak protection", + "text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks", 
+ "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "services": [ - "WAF", - "VM" - ], + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Containerizing an application can improve VM density and save money on scaling it", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Cost" + "subcategory": "Quota exhaustion", + "text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a9", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", "service": "Azure OpenAI", "services": [ - "WAF" + "Cost" ], - "severity": "High", - "text": "Follow Metaprompting guardrails for resonsible AI", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "Cost estimation", + "text": "Develop your cost model, considering prompt sizes. 
Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model",
+ "waf": "Cost Optimization"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
- "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a1",
+ "link": "https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/",
  "service": "Azure OpenAI",
  "services": [
- "WAF",
- "Entra",
- "APIM"
+ "Cost"
  ],
- "severity": "High",
- "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging",
- "waf": "Operational Excellence"
+ "severity": "Medium",
+ "subcategory": "Model selection",
+ "text": "Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. 
Optimize costs while still achieving the desired application performance",
+ "waf": "Cost Optimization"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
  "service": "Azure OpenAI",
  "services": [
- "WAF",
- "Monitor"
+ "Cost"
  ],
- "severity": "High",
- "text": "Enable monitoring for your AOAI instances",
- "waf": "Operational Excellence"
+ "severity": "Medium",
+ "subcategory": "Usage Optimization",
+ "text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. 
The cost for generating 100 images is the same as the cost for 1 image",
+ "waf": "Cost Optimization"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a3",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
  "service": "Azure OpenAI",
  "services": [
- "WAF",
- "AKV",
- "Monitor",
- "Subscriptions"
+ "Cost"
  ],
- "severity": "High",
- "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour",
- "waf": "Operational Excellence"
+ "severity": "Medium",
+ "subcategory": "Usage Optimization",
+ "text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee",
+ "waf": "Cost Optimization"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
  "service": "Azure OpenAI",
  "services": [
- "WAF",
- "Monitor"
+ "Cost"
  ],
- "severity": "High",
- "text": "Monitor token usage to prevent service disruptions due to capacity",
- "waf": "Operational Excellence"
+ "severity": "Medium",
+ "subcategory": "Token Optimization",
+ "text": "Create concise prompts that provide enough context for the model to generate a useful 
response. Also ensure that you optimize the limit of the response length.",
+ "waf": "Cost Optimization"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219",
+ "link": "https://learn.microsoft.com/azure/ai-services/create-account-bicep",
  "service": "Azure OpenAI",
- "services": [
- "WAF",
- "Monitor"
- ],
+ "services": [],
  "severity": "Medium",
- "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit",
+ "subcategory": "IaC",
+ "text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models",
  "waf": "Operational Excellence"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
- "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5855",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/openai",
  "service": "Azure OpenAI",
- "services": [
- "WAF",
- "APIM"
- ],
- "severity": "Low",
- "text": "Enable and configure Diagnostics for the Azure OpenAI Service. 
If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Development",
+ "text": "Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups",
  "waf": "Operational Excellence"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
- "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
- "service": "Azure OpenAI",
+ "category": "Security",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.",
+ "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e",
+ "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention",
+ "query": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend exportPolicyStatus = properties.policies.exportPolicy.status | extend compliant = iif(exportPolicyStatus =~ 'Disabled', true, false) | project acrName, acrId, exportPolicyStatus, compliant",
+ "service": "ACR",
  "services": [
- "WAF"
+ "ACR"
  ],
  "severity": "High",
- "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources",
- "waf": "Operational Excellence"
+ "subcategory": "Data Protection",
+ "text": "Disable Azure Container Registry image export",
+ "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "4350d092-d234-4292-a752-8537a551c5bf",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
- "service": "Azure OpenAI",
+
"category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", + "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", + "service": "ACR", "services": [ - "WAF", - "Entra" + "AzurePolicy", + "ACR" ], "severity": "High", - "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", + "subcategory": "Data Protection", + "text": "Enable Azure Policies for Azure Container Registry", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", + "guid": "d345293c-7639-4637-a551-c5c04e401955", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", + "service": "ACR", "services": [ - "WAF" + "AKV", + "ACR" ], "severity": "High", - "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.",
- "waf": "Operational Excellence"
+ "subcategory": "Data Protection",
+ "text": "Sign and Verify containers with notation (Notary v2)",
+ "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "68889535-e327-4897-b31b-67d67be5962a",
- "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
- "service": "Azure OpenAI",
+ "category": "Security",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.",
+ "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend encryptionStatus = properties.encryption.status | extend compliant = iif(encryptionStatus == 'disabled', false, true) | project acrName, acrId, encryptionStatus, compliant",
+ "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49",
+ "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys",
+ "service": "ACR",
  "services": [
- "WAF"
+ "AKV",
+ "ACR"
  ],
- "severity": "High",
- "text": "Evaluate usage of Provisioned throughput model ",
- "waf": "Performance"
+ "severity": "Medium",
+ "subcategory": "Data Protection",
+ "text": "Encrypt registry with a customer managed key",
+ "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
- "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
- "service": "Azure OpenAI",
+ "category": "Security",
+ "checklist": "Azure Container 
Registry Security Review", + "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", + "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", "services": [ - "WAF" + "Entra", + "RBAC", + "ACR" ], "severity": "High", - "text": "Review and implement Azure AI content safety", - "waf": "Operational Excellence" + "subcategory": "Identity and Access Control", + "text": "Use Managed Identities to connect instead of Service Principals", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead",
+ "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant",
+ "guid": "be0e38ce-e297-411b-b363-caaab79b198d",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
+ "service": "ACR",
  "services": [
- "WAF"
+ "Entra",
+ "RBAC",
+ "ACR"
  ],
  "severity": "High",
- "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements",
- "waf": "Performance"
+ "subcategory": "Identity and Access Control",
+ "text": "Disable local authentication for management plane access",
+ "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
- "service": "Azure OpenAI",
+ "category": "Security",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations",
+ "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant",
+ "guid": "387e5ced-126c-4d13-8af5-b20c6998a646",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli",
+ "service": "ACR",
  "services": [
- "WAF"
+ "Entra",
+ "RBAC",
+ "ACR"
  ],
-
"severity": "Medium", - "text": "Improve latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner", - "waf": "Performance" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Disable anonymous pull/push access", + "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend compliant = iif(properties.anonymousPullEnabled == false, true, false) | project compliant, name, id, tags | distinct id, compliant", + "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", + "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", + "service": "ACR", "services": [ - "WAF", - "ServiceBus", - "Storage" + "Entra", + "ACR" ], "severity": "Medium", - "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. 
For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
- "waf": "Performance"
+ "subcategory": "Identity and Access Control",
+ "text": "Disable Anonymous pull access",
+ "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "5bda4332-4f24-4811-9331-82ba51752694",
- "link": "https://github.com/Azure/azure-openai-benchmark/",
- "service": "Azure OpenAI",
+ "category": "Security",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Token authentication doesn't support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token",
+ "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli",
+ "service": "ACR",
  "services": [
- "WAF"
+ "Entra",
+ "ACR"
  ],
  "severity": "High",
- "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
- "service": "Azure OpenAI",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. 
Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
- "waf": "Performance"
+ "subcategory": "Identity and Access Control",
+ "text": "Disable repository-scoped access tokens",
+ "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
- "service": "Azure OpenAI",
+ "category": "Security",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network",
+ "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee",
+ "service": "ACR",
  "services": [
- "WAF"
+ "Entra",
+ "PrivateLink",
+ "EventHubs",
+ "ACR"
  ],
  "severity": "High",
- "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity",
- "waf": "Performance"
+ "subcategory": "Identity and Access Control",
+ "text": "Deploy images from a trusted environment",
+ "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
- "link": "https://github.com/Azure/azure-openai-benchmark/",
- "service": "Azure OpenAI",
+ "category": "Security",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR",
+ "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy",
+ "service": "ACR",
  "services": [
- "WAF"
+ "Entra",
+ "AzurePolicy",
+ "ACR"
  ],
  "severity": "Medium",
- "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
- "waf": "Performance"
+ "subcategory": "Identity and Access Control",
+ "text": "Disable Azure ARM audience tokens for authentication",
+ "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
- "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
- "service": "Azure OpenAI",
+ "category": "Security",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.",
+ "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6",
+ "link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
+ "service": "ACR",
  "services": [
- "WAF",
+ "Entra",
+ "Monitor",
  "ACR"
  ],
- "severity": "Low",
- "text": "Deploy multiple OAI instances across regions",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Logging and Monitoring",
+ "text": "Enable diagnostics logging",
+ "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
- "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
- "service": "Azure OpenAI",
+ "category": "Security",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch",
+ "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
+ "service": "ACR",
  "services": [
- "WAF",
- "Entra",
- "APIM"
- ],
- "severity": "High",
- "text": "Implement retry & healthchecks with Gateway pattern like APIM",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
- "service": "Azure OpenAI",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Ensure having adequate quotas of TPM & RPM for the workload",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": 
"ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", - "services": [ - "WAF" + "PrivateLink", + "Firewall", + "VNet", + "ACR" ], "severity": "Medium", - "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", - "waf": "Operational Excellence" + "subcategory": "Network Security", + "text": "Control inbound network access with Private Link", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Disable public network access if inbound network access is secured using Private Link", + "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | where sku.name =~ 'Premium' // Check for Premium SKU | extend publicAccessEnabled = properties.publicNetworkAccess | extend defaultAction = tostring(properties.networkRuleSet.defaultAction) // Extract defaultAction | extend compliant = iif(publicAccessEnabled != 'Enabled' or defaultAction == 'Deny', true, false) | project name, id, publicAccessEnabled, defaultAction, compliant", + "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", + "service": "ACR", "services": [ - "WAF", + "PrivateLink", "ACR" ], "severity": "Medium", - "text": "Deploy separate fine tuned models across regions if finetuning is employed", - "waf": "Reliability" + "subcategory": "Network Security", + "text": "Disable Public Network access", + "waf": "Security" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Only the ACR Premium SKU supports Private Link access", + "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend skuName = sku.name // Extract the SKU name | extend compliant = iif(skuName == 'Premium', true, false) // Check if SKU is Premium | project name, id, skuName, compliant", + "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", + "service": "ACR", "services": [ - "WAF", - "Backup", - "ASR" + "PrivateLink", + "ACR" ], "severity": "Medium", - "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. 
Leverage Azure's backup and disaster recovery services to protect your data.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
- "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
- "service": "Azure OpenAI",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "Azure AI search service tiers should be choosen to have a SLA ",
- "waf": "Reliability"
+ "subcategory": "Network Security",
+ "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)",
+ "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
- "link": "https://learn.microsoft.com/purview/purview",
- "service": "Azure OpenAI",
+ "category": "Security",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities",
+ "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
+ "service": "ACR",
  "services": [
- "WAF"
+ "Defender",
+ "ACR"
  ],
  "severity": "Low",
- "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
+ "subcategory": "Network Security",
+ "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities",
  "waf": "Security"
  },
  {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
- "service": "Azure OpenAI",
+
"category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", + "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", + "service": "ACR", "services": [ - "WAF" + "ACR" ], - "severity": "High", - "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", + "severity": "Medium", + "subcategory": "Vulnerability Management", + "text": "Deploy validated container images", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", + "guid": "4e401955-387e-45ce-b126-cd132af5b20c", + "service": "ACR", "services": [ - "WAF", "ACR" ], "severity": "High", - "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", + "subcategory": "Vulnerability Management", + "text": "Use up-to-date platforms, languages, protocols and frameworks", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", + "guid": 
"ba7da7be-9951-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", + "service": "Azure Data Explorer", "services": [ - "WAF", - "RBAC" + "Storage", + "Cost" ], - "severity": "High", - "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities", - "waf": "Security" + "subcategory": "Replication", + "text": "Leverage External Tables and Continuous data export overview to reduce costs", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. 
If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", + "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", + "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", + "service": "Azure Data Explorer", "services": [ - "WAF" + "Storage" ], - "severity": "Medium", - "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", - "waf": "Security" + "subcategory": "Replication", + "text": "To share data, explore Leader-follower cluster configuration", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", + "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", + "service": "Azure Data Explorer", "services": [ - "WAF", - "Monitor", - "Sentinel", - "Defender" + "ASR" ], - "severity": "High", - "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response", - "waf": "Security" + "subcategory": "Replication", + "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "436b0635-cb45-4e57-a603-324ace8cc123", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", + "service": "Azure Data Explorer", "services": [ - "WAF", - "AzurePolicy" + "RBAC", + "Storage" ], - "severity": "Medium", - "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities", - "waf": "Security" + "subcategory": "Replication", + "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Implement Prompt shields and groundedness detection using Content Safety ", - "waf": "Operational Excellence" + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", + "service": "Azure Data Explorer", + "services": [], + "subcategory": "Replication", + "text": "Ingest data into each cluster in parallel", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is also called 'always-on'. 
For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", + "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", + "service": "Azure Data Explorer", "services": [ - "WAF" + "ACR" ], - "severity": "High", - "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.", - "waf": "Security" + "subcategory": "DR Configuration", + "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. The cluster SKU must be the same across regions.", + "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", + "service": "Azure Data Explorer", "services": [ - "WAF" + "ACR" ], - "severity": "Medium", - "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. 
Encourage them to follow data security protocols diligently.", - "waf": "Security" + "subcategory": "DR Configuration", + "text": "For critical applications, create Active-Active configuration in two paired regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.", - "waf": "Security" + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", + "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", + "service": "Azure Data Explorer", + "services": [], + "subcategory": "DR Configuration", + "text": "For applications, which required only read during failure, create Active-Hot standby configuration", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", + "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", + "service": "Azure Data Explorer", "services": [ - "WAF" + "AzurePolicy", + "Storage", + "ASR", + "Cost" ], - "severity": "Medium", - "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. 
For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols", - "waf": "Security" + "subcategory": "DR Configuration", + "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "category": "Operations Management", + "checklist": "Azure Data Explorer Review Checklist", + "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", + "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", "services": [ - "WAF", - "RBAC", "AzurePolicy" ], - "severity": "Medium", - "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies", - "waf": "Security" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material", - "waf": "Security" + "subcategory": "IaC", + "text": "Wrap DevOps and source control around all your code", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "services": [ - "WAF", - "RBAC" - ], - "severity": "High", - "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements", - "waf": "Security" + "category": "Operations Management", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "services": [], + "subcategory": "IaC", + "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", - "services": [ - "WAF", - "PrivateLink" - ], - "severity": "High", - "text": "Configure private endpoint for AI services to restrict service access within your network", - "waf": "Security" + "category": "Operations Management", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", + "link": 
"https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "services": [], + "subcategory": "IaC", + "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "a96b96ad-8840-48f3-9273-4c876ba28021", + "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency", "services": [ - "WAF", - "Firewall", + "DNS", "VNet" ], "severity": "High", - "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", - "waf": "Security" + "subcategory": "Azure Private DNS", + "text": "Verify that Zones are linked to Vnets in multiple regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "45901465-d38e-453f-accb-d969266acca2", + "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency", "services": [ - "WAF" + "DNS" ], "severity": "High", - "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", - "waf": "Security" + "subcategory": "Azure Private DNS", + "text": "If different Zones are used between regions, verify a plan for making sure that Zones are up to date in a DR failover situation", + "waf": "Reliability" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "74faa19b-f39d-495d-94c7-c8919ca1f6d5", + "link": "https://learn.microsoft.com/azure/reliability/reliability-traffic-manager?toc=%2Fazure%2Fdns%2Ftoc.json", "services": [ - "WAF" + "TrafficManager", + "DNS", + "ASR" ], "severity": "Medium", - "text": "Use prompt compression tools like LLMLingua or gprtrim", - "waf": "Cost Optimization" + "subcategory": "Azure DNS", + "text": "Plan for disaster recovery with Azure DNS and Traffic Manager", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "315ae524-ba34-4d45-a5e1-2139bd7bb012", + "link": "https://learn.microsoft.com/azure/dns/private-resolver-reliability#availability-zones", "services": [ - "WAF", - "AKV", - "Entra" + "DNS" ], - "severity": "High", - "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Azure DNS Resolver", + "text": "Enable availability zones with Private Resolver", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": 
"https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "f7b95e06-e154-4e2a-a359-2828e6e20517", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", "services": [ - "WAF" + "DNS", + "ASR" ], "severity": "Medium", - "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", - "waf": "Security" + "subcategory": "Azure DNS Resolver", + "text": "Plan for failover with Private Resolvers in a Disaster Recovery", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "2676ae46-691e-4883-9ad9-42223e138105", + "link": "https://learn.microsoft.com/azure/reliability/reliability-virtual-machines?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json&tabs=graph", "services": [ - "WAF", - "Monitor" + "VM", + "DNS" ], "severity": "Medium", - "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. 
Enable logging to capture network events and facilitate forensic analysis in case of security incidents", - "waf": "Security" + "subcategory": "VM Based DNS Service", + "text": "Follow VM Guidance for resillency of VM", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "23081a94-1741-4583-9ff7-ad7c6d373316", + "link": "https://www.windows-active-directory.com/azure-ad-dns-for-custom-domain-names-with-advanced-dns-settings.html", "services": [ - "WAF" + "VM", + "DNS", + "Entra" ], "severity": "Medium", - "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", - "waf": "Security" + "subcategory": "VM Based DNS Service", + "text": "IF AD based DNS, follow the Identity -> Windows Server AD path", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", + "category": "Operations Management", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", + "services": [], + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "services": [], + "severity": "High", + "subcategory": "Availablity Zone", + "text": "Use zone redundant pipelines in regions that support Availability Zones", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", "services": [ - "WAF" + "Backup" ], - "severity": "Low", - "text": "Azure AI Services are properly tagged for better management", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "DevOps Integration", + "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "services": [ - "WAF" + "VM" ], - "severity": "Low", - "text": "Azure AI Service accounts follows organizational naming conventions", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "Network", + "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": 
"028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "services": [ - "WAF" + "VNet" ], - "severity": "High", - "text": "Diagnostic logs in Azure AI services resources should be enabled", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "Network", + "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", + "category": "Governance and Security", + "checklist": "Azure Data Factory Review Checklist", + "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", "services": [ - "WAF", + "AKV" + ], + "severity": "Low", + "subcategory": "Integration", + "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", + "waf": "Reliability" + }, + { + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", + "services": [ + "AVS", + "Subscriptions", "Entra" ], "severity": "High", - "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", + "subcategory": "Identity", + "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", "services": [ - "WAF", - "AKV", + "AVS", "Entra" ], - "severity": "High", - "text": "Store and manage keys securely using Azure Key Vault. 
Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", + "severity": "Medium", + "subcategory": "Identity", + "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "services": [ - "WAF", - "AKV" + "AVS", + "Entra" ], "severity": "High", - "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", + "subcategory": "Identity", + "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Entra" ], - "severity": "High", - "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", - "waf": "Cost Optimization" + "severity": "Medium", + "subcategory": "Identity", + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": 
"42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Entra" ], - "severity": "High", - "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", + "severity": "Medium", + "subcategory": "Identity", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Entra" ], "severity": "High", - "text": "Setup a process to regularly update and patch the LLM libraries and other system components", + "subcategory": "Identity", + "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "services": [ - "WAF", - "AzurePolicy" + "RBAC", + "AVS", + "Entra" ], - "severity": "High", - "text": "Adhere to Azure 
OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "Identity", + "text": "Has an RBAC model been created for use within VMware vSphere", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "services": [ - "WAF", - "Cost" + "RBAC", + "AVS", + "Entra" ], "severity": "Medium", - "text": "Understand difference in cost of base models and fine tuned models and token step sizes", - "waf": "Cost Optimization" + "subcategory": "Identity", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", "services": [ - "WAF", - "Cost" + "RBAC", + "AVS", + "Entra" ], "severity": "High", - "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. 
Ensure you optimize batch size", - "waf": "Cost Optimization" + "subcategory": "Identity", + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", "services": [ - "WAF", - "Monitor", - "Cost" + "RBAC", + "AVS", + "Entra" ], - "severity": "Medium", - "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", - "waf": "Cost Optimization" + "severity": "High", + "subcategory": "Identity", + "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "services": [ - "WAF" + "AVS" ], - "severity": "Medium", - "text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). 
Optimize the size to ensure it is large enough for a valid response", - "waf": "Cost Optimization" + "severity": "High", + "subcategory": "Architecture", + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", "services": [ - "WAF" + "AVS", + "VPN", + "NetworkWatcher", + "ExpressRoute", + "Monitor" ], - "severity": "Medium", - "text": "Review the guidance provided on setting up AI search for Reliability", - "waf": "Operational Excellence" + "severity": "High", + "subcategory": "Monitoring", + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "services": [ - "WAF", - "Storage" + "VM", + "AVS", + "NetworkWatcher", + "ExpressRoute", + "Monitor" ], "severity": "Medium", - "text": "Plan and manage AI Search Vector storage", - "waf": "Operational Excellence" + "subcategory": "Monitoring", + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "waf": 
"Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "services": [ - "WAF", - "ACR" + "VM", + "NetworkWatcher", + "AVS", + "Monitor" ], "severity": "Medium", - "text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning & experimentation. Apply LLMOps practices to automate the lifecycle management of your GenAI applications", - "waf": "Operational Excellence" + "subcategory": "Monitoring", + "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "services": [ - "WAF", - "Storage" + "AVS", + "ARS" ], "severity": "High", - "text": "Evaluate usage of billing models - PAYG vs PTU. 
Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version", - "waf": "Cost Optimization" + "subcategory": "Routing", + "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", "services": [ - "WAF" + "RBAC", + "AVS", + "Entra" ], - "severity": "Medium", - "text": "Evaluate the quality of prompts and applications when switching between model versions", - "waf": "Operational Excellence" + "severity": "High", + "subcategory": "Security (identity)", + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "services": [ - "WAF", - "Monitor" + "RBAC", + "AVS", + "Entra" ], - "severity": "Medium", - "text": "Evaluate, monitor and refine your GenAI apps for features like 
groundedness, relevance, accuracy, coherence and fluency", - "waf": "Operational Excellence" + "severity": "High", + "subcategory": "Security (identity)", + "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Entra" ], "severity": "Medium", - "text": "Evaluate your Azure AI Search results based on different search parameters", - "waf": "Operational Excellence" + "subcategory": "Security (identity)", + "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Entra" ], - "severity": "Medium", - "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", - "waf": "Operational Excellence" + "severity": "High", + "subcategory": "Security (identity)", + "text": "Limit use of CloudAdmin account to emergency access only", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "services": [ - "WAF" + "RBAC", + "AVS", + "Entra" ], "severity": "Medium", - "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", - "waf": "Operational Excellence" + "subcategory": "Security (identity)", + "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", + 
"category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Entra" ], "severity": "Medium", - "text": "Red team your GenAI applications", + "subcategory": "Security (identity)", + "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "services": [ - "WAF" + "VM", + "AVS", + "Entra" ], - "severity": "Medium", - "text": "Provide end users with scoring options for LLM responses and track these scores. ", - "waf": "Operational Excellence" + "severity": "High", + "subcategory": "Security (identity)", + "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", "services": [ - "WAF" - ], - "severity": "High", - "text": "Consider Quota management practices. 
Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called", - "waf": "Cost Optimization" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", - "services": [ - "ACR", - "WAF", - "LoadBalancer", - "Entra", - "APIM" + "AVS" ], "severity": "Medium", - "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions", - "waf": "Operational Excellence" + "subcategory": "Security (network)", + "text": "Is East-West traffic filtering implemented within NSX-T", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc411", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-studio#import-training-data-from-azure-blob-store", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", "services": [ - "WAF", - "Storage" + "AppGW", + "AVS", + "Firewall" ], - "severity": "Medium", - "text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed", - "waf": "Reliability" + "severity": "High", + "subcategory": "Security (network)", + "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. 
Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", "services": [ - "WAF", - "Monitor" + "AVS" ], - "severity": "Medium", - "text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments", - "waf": "Reliability" + "severity": "High", + "subcategory": "Security (network)", + "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "services": [ - "WAF", + "AVS", "Monitor" ], "severity": "Medium", - "text": "Monitor provision-managed utilization if you're using the provisioned throughput payment model", - "waf": "Reliability" + "subcategory": "Security (network)", + "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": 
"9de0d5d7-31d4-41e3-911c-817bfafbc414", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/content-filters", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", "services": [ - "WAF" + "AVS", + "VPN", + "DDoS", + "ExpressRoute", + "VNet" ], "severity": "Medium", - "text": "Tune content filters to minimize false positives from overly aggressive filters", - "waf": "Reliability" + "subcategory": "Security (network)", + "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc415", - "link": "https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "services": [ - "WAF", - "AKV" + "AVS" ], "severity": "Medium", - "text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI", + "subcategory": "Security (network)", + "text": "Use a dedicated privileged access 
workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", "services": [ - "WAF", - "LoadBalancer" + "AVS", + "Defender" ], "severity": "Medium", - "text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks", + "subcategory": "Security (guest/VM)", + "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Arc" ], "severity": "Medium", - "text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas", + "subcategory": "Security (guest/VM)", + "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a9", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", "services": [ - "WAF", - "Cost" + "AVS", + "SQL" ], - "severity": "Medium", - "text": "Develop your cost model, considering prompt sizes. Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model", - "waf": "Cost Optimization" + "severity": "Low", + "subcategory": "Security (guest/VM)", + "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a1", - "link": "https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", "services": [ - "WAF", - "Cost" + "AKV", + "AVS" ], - "severity": "Medium", - "text": "Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. 
Optimize costs while still achieving the desired application performance", - "waf": "Cost Optimization" + "severity": "Low", + "subcategory": "Security (guest/VM)", + "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "services": [ - "WAF", - "Cost" + "AVS" ], "severity": "Medium", - "text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. 
The cost for generating 100 images is the same as the cost for 1 image", - "waf": "Cost Optimization" + "subcategory": "Security (guest/VM)", + "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a3", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "services": [ - "WAF" + "AVS" ], - "severity": "Medium", - "text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee", - "waf": "Cost Optimization" + "severity": "High", + "subcategory": "Governance (platform)", + "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "services": [ - "WAF" + "AzurePolicy", + "Storage", + "AVS" ], - "severity": "Medium", - "text": "Create concise prompts that provide enough context for the model to generate a useful response. 
Also ensure that you optimize the limit of the response length.", - "waf": "Cost Optimization" + "severity": "High", + "subcategory": "Governance (platform)", + "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219", - "link": "https://learn.microsoft.com/azure/ai-services/create-account-bicep", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", "services": [ - "WAF" + "AVS", + "ASR" ], - "severity": "Medium", - "text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models", - "waf": "Operational Excellence" + "severity": "High", + "subcategory": "Governance (platform)", + "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "2744293b-b628-4537-a551-19b08e8f5855", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/openai", - "service": "Azure OpenAI", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "services": [ - "WAF" + "AVS" ], "severity": "Medium", - "text": "Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups", - "waf": "Operational Excellence" + "subcategory": "Governance (platform)", + "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party 
solutions.", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "services": [ - "WAF", - "AzurePolicy" + "AzurePolicy", + "AVS" ], "severity": "Medium", - "text": "Implement an error handling policy at the global level", + "subcategory": "Governance (platform)", + "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "services": [ - "WAF", - "AzurePolicy" + "AVS", + "Cost" ], "severity": "Medium", - "text": "Ensure all APIs policies include a element.", - "waf": "Operations" + "subcategory": "Governance (platform)", + "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", + "waf": "Cost" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", 
"services": [ - "WAF", - "ACR", - "AzurePolicy" + "AVS", + "Cost" ], - "severity": "Medium", - "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", - "waf": "Operations" + "severity": "Low", + "subcategory": "Governance (platform)", + "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", + "waf": "Cost" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "services": [ - "WAF" + "AVS" ], "severity": "Medium", - "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", - "waf": "Operations" + "subcategory": "Governance (platform)", + "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", "services": [ - "WAF", - "Monitor" + "AVS" ], "severity": "High", - "text": "Enable Diagnostics Settings to export logs to Azure Monitor", - "waf": "Operations" + "subcategory": "Governance (platform)", + "text": "Ensure all required resource reside within the same Azure availability zone(s)", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": 
"8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "services": [ - "WAF" + "VM", + "AVS", + "Defender" ], "severity": "Medium", - "text": "Enable Application Insights for more detailed telemetry", - "waf": "Operations" + "subcategory": "Governance (guest/VM)", + "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", "services": [ - "WAF", - "Monitor" + "VM", + "AVS", + "Arc" ], - "severity": "High", - "text": "Configure alerts on the most critical metrics", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Governance (guest/VM)", + "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", "services": [ - "WAF", - "AKV" + "AVS" ], "severity": 
"High", - "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "subcategory": "Governance (guest/VM)", + "text": "Enable Diagnostic and metric logging on Azure VMware Solution", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", "services": [ - "WAF", - "Entra" + "VM", + "AVS", + "Monitor" ], - "severity": "High", - "text": "Protect incoming requests to APIs (data plane) with Azure AD", - "waf": "Security" + "severity": "Medium", + "subcategory": "Governance (guest/VM)", + "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", "services": [ - "WAF", - "Entra" + "VM", + "AVS", + "AzurePolicy", + "Backup" ], "severity": "Medium", - "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", - "waf": "Security" + "subcategory": "Governance (guest/VM)", + "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "waf": 
"Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Monitor", + "Defender" ], "severity": "Medium", - "text": "Create appropriate groups to control the visibility of the products", + "subcategory": "Compliance", + "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Defender" ], "severity": "Medium", - "text": "Use Backends feature to eliminate redundant API backend configurations", - "waf": "Operations" + "subcategory": "Compliance", + "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", "services": [ - "WAF", - "AzurePolicy" + "AVS" ], - "severity": "Medium", - "text": "Use Named Values to store common 
values that can be used in policies", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "severity": "High", + "subcategory": "Compliance", + "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", + "waf": "Security" + }, + { + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", "services": [ - "WAF", - "ACR" + "AVS" ], - "severity": "Medium", - "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", - "waf": "Reliability" + "severity": "High", + "subcategory": "Compliance", + "text": "Are data processing implications (service provider / service consumer model) clear and documented", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "services": [ - "WAF" + "AVS" ], "severity": "Medium", - "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "services": [ - "WAF", - "Backup" + "AVS", + "Monitor" ], "severity": "High", - "text": "Ensure there is an automated backup routine", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", "services": [ - "WAF", - "AzurePolicy" + "AVS", + "Monitor" ], - "severity": "Medium", - "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Monitoring", + "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "waf": 
"Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", "services": [ - "WAF", - "AzurePolicy", - "EventHubs" + "AVS", + "Monitor" ], - "severity": "Low", - "text": "If you need to log at high performance levels, consider Event Hubs policy", + "severity": "High", + "subcategory": "Monitoring", + "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), 
set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 
0)", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "services": [ - "WAF", - "AzurePolicy" + "AVS", + "Monitor" ], - "severity": "Medium", - "text": "Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Performance" + "severity": "High", + "subcategory": "Monitoring", + "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "services": [ - "WAF" + "Storage", + "AVS", + "Monitor" ], "severity": "Medium", - "text": "Configure autoscaling to scale out the number of instances when the load increases", - "waf": "Performance" + "subcategory": "Monitoring", + "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Monitor" ], - "severity": "Medium", - "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", - "waf": "Performance" + "severity": "Low", + "subcategory": "Monitoring", + "text": "If 
deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "services": [ - "WAF" + "AzurePolicy", + "Storage", + "AVS", + "VM" ], - "severity": "Medium", - "text": "Use the premium tier for production workloads.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Operations", + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "services": [ - "WAF", - "AzurePolicy" + "AVS" ], "severity": "Medium", - "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", - "waf": "Reliability" + "subcategory": "Operations", + "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", "services": [ - "WAF", - "Entra", - "APIM" + "Storage", + "AVS", + "Backup" ], - "severity": "High", - "text": "Be aware of APIM's limits", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Operations", + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Arc" ], - "severity": "High", - "text": "Ensure that the self-hosted gateway deployments are resilient.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Operations", + "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "services": [ - "WAF", - "Entra", - "APIM", - "FrontDoor" + "AVS", + "Monitor" ], "severity": 
"Medium", - "text": "Use Azure Front Door in front of APIM for multi-region deployment", - "waf": "Performance" + "subcategory": "Operations", + "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "services": [ - "WAF", - "VNet" + "AVS" ], "severity": "Medium", - "text": "Deploy the service within a Virtual Network (VNet)", - "waf": "Security" + "subcategory": "Operations", + "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", "services": [ - "WAF", - "Monitor", - "Entra", - "APIM", - "VNet" + "AzurePolicy", + "AVS", + "Monitor" ], "severity": "Medium", - "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", - "waf": "Security" + "subcategory": "Operations", + "text": "Use 
Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", "services": [ - "WAF", - "PrivateLink", - "Entra", - "APIM", - "VNet" + "AVS", + "Defender" ], "severity": "Medium", - "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", + "subcategory": "Security", + "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Backup" ], - "severity": "High", - "text": "Disable Public Network Access", - "waf": "Security" + "severity": "Medium", + "subcategory": "Backup", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - 
"link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", "services": [ - "WAF" + "AVS", + "ASR" ], "severity": "Medium", - "text": "Simplify management with PowerShell automation scripts", - "waf": "Operations" + "subcategory": "Disaster Recovery", + "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "services": [ - "WAF", - "Entra", - "APIM" + "AVS", + "ASR" ], "severity": "Medium", - "text": "Configure APIM via Infrastructure-as-code. 
Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operations" + "subcategory": "Disaster Recovery", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "services": [ - "WAF", - "Entra", - "APIM" + "AVS", + "ASR" ], - "severity": "Medium", - "text": "Promote usage of Visual Studio Code APIM extension for faster API development", - "waf": "Operations" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "services": [ - "WAF" + "AVS", + "ASR" ], "severity": "Medium", - "text": "Implement DevOps and CI/CD in your workflow", - "waf": "Operations" + "subcategory": "Disaster Recovery", + "text": "Use the geopolitical region pair as the secondary disaster recovery environment", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", "services": [ - "WAF" + "AVS", + "ASR" ], - "severity": "Medium", - "text": "Secure APIs using client certificate authentication", - "waf": "Security" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "services": [ - "WAF" + "NVA", + "AVS", + "ASR", + "ExpressRoute" ], "severity": "Medium", - "text": "Secure backend services using client certificate authentication", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Backup" ], "severity": "Medium", - "text": "Review 'Recommendations to 
mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", - "waf": "Security" + "subcategory": "Business Continuity", + "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Backup" ], "severity": "Medium", - "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", - "waf": "Security" + "subcategory": "Business Continuity", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "services": [ - "WAF" + "AVS", + "Backup" ], - "severity": "High", - "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Business Continuity", + "text": "Deploy your backup solution outside of vSan, on Azure native components", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", "services": [ - "WAF", - "AKV" + "AVS" ], - "severity": "High", - "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "severity": "Low", + "subcategory": "Business Continuity", + "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", "services": [ - "WAF", - "Entra" + "AVS" ], - "severity": "Medium", - "text": "Use managed identities to authenticate to other Azure resources whenever possible", - "waf": "Security" + "severity": "Low", + "subcategory": "Deployment strategy", 
+ "text": "For manual deployments, all configuration and deployments must be documented", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", "services": [ - "WAF", - "Entra", - "APIM", - "AppGW" + "AVS" ], - "severity": "High", - "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", - "waf": "Security" + "severity": "Low", + "subcategory": "Deployment strategy", + "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", "services": [ - "WAF", - "AKV", - "FrontDoor" + "AVS" ], - "severity": 
"Medium", - "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal.", + "severity": "Low", + "subcategory": "Automated Deployment", + "text": "For automated deployments, deploy a minimal private cloud and scale as needed", "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design 
Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", "services": [ - "WAF", - "FrontDoor", - "AzurePolicy" + "AVS" ], - "severity": "Medium", - "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "Low", + "subcategory": "Automated Deployment", + "text": "For automated deployments, request or reserve quota prior to starting the deployment", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", "services": [ - "WAF", - "AppGW", "AzurePolicy", - "FrontDoor" + "AVS" ], - "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "Low", + "subcategory": "Automated Deployment", + "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", "services": [ - "WAF", - "FrontDoor", - "AzurePolicy" + "AKV", + "AVS" ], - "severity": "High", - "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", - "waf": "Security" + "severity": "Low", + "subcategory": "Automated Connectivity", + "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF 
checklist", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", "services": [ - "WAF", - "TrafficManager", - "FrontDoor", - "EventHubs" + "AKV", + "AVS", + "ExpressRoute" ], - "severity": "High", - "text": "Avoid placing Traffic Manager behind Front Door.", - "waf": "Security" + "severity": "Low", + "subcategory": "Automated Connectivity", + "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "AVS" ], - "severity": "High", - "text": "Use the same domain 
name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", - "waf": "Security" + "severity": "Low", + "subcategory": "Automated Connectivity", + "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "AVS" ], "severity": "Low", - "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", - "waf": "Performance" + "subcategory": "Automated Connectivity", + "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "waf": "Operations" }, { - "arm-service": 
"microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "AVS", + "Subscriptions" ], "severity": "Medium", - "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", - "waf": "Reliability" + "subcategory": "Automated Scale", + "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "AzurePolicy", + "Storage", + "AVS" ], - "severity": "Low", - "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "severity": "Medium", + "subcategory": "Automated Scale", + "text": "When intending to use automated 
scale-in, be sure to take storage policy requirements into account before performing such action", "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "services": [ - "WAF", - "AKV", - "FrontDoor", - "Cost" + "AVS" ], - "severity": "High", - "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Automated Scale", + "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "AVS" ], "severity": "Medium", - "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + 
"category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "AVS" ], - "severity": "High", - "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Automated Scale", + "text": "Define and enforce scale in/out maximum limits for your environment in the automations", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "category": "Platform Automation", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "AVS", + "Monitor" ], "severity": "Medium", - "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", - "waf": "Security" + "subcategory": "Automated Scale", + "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", + "category": "Migration", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "VM", + "AVS" ], "severity": "High", - "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", - "waf": "Security" + "subcategory": "Architecture", + "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", + "category": "Migration", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "AVS" ], "severity": "High", - "text": "Tune the Azure Front Door WAF for your 
workload by configuring the WAF in Detection mode to reduce and fix false positive detections.", - "waf": "Security" + "subcategory": "Architecture", + "text": "When using MON, you cannot enable MON on more than 100 Network extensions", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", + "category": "Migration", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "services": [ - "WAF", - "FrontDoor", - "AzurePolicy" + "AVS", + "VPN" ], - "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Networking", + "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", + "category": "Migration", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "AVS" ], - "severity": "High", - "text": "Enable the Azure Front Door WAF default rule sets. 
The default rule sets detect and block common attacks.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Networking", + "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", + "category": "Migration", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "AVS" ], - "severity": "High", - "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Process", + "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", + "category": "Data Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "VM", + "Storage", + "AVS" ], "severity": "Medium", - "text": "Use the latest Azure Front Door WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", - "waf": "Security" + "subcategory": "Architecture", + "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", + "category": "Data Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "Storage", + "AVS", + "ExpressRoute" ], "severity": "Medium", - "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", - "waf": "Security" + "subcategory": "Architecture", + "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "category": "Data Storage", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "services": [ - "WAF", - "FrontDoor" + "Storage", + "AVS", + "ExpressRoute" ], "severity": "Medium", - "text": "Use a high threshold for Azure Front Door WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure.", - "waf": "Security" + "subcategory": "Architecture", + "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", + "category": "Stretched Cluster", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", "services": [ - "WAF" + "AVS", + "ASR" ], - "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", - "waf": "Security" + "severity": "High", + "subcategory": "Architecture", + "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "category": "Stretched Cluster", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", "services": [ - "WAF", - 
"FrontDoor" + "AVS" ], - "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", - "waf": "Security" + "severity": "High", + "subcategory": "Architecture", + "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", + "category": "Stretched Cluster", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", "services": [ - "WAF", - "Monitor" + "AVS", + "ExpressRoute" ], - "severity": "Medium", - "text": "Capture logs and metrics by turning on Diagnostic Settings. Include resource activity logs, access logs, health probe logs, and WAF logs. 
Set up alerts.", - "waf": "Operations" + "severity": "High", + "subcategory": "Architecture", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", + "category": "Stretched Cluster", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", + "services": [ + "AVS", + "ExpressRoute" + ], + "severity": "High", + "subcategory": "Architecture", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "waf": "Reliability" + }, + { + "category": "Stretched Cluster", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "services": [ + "AVS" + ], + "severity": "High", + "subcategory": "Architecture", + "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerregistry/registries", "checklist": "WAF checklist", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "description": "Disable image export to prevent data exfiltration. 
Note that this will prevent image import of images into another ACR instance.", + "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", + "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", + "query": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend exportPolicyStatus = properties.policies.exportPolicy.status | extend compliant = iif(exportPolicyStatus =~ 'Disabled', true, false) | project acrName, acrId, exportPolicyStatus, compliant", + "service": "ACR", "services": [ "WAF", - "Sentinel", - "FrontDoor" + "ACR" ], - "severity": "Medium", - "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "severity": "High", + "text": "Disable Azure Container Registry image export", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", + "arm-service": "microsoft.containerregistry/registries", "checklist": "WAF checklist", - "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", - "service": "Front Door", + "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", + "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", + "service": "ACR", "services": [ + "AzurePolicy", "WAF", - "Backup" + "ACR" ], - "severity": "Medium", - "text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. 
Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.", - "waf": "Reliability" + "severity": "High", + "text": "Enable Azure Policies for Azure Container Registry", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", + "arm-service": "microsoft.containerregistry/registries", "checklist": "WAF checklist", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", - "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", - "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", - "service": "Front Door", + "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", + "guid": "d345293c-7639-4637-a551-c5c04e401955", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", + "service": "ACR", "services": [ - "WAF" + "AKV", + "WAF", + "ACR" ], "severity": "High", - "text": "Support redundancy by having multiple origins in one or more back-end pools. 
Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. You can place those origins in one or more back-end pools.",
- "waf": "Reliability"
+ "text": "Sign and Verify containers with notation (Notary v2)",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "999852be-2137-4179-8fc3-30d1df6fed1d",
- "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps",
- "service": "Front Door",
+ "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.",
+ "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend encryptionStatus = properties.encryption.status | extend compliant = iif(encryptionStatus == 'disabled', false, true) | project acrName, acrId, encryptionStatus, compliant",
+ "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49",
+ "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys",
+ "service": "ACR",
 "services": [
+ "AKV",
 "WAF",
- "FrontDoor"
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. 
You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout.",
- "waf": "Reliability"
+ "text": "Encrypt registry with a customer managed key",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6",
- "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity",
- "service": "Front Door",
+ "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications",
+ "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
+ "service": "ACR",
 "services": [
- "WAF"
+ "RBAC",
+ "WAF",
+ "ACR",
+ "Entra"
 ],
- "severity": "Medium",
- "text": "Decide if your application requires session affinity. If you have high reliability requirements, we recommend that you disable session affinity.",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Use Managed Identities to connect instead of Service Principals",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7",
- "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header",
- "service": "Front Door",
+ "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead",
+ "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant",
+ "guid": "be0e38ce-e297-411b-b363-caaab79b198d",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
+ "service": "ACR",
 "services": [
+ "RBAC",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Send the host header to the back end. The back-end services should be aware of the host name so that they can create rules to accept traffic only from that host.",
+ "severity": "High",
+ "text": "Disable local authentication for management plane access",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "81a5398a-2414-450f-9fc3-e048bc65784c",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
- "service": "Front Door",
+ "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations",
+ "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant",
+ "guid": "387e5ced-126c-4d13-8af5-b20c6998a646",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli",
+ "service": "ACR",
+ "services": [
+ "RBAC",
+ "WAF",
+ "ACR",
+ "Entra"
+ ],
+ "severity": "High",
+ "text": "Assign AcrPull & AcrPush RBAC roles rather than granting 
Administrative access to identity principals",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "WAF checklist",
+ "description": "Disable anonymous pull/push access",
+ "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend compliant = iif(properties.anonymousPullEnabled == false, true, false) | project compliant, name, id, tags | distinct id, compliant",
+ "guid": "e338997e-41c7-47d7-acf6-a62a1194956d",
+ "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access",
+ "service": "ACR",
 "services": [
 "WAF"
 ],
 "severity": "Medium",
- "text": "Use caching for endpoints that support it.",
- "waf": "Cost"
+ "text": "Disable Anonymous pull access",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant",
- "guid": "34069d73-e4de-46c5-a36f-625f87575a56",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
- "service": "Front Door",
+ "description": "Token authentication doesn't 
support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token",
+ "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli",
+ "service": "ACR",
 "services": [
 "WAF",
- "FrontDoor"
+ "Entra"
 ],
- "severity": "Low",
- "text": "Disable health checks in single back-end pools. If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary. This is only recommended if you can't have multiple origins in your endpoint.",
- "waf": "Cost"
+ "severity": "High",
+ "text": "Disable repository-scoped access tokens",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "c92d6786-cdd1-444d-9cad-934a192a276a",
- "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports",
- "service": "Front Door",
+ "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network",
+ "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee",
+ "service": "ACR",
 "services": [
+ "EventHubs",
+ "PrivateLink",
 "WAF",
- "Storage",
- "FrontDoor"
+ "ACR"
 ],
- "severity": "Medium",
- "text": "We recommend using the Premium Tier for leveraging the Security reports while the Standard Azure Front Door Profile provides only traffic reports under built-in analytics/reports.",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Deploy images from a trusted environment",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain",
- "service": "Front Door",
+ "description": "Only tokens with an ACR audience can be 
used for authentication. Used when enabling Conditional access policies for ACR",
+ "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy",
+ "service": "ACR",
 "services": [
+ "AzurePolicy",
 "WAF",
- "AKV"
+ "ACR",
+ "Entra"
 ],
 "severity": "Medium",
- "text": "Use wildcard TLS certificates when possible.",
- "waf": "Operations"
+ "text": "Disable Azure ARM audience tokens for authentication",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
- "service": "Front Door",
+ "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the ACR resource itself.",
+ "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6",
+ "link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
+ "service": "ACR",
 "services": [
+ "Monitor",
 "WAF",
- "FrontDoor"
+ "ACR",
+ "Entra"
 ],
 "severity": "Medium",
- "text": "Optimize your application query string for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. 
Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.",
- "waf": "Performance"
+ "text": "Enable diagnostics logging",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece",
- "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression",
- "service": "Front Door",
+ "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch",
+ "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
+ "service": "ACR",
 "services": [
- "WAF",
- "Storage"
+ "PrivateLink",
+ "Firewall",
+ "VNet",
+ "WAF"
 ],
 "severity": "Medium",
- "text": "Use file compression when you're accessing downloadable content.",
- "waf": "Performance"
+ "text": "Control inbound network access with Private Link",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant",
- "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243",
- "link": "https://learn.microsoft.com/azure/cdn/tier-migration",
- "service": "Front Door",
+ "description": "Disable public network access if inbound network access is secured using Private Link",
+ "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | where sku.name =~ 'Premium' // Check for Premium SKU | extend publicAccessEnabled = properties.publicNetworkAccess | extend defaultAction = 
tostring(properties.networkRuleSet.defaultAction) // Extract defaultAction | extend compliant = iif(publicAccessEnabled != 'Enabled' or defaultAction == 'Deny', true, false) | project name, id, publicAccessEnabled, defaultAction, compliant",
+ "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access",
+ "service": "ACR",
 "services": [
- "WAF",
- "FrontDoor"
+ "PrivateLink",
+ "WAF"
 ],
- "severity": "High",
- "text": "Consider migrating to Standard or Premium SKU if you are using Classic Azure Front Door currently as Classic Azure Front Door will be deprecated by March 2027.",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Disable Public Network access",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "67c33697-15b1-4752-aeee-0b9b588defc4",
- "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery",
- "service": "Front Door",
+ "description": "Only the ACR Premium SKU supports Private Link access",
+ "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend skuName = sku.name // Extract the SKU name | extend compliant = iif(skuName == 'Premium', true, false) // Check if SKU is Premium | project name, id, skuName, compliant",
+ "guid": "fc833934-8b26-42d6-ac5f-512925498f6d",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus",
+ "service": "ACR",
 "services": [
+ "PrivateLink",
 "WAF",
- "TrafficManager",
- "Storage",
- "FrontDoor"
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Consider using Traffic Manager load balancing Azure Front Door and a third party CDN provider CDN profile for mission critical high availability scenario. 
",
- "waf": "Reliability"
+ "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance",
- "service": "Front Door",
+ "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities",
+ "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
+ "service": "ACR",
 "services": [
 "WAF",
- "AppSvc",
- "FrontDoor"
+ "ACR",
+ "Defender"
 ],
- "severity": "High",
- "text": "When using Front Door with origin as App services, consider locking down the traffic to app services only through Azure Front Door using access restrictions. 
",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.DBforMySQL/servers",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7",
- "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview",
- "service": "Azure MySQL",
+ "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
+ "guid": "4451e1a2-d345-4293-a763-9637a551c5c0",
+ "service": "ACR",
 "services": [
 "WAF"
 ],
 "severity": "Medium",
- "text": "Leverage Flexible Server",
- "waf": "Reliability"
+ "text": "Deploy validated container images",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.DBforMySQL/servers",
+ "arm-service": "microsoft.containerregistry/registries",
 "checklist": "WAF checklist",
- "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b",
- "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones",
- "service": "Azure MySQL",
+ "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
+ "guid": "4e401955-387e-45ce-b126-cd132af5b20c",
+ "service": "ACR",
 "services": [
 "WAF"
 ],
 "severity": "High",
- "text": "Leverage Availability Zones where regionally applicable",
- "waf": "Reliability"
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.DBforMySQL/servers",
+ "arm-service": "Microsoft.DataFactory/datafactories",
 "checklist": "WAF checklist",
- "guid": "1e944a45-9c37-43e7-bd61-623b365a917e",
- "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication",
- "service": "Azure MySQL",
+ "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e",
+ 
"link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx",
+ "service": "Azure Data Factory",
 "services": [
 "WAF"
 ],
 "severity": "Medium",
- "text": "Leverage Data-in replication for cross-region DR scenarios",
+ "text": "Leverage FTA Resiliency Playbook for Azure Data Factory",
 "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant = (sku=~'{\"name\":\"Standard\"}') | distinct id,compliant",
- "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac",
- "link": "https://learn.microsoft.com/azure/service-fabric/overview-managed-cluster#service-fabric-managed-cluster-skus",
- "service": "Azure Service Fabric",
- "services": [],
- "severity": "Medium",
- "subcategory": "Cluster architecture",
- "text": "Use Standard SKU for production scenarios.",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "WAF checklist",
+ "guid": "e503547c-d447-4e82-9138-a7200f1cac6d",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
+ "services": [
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Use zone redundant pipelines in regions that support Availability Zones",
 "waf": "Reliability"
 },
 {
- "category": "Standard clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "graph": "resources | where type=~'Microsoft.ServiceFabric/clusters' | extend nodeTypes= array_concat(properties.nodeTypes) | mv-expand nodeTypes | summarize BronzeDurabilityCount = countif(nodeTypes.durabilityLevel == 'Bronze') by id | extend compliant = (BronzeDurabilityCount == 0) | distinct id,compliant",
- "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-cluster-capacity#durability-characteristics-of-the-cluster",
- 
"service": "Azure Service Fabric",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "WAF checklist",
+ "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511",
+ "link": "https://learn.microsoft.com/azure/data-factory/source-control",
+ "service": "Azure Data Factory",
 "services": [
- "VM"
+ "WAF",
+ "Backup"
 ],
 "severity": "Medium",
- "subcategory": "Cluster architecture",
- "text": "Use durability level Silver (5 VMs) or greater for production scenarios",
+ "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ",
 "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant= ( properties.zonalResiliency =~ 'true') | distinct id,compliant",
- "guid": "2363878d-55c4-4cbd-9bc2-94523c85f12e",
- "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-availability-zones",
- "service": "Azure Service Fabric",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "WAF checklist",
+ "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
 "services": [
- "ACR"
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Cluster architecture",
- "text": "Consider using Availability Zones for your Service Fabric clusters. Service Fabric managed cluster supports deployments that span across multiple Availability Zones to provide zone resiliency. 
This configuration will ensure high-availability of the critical system services and your applications to protect from single-points-of-failure.",
+ "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ",
 "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "5ba74cc8-3ca2-44d5-9a67-bdc8e102e7b4",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-api-management-overview",
- "service": "Azure Service Fabric",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "WAF checklist",
+ "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
 "services": [
- "APIM"
+ "VNet",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Cluster architecture",
- "text": "Consider using Azure API Management to expose and offload cross-cutting functionality for APIs hosted on the cluster. API Management can integrate with Service Fabric directly.",
+ "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region",
 "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "ef17bb8f-4e2c-488b-8ceb-a07c3d750dd3",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-reliable-services-introduction",
- "service": "Azure Service Fabric",
- "services": [],
- "severity": "Medium",
- "subcategory": "Workload architecture",
- "text": "For stateful workload scenarios, consider using Reliable Services. The Reliable Services model allows your services to stay up even in unreliable environments where your machines fail or hit network issues, or in cases where the services themselves encounter errors and crash or fail. 
For stateful services, your state is preserved even in the presence of network or other failures.",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "WAF checklist",
+ "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you",
+ "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Azure Data Factory",
+ "services": [
+ "AKV",
+ "WAF"
+ ],
+ "severity": "Low",
+ "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity",
 "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | summarize compliant = countif(sku.name matches regex '^Standard_[^d]*$' ) by id",
- "guid": "4da21268-f775-4c89-a271-eb80543c8df7",
- "service": "Azure Service Fabric",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage",
+ "guid": "ba7da7be-9951-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export",
+ "service": "Azure Data Explorer",
 "services": [
- "VM"
+ "Storage",
+ "WAF",
+ "Cost"
 ],
- "severity": "Medium",
- "subcategory": "Cluster architecture",
- "text": "Avoid VM SKUs with temp disk offerings. 
Service Fabric uses managed disks by default, so avoiding temp disk offerings ensures you don't pay for unneeded resources.",
- "waf": "Cost"
+ "text": "Leverage External Tables and Continuous data export overview to reduce costs",
+ "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "1890b796-f300-41a3-a8d4-29738c1f4ad0",
- "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-stateless-node-type#temporary-disk-support",
- "service": "Azure Service Fabric",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. 
If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.",
+ "guid": "56a22586-f490-4641-addd-ea8a377cdeb3",
+ "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp",
+ "service": "Azure Data Explorer",
 "services": [
- "VM"
+ "Storage",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Cluster architecture",
- "text": "If you need to select a certain VM SKU for capacity reasons and it happens to offer temp disk, consider using temporary disk support for your stateless workloads.",
- "waf": "Cost"
+ "text": "To share data, explore Leader-follower cluster configuration",
+ "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "5247bb32-6778-49c7-8b40-e171c9a3ce1e",
- "service": "Azure Service Fabric",
- "services": [],
- "severity": "Medium",
- "subcategory": "Cluster and workload architectures",
- "text": "Align SKU selection and managed disk size with workload requirements. Matching your selection to your workload demands ensures you don't pay for unneeded resources.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.",
+ "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters",
+ "service": "Azure Data Explorer",
+ "services": [
+ "ASR",
+ "WAF"
+ ],
+ "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions",
+ "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "6028759b-446a-41bc-8b0e-7728e61ca704",
- "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-networking#manage-nsg-rules",
- "service": "Azure Service Fabric",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "guid": "436b0635-cb45-4e57-a603-324ace8cc123",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities",
+ "service": "Azure Data Explorer",
 "services": [
- "APIM",
- "VNet"
+ "RBAC",
+ "Storage",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Cluster architecture",
- "text": "Ensure Network Security Groups (NSG) are configured to restrict traffic flow between subnets and node types. 
For example, you may have an API Management instance (one subnet), a frontend subnet (exposing a website directly), and a backend subnet (accessible only to frontend).",
- "waf": "Security"
+ "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.",
+ "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | extend compliant = (isnotnull(properties.virtualMachineProfile.osProfile.secrets))",
- "guid": "4e98c903-14cf-4c72-9c45-b8b23bc4cbd8",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#deploy-key-vault-certificates-to-service-fabric-cluster-virtual-machine-scale-sets",
- "service": "Azure Service Fabric",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "guid": "18ca6017-0265-4f4b-a46a-393af7f31728",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution",
+ "service": "Azure Data Explorer",
 "services": [
- "AKV",
- "Storage",
- "Entra",
- "VM"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Cluster architecture",
- "text": "Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets. Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. 
Key Vault greatly reduces the chances that secrets may be accidentally leaked.",
- "waf": "Security"
+ "text": "Ingest data into each cluster in parallel",
+ "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "001cbb6f-d88d-4431-8434-d01333397776",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster",
- "service": "Azure Service Fabric",
- "services": [],
- "severity": "Medium",
- "subcategory": "Cluster architecture",
- "text": "Apply an Access Control List (ACL) to your client certificate for your Service Fabric cluster. Using an ACL provides an additional level of authentication.",
- "waf": "Security"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.",
+ "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration",
+ "service": "Azure Data Explorer",
+ "services": [
+ "WAF",
+ "ACR"
+ ],
+ "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration",
+ "waf": "Reliability"
 },
 {
- "category": "Managed clusters",
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "4b74b7a5-bb1e-4fca-948c-037ba95fb73b",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-resource-governance#resource-governance-mechanism",
- "service": "Azure Service Fabric",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "This configuration is identical to the active-active-active configuration, but only 
involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. The cluster SKU must be the same across regions.", + "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", + "service": "Azure Data Explorer", "services": [ + "WAF", "ACR" ], - "severity": "Medium", - "subcategory": "Cluster architecture", - "text": "Use resource requests and limits to govern resource usage across the nodes in your cluster. Enforcing resource limits helps ensure that one service doesn't consume too many resources and starve other services.", - "waf": "Security" + "text": "For critical applications, create Active-Active configuration in two paired regions", + "waf": "Reliability" }, { - "category": "Managed clusters", - "checklist": "Azure Service Fabric Review Checklist", - "guid": "cd9233ba-f3aa-4353-8d2f-7ea4a64160e6", - "link": "", - "service": "Azure Service Fabric", - "services": [], - "severity": "Medium", - "subcategory": "Workload architecture", - "text": "Encrypt Service Fabric package secret values. Encryption on your secret values provides an additional level of security.", - "waf": "Security" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "WAF checklist", + "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", + "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", + "service": "Azure Data Explorer", + "services": [ + "WAF" + ], + "text": "For applications, which required only read during failure, create Active-Hot standby configuration", + "waf": "Reliability" }, { - "category": "Managed clusters", - "checklist": "Azure Service Fabric Review Checklist", - "guid": "44b989d4-9f72-42b6-99da-ec2a79f83299", - "link": "", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "WAF checklist", + "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", + "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", + "service": "Azure Data Explorer", "services": [ - "AKV" + "Cost", + "Storage", + "ASR", + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Workload architecture", - "text": "Include client certificates in Service Fabric applications. 
Having your applications use client certificates for authentication provides opportunities for security at both the cluster and workload level.", - "waf": "Security" + "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", + "waf": "Reliability" }, { - "category": "Managed clusters", - "checklist": "Azure Service Fabric Review Checklist", - "guid": "28e66ff7-4a77-4b2c-910d-0335f141208a", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "WAF checklist", + "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", + "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", "services": [ - "Entra" + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Workload architecture", - "text": "Authenticate Service Fabric applications to Azure Resources using Managed Identity. 
Using Managed Identity allow you to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control.", - "waf": "Security" + "text": "Wrap DevOps and source control around all your code", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Reliability" }, { - "category": "Managed clusters", - "checklist": "Azure Service Fabric Review Checklist", - "guid": "f16c413c-00a6-43aa-852c-b97292c33a56", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#hosting-untrusted-applications-in-a-service-fabric-cluster", - "service": "Azure Service Fabric", - "services": [], - "severity": "Medium", - "subcategory": "Cluster and workload architectures", - "text": "Follow Service Fabric best practices when hosting untrusted applications. Following the best practices provides a security standard to follow.", - "waf": "Security" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "WAF checklist", + "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "services": [ + "WAF" + ], + "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "waf": "Reliability" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "Define a resource group structure for placement of Azure Arc-enabled servers resources", - "guid": "585e1112-9bd7-4ba0-82f7-b94ef6e043d2", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "WAF checklist", + "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", "services": [ - "Arc" + "WAF" ], - "severity": 
"High", - "subcategory": "Capacity Planning", - "text": "One or more resource groups is required for onboarding servers into Azure", - "waf": "Operations" + "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Reliability" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "guid": "aa359271-8e6e-4205-8725-769e46691e88", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "services": [ - "Arc", - "Entra" + "AKV", + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Capacity Planning", - "text": "Take Azure Active Directory object limitations into account", - "waf": "Performance" + "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal.", + "waf": "Operations" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "The following resource providers needs to be registered: Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.HybridConnectivity", - "guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + 
"service": "Front Door", "services": [ - "Arc", - "Subscriptions" + "AzurePolicy", + "WAF", + "FrontDoor" ], - "severity": "High", - "subcategory": "General", - "text": "Has the Resource providers required been registered in all subscriptions", - "waf": "Operations" + "severity": "Medium", + "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "Aligning with an existing or creating an Azure tagging strategy is recommended. Resource tags allow you to quickly locate it, automate operational tasks amd more. ", - "guid": "c6d37331-65c7-4acb-b44b-be609d79f2e8", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", + "service": "Front Door", "services": [ - "Arc" + "AppGW", + "AzurePolicy", + "WAF", + "FrontDoor" ], - "severity": "Low", - "subcategory": "General", - "text": "Has a tagging strategy for Azure Arc-enabled servers been defined", - "waf": "Cost" + "severity": "Medium", + "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "Installation of the connected machine agent is supported on most newer Windows and Linux operative systems, review the link to se the latest list", - "guid": "7778424c-5167-475c-9fa9-5b96ad88408e", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#supported-operating-systems", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", "services": [ - "Arc" + "AzurePolicy", + "WAF", + "FrontDoor" ], "severity": "High", - "subcategory": "General", - "text": "What operating systems need to be Azure Arc-enabled", - "waf": "Operations" + "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", + "waf": "Security" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "There are software requirements to the agent installation. 
Some might require a system reboot after installation, review to link", - "guid": "372734b8-76ba-428f-8145-901365d38e53", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#software-requirements", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", "services": [ - "Arc" + "EventHubs", + "TrafficManager", + "WAF", + "FrontDoor" ], "severity": "High", - "subcategory": "General", - "text": "Are required software installed on Windows and Linux servers to support the installation", - "waf": "Operations" + "text": "Avoid placing Traffic Manager behind Front Door.", + "waf": "Security" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "guid": "d44c7c89-19ca-41f6-b521-5ae514ba34d4", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc®ions=all", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", "services": [ - "Arc" + 
"WAF", + "FrontDoor" ], "severity": "High", - "subcategory": "General", - "text": "Make sure to use a supported Azure region", - "waf": "Reliability" + "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", + "waf": "Security" }, { - "category": "Foundation", - "checklist": "Azure Arc Review", - "description": "The scope include organization into management groups, subscriptions, and resource groups.", - "guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", "services": [ - "Arc", - "Subscriptions" + "WAF", + "FrontDoor" ], "severity": "Low", - "subcategory": "Organization", - "text": "Define the structure for Azure management of resources", + "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", "waf": "Performance" }, { - "category": "Identity", - "checklist": "Azure Arc 
Review", - "description": "Define RBAC rules to the servers / resource groups as required for servers management, the 'Azure Connected Machine Resource Administrator' or 'Hybrid Server Resource Administrator' role would be sufficient for management of the Azure Arc-enabled servers resources in Azure", - "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", "services": [ - "Arc", - "RBAC", - "Entra" + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Access", - "text": "Assign RBAC rights to Azure AD user/group access for managing Azure Arc-enabled servers", - "waf": "Security" + "text": "Select good health probe endpoints for Azure Front Door. 
Consider building health endpoints that check all of your application's dependencies.", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e", - "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", "services": [ - "AKV", - "Arc", - "Entra" + "WAF", + "FrontDoor" ], "severity": "Low", - "subcategory": "Access", - "text": "Consider using managed identities for applications to access Azure resources like Key Vault example in link", - "waf": "Security" + "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "waf": "Performance" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "An Azure subscription must be parented to the same Azure AD tenant", - "guid": "35ac9322-23e1-4380-8523-081a94174158", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or 
tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", "services": [ - "Subscriptions", - "Arc", - "Entra" + "AKV", + "FrontDoor", + "WAF", + "Cost" ], "severity": "High", - "subcategory": "Requirements", - "text": "An Azure Active Directory tenant must be available with at least one subscription", + "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.", "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "Users (or SPs) need the 'Azure Connected Machine Onboarding' or 'Contributor' role to onboarding of servers", - "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", "services": [ - "Arc", - "RBAC", - "Entra" + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Requirements", - "text": "Define which users (AAD user/groups) has access to onboard Azure Arc-enabled servers", - "waf": "Security" + "text": "Define your Azure Front Door WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "Ensure to only add the rights to users or groups that is required to perform their role", - "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", "services": [ - "Arc", - "RBAC", - "Entra" + "WAF", + "FrontDoor" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Use the principle of least privileged", + "severity": "High", + "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "A service principle with the 'Azure Connected Machine Onboarding' role is required for at-scale onboarding of servers, consider more SP's if onboarding is done by different teams/decentralized management", - "guid": "ad88408e-3727-434b-a76b-a28f21459013", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", "services": [ - "Arc", - "RBAC", - "Entra" + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Security", - "text": "How many Service Principals are needed for onboarding Arc-enabled servers into Azure", + "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Arc Review", - "description": "Consider assigning the rights for the 'Azure Connected Machine Onboarding' role at the resource group level, to control the resource creation", - "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=~'Enabled') and (mode=~'Prevention')), enabledState, mode", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", "services": [ - "Arc", - "RBAC", - "Entra" + "WAF", + "FrontDoor" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Limit the rights to onboard Azure Arc-enabled servers to the desired resource groups", + "severity": "High", + "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.", "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Plan for agent deployments at scale", - "guid": "6ee79d6b-5c2a-4364-a4b6-9bad38aad53c", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", "services": [ - "Monitor", - "Arc" + "WAF", + "FrontDoor" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Define a strategy for agent provisioning", - "waf": "Operations" + "severity": "High", + "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Use Microsoft Update to ensure that the connected machine agent is always up-to-date", - "guid": "c78e1d76-6673-457c-9496-74c5ed85b859", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#upgrade-the-agent", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", "services": [ - "Monitor", - "Arc" + "AzurePolicy", + "WAF", + "FrontDoor" ], "severity": "High", - "subcategory": "Management", - "text": "Define a strategy for agent updates", - "waf": "Operations" + "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", + "waf": "Security" }, { - "category": "Management and 
Monitoring", - "checklist": "Azure Arc Review", - "description": "Recommendation is to use Azure Policy, or another automation tool like Azure DevOps - important is to avoid configuration drift.", - "guid": "c7733be2-a1a2-47b7-95a9-1be1f388ff39", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", "services": [ - "Monitor", - "Arc", - "AzurePolicy" - ], - "severity": "Medium", - "subcategory": "Management", - "text": "Define a strategy for extension installation", - "waf": "Operations" - }, - { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Use automatic upgrades where available and define an update strategy for all extensions not supporting automatic upgrades.", - "guid": "4c2bd463-cbbb-4c86-a195-abb91a4ed90d", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal", - "services": [ - "Monitor", - "Arc" + "WAF", + "FrontDoor" ], "severity": "High", - "subcategory": "Management", - "text": "Define a strategy for extension updates", - "waf": "Operations" - }, - { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Azure Automanage help implement Microsoft best-practices for servers management in Azure", - "guid": "7a927c39-74d1-4102-aac6-aae01e6a84de", - "link": "https://learn.microsoft.com/azure/automanage/automanage-arc", - "services": [ - "Monitor", - "Arc" - ], - "severity": "Medium", - "subcategory": "Management", - "text": "Consider using Azure Automanage to control settings and avoid configuration drift on servers", - "waf": "Operations" + "text": "Enable the Azure Front Door WAF default 
rule sets. The default rule sets detect and block common attacks.", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "37b6b780-cbaf-4e6c-9658-9d457a927c39", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", "services": [ - "Monitor", - "Arc" + "WAF", + "FrontDoor" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Monitor for unresponsive agents", - "waf": "Operations" + "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "74d1102c-ac6a-4ae0-8e6a-84de5df47d2d", - "link": "https://learn.microsoft.com/azure/azure-monitor/agents/log-analytics-agent#data-collected", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "services": [ - "Monitor", - "Arc" + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Design a monitoring strategy to send metrics and logs to an Log Analytics workspace", - "waf": "Operations" + "text": "Use the latest Azure Front Door WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "92881b1c-d5d1-4e54-a296-59e3958fd782", - "link": "https://learn.microsoft.com/azure/service-health/resource-health-alert-monitor-guide", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "services": [ - "Monitor", - "Arc" + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use notification in Activity logs to receive notification on unexpected changes to the resources", - "waf": "Operations" + "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "89c93555-6d02-4bfe-9564-b0d834a34872", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", "services": [ - "Monitor", - "Arc" + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Monitor for compliance and operational monitoring", - "waf": "Operations" + "text": "Use a high threshold for Azure Front Door WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure.", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "services": [ - "Monitor", - "Arc" + "WAF" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Create an alert to identify Azure Arc-enabled servers that aren't using the latest version of the Azure connected machine agent", - "waf": "Operations" + "severity": "Low", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Use Update Management in Azure Automation or the new Update Management Center (preview) functionality to ensure update management of servers", - "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "services": [ - "Monitor", - "Arc" + "WAF", + "FrontDoor" ], - "severity": "Low", - "subcategory": 
"Security", - "text": "Use Azure Arc-enabled servers to control software updates deployments to servers", - "waf": "Operations" + "severity": "Medium", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "The Connected Machine Agent will by default communicate with Azure services over public Internet connectivity using HTTPS (TCP port 443)", - "guid": "f6e043d2-aa35-4927-88e6-e2050725769e", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "services": [ - "Arc" + "WAF", + "Monitor" ], - "severity": "High", - "subcategory": "Networking", - "text": "Define a connectivity method from the server to Azure", + "severity": "Medium", + "text": "Capture logs and metrics by turning on Diagnostic Settings. Include resource activity logs, access logs, health probe logs, and WAF logs. 
Set up alerts.", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "The Connected Machine Agent can be configured to use a proxy server, it is recommended to define the proxy server address using 'azcmagent config set proxy.url' command on the local system.", - "guid": "46691e88-35ac-4932-823e-13800523081a", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", "services": [ - "Arc" + "Sentinel", + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Is a proxy server a required for communication over the Public Internet", + "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "The Connected Machine Agent can use a Private Link for communication with Azure Services over an existing ExpressRoute or VPN connection", - "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", + "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", + "service": "Front Door", "services": [ - "ExpressRoute", - "Arc", - "VPN", - "PrivateLink" + "WAF", + "Backup" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Is a private (not public Internet) connection required?", - "waf": "Operations" + "text": "Choose a routing method that supports your deployment strategy. 
The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "Firewall configuration might be required for the agent to communicate with Azure, use the link to see ServiceTags and/or URL's required", - "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", + "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", + "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", + "service": "Front Door", "services": [ - "Arc" + "WAF" ], "severity": "High", - "subcategory": "Networking", - "text": "Will Firewall configurations be needed in order to ensure communication with Azure Services?", - "waf": "Security" + "text": 
"Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. You can place those origins in one or more back-end pools.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "Use available automation tool for the system in question to regularly update the Azure endpoints", - "guid": "6fa95b96-ad88-4408-b372-734b876ba28f", - "link": "https://www.microsoft.com/download/details.aspx?id=56519", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "999852be-2137-4179-8fc3-30d1df6fed1d", + "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps", + "service": "Front Door", "services": [ - "Arc" + "WAF", + "FrontDoor" ], - "severity": "Low", - "subcategory": "Networking", - "text": "Can the Firewall or Proxy rules be automated updated if Service Tags or IP addresses change", - "waf": "Security" + "severity": "Medium", + "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. 
You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "Configure Servers to use Transport Layer Security (TLS) version 1.2", - "guid": "21459013-65d3-48e5-9f9c-cbd868266abc", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6", + "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity", + "service": "Front Door", "services": [ - "Arc" + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "Always use secure communication for Azure where possible", - "waf": "Security" + "severity": "Medium", + "text": "Decide if your application requires session affinity. If you have high reliability requirements, we recommend that you disable session affinity.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "All extensions (like log analytics etc.) 
have separate network requirements, be sure to include all in the network design.", - "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7", + "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header", + "service": "Front Door", "services": [ - "Monitor", - "Arc", - "PrivateLink" + "WAF" ], - "severity": "Low", - "subcategory": "Networking", - "text": "Include communication for Azure Arc-enabled Servers extensions in the design (firewall/proxy/private link)", + "severity": "Medium", + "text": "Send the host header to the back end. The back-end services should be aware of the host name so that they can create rules to accept traffic only from that host.", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c", - "link": "https://learn.microsoft.com/azure/governance/policy/", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", + "service": "Front Door", "services": [ - "Arc", - "AzurePolicy" + "WAF" ], "severity": "Medium", - "subcategory": "Management", - "text": "Use Azure Policy to implement a governance model for hybrid connected servers", - "waf": "Security" + "text": "Use caching for endpoints that support it.", + "waf": "Cost" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", 
+ "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant", + "guid": "34069d73-e4de-46c5-a36f-625f87575a56", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", "services": [ - "Arc" + "WAF", + "FrontDoor" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Consider using Machine configurations for in guest OS configurations", - "waf": "Operations" + "severity": "Low", + "text": "Disable health checks in single back-end pools. If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary. 
This is only recommended if you can't have multiple origins in your endpoint.", + "waf": "Cost" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "667357c4-4967-44c5-bd85-b859c7733be2", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "c92d6786-cdd1-444d-9cad-934a192a276a", + "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports", + "service": "Front Door", "services": [ - "Arc", - "AzurePolicy" + "Storage", + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Management", - "text": "Evaluate the need for custom Guest Configuration policies", + "text": "We recommend using the Premium Tier for leveraging the Security reports while the Standard Azure Front Door Profile provides only traffic reports under built-in analytics/reports.", "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "49674c5e-d85b-4859-a773-3be2a1a27b77", - "link": "https://learn.microsoft.com/azure/automation/change-tracking/overview", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain", + "service": "Front Door", "services": [ - "Monitor", - "Arc" + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Consider using change tracking for tracking changes made on the servers", + "text": "Use wildcard TLS certificates when possible.", "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "d5d1e54a-2965-49e3-a58f-d78289c93555", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency", + "arm-service": 
"microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", + "service": "Front Door", "services": [ - "Arc" + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Requirements", - "text": "Make sure to use an Azure region for storing the metadata approved by the organization", - "waf": "Security" + "text": "Optimize your application query string for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", - "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece", + "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression", + "service": "Front Door", "services": [ - "AKV", - "Arc" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Use Azure Key Vault for certificate management on servers", - "waf": "Security" + "text": "Use file compression when you're accessing downloadable content.", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Consider using a short-lived Azure AD service principal client secrets.", - "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", - "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", + 
"arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", + "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", + "link": "https://learn.microsoft.com/azure/cdn/tier-migration", + "service": "Front Door", "services": [ - "AKV", - "Arc", - "Storage", - "Entra" + "WAF", + "FrontDoor" ], "severity": "High", - "subcategory": "Secrets", - "text": "What is the acceptable life time of the secret used by SP's", - "waf": "Security" + "text": "Consider migrating to Standard or Premium SKU if you are using Classic Azure Front Door currently as Classic Azure Front Door will be deprecated by March 2027.", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "A private key is saved to the disk, ensure this is protected using disk encryption", - "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", + "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", + "service": "Front Door", "services": [ - "AKV", - "Arc" + "TrafficManager", + "Storage", + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Secure the public key for Azure Arc-enabled Servers", - "waf": "Security" + "text": "Consider using Traffic Manager load balancing Azure Front Door and a third party CDN provider CDN profile for mission critical high availability scenario. 
", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Local administrator is required to install the Connected Machine Agent on Windows and Linux systems", - "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", + "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", + "service": "Front Door", "services": [ - "Arc" + "AppSvc", + "WAF", + "FrontDoor" ], "severity": "High", - "subcategory": "Security", - "text": "Ensure there is local administrator access for executing the agent installation", + "text": "When using Front Door with origin as App services, consider locking down the traffic to app services only through Azure Front Door using access restrictions. 
", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Members of the local administrator group on Windows and users with root privileges on Linux, have permissions to manage the agent via command line.", - "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", "services": [ - "Arc" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Limit the amount of users with local administrator rights to the servers", - "waf": "Security" + "severity": "Low", + "text": "If required for AKS Windows workloads HostProcess containers can be used", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", "services": [ - "Arc", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Consider using and restricting access to managed identities for applications.", - "waf": "Security" + "severity": "Low", + "text": "Use KEDA if running event-driven workloads", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Use Defender for Endpoint or another AV and EDR solution to protect 
endpoints", - "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", - "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", "services": [ - "Arc", - "Defender" + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Enable Defender for Servers for all servers to secure hybrid workloads from threats", - "waf": "Security" + "severity": "Low", + "text": "Use Dapr to ease microservice development", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "services": [ - "Arc" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Define controls to detect security misconfigurations and track compliance", - "waf": "Security" - }, + "severity": "High", + "text": "Use the SLA-backed AKS offering", + "waf": "Reliability" + }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - 
"Arc" + "WAF", + "Cost" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Use allow- or block-lists to control what extensions can be installed on the Azure Arc-enabled servers", - "waf": "Security" + "severity": "Low", + "text": "Use Disruption Budgets in your pod and deployment definitions", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure Red Hat OpenShift", - "guid": "d7e47431-76c8-4bdb-b55b-ce619e8a03f9", - "link": "https://learn.microsoft.com/azure/openshift/howto-create-service-principal?pivots=aro-azurecli", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "services": [ - "Entra", - "RBAC" + "WAF", + "ACR" ], "severity": "High", - "subcategory": "Identity", - "text": "Create a service principal and its role assignments before creating the ARO clusters.", - "waf": "Security" + "text": "If using a private registry, configure region replication to store images in multiple regions", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure Red Hat OpenShift", - "guid": "7879424d-6267-486d-90b9-6c97be985190", - "link": "https://learn.microsoft.com/azure/openshift/configure-azure-ad-ui", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", "services": [ - "Entra" + "WAF", + "Cost" ], - "severity": "High", - "subcategory": "Identity", - "text": "Use AAD to authenticate users in your ARO cluster.", - "waf": "Security" + "severity": "Low", + "text": "Use an external application such as kubecost to allocate costs to different 
users",
+ "waf": "Cost"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "adfec5f9-a82d-46e9-a8d1-5a0c7fed5d15",
- "link": "https://docs.openshift.com/container-platform/4.14/authentication/remove-kubeadmin.html",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
+ "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
+ "service": "AKS",
 "services": [
- "Entra"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Identity",
- "text": "When using AAD authentication, remove kubeadmin user from the cluster.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Use scale down mode to delete/deallocate nodes",
+ "waf": "Cost"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "483835c9-86bb-4291-8155-a11475e39f54",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/projects/working-with-projects.html",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
+ "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
+ "service": "AKS",
 "services": [
- "Entra",
- "RBAC"
+ "AKS",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Identity",
- "text": "Define OpenShift projects to restrict RBAC privilege and isolate workloads in your cluster.",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "When required use multi-instance partitioning GPU on AKS Clusters",
+ "waf": "Cost"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "0acccd97-9376-4bcd-a375-0ab2ab039da6",
- "link": "https://docs.openshift.com/container-platform/4.13/authentication/using-rbac.html",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
+ "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
+ "service": "AKS",
 "services": [
- "Entra",
- "RBAC"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Identity",
- "text": "Define the required RBAC roles in OpenShift are scoped to either a project or a cluster.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "If running a Dev/Test cluster use NodePool Start/Stop",
+ "waf": "Cost"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "d54d7c89-29db-4107-b532-5ae625ca44e4",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
+ "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
+ "service": "AKS",
 "services": [
- "AKV",
- "Entra"
+ "AzurePolicy",
+ "AKS",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Minimize the number of users who have administrator rights and secrets access.",
+ "text": "Use Azure Policy for Kubernetes to ensure cluster compliance",
 "waf": "Security"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "685e2223-ace8-4bb1-8307-ca5f16f154e3",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
+ "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
 "services": [
- "Entra",
- "RBAC"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Use Privileged Identity Management in AAD for ARO users with privileged roles.",
+ "text": "Separate applications from the control plane with user/system node pools",
 "waf": "Security"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "aa369282-9e7e-4216-8836-87af467a1f89",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
 "services": [
- "Firewall",
- "WAF",
- "DDoS",
- "Entra",
- "Subscriptions",
- "VNet"
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "DDoS",
- "text": "Use Azure DDoS Network/IP Protection to protect the virtual network you use for the ARO cluster unless you use Azure Firewall or WAF in a centralized subscription",
+ "text": "Add taint to your system nodepool to make it dedicated",
 "waf": "Security"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "35bda433-24f1-4481-8533-182aa5174269",
- "link": "https://docs.openshift.com/container-platform/4.13/networking/routes/secured-routes.html",
- "services": [],
- "severity": "High",
- "subcategory": "Encryption",
- "text": "All web applications you configure to use an ingress should use TLS encryption and shouldn't allow access over unencrypted HTTP.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
+ "link": "https://learn.microsoft.com/azure/container-registry/",
+ "service": "AKS",
+ "services": [
+ "WAF",
+ "ACR"
+ ],
+ "severity": "Medium",
+ "text": "Use a private registry for your images, such as ACR",
 "waf": "Security"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "44008ae7-d7e4-4743-876c-8bdbf55bce61",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "WAF checklist",
+ "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
+ "link": "https://learn.microsoft.com/azure/security-center/container-security",
+ "service": "ACR",
 "services": [
- "WAF",
- "FrontDoor"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Internet",
- "text": "Use Azure Front Door with WAF to securely publish ARO applications to the internet, especially in multi-region environments.",
+ "text": "Scan your images for vulnerabilities",
 "waf": "Security"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "9e8a03f9-7879-4424-b626-786d60b96c97",
- "link": "https://learn.microsoft.com/azure/openshift/howto-secure-openshift-with-front-door",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
+ "service": "AKS",
 "services": [
- "PrivateLink",
- "FrontDoor"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Internet",
- "text": "If exposing an app on ARO with Azure Front Door, use private link to connect Front Door with the ARO router.",
+ "severity": "High",
+ "text": "Define app separation requirements (namespace/nodepool/cluster)",
 "waf": "Security"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "be985190-4838-435c-a86b-b2912155a114",
- "link": "https://learn.microsoft.com/azure/openshift/howto-restrict-egress",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
+ "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
+ "service": "AKS",
 "services": [
- "NVA",
- "AzurePolicy",
- "Firewall"
+ "AKV",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Internet",
- "text": "If your security policy requires you to inspect all outbound internet traffic that's generated in the ARO cluster, secure egress network traffic by using Azure Firewall or an NVA.",
+ "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver",
 "waf": "Security"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "75e39f54-0acc-4cd9-9937-6bcda3750ab2",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-private-cluster-4x",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
+ "link": "https://learn.microsoft.com/azure/aks/update-credentials",
+ "service": "AKS",
 "services": [
- "AzurePolicy"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Private access",
- "text": "If your security policy requires you to use a private IP address for the OpenShift API, deploy a private ARO cluster.",
+ "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)",
 "waf": "Security"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "ab039da6-d54d-47c8-a29d-b107d5325ae6",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
+ "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
+ "service": "AKS",
 "services": [
- "ACR",
- "PrivateLink"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Private access",
- "text": "Use Azure Private Link to secure network connections to managed Azure services, including to Azure Container Registry.",
+ "text": "If required add Key Management Service etcd encryption",
 "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "25ca44e4-685e-4222-9ace-8bb12307ca5f",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-enable-arc-enabled-clusters",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
+ "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
+ "service": "AKS",
 "services": [
- "Monitor"
+ "AKS",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Operations",
- "text": "Establish a monitoring process using the inbuilt Prometheus, OpenShift Logging or Container Insights integration.",
- "waf": "Operations"
+ "severity": "Low",
+ "text": "If required consider using Confidential Compute for AKS",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "16f154e3-aa36-4928-89e7-e216183687af",
- "link": "https://docs.openshift.com/container-platform/4.13/cicd/pipelines/understanding-openshift-pipelines.html",
- "services": [],
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
+ "service": "AKS",
+ "services": [
+ "WAF",
+ "Defender"
+ ],
 "severity": "Medium",
- "subcategory": "Operations",
- "text": "Automate the application delivery process through DevOps practices and CI/CD solutions, such as Pipelines/GitOps provided by OpenShift.",
- "waf": "Operations"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "467a1f89-35bd-4a43-924f-14811533182a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/design-principles/managed-services",
- "services": [],
- "severity": "Low",
- "subcategory": "Operations",
- "text": "Whenever possible, remove the service state from inside containers. Instead, use an Azure platform as a service (PaaS) that supports multiregion replication.",
- "waf": "Operations"
+ "text": "Consider using Defender for Containers",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "1b7da8cf-aa66-4e15-b4d5-ada97dc3e232",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-storageclass",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
+ "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
+ "service": "AKS",
 "services": [
- "Storage"
+ "WAF",
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Operations",
- "text": "Use RWX storage with inbuilt Azure Files storage class.",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Use managed identities instead of Service Principals",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "6bb235c7-05e1-4696-bded-fa8a4c8cdec4",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/clusters/nodes-cluster-limit-ranges.html",
- "services": [],
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
+ "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad",
+ "service": "AKS",
+ "services": [
+ "WAF",
+ "Entra"
+ ],
 "severity": "Medium",
- "subcategory": "Performance",
- "text": "Use pod requests and limits to manage the compute resources within a cluster.",
- "waf": "Performance"
+ "text": "Integrate authentication with AAD (using the managed integration)",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "c620c30c-14ee-4b7f-9ae8-d9b3fec228e7",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/quotas/quotas-setting-per-project.html",
- "services": [],
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
+ "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
+ "service": "AKS",
+ "services": [
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Performance",
- "text": "Enforce resource quotas on projects.",
- "waf": "Performance"
+ "text": "Limit access to admin kubeconfig (get-credentials --admin)",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "87ab177a-db59-4f6b-a613-334fd09dc234",
- "link": "https://docs.openshift.com/container-platform/4.13/machine_management/applying-autoscaling.html",
- "services": [],
- "severity": "High",
- "subcategory": "Performance",
- "text": "Define ClusterAutoScaler and MachineAutoScaler to scale machines when your cluster runs out of resources to support more deployments.",
- "waf": "Performance"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
+ "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
+ "service": "AKS",
+ "services": [
+ "RBAC",
+ "WAF",
+ "Entra"
+ ],
+ "severity": "Medium",
+ "text": "Integrate authorization with AAD RBAC",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "19db6128-1269-4040-a4ba-4d3e0804276d",
- "link": "https://learn.microsoft.com/azure/openshift/support-policies-v4#supported-virtual-machine-sizes",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
+ "service": "AKS",
 "services": [
- "VM"
+ "RBAC",
+ "AKS",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Reliability",
- "text": "Use virtual machine sizes that are large enough to contain multiple container instances so you get the benefits of increased density, but not so large that your cluster can't handle the workload of a failing node.",
- "waf": "Reliability"
+ "text": "Use namespaces for restricting RBAC privilege in Kubernetes",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "4b98b15c-8b31-4aa5-aceb-58889135e227",
- "link": "https://docs.openshift.com/container-platform/4.13/machine_management/deploying-machine-health-checks.html",
- "services": [],
- "severity": "High",
- "subcategory": "Reliability",
- "text": "Deploy machine health checks to automatically repair damaged machines in a machine pool.",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410",
+ "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar",
+ "service": "AKS",
+ "services": [
+ "WAF",
+ "Entra"
+ ],
+ "severity": "Medium",
+ "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "896d31b6-6c67-4ba5-a119-c08e8f5d587c",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-metric-alerts",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin",
+ "service": "AKS",
 "services": [
- "Monitor"
+ "AKS",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Reliability",
- "text": "Use an alerting system to provide notifications when things need direct action: Container Insights metric alerts or in-built Alerting UI.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "For AKS non-interactive logins use kubelogin (preview)",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7e9ced16-acd1-476e-b9b2-41a998a57ae7",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview#availability-zones",
- "services": [],
- "severity": "High",
- "subcategory": "Reliability",
- "text": "Ensure that the cluster is created in a region that supports AZs and create a machine set for each AZ.",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
+ "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
+ "service": "AKS",
+ "services": [
+ "AKS",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Disable AKS local accounts",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7b997e71-1b7d-4a8c-baa6-6e15d4d5ada9",
- "link": "https://docs.openshift.com/container-platform/4.13/machine_management/creating-infrastructure-machinesets.html",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
+ "service": "AKS",
 "services": [
- "AKS"
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Reliability",
- "text": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines.",
- "waf": "Reliability"
+ "text": "Configure if required Just-in-time cluster access",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7dc3e232-6bb2-435c-905e-1696fdedfa8a",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup#create-a-backup-with-velero-to-include-snapshots",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks",
+ "service": "AKS",
 "services": [
- "Backup"
+ "AKS",
+ "WAF",
+ "Entra"
 ],
- "severity": "Medium",
- "subcategory": "Reliability",
- "text": "Create application backup and plan for restore and include persistent volumes in the backup.",
- "waf": "Reliability"
+ "severity": "Low",
+ "text": "Configure if required AAD conditional access for AKS",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "81c12318-1a64-4174-8583-3fb4ae3c2df7",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-priority.html",
- "services": [],
- "severity": "Low",
- "subcategory": "Reliability",
- "text": "Use pod priorities, so that in case of limited resources the most critical pods will run.",
- "waf": "Reliability"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "43166c3b-cbe0-45bb-b209-d4a0da577784",
- "link": "https://docs.openshift.com/container-platform/4.13/architecture/admission-plug-ins.html",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3",
+ "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts",
+ "service": "AKS",
 "services": [
- "AzurePolicy"
+ "AKS",
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Security",
- "text": "Regulate cluster functions using admission plug-ins, which are commonly used to enforce security policy, resource limitations, or configuration requirements.",
+ "text": "If required for Windows AKS workloads configure gMSA ",
 "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "24d21678-5d2f-4a56-a56a-d48408fe8273",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "1f711a74-3672-470b-b8b8-a2148d640d79",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity",
+ "service": "AKS",
 "services": [
- "ACR"
+ "WAF",
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Security",
- "text": "Store your container images in Azure Container Registry and geo-replicate the registry to each region.",
- "waf": "Security"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "4c486ba2-80dc-4059-8cf7-5ee8e1309ccc",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-vertical-autoscaler.html",
- "services": [],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Optimize the CPU and memory request values, and maximize the efficiency of the cluster resources using vertical pod autoscaler.",
- "waf": "Performance"
+ "text": "For finer control consider using a managed Kubelet Identity",
+ "waf": "Security"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "d579366b-cda2-4750-aa1a-bfe9d55d14c3",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/application-health.html",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
+ "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
+ "service": "AKS",
 "services": [
- "Monitor"
+ "AppGW",
+ "WAF",
+ "ACR"
 ],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Add health probes to your pods to monitor application health. Make sure pods contain livenessProbe and readinessProbe. Use Startup probes to determine the point at which the application has started up.",
- "waf": "Reliability"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "c4929cb1-b3d1-4325-ae12-4ba34d0685ed",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-autoscaling.html",
- "services": [],
- "severity": "Medium",
- "subcategory": "Workload",
- "text": "Scale pods to meet demand using horizontal pod autoscaler.",
+ "text": "If using AGIC, do not share an AppGW across clusters",
 "waf": "Reliability"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "dce9be3b-b0dd-4b3b-95fb-2ec14eeaa359",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-configuring.html#nodes-pods-pod-distruption-about_nodes-pods-configuring",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
+ "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
+ "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
+ "service": "AKS",
 "services": [
- "Cost"
+ "AKS",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Workload",
- "text": "Use disruption budgets to ensure the required number of pod replicas exist to handle expected application load.",
- "waf": "Reliability"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "2829e2ed-b217-4367-9aff-6791b4935ada",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.html",
- "services": [],
- "severity": "Medium",
- "subcategory": "Workload",
- "text": "Use pod topology constraints to automatically schedule pods on nodes throughout the cluster.",
+ "severity": "High",
+ "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "fea1dbf3-dd95-4d48-a7c8-91dcb1f7d575",
- "link": "https://learn.microsoft.com/azure/openshift/intro-openshift#service-level-agreement",
- "services": [],
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
+ "service": "AKS",
+ "services": [
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Availablity",
- "text": "Leverage Current ARO SLA - 99.95 into BCDR planning",
- "waf": "Reliability"
+ "text": "For Windows workloads use Accelerated Networking",
+ "waf": "Performance"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "b95e06e1-58e2-4ea3-a92c-2de6e2065b3a",
- "link": "https://www.redhat.com/rhdc/managed-files/pa-getting-started-azure-openshift-ebook-f20686-201911-en_0.pdf",
- "services": [],
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
+ "guid": "ba7da7be-9952-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
+ "services": [
+ "LoadBalancer",
+ "WAF"
+ ],
 "severity": "High",
- "subcategory": "Cluster Design",
- "text": "Run user workloads on the worker nodes, not the control plane nodes",
+ "text": "Use the standard ALB (as opposed to the basic one)",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "description": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines",
- "guid": "76af4a69-1e88-439a-ba46-667e13c10567",
- "link": "https://learn.microsoft.com/azure/openshift/howto-segregate-machinesets",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
+ "service": "AKS",
 "services": [
- "AKS",
- "VNet"
+ "VNet",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Cluster Design",
- "text": "Isolate workloads into worker nodes running in individual subnets as needed",
- "waf": "Reliability"
+ "text": "If using Azure CNI, consider using different Subnets for NodePools",
+ "waf": "Security"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "785c6fe9-6c96-4ad8-a44c-f3b2b38c886b",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
+ "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
+ "service": "AKS",
 "services": [
- "Backup"
+ "PrivateLink",
+ "VNet",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Backup",
- "text": "Backup a cluster state for stateful workload scenarios to a paired region",
- "waf": "Reliability"
+ "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster",
+ "waf": "Security"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "a2c02149-9014-4a5d-9ce5-74dccbd9792a",
- "link": "https://access.redhat.com/documentation/red_hat_openshift_container_storage/4.4/html/deploying_and_managing_openshift_container_storage_on_microsoft_azure/deploying-openshift-container-storage-on-microsoft-azure_rhocs",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
+ "guid": "a0f61565-9de5-458f-a372-49c831112dbd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "services": [
- "ACR",
- "Storage"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Data Store",
- "text": "If container storage is required, ensure availability across regions if needed: Using RWX storage with inbuilt Azure Files storage class. Using CSI Drivers for storage provisioning",
+ "severity": "High",
+ "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "6bcca2b4-fea1-4dbf-9dd9-5d48c7c891dc",
- "link": "https://docs.openshift.com/aro/3/dev_guide/persistent_volumes.html",
- "services": [],
- "severity": "Medium",
- "subcategory": "Data Store",
- "text": "Whenever possible, move state out of containers and into external databases that support multi-region replication. Avoid Persistent Volumes",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
+ "services": [
+ "VNet",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node",
+ "waf": "Performance"
 },
 {
- "category": "Platform Automation",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "42324ece-81c1-4231-a1a6-417415833fb4",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/deployments/route-based-deployment-strategies.html",
- "services": [],
- "severity": "Low",
- "subcategory": "Workload",
- "text": "Consider blue/green or canary strategies to deploy new releases of application.",
- "waf": "Operations"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
+ "services": [
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "If using Azure CNI, check the maximum pods/node (default 30)",
+ "waf": "Performance"
 },
 {
- "category": "Platform Automation",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "ae3c2df7-4316-46c3-acbe-05bbe209d4a0",
- "link": "https://docs.openshift.com/container-platform/4.13/cicd/gitops/understanding-openshift-gitops.html",
- "services": [],
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .",
+ "guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
+ "link": "https://learn.microsoft.com/azure/aks/internal-lb",
+ "service": "AKS",
+ "services": [
+ "AKS",
+ "VNet",
+ "WAF"
+ ],
 "severity": "Low",
- "subcategory": "Workload",
- "text": "Consider using Red Hat OpenShift GitOps. Red Hat OpenShift GitOps uses Argo CD to maintain cluster resources and support application CI/CD.",
- "waf": "Operations"
- },
- {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "da577784-24d2-4167-a5d2-fa56c56ad484",
- "link": "https://learn.microsoft.com/azure/openshift/support-lifecycle",
- "services": [],
- "severity": "High",
- "subcategory": "Control plane",
- "text": "Keep your clusters on the latest OpenShift version to avoid potential security or upgrade issues.",
+ "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "08fe8273-4c48-46ba-880d-c0591cf75ee8",
- "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/quickstart-connect-cluster",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "services": [
- "AKS",
- "Arc"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Control plane",
- "text": "Connect Azure Red Hat OpenShift clusters to Azure Arc-enabled Kubernetes.",
- "waf": "Security"
+ "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "e1309ccc-d579-4366-acda-2750aa1abfe9",
- "link": "https://docs.openshift.com/container-platform/4.10/security/encrypting-etcd.html",
- "services": [],
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f",
+ "link": "https://learn.microsoft.com/azure/aks/use-byo-cni",
+ "service": "AKS",
+ "services": [
+ "WAF"
+ ],
 "severity": "Low",
- "subcategory": "Encryption",
- "text": "For Azure Red Hat OpenShift 4 clusters, etcd data isn't encrypted by default, but it's recommended to enable etcd encryption to provide another layer of data security.",
+ "text": "If required add your own CNI plugin",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "d55d14c3-c492-49cb-8b3d-1325ae124ba3",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools",
+ "service": "AKS",
 "services": [
 "AKS",
- "Arc",
- "Defender"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Posture",
- "text": "Use Microsoft Defender for Containers supported via Arc-enabled Kubernetes to secure clusters, containers, and applications.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "If required configure Public IP per node in AKS",
+ "waf": "Performance"
 },
 {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "4d0685ed-dce9-4be3-ab0d-db3b55fb2ec1",
- "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/tutorial-akv-secrets-provider",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-network",
+ "service": "AKS",
 "services": [
- "AKS",
- "AKV",
- "Arc"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Secrets",
- "text": "For applications that require access to sensitive information, use a service principal and the AKV Secrets Provider with the extension for Arc-enabled Kubernetes clusters.",
- "waf": "Security"
+ "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "4eeaa359-2829-4e2e-bb21-73676aff6791",
- "link": "https://learn.microsoft.com/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources",
- "services": [],
- "severity": "Medium",
- "subcategory": "Workload",
- "text": "Secure pod access to resources. Provide the least number of permissions, and avoid using root or privileged escalation.",
- "waf": "Security"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "ccb534e7-416e-4a1d-8e93-533b53199085",
+ "link": "https://learn.microsoft.com/azure/aks/nat-gateway",
+ "service": "AKS",
+ "services": [
+ "WAF"
+ ],
+ "severity": "Low",
+ "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "b4935ada-4232-44ec-b81c-123181a64174",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support",
+ "service": "AKS",
 "services": [
- "Monitor",
- "AzurePolicy"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Monitor 
and enforce configuration by using the Azure Policy Extension.", - "waf": "Security" + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "15833fb4-ae3c-42df-9431-66c3bcbe05bb", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "services": [ - "Defender" + "NVA", + "WAF" ], "severity": "High", - "subcategory": "Workload", - "text": "Scan your images for vulnerabilities with Microsoft Defender or any other image scanning solution.", + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "e209d4a0-da57-4778-924d-216785d2fa56", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "services": [ - "ACR", - "Subscriptions" + "WAF" ], - 
"severity": "Low", - "subcategory": "Workload", - "text": "Deploy a dedicated and private instance of Azure Container Registry to each landing zone subscription.", + "severity": "Medium", + "text": "If using a public API endpoint, restrict the IP addresses that can access it", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "b71ca41b-3a80-48f3-a6cd-22cdf197c1cf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "services": [], - "severity": "Medium", - "subcategory": "App delivery", - "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", + "services": [ + "WAF" + ], + "severity": "High", + "text": "Use private clusters if your requirements mandate it", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", 
+ "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "services": [ - "AppGW" + "AzurePolicy", + "AKS", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Ensure you are using Application Gateway v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "services": [ - "LoadBalancer" + "AzurePolicy", + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Load Balancer", - "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", + "severity": "High", + "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", "waf": "Security" }, { - 
"category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ - "LoadBalancer" + "AzurePolicy", + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Load Balancer", - "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "severity": "High", + "text": "Use Kubernetes network policies to increase intra-cluster security", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ - "AppGW", - "VNet" + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "severity": "High", + "text": "Use a WAF for web workloads (UIs or APIs)", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": 
"9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "services": [ - "NVA", - "WAF", - "Entra", - "AppGW", - "Subscriptions", - "VNet" + "DDoS", + "AKS", + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Use DDoS Standard in the AKS Virtual Network", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", "services": [ - "DDoS" + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use a DDoS Network or IP protection plans for all Public IP 
addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "severity": "Low", + "text": "If required add company HTTP Proxy", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", - "services": [], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Configure autoscaling with a minimum amount of instances of two.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", - "services": [ - "ACR", - "AppGW" - ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Deploy Application Gateway across Availability Zones", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": 
"Front Door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "services": [ - "WAF", - "AppGW", - "AzurePolicy", - "FrontDoor" + "WAF" ], "severity": "Medium", - "subcategory": "App delivery", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Consider using a service mesh for advanced microservice communication management", "waf": "Security" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", "services": [ - "TrafficManager" + "WAF", + "Monitor" ], "severity": "High", - "subcategory": "Traffic Manager", - "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Reliability" + "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", "services": [ - "AVD", + "WAF", "Entra" ], "severity": "Low", - "subcategory": "App delivery", - "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Security" + "text": "Check regularly Azure Advisor for recommendations on your cluster", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", "services": [ - "Entra" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "App delivery", - "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Security" + "severity": "Low", + "text": "Enable AKS auto-certificate rotation", + "waf": "Operations" }, { - "ammp": true, - "category": "Network 
Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", "services": [ - "LoadBalancer" + "AKS", + "WAF" ], "severity": "High", - "subcategory": "Load Balancer", - "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", - "waf": "Reliability" + "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", + "waf": "Operations" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + 
"service": "AKS", "services": [ - "WAF", - "AppGW" + "WAF" ], "severity": "High", - "subcategory": "App Gateway", - "text": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots.", - "waf": "Security" + "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", + "waf": "Operations" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", "services": [ - "WAF", - "AppGW", - "AzurePolicy" + "WAF" ], "severity": "High", - "subcategory": "App Gateway", - "text": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy.", - "waf": "Security" + "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", + "waf": "Operations" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF 
checklist", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", "services": [ - "WAF", - "AppGW" + "WAF" ], - "severity": "High", - "subcategory": "App Gateway", - "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", - "waf": "Security" + "severity": "Low", + "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", + "waf": "Operations" }, { - "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", "services": [ - "WAF", - "AppGW", - "AzurePolicy" + "AKS", + "WAF" ], - "severity": "High", - "subcategory": "App Gateway", - "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", - "waf": "Security" + "severity": "Low", + "text": "Consider using AKS command invoke on private clusters", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": 
"AKS", "services": [ - "WAF", - "AppGW" + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", - "waf": "Security" + "severity": "Low", + "text": "For planned events consider using Node Auto Drain", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", "services": [ - "WAF", - "AppGW" + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", - "waf": "Security" + "severity": "High", + "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "services": [ + "WAF" + ], "severity": "Low", - "subcategory": "App Gateway", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", - "waf": "Security" + "text": "Use custom Node RG (aka 'Infra RG') name", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "services": [ - "WAF", - "AppGW" + "AKS", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", - "waf": "Security" + "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", "services": [ - "WAF", - "AppGW" + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", - "waf": "Security" + "severity": "Low", + "text": "Taint Windows nodes", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", "services": [ - "WAF", - "AppGW" + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", + "severity": "Low", + "text": 
"Keep windows containers patch level in sync with host patch level", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "description": "Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", "services": [ "WAF", - "Sentinel", - "AppGW" + "Monitor" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "severity": "Low", + "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", "services": [ - "WAF", - "AppGW" + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Define your Azure Application Gateway WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "severity": "Low", + "text": "If required use nodePool snapshots", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", "services": [ - "WAF", - "AzurePolicy" + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use WAF Policies instead of the legacy WAF configuration.", + "severity": "Low", + "text": "Consider spot node pools for non time-sensitive workloads", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "ExpressRoute", - "VNet", - "AppGW", - "VPN" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Filter inbound traffic in the backends so that they only accept connections from the Application 
Gateway subnet, for example with NSGs.", - "waf": "Security" + "severity": "Low", + "text": "Consider AKS virtual node for quick bursting", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "services": [ + "WAF", + "Monitor" + ], "severity": "High", - "subcategory": "App Gateway", - "text": "You should encrypt traffic to the backend servers.", - "waf": "Security" + "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "services": [ "WAF" ], "severity": "High", - "subcategory": "App Gateway", - "text": "You should use a Web Application Firewall.", - "waf": "Security" + "text": "Store and analyze your cluster logs with Container Insights (or other tools 
like Telegraf/ElasticSearch)", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", + "services": [ + "WAF", + "Monitor" + ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Redirect HTTP to HTTPS", - "waf": "Security" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", - "services": [], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", - "waf": "Operations" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", - "services": [], - "severity": "High", - "subcategory": "App Gateway", - "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", - "waf": "Security" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": 
"https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", - "services": [], - "severity": "Low", - "subcategory": "App Gateway", - "text": "Create custom error pages to display a personalized user experience", + "text": "Monitor CPU and memory utilization of the nodes", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "services": [ + "WAF", + "Monitor" + ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", - "waf": "Security" + "text": "If using Azure CNI, monitor % of pod IPs consumed per node", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "services": [ - "FrontDoor" + "ServiceBus", + "Storage", + "EventHubs", + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", - "waf": "Performance" + "text": "Monitor OS disk queue depth in nodes", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "services": [ + "NVA", + "LoadBalancer", + "WAF", + "Monitor" + ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Use transport layer load balancing", - "waf": "Performance" + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + 
"link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", + "services": [ + "AKS", + "WAF" + ], "severity": "Medium", - "subcategory": "App Gateway", - "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", - "waf": "Security" + "text": "Subscribe to resource health notifications for your AKS cluster", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "App Gateway", - "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", - "waf": "Security" + "severity": "High", + "text": "Configure requests and limits in your pod specs", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "AppGW" + "WAF" ], - "severity": "Low", - "subcategory": "App Gateway", - "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", - "waf": 
"Security" + "severity": "Medium", + "text": "Enforce resource quotas for namespaces", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "PostgreSQL Review Checklist", - "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", - "service": "PostgreSQL", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "services": [ - "SQL" + "Subscriptions", + "WAF" ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage Flexible Server", - "waf": "Reliability" + "severity": "High", + "text": "Ensure your subscription has enough quota to scale out your nodepools", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "PostgreSQL Review Checklist", - "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", - "service": "PostgreSQL", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "service": "AKS", "services": [ - "SQL" + "WAF" ], "severity": "High", - "subcategory": "Best Practices", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" + "text": "Configure Liveness and Readiness probes for all deployments", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "PostgreSQL Review Checklist", - "guid": "31b67c67-be59-4519-8083-845d587cb391", - "link": 
"https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", - "service": "PostgreSQL", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "SQL" + "WAF" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage cross-region read replicas for BCDR", - "waf": "Reliability" + "text": "Use the Cluster Autoscaler", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", - "service": "Cognitive Services", - "services": [], - "severity": "Medium", - "subcategory": "Best Practice", - "text": "Leverage FTA HandBook for Cognitive Services", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", + "services": [ + "AKS", + "WAF" + ], + "severity": "Low", + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Cognitive Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "Backup" + "WAF" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Backup Your Prompts", - "waf": "Reliability" + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Cognitive Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "services": [ - "Backup", - "ASR" + "WAF" ], "severity": "High", - "subcategory": "Backup", - "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", - "waf": "Reliability" + "text": "Consider an appropriate node size, not too large or too small", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", - "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", - "service": "Cognitive Services", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", "services": [ - "Backup" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Backup Your ChatGPT conversations", - "waf": "Reliability" + "severity": "Low", + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", - "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", - "service": "Cognitive Services", - "services": [], - "severity": "Medium", - "subcategory": "DevOps", - "text": "CI/CD for custom speech", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "services": [ + "AKS", + "WAF" + ], + "severity": "Low", + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "3687a046-7a1f-4893-9bda-43324f248116", - "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", - "service": "Cognitive Services", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "services": [ + "AKS", + "WAF" + ], 
"severity": "Low", - "subcategory": "QnA Service", - "text": "Move a knowledge base using export-import", - "waf": "Reliability" + "text": "For long running operation on an AKS cluster consider event termination", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "services": [ + "AKS", + "WAF" + ], + "severity": "Low", + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "services": [ + "WAF" + ], "severity": "High", - "subcategory": "High Availability", - "text": "Protect logic apps 
from region failures with zone redundancy and availability zones", - "waf": "Reliability" + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", + "services": [ + "AKS", + "WAF" + ], "severity": "High", - "subcategory": "High Availability", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", "services": [ - "AppSvc" + "Storage", + "AKS", + "WAF" ], - "severity": "High", - "subcategory": "High Availability", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "severity": "Low", + "text": "For hyper performance storage option use Ultra Disks on 
AKS", + "waf": "Performance" }, { - "category": "Application Deployment", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", + "services": [ + "Storage", + "SQL", + "WAF" + ], "severity": "Medium", - "subcategory": "CI/CD", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", - "waf": "Operations" - }, - { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Select the right Function hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' and tolower(kind) !contains 'workflow' | extend aspResourceId = tostring(properties.serverFarmId), managedEnvId = tostring(properties.managedEnvironmentId), sku = tostring(properties.sku) | extend sku = iif(isnotempty(sku), sku, iif(isnotempty(managedEnvId), 'ContainerApps', '')) | where sku !in ('Dynamic', 'FlexConsumption', '') | extend 
aspName = tostring(split(aspResourceId, '/').[-1]), managedEnvName = tostring(split(managedEnvId, '/').[-1]) | extend HostingPlan = tostring(iif(isnotempty(aspName), aspName, managedEnvName)) | project functionAppName = name, functionAppId = id, HostingPlan, sku | join kind=inner ( resources | where type =~ 'Microsoft.Web/serverfarms' or type =~ 'Microsoft.App/managedEnvironments' | extend HostingPlan = tostring(name), zoneRedundant = tostring(properties.zoneRedundant), compliant = tobool(properties.zoneRedundant) | project HostingPlan, resourceId = id, zoneRedundant, compliant ) on HostingPlan | project functionAppName, functionAppId, sku, HostingPlan, resourceId, zoneRedundant, compliant", - "service": "Azure Functions", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", + "services": [ + "Storage", + "WAF" + ], + "severity": "Medium", + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", - "services": [], + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", + "services": [ + 
"Storage", + "WAF" + ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "guid": "7bc1c396-2461-4698-b57f-30ca69525252", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", + "service": "VNet", "services": [ - "AppSvc" + "ASR", + "WAF" ], - "severity": "High", - "subcategory": "High Availability", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "severity": "Medium", + "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' | where tolower(kind) !contains 'workflow' | where isnotempty(properties.serverFarmId) | extend sku = tostring(properties.sku) | where isnotempty(sku) | where sku !in ('Dynamic', 'FlexConsumption', 'ElasticPremium') 
| extend alwaysOn = properties.siteConfig.alwaysOn | project functionAppName = name, functionAppId = id, serverFarmId = tostring(properties.serverFarmId), sku, alwaysOn, compliant = tobool(alwaysOn)", - "service": "Azure Functions", + "checklist": "WAF checklist", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "services": [ - "AppSvc" + "WAF", + "Entra" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", - "waf": "Reliability" + "severity": "Medium", + "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", + "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "checklist": "WAF checklist", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", "services": [ - "Storage" + "WAF", + "Entra" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled", - "waf": "Reliability" + "severity": "Low", + "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.", + "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", + "waf": "Operations" }, { - "category": "Application Deployment", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", - "services": [], - "severity": "Medium", - "subcategory": "CI/CD", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", + "checklist": "WAF checklist", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", + "services": [ + "WAF" + ], + "severity": "High", + "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", - "service": "CosmosDB", + "checklist": "WAF checklist", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "services": [ - "CosmosDB" + "WAF" ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "FTA Resiliency Playbook", - "waf": "Reliability" + "severity": "High", 
+ "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.", + "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "checklist": "WAF checklist", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", "services": [ - "CosmosDB" + "RBAC", + "Subscriptions", + "WAF", + "ACR" ], "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", - "waf": "Reliability" + "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", - "service": "CosmosDB", + "checklist": "WAF checklist", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "services": [ - "CosmosDB" + "WAF" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Run multiple replicas of the database (>1 ) in Prod", - "waf": "Reliability" + "text": "Only use the authentication type Work or school account for all account types. 
Avoid using the Microsoft account", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", - "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", - "service": "CosmosDB", + "checklist": "WAF checklist", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "services": [ - "CosmosDB", - "ACR" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Leverage Multi-Region Writes", - "waf": "Reliability" + "text": "Only use groups to assign permissions. 
Add on-premises groups to the Entra ID only group if a group management system is already in place.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Span Cosmos account across two or more regions with multi-region writes", - "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "checklist": "WAF checklist", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "services": [ - "CosmosDB", - "ACR" + "AzurePolicy", + "WAF", + "Entra" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Distribute your data globally", - "waf": "Reliability" + "severity": "High", + "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", - "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", - "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", - "service": "CosmosDB", + "checklist": "WAF checklist", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "services": [ - "CosmosDB" + "WAF" ], "severity": "High", - "subcategory": "High Availability", - "text": "Choose from several well-defined consistency models", - "waf": "Reliability" + "text": "Enforce multi-factor 
authentication for any user with rights to the Azure environments.", + "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", - "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", - "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", - "service": "CosmosDB", + "checklist": "WAF checklist", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "services": [ - "CosmosDB" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Enable Service managed failover", - "waf": "Reliability" + "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.", - "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", - "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", - "service": "CosmosDB", + "checklist": "WAF checklist", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "services": [ - "CosmosDB", - "Storage", - "Backup" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "Backup Strategy", - "text": "Enable Automatic Backups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Reliability" + "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", - "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", - "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", - "service": "CosmosDB", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "services": [ - "CosmosDB", - "Backup" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "Backup Strategy", - "text": "Perform Periodic Backups", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. ", + "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "CosmosDB Review Checklist", - "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", + "checklist": "WAF checklist", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "services": [ - "CosmosDB", - "Backup" + "Entra", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Backup Strategy", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Reliability" + "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", + "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Implement branching policy in Azure DevOps", - "guid": "eda1dae2-cc85-4c47-a6b7-81cca0e6c465", - "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-policies-overview?view=azure-devops", + "ammp": true, + "checklist": "WAF checklist", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "services": [ - "AzurePolicy" + "WAF", + "Entra" ], "severity": "High", - "subcategory": "Branching Policy", - "text": "Branch Policies", - "waf": "Operations" + "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout. 
MFA will be turned on by default for all users in Oct 2024. We recommend updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. ", + "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Understand branch strategy such as GitFlow or GitHub Flow", - "guid": "bc288bec-6a16-4ca7-8444-51e1add34529", - "link": "https://learn.microsoft.com/azure/devops/repos/git/git-branching-guidance?view=azure-devops", + "checklist": "WAF checklist", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "services": [ - "AzurePolicy" + "RBAC", + "WAF", + "Entra" ], - "severity": "High", - "subcategory": "Branching Policy", - "text": "Branching strategy", - "waf": "Operations" + "severity": "Medium", + "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Understand how teams work with git", - "guid": "ec723823-7a15-41c5-ab4e-401914387e5c", - "link": "https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow", + "checklist": "WAF checklist", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "services": [ - "AzurePolicy" + "WAF", + "Entra" ], - "severity": "High", - "subcategory": "Branching Policy", - "text": "Understand GitFlow Branch Strategy", - "waf": "Operations" + "severity": "Medium", + 
"text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Merge into higher branches after two or more reviewers in a PR", - "guid": "a9c26c9c-32ab-45bd-8c69-98a246e33899", - "link": "https://learn.microsoft.com/azure/devops/repos/git/review-pull-requests?view=azure-devops&tabs=browser", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "services": [ - "AzurePolicy" + "VNet", + "WAF" ], - "severity": "High", - "subcategory": "Branching Policy", - "text": "Pull Request Review", - "waf": "Operations" + "severity": "Medium", + "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Implement access control to the branches", - "guid": "7e41c77d-68cb-46a2-8ac1-9f916d697d8e", - "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-permissions?view=azure-devops", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", "services": [ - "AzurePolicy" + "VPN", + "Entra", + "DNS", + "NVA", + "Firewall", + "ExpressRoute", + 
"VNet", + "WAF" ], - "severity": "Medium", - "subcategory": "Branching Policy", - "text": "Access Control to the Branch", - "waf": "Operations" + "severity": "High", + "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS services.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Cost" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Perform SAST code scan", - "guid": "adfd27bd-e187-401a-a252-baa9b68a088c", - "link": "https://devblogs.microsoft.com/devops/integrate-security-into-your-developer-workflow-with-github-advanced-security-for-azure-devops/", - "services": [], + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", + "services": [ + "DDoS", + "WAF" + ], "severity": "High", - "subcategory": "Security", - "text": "Code Scan", + "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Understand TFVC as Code Repo", - "guid": "9a8f822b-8eb9-4d1b-a77f-26e5e6beba8e", - "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/what-is-tfvc?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Practice", - "text": "TFVC as Code Repository", - "waf": "Operations" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": 
"https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", + "services": [ + "NVA", + "WAF" + ], + "severity": "Medium", + "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.", + "waf": "Reliability" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Compare Git vs TFVC for your project", - "guid": "d4f3437b-c336-4d71-9f27-a71eee0b9b5d", - "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/comparison-git-tfvc?view=azure-devops", - "services": [], + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "services": [ + "VPN", + "ARS", + "ExpressRoute", + "WAF" + ], "severity": "Low", - "subcategory": "Practice", - "text": "Choose Right version control", - "waf": "Operations" + "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Security" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Set up your team management", - "guid": "8defd5d7-21d4-41d2-900c-807bf9eab40f", - "link": "https://learn.microsoft.com/azure/devops/organizations/settings/manage-teams?view=azure-devops", - "services": [], - "severity": "High", - "subcategory": "Team Planning", - "text": "Configure your teams", - "waf": "Operations" + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, 
subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "services": [ + "ARS", + "VNet", + "WAF" + ], + "severity": "Low", + "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Security" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Start scheduling sprints", - "guid": "9ed5b354-78d4-447a-a26c-2863c00f1cac", - "link": "https://learn.microsoft.com/azure/devops/boards/sprints/define-sprints?view=azure-devops", - "services": [], + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", + "services": [ + "VNet", + "WAF", + "ACR" + ], "severity": "Medium", - "subcategory": "Team Planning", - "text": "Configure your sprints", - "waf": "Operations" - }, - { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Set up your work item heirarchy", - "guid": "699ef1d5-a83d-4e5d-b36c-1c81870a0bc5", - "link": "https://learn.microsoft.com/azure/devops/organizations/settings/work/customize-process-work-item-type?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Team Planning", - "text": "Choose Work Item types", - "waf": "Operations" + "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings 
between the hub VNets to connect the regions to each other.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "Performance" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "WIT Processes available in Azure DevOps", - "guid": "c1e43a18-658d-4285-aed6-7179b825546d", - "link": "https://learn.microsoft.com/azure/devops/boards/work-items/guidance/choose-process?view=azure-devops&tabs=agile-process", - "services": [], - "severity": "High", - "subcategory": "Team Planning", - "text": "Select a WIT Process", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", + "services": [ + "WAF", + "Monitor" + ], + "severity": "Medium", + "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "Operations" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Use Azure Boards with GitHub", - "guid": "f2aee455-3afc-4833-a248-726dd68c5b5c", - "link": "https://learn.microsoft.com/azure/devops/cross-service/github-integration?view=azure-devops", - "services": [], + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + 
"service": "VNet", + "services": [ + "ExpressRoute", + "WAF", + "VNet" + ], + "severity": "Medium", + "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "services": [ + "Storage", + "WAF" + ], + "severity": "Medium", + "text": "Limit the number of routes per route table to 400.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", + "services": [ + "VNet", + "WAF" + ], + "severity": "High", + "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.", + "training": 
"https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Reliability" + }, + { + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", + "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", + "service": "Load Balancers", + "services": [ + "LoadBalancer", + "WAF" + ], + "severity": "High", + "text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. 
Unlike Basic, it supports global load balancing and offers an SLA.", + "waf": "Reliability" + }, + { + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "48682fb1-1e86-4458-a686-518ebd47393d", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", + "service": "Load Balancers", + "services": [ + "LoadBalancer", + "WAF" + ], + "severity": "High", + "text": "Ensure load 
balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", + "service": "ExpressRoute", + "services": [ + "VPN", + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", + "services": [ + "WAF", + "ACR" + ], + "severity": "High", + "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.", + 
"training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "services": [ + "WAF" + ], + "severity": "Medium", + "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "services": [ + "VNet", + "WAF" + ], + "severity": "High", + "text": "Ensure that IP address space isn't wasted, don't create unnecessarily 
large virtual networks (for example /16).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", + "services": [ + "ASR", + "WAF" + ], + "severity": "High", + "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Reliability" + }, + { + "checklist": "WAF checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", + "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", + "service": "Public IP Addresses", + "services": [ + "WAF", + "ACR" + ], + "severity": "High", + "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. 
",
+ "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "WAF checklist",
+ "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal",
+ "service": "DNS",
+ "services": [
+ "DNS",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "WAF checklist",
+ "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
+ "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
+ "service": "DNS",
+ "services": [
+ "DNS",
+ "WAF",
+ "ACR"
+ ],
+ "severity": "Medium",
+ "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "WAF checklist",
+ "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
+ "services": [
+ "DNS",
+ "WAF"
+ ],
  "severity": "Low",
- "subcategory": "Tool Integration",
- "text": "GitHub Integration",
+ "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00",
  "waf": "Operations"
  },
  {
- "category": "Azure Boards",
- "checklist": "Azure DevOps",
- "description": "Understand the methologies",
- "guid": "2925394b-69b9-4d37-aac4-3bc68d1d7665",
- "link": "https://www.atlassian.com/agile/scrum/agile-vs-scrum",
- "services": [],
- "severity": "Medium",
- "subcategory": "Process Planning",
- "text": "Understand Agile Vs Scrum",
- "waf": "Operations"
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "WAF checklist",
+ "guid": "614658d3-558f-4d77-849b-821112df27ee",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
+ "service": "DNS",
+ "services": [
+ "VM",
+ "DNS",
+ "VNet",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "WAF checklist",
+ "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b",
+ "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures",
+ "service": "DNS",
+ "services": [
+ "DNS",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Implement a plan for managing DNS resolution between multiple Azure regions and when services fail over to another region",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "WAF checklist",
+ "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "service": "Bastion",
+ "services": [
+ "Bastion",
+ "WAF" + ], + "severity": "Medium", + "text": "Use Azure Bastion to securely connect to your network.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/bastionHosts", + "checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", + "services": [ + "Bastion", + "VNet", + "WAF" + ], + "severity": "Medium", + "text": "Use Azure Bastion in a subnet /26 or larger.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "WAF checklist", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", + "services": [ + "AzurePolicy", + "WAF", + "FrontDoor", + "ACR" + ], + "severity": "Medium", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "WAF checklist", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "services": [ + 
"AppGW", + "AzurePolicy", + "WAF", + "FrontDoor" + ], + "severity": "Low", + "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "WAF checklist", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "services": [ + "VNet", + "WAF" + ], + "severity": "High", + "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "services": [ + "DDoS", + "VNet", + "WAF" + ], + "severity": "High", + "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "services": [ + "WAF" + ], + "severity": "High", + "text": "Plan for how to 
manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "WAF checklist", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "services": [ + "DDoS", + "WAF" + ], + "severity": "High", + "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", + "services": [ + "AzurePolicy", + "VM", + "WAF" + ], + "severity": "High", + "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + "services": [ + "VPN", + "ExpressRoute", + "WAF", + "Backup" + ], + "severity": "Medium", + "text": "Use ExpressRoute as the primary connection to Azure. 
Use VPNs as a source of backup connectivity.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", + "services": [ + "VPN", + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + 
"arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF", + "Cost" + ], + "severity": "High", + "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Cost" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF", + "Cost" + ], + "severity": "High", + "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Cost" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "graph": "resources| 
where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", + "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", + "services": [ + "VPN", + "WAF" + ], + "severity": "Medium", + "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "WAF checklist", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", + "services": [ + "VPN", + "WAF" + ], + "severity": "Medium", + "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF", + "Cost" + ], + "severity": "High", + "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Cost" + }, + { + 
"arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF", + "Monitor" + ], + "severity": "Medium", + "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", + "services": [ + "NetworkWatcher", + "WAF", + "ACR", + "Monitor" + ], + "severity": "Medium", + "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + 
"checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "Use ExpressRoute circuits from different peering locations for redundancy.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", + "services": [ + "VPN", + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project 
id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", + "services": [ + "Storage", + "VNet", + "WAF" + ], + "severity": "High", + "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF", + "ACR" + ], + "severity": "High", + "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF" + ], + "severity": "Medium", + "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", + "services": [ + "WAF" + ], + "severity": "Medium", + "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF" + ], + "severity": "High", + "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", + "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", + "services": [ + "VNet", + "ExpressRoute", + "WAF", + "Monitor" + ], + "severity": "Medium", + "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "WAF checklist", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "WAF", + "VNet" + ], + "severity": "Medium", + "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + "checklist": "WAF checklist", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", + "services": [ + "WAF", + "ACR" + ], + "severity": "Low", + "text": "Do not send Azure traffic to hybrid locations for inspection. 
Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
+ "link": "https://learn.microsoft.com/azure/firewall/overview",
+ "service": "Firewall",
+ "services": [
+ "Firewall",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview",
+ "service": "Firewall",
+ "services": [
+ "ACR",
+ "Firewall",
+ "AzurePolicy",
+ "RBAC",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
+ "service": "Firewall",
+ "services": [
+ "Firewall",
+ "WAF"
+ ],
+ "severity": "Low",
+ "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
+ "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
+ "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
+ "service": "Firewall",
+ "services": [
+ "DNS",
+ "Firewall",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
+ "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "service": "Firewall",
+ "services": [
+ "Firewall",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Use Azure Firewall Premium to enable additional security features.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "waf": "Security"
 },
 {
- "category": "Azure Boards",
- "checklist": "Azure DevOps",
- "description": "Create Dashboard and PowerBI reports",
- "guid": "7246b448-564b-44dd-94a7-59c7633bd2a1",
- "link": "https://learn.microsoft.com/azure/devops/report/dashboards/overview?view=azure-devops",
- "services": [],
- "severity": "Medium",
- "subcategory": "Reporting",
- "text": "Dashboard",
- "waf": "Operations"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
+ "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules",
+ "service": "Firewall",
+ "services": [
+ "Firewall",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
+ "waf": "Security"
 },
 {
- "category": "Azure Boards",
- "checklist": "Azure DevOps",
- "description": "Set up backlog",
- "guid": "a27a764a-90be-40e3-98ee-293c1bd363ca",
- "link": "https://learn.microsoft.com/azure/devops/boards/backlogs/set-up-your-backlog?view=azure-devops",
- "services": [],
- "severity": "Medium",
- "subcategory": "Reporting",
- "text": "Refine your backlog",
- "waf": "Operations"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
+ "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
+ "service": "Firewall",
+ "services": [
+ "Firewall",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "waf": "Security"
 },
 {
- "category": "Azure Boards",
- "checklist": "Azure DevOps",
- "description": "Link your work items",
- "guid": "aab75719-49ab-4919-9dc9-fc9d1bb84b37",
- "link": "https://learn.microsoft.com/azure/devops/boards/queries/link-work-items-support-traceability?view=azure-devops&tabs=browser",
- "services": [],
- "severity": "Medium",
- "subcategory": "Reporting",
- "text": "Visualize Relationships",
- "waf": "Operations"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
+ "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
+ "service": "Firewall",
+ "services": [
+ "VWAN",
+ "NVA",
+ "Storage",
+ "Firewall",
+ "VNet",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.",
+ "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "View the velocity report",
- "guid": "b5a67fcb-9ed5-4b35-978d-447a826c2863",
- "link": "https://learn.microsoft.com/azure/devops/report/dashboards/team-velocity?view=azure-devops&tabs=in-context",
- "services": [],
- "severity": "Low",
- "subcategory": "Reporting",
- "text": "Review Team Velocity",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
+ "service": "Firewall",
+ "services": [
+ "Storage",
+ "Firewall",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Operations"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Create your first pipeline",
- "guid": "c00f1cac-699e-4f1d-9a83-de5de36c1c81",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Ctfs-2018-2%2Cbrowser",
- "services": [],
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
+ "service": "Firewall",
+ "services": [
+ "AzurePolicy",
+ "Firewall",
+ "WAF"
+ ],
 "severity": "High",
- "subcategory": "Continuous Integration",
- "text": "Set up pipeline",
+ "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Operations"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Specify events that trigger pipelines",
- "guid": "870a0bc5-c1e4-43a1-a658-d2858ed67179",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/build/triggers?view=azure-devops",
- "services": [],
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
+ "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
+ "service": "Firewall",
+ "services": [
+ "Firewall",
+ "VNet",
+ "WAF"
+ ],
 "severity": "High",
- "subcategory": "Continuous Integration",
- "text": "Set Build triggers",
- "waf": "Operations"
- },
- {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Use YAML to create build pipeline",
- "guid": "b825546d-f2ae-4e45-93af-c8339248726d",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/customize-pipeline?view=azure-devops",
- "services": [],
- "severity": "Low",
- "subcategory": "Continuous Integration",
- "text": "Customize YAML Pipeline",
- "waf": "Operations"
+ "text": "Use a /26 prefix for your Azure Firewall subnets.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Use classic GUI editor to set up pipeline",
- "guid": "d68c5b5c-2925-4394-a69b-9d379ac43bc6",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/get-started/pipelines-get-started?view=azure-devops&source=recommendations#define-pipelines-using-the-classic-interface",
- "services": [],
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
+ "service": "Firewall",
+ "services": [
+ "AzurePolicy",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Continuous Integration",
- "text": "Use GUI for pipeline",
- "waf": "Operations"
+ "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/",
+ "waf": "Performance"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Set up templates, parameters and expressions",
- "guid": "8d1d7665-7246-4b44-a564-b4dd74a759c7",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/process/templates?view=azure-devops&pivots=templates-includes",
- "services": [],
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
+ "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
+ "service": "Firewall",
+ "services": [
+ "Storage",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Continuous Integration",
- "text": "Configure Templates",
- "waf": "Operations"
+ "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.",
+ "waf": "Performance"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Set up jobs, stages and dependencies",
- "guid": "633bd2a1-a27a-4764-a90b-e0e378ee293c",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/process/stages?view=azure-devops&tabs=yaml",
- "services": [],
- "severity": "High",
- "subcategory": "Continuous Integration",
- "text": "Jobs",
- "waf": "Operations"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
+ "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
+ "service": "Firewall",
+ "services": [
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
+ "waf": "Performance"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Set up conditions and Demands",
- "guid": "1bd363ca-aab7-4571-a49a-b9193dc9fc9d",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/process/conditions?view=azure-devops&tabs=yaml%2Cstages",
- "services": [],
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
+ "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway",
+ "service": "Firewall",
+ "services": [
+ "WAF",
+ "Monitor"
+ ],
 "severity": "Medium",
- "subcategory": "Continuous Integration",
- "text": "Conditions and Demands",
- "waf": "Operations"
+ "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
+ "waf": "Performance"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Define Variables",
- "guid": "1bb84b37-b5a6-47fc-a9ed-5b35478d447a",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch",
- "services": [],
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "346840b8-1064-496e-8396-4b1340172d52",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection",
+ "service": "Firewall",
+ "services": [
+ "Firewall",
+ "WAF"
+ ],
 "severity": "High",
- "subcategory": "Continuous Integration",
- "text": "Variables",
- "waf": "Operations"
+ "text": "If you are using Azure Firewall Premium, enable TLS Inspection.",
+ "waf": "Performance"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Set up your deployment pipeline",
- "guid": "826c2863-c00f-41ca-a699-ef1d5a83de5d",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/process/create-multistage-pipeline?view=azure-devops",
- "services": [],
- "severity": "High",
- "subcategory": "Continuous Deployment",
- "text": "Deployment Pipeline",
- "waf": "Operations"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories",
+ "service": "Firewall",
+ "services": [
+ "ServiceBus",
+ "WAF"
+ ],
+ "severity": "Low",
+ "text": "Use web categories to allow or deny outbound access to specific topics.",
+ "waf": "Performance"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Select correct branches to deploy from",
- "guid": "e36c1c81-870a-40bc-9c1e-43a18658d285",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deploy-multiple-branches?view=azure-devops",
- "services": [],
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall",
+ "service": "Firewall",
+ "services": [
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Continuous Deployment",
- "text": "Release branch",
- "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview",
- "waf": "Operations"
+ "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/",
+ "waf": "Performance"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "use relevant template to deploy to azure",
- "guid": "8ed67179-b825-4546-bf2a-ee4553afc833",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/overview-azure?view=azure-devops",
- "services": [],
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant",
+ "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
+ "link": "https://learn.microsoft.com/azure/firewall/dns-details",
+ "service": "Firewall",
+ "services": [
+ "DNS",
+ "Firewall",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Continuous Deployment",
- "text": "Deploy to Azure",
- "waf": "Operations"
+ "text": "Enable Azure Firewall DNS proxy configuration.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/",
+ "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Define Release Approvals and pre deployment checks",
- "guid": "9248726d-d68c-45b5-a292-5394b69b9d37",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass",
- "services": [],
- "severity": "Medium",
- "subcategory": "Continuous Deployment",
- "text": "Approvals and Checks",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
+ "service": "Firewall",
+ "services": [
+ "Firewall",
+ "WAF",
+ "Monitor"
+ ],
+ "severity": "High",
+ "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/",
 "waf": "Operations"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Define Gates and post deployment checks",
- "guid": "9ac43bc6-8d1d-4766-9724-6b448564b4dd",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/release/approvals/?view=azure-devops&tabs=yaml",
- "services": [],
- "severity": "Medium",
- "subcategory": "Continuous Deployment",
- "text": "Gates",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "service": "Firewall",
+ "services": [
+ "WAF",
+ "Backup"
+ ],
+ "severity": "Low",
+ "text": "Implement backups for your firewall rules",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/",
 "waf": "Operations"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Define Azure Function and REST API Checks",
- "guid": "74a759c7-633b-4d2a-8a27-a764a90be0e3",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/process/invoke-checks?view=azure-devops",
- "services": [],
- "severity": "Low",
- "subcategory": "Continuous Deployment",
- "text": "Azure Function Checks",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Operations"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'",
+ "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707",
+ "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell",
+ "service": "Firewall",
+ "services": [
+ "Firewall",
+ "WAF",
+ "ACR"
+ ],
+ "severity": "High",
+ "text": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Review pipeline reports",
- "guid": "78ee293c-1bd3-463c-aaab-7571949ab919",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/reports/pipelinereport?view=azure-devops",
- "services": [],
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'",
+ "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc",
+ "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview",
+ "service": "Firewall",
+ "services": [
+ "DDoS",
+ "Firewall",
+ "VNet",
+ "WAF"
+ ],
 "severity": "High",
- "subcategory": "Continuous Deployment",
- "text": "Pipline Reports",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
- "waf": "Operations"
+ "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. ",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "configure Trend Result widget",
- "guid": "3dc9fc9d-1bb8-44b3-9b5a-67fcb9ed5b35",
- "link": "https://learn.microsoft.com/azure/devops/report/dashboards/analytics-widgets?toc=%2Fazure%2Fdevops%2Fpipelines%2Ftoc.json&view=azure-devops#test-results-trend-advanced",
- "services": [],
- "severity": "Medium",
- "subcategory": "Analytics",
- "text": "Pipeline Result Trend",
- "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
- "waf": "Operations"
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "WAF checklist",
+ "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "App Gateway",
+ "services": [
+ "VNet",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Connect with WIT to visualize work",
- "guid": "478d447a-826c-4286-9c00-f1cac699ef1d",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/integrations/configure-pipelines-work-tracking?view=azure-devops&tabs=yaml",
- "services": [],
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "WAF checklist",
+ "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
+ "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview",
+ "service": "ExpressRoute",
+ "services": [
+ "PrivateLink",
+ "ExpressRoute",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Analytics",
- "text": "Work Tracking with Pipeline",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
- "waf": "Operations"
+ "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Understand agent pools",
- "guid": "5a83de5d-e36c-41c8-8870-a0bc5c1e43a1",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=yaml%2Cbrowser",
- "services": [],
- "severity": "Medium",
- "subcategory": "Continuous Deployment",
- "text": " Agents and agent pools",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Operations"
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
+ "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview",
+ "service": "VNet",
+ "services": [
+ "VNet",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Don't enable virtual network service endpoints by default on all subnets.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Understand and provision Deployment Groups when required",
- "guid": "8658d285-8ed6-4717-ab82-5546df2aee45",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deployment-groups/?view=azure-devops",
- "services": [],
- "severity": "Low",
- "subcategory": "Continuous Deployment",
- "text": "Deployment Groups",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
- "waf": "Operations"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "WAF checklist",
+ "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe",
+ "link": "azure/private-link/inspect-traffic-with-azure-firewall",
+ "service": "Firewall",
+ "services": [
+ "DNS",
+ "NVA",
+ "PrivateLink",
+ "Firewall",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Understand Kubernetes Deployment",
- "guid": "53afc833-9248-4726-bd68-c5b5c2925394",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/ecosystems/kubernetes/deploy?view=azure-devops",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
+ "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
+ "service": "ExpressRoute",
 "services": [
- "AKS"
+ "VPN",
+ "ExpressRoute",
+ "WAF",
+ "VNet"
 ],
- "severity": "Low",
- "subcategory": "Continuous Deployment",
- "text": "Deploy to Kubernetes",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Use at least a /27 prefix for your Gateway subnets.",
+ "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Perform Dynamic Security Testing",
- "guid": "b69b9d37-9ac4-43bc-98d1-d76657246b44",
- "link": "https://devblogs.microsoft.com/premier-developer/azure-devops-pipelines-leveraging-owasp-zap-in-the-release-pipeline/",
- "services": [],
- "severity": "Medium",
- "subcategory": "Security",
- "text": "DAST Scan",
- "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)",
+ "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
+ "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags",
+ "service": "NSG",
+ "services": [
+ "VNet",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.",
 "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Manage Service Connections",
- "guid": "8564b4dd-74a7-459c-9633-bd2a1a27a764",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml",
- "services": [],
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant",
+ "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
+ "service": "NSG",
+ "services": [
+ "VNet",
+ "WAF",
+ "ACR"
+ ],
 "severity": "Medium",
- "subcategory": "Security",
- "text": "Service Connections",
- "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Set data retention policies for CI and CD",
- "guid": "a90be0e3-78ee-4293-a1bd-363caaab7571",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/retention?view=azure-devops&tabs=yaml",
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "WAF checklist",
+ "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "service": "NSG",
 "services": [
- "AzurePolicy"
+ "NVA",
+ "VNet",
+ "WAF",
+ "Entra"
 ],
 "severity": "Medium",
- "subcategory": "Security",
- "text": "Retention Policies",
- "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
+ "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Set up and pay for concurrent pipelines",
- "guid": "949ab919-3dc9-4fc9-b1bb-84b37b5a67fc",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/licensing/concurrent-jobs?view=azure-devops&tabs=ms-hosted",
- "services": [],
- "severity": "Low",
- "subcategory": "Administration",
- "text": "Parallel Pipelines",
- "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
- "waf": "Operations"
- },
- {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Set pipeline permissions",
- "guid": "b9ed5b35-478d-4447-a826-c2863c00f1ca",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/permissions?view=azure-devops",
- "services": [],
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant",
+ "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
+ "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview",
+ "service": "NSG",
+ "services": [
+ "NetworkWatcher",
+ "VNet",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Security",
- "text": "Pipeline Permissions",
- "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/",
+ "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
 "waf": "Security"
 },
 {
- "category": "Azure Pipelines",
- "checklist": "Azure DevOps",
- "description": "Add users to pipeline",
- "guid": "c699ef1d-5a83-4de5-be36-c1c81870a0bc",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/set-permissions?view=azure-devops",
- "services": [],
- "severity": "Low",
- "subcategory": "Security",
- "text": "Pipeline Users",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "Security"
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
+ "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "NSG",
+ "services": [
+ "VNet",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.",
+ "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "waf": "Reliability"
 },
 {
- "category": "Azure Artifact",
- "checklist": "Azure DevOps",
- "description": "Configure Artifacts",
- "guid": "5c1e43a1-8658-4d28-98ed-67179b825546",
- "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/artifacts-overview?view=azure-devops&tabs=nuget",
- "services": [],
+ 
"arm-service": "microsoft.network/virtualWans", + "checklist": "WAF checklist", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", + "services": [ + "VWAN", + "WAF" + ], "severity": "Medium", - "subcategory": "Configuration", - "text": "Artifact In Pipeline", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", "waf": "Operations" }, { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish and consume artifact in pipeline", - "guid": "df2aee45-53af-4c83-9924-8726dd68c5b5", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/pipeline-artifacts?view=azure-devops&tabs=yaml", - "services": [], + "arm-service": "microsoft.network/virtualWans", + "checklist": "WAF checklist", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", + "services": [ + "VWAN", + "WAF", + "ACR" + ], "severity": "Medium", - "subcategory": "Configuration", - "text": "Publish and download Artifact", - "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", - "waf": "Operations" + "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Performance" }, { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish NuGet packages with artifacts", - 
"guid": "c2925394-b69b-49d3-99ac-43bc68d1d766", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/nuget?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Low", - "subcategory": "Configuration", - "text": "NuGet", - "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "waf": "Operations" + "arm-service": "microsoft.network/virtualWans", + "checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", + "services": [ + "Firewall", + "WAF" + ], + "severity": "Medium", + "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish Maven packages with artifacts", - "guid": "57246b44-8564-4b4d-b74a-759c7633bd2a", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/publish-maven-artifacts?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Configuration", - "text": "Maven", - "waf": "Operations" + "arm-service": "microsoft.network/virtualWans", + "checklist": "WAF checklist", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", + "services": [ + "VWAN", + "WAF" + ], + "severity": "Medium", + "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "category": "Azure Artifact", 
- "checklist": "Azure DevOps", - "description": "Publish NPM packages with artifacts", - "guid": "1a27a764-a90b-4e0e-978e-e293c1bd363c", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/npm?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Low", - "subcategory": "Configuration", - "text": "NPM", + "arm-service": "microsoft.network/virtualWans", + "checklist": "WAF checklist", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", + "services": [ + "VWAN", + "WAF", + "Monitor" + ], + "severity": "Medium", + "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": "Operations" }, { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Best Practices to work with Azure Artifact", - "guid": "aaab7571-949a-4b91-a3dc-9fc9d1bb84b3", - "link": "https://learn.microsoft.com/azure/devops/artifacts/concepts/best-practices?view=azure-devops", - "services": [], + "arm-service": "microsoft.network/virtualWans", + "checklist": "WAF checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", + "services": [ + "VWAN", + "WAF" + ], "severity": "Medium", - "subcategory": "Configuration", - "text": "Best Practices", - "waf": "Operations" + "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", + "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "What is monitoring?", - "guid": "7b5a67fc-b9ed-45b3-9478-d447a826c286", - "link": "https://learn.microsoft.com/devops/operate/what-is-monitoring", + "arm-service": "microsoft.network/virtualWans", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", "services": [ - "Monitor" + "VPN", + "ExpressRoute", + "WAF" ], - "severity": "High", - "subcategory": "Practice", - "text": "What to monitor?", - "waf": "Operations" + "severity": "Medium", + "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Progressive Exposure Strategy", - "guid": "3c00f1ca-c699-4ef1-b5a8-3de5de36c1c8", - "link": "https://learn.microsoft.com/devops/operate/safe-deployment-practices", - "services": [], + "arm-service": "microsoft.network/virtualWans", + "checklist": "WAF checklist", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", + "services": [ + "VWAN", + "WAF" + ], "severity": "Medium", - "subcategory": "Practice", - "text": "Safe Deployment Practices", - "waf": "Operations" + "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", + "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Microsoft runs reliable systems with DevOps", - "guid": "1870a0bc-5c1e-443a-8865-8d2858ed6717", - "link": "https://learn.microsoft.com/devops/operate/how-microsoft-operates-devops", - "services": [], - "severity": "Low", - "subcategory": "Practice", - "text": "Case Study", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Operations" + "arm-service": "microsoft.network/virtualWans", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", + "services": [ + "WAF" + ], + "severity": "High", + "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Security in DevOps", - "guid": "9b825546-df2a-4ee4-953a-fc8339248726", - "link": "https://learn.microsoft.com/devops/operate/security-in-devops", - "services": [], - "severity": "Medium", - "subcategory": "Practice", - "text": "DevSecOps", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "services": [ + "AzurePolicy", + "WAF" + ], + 
"severity": "High", + "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Security" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Enable DevSecops with Azure And GitHub", - "guid": "dd68c5b5-c292-4539-9b69-b9d379ac43bc", - "link": "https://learn.microsoft.com/devops/devsecops/enable-devsecops-azure-github", - "services": [], - "severity": "Low", - "subcategory": "Practice", - "text": "DevSecops", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "services": [ + "AzurePolicy", + "RBAC", + "WAF" + ], + "severity": "Medium", + "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", + "training": "https://learn.microsoft.com/training/modules/governance-security/", "waf": "Security" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Mirror RBAC in DevOps", - "guid": "68d1d766-5724-46b4-9856-4b4dd74a759c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/secure/best-practices/end-to-end-governance", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "RBAC" + "AzurePolicy", + "Subscriptions", + "WAF" ], - "severity": "Low", - "subcategory": "Practice", - "text": "Secure DevOps Govenance", - "training": 
"https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "severity": "Medium", + "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Security" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Governance when using CI/CD", - "guid": "7633bd2a-1a27-4a76-9a90-be0e378ee293", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/governance/end-to-end-governance-in-azure", - "services": [], - "severity": "Medium", - "subcategory": "Practice", - "text": "Azure DevOps Governance", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "services": [ + "AzurePolicy", + "WAF" + ], + "severity": "High", + "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", "services": [ - "EventHubs" + "AzurePolicy", + "Subscriptions", + "WAF" ], "severity": "Low", - "subcategory": "Data Protection", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "services": [ + "AzurePolicy", + "WAF" + ], + "severity": "High", + "text": "Use built-in policies where possible to minimize operational overhead.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "services": [ - "EventHubs" + "Entra", + "AzurePolicy", + "RBAC", + "Subscriptions", + "WAF" ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": 
"When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. ", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "TrafficManager", "AzurePolicy", - "EventHubs", - "RBAC", - "Entra" + "Subscriptions", + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "services": [ - "Storage", - "VM", - "EventHubs", - "Entra", - "AKV" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "services": [ - "Entra", - "RBAC", - "EventHubs" + "AzurePolicy", + "Subscriptions", + "WAF" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "severity": "Medium", + "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "services": [ - "VNet", - "Monitor", - "EventHubs" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Enable logging for security investigation. 
Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "WAF checklist", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", "services": [ - "VNet", - "PrivateLink", - "EventHubs" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "arm-service": "Microsoft.Insights/components", + "checklist": "WAF checklist", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", + "service": "Monitor", "services": [ - "EventHubs" + "Entra", + "Monitor", + "AzurePolicy", + "RBAC", + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "arm-service": "Microsoft.Insights/components", + "checklist": "WAF checklist", + "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "services": [ - "EventHubs" + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage FTA Resillency HandBook", + "text": "Decide whether to use a single Azure Monitor Logs workspace for all regions or to create multiple workspaces to cover various geographical regions. 
Each approach has advantages and disadvantages, including potential cross-region networking charges", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", + "arm-service": "Microsoft.Insights/components", + "checklist": "WAF checklist", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "services": [ - "ACR", - "EventHubs" + "AzurePolicy", + "Storage", + "WAF", + "ARS" ], "severity": "High", - "subcategory": "Zone Redudancy", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" + "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. 
Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", "services": [ - "EventHubs" + "AzurePolicy", + "VM", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Use the Premium or Dedicated SKUs for predicable performance", - "waf": "Reliability" + "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. 
Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", + "service": "VM", "services": [ - "ASR", - "EventHubs" + "VM", + "WAF" ], - "severity": "High", - "subcategory": "Geo Redudancy", - "text": "Plan for Geo Disaster Recovery using Active Passive configuration", - "waf": "Reliability" + "severity": "Medium", + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "services": [ - "ASR", - "EventHubs" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Geo Redudancy", - "text": "For Business Critical Applications, use Active Active configuration", - "waf": "Reliability" + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "arm-service": "microsoft.network/networkWatchers", + "checklist": "WAF checklist", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "services": [ - "EventHubs" + "NetworkWatcher", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Reliability", - "text": "Design Resilient Event Hubs", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "cb7da8cf-aa62-4a15-a495-6da97dc3a242", - "link": 
"https://learn.microsoft.com/azure/site-recovery/site-recovery-plan-capacity-vmware", - "services": [], - "severity": "High", - "subcategory": "Replication", - "text": "Capacity planning is required to make sure you have sufficient bandwidth for replication and an estimated number of CPU cores & disk types that will be needed in Azure for failover", - "waf": "Reliability" + "text": "Use Network Watcher to proactively monitor traffic flows.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "67b23587-05a1-4652-aded-fa8a488cdec4", - "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-policy", + "arm-service": "Microsoft.Insights/components", + "checklist": "WAF checklist", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", "services": [ - "AzurePolicy", - "VM", - "ASR" + "WAF", + "Monitor" ], - "severity": "High", - "subcategory": "Replication", - "text": "Use Azure Policy to ensure that all critical Azure VMs are protected with ASR", - "waf": "Reliability" + "severity": "Medium", + "text": "Use Azure Monitor Logs for insights and reporting.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "862bc3bc-14be-4b7f-96e8-d9b3bec228e7", - "link": "https://learn.microsoft.com/azure/site-recovery/recovery-plan-overview", + "arm-service": "Microsoft.Insights/components", + "checklist": "WAF checklist", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", 
"services": [ - "VM" + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Replication", - "text": "Define recovery plans to automate the failover sequence for VMs. You can also include automation scripts to reduce manual steps and improve recovery time", - "waf": "Reliability" + "text": "Use Azure Monitor alerts for the generation of operational alerts.", + "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "437b1736-db55-4f67-a613-334bd09dc234", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=recovery-services-vault", - "services": [], + "arm-service": "Microsoft.Insights/components", + "checklist": "WAF checklist", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", + "services": [ + "WAF", + "Monitor" + ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enable and LOCK immutability for vaults. 
This ensures recovery points cannot be deleted before their intended expiry", - "waf": "Reliability" + "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "19db6128-1265-404b-a47a-493a08042729", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "services": [], - "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enable 'Always-on soft delete' for vaults protecting critical workloads", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", + "services": [ + "WAF", + "Backup" + ], + "severity": "Low", + "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "4798b158-8b31-4aa5-9ceb-54445135a227", - "link": "https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-storage-redundancy", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "services": [ - "Storage" + "AzurePolicy", + "VM", + "WAF" ], "severity": "Medium", - 
"subcategory": "Redudancy", - "text": "When creating Recovery Service Vaults choose the best storage redundancy option for your requirements. Vaults support local, geo and zone redundancy but this setting cannot be changed once the vault is protecting one or more resources", - "waf": "Reliability" + "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD control plane does not offer a financially backed service level agreement. We strive to attain at least 99.9% availability for the Azure Virtual Desktop service URLs. The availability of the session host virtual machines in your subscription is covered by the Virtual Machines SLA. Dependent resources/services and infrastructure availability must be also considered to properly satisfy global high-availability requirements.", - "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1", - "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", "services": [ - "AVD", - "ASR", - "Subscriptions", - "VM" + "AzurePolicy", + "VM", + "WAF", + "Monitor" ], - "severity": "High", - "subcategory": "Compute", - "text": "Determine the expected High Availability SLA for applications/desktops 
published through AVD", - "waf": "Reliability" + "severity": "Medium", + "text": "Monitor VM security configuration drift via Azure Policy.", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.", - "guid": "6acc076e-f9b1-441a-a989-579e76b897e7", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "services": [ - "AVD", - "Storage", + "VM", "ASR", - "VM" + "WAF", + "ACR" ], "severity": "Medium", - "subcategory": "Compute", - "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools", - "waf": "Reliability" + "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. 
This enables you to replicate workloads across regions.", + "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications consumed through AVD are critical. You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.", - "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", "services": [ - "AVD", - "ASR" + "WAF", + "Backup" ], - "severity": "Low", - "subcategory": "Compute", - "text": "Separate critical applications in different AVD Host Pools", - "waf": "Reliability" + "severity": "Medium", + "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. 
For a comparison between AZ and AS you can read here: https://learn.microsoft.com/azure/virtual-machines/availability.", - "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb", - "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "WAF checklist", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "services": [ - "AVD", - "ASR", - "ACR" + "AppGW", + "WAF", + "FrontDoor" ], "severity": "High", - "subcategory": "Compute", - "text": "Plan the best resiliency option for AVD Host Pool deployment", - "waf": "Reliability" + "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. Regularly review the logs to check for attacks and for false positive detections.", + "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Backup can be used to protect Host Pool VMs. For Pooled Pools, this is not necessary since should be stateless. 
Instead, this option can be considered for Personal Host Pools.", - "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "WAF checklist", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "services": [ - "AVD", - "Backup", - "VM", - "ASR" + "AppGW", + "Sentinel", + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Compute", - "text": "Assess the requirement to backup AVD Session Host VMs", - "waf": "Reliability" + "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. Detect attacks and integrate WAF telemetry into your overall Azure environment.", + "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Even for Personal Pools, usage of Availability Zones, when available, is recommended. Three possible in-region DR strategies are possible, it is recommended to select the best one based on cost, RTO/RPO, and if it is really necessary to save the entire VM OS disk: (1) create each session host in a specific zone (AZ) and then use Azure Site Recovery (ASR) to replicate to a different zone. (2) Use Azure Backup to backup and restore the specific session host in a different AZ. (3) Create a new session host in a different AZ and rely on FSLogix and/or OneDrive to make data and settings available on the new machine. 
All options require administrator intervention for DR and direct user assignment at Host Pool level, then must be planned and configured in advance.", - "guid": "5da58639-ca3a-4961-890b-29663c5e10d", - "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "services": [ - "VM", - "AVD", - "Cost", - "Backup", - "ASR" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Compute", - "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts", - "waf": "Reliability" + "severity": "High", + "text": "Use Azure Key Vault to store your secrets and credentials.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions where AVD is deployed. Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies. Please be aware that the Azure Compute Gallery service isn't a global resource. 
For disaster recovery scenarios, the best practice is to have at least two galleries, in different regions.", - "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141", - "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "services": [ - "ACR", - "Storage", - "VM", - "AVD", - "ASR" + "AKV", + "WAF" ], - "severity": "Low", - "subcategory": "Dependencies", - "text": "Plan for Golden Image cross-region availability", - "waf": "Reliability" + "severity": "Medium", + "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. 
BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.", - "guid": "fd339489-8c12-488b-9c6a-57cfb644451e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "AVD", - "ASR" + "AKV", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Dependencies", - "text": "Assess Infrastructure & Application dependencies ", - "waf": "Reliability" + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Not all data inside FSLogix user profiles may deserve protection from disaster. Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. 
In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode).", - "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23", - "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "AVD", - "Storage", - "ASR" + "AKV", + "RBAC", + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Assess which data need to be protected in the Profile and Office Containers", - "waf": "Reliability" + "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. 
Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).", - "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Storage", - "AzurePolicy", - "AVD", - "Backup", - "ASR" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Build a backup protection strategy for Profile and Office Containers", - "waf": "Reliability" + "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", + "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers: [Profile Pattern #1]: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication. Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended. LRS with local-only resiliency can be used if no zone/region protection is required. NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. [Profile Pattern #2]: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. Cloud Cache should be used only when:(1) User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure. 
(2) Selected storage option is not able to satisfy BCDR requirements. For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available. (3) When replication between disparate storage is required. [Profile Pattern #3]: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.", - "guid": "9f7547c1-746d-4c56-868a-714435bd09dd", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "AVD", - "Storage", - "ASR" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose", - "waf": "Reliability" + "text": "Establish an automated process for key and certificate rotation.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "For local disaster recovery, Azure Backup for Azure Files can be used. For cross-region geo disaster recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. 
If geo-replication is required with Azure File Share Premium, replication with FSLogix Cloud Cache can be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered.", - "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05", - "link": "https://docs.microsoft.com/azure/backup/backup-afs", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "AVD", - "Backup", - "Storage", - "ASR" + "AKV", + "PrivateLink", + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Review Azure Files disaster recovery strategy", - "waf": "Reliability" + "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Zone Redundant Storage will maximize in-region resiliency for the user profile data. ZRS is supported for premium file shares through the 'FileStorage' storage account kind. ZRS is supported in standard general-purpose v2 storage accounts. Usage of zone redundant storage must be paired with zone redundant deployment of Session Hosts in each Host Pool. 
", - "guid": "10d4e875-d502-4142-a795-f2b6eff34f88", - "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "services": [ - "AVD", - "Storage", - "ASR" + "AKV", + "Entra", + "WAF", + "Monitor" ], - "severity": "High", - "subcategory": "Storage", - "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency", - "waf": "Reliability" + "severity": "Medium", + "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. 
Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.", - "guid": "23429db7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "ACR", - "Storage", - "AVD", - "Backup", - "ASR" + "AKV", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Review Azure NetApp Files disaster recovery strategy", - "waf": "Reliability" + "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributed to the session hosts after host pool deployment using traditional software distribution methods.", - "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97", - "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "AVD" + "AKV", + "WAF" ], - "severity": "High", - "subcategory": "Golden Images", - "text": "Determine how applications will be 
deployed in AVD Host Pools", - "waf": "Operations" + "severity": "Medium", + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Multiple golden images can be required to support different OS versions and/or settings, different groups of applications that must be separated and cannot be included in a single image.", - "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89", - "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "AVD" + "AKV", + "ASR", + "WAF", + "ACR" ], "severity": "Medium", - "subcategory": "Golden Images", - "text": "Estimate the number of golden images that will be required", - "waf": "Operations" + "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. 
Custom images", - "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213", - "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "services": [ - "AVD" + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Golden Images", - "text": "Determine which OS image/s you will use for Host Pool deployment", - "waf": "Reliability" + "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure VM custom images can be created and stored in different ways: in an Azure Compute Gallery, as a managed image object or as a managed disk in the storage. 
The recommended way is to use Azure Compute Gallery.", - "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd", - "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", + "checklist": "WAF checklist", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "services": [ - "AVD", - "Storage", - "VM" + "WAF", + "Entra" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Select the proper store for custom images", - "waf": "Reliability" + "severity": "Medium", + "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", + "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "If custom images will be used, plan for an automated build process. If no pre-existing software factory exists, consider using Custom Image Templates and/or Azure Image Builder to automate the build process.", - "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282", - "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates", + "checklist": "WAF checklist", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "services": [ - "AVD" + "Subscriptions", + "WAF", + "Defender" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Design your build process for custom images", - "waf": "Operations" + "severity": "High", + "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual 
Desktop Review", - "description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article.", - "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3", - "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", + "checklist": "WAF checklist", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "services": [ - "AVD" + "Subscriptions", + "WAF", + "Defender" ], - "severity": "Medium", - "subcategory": "Golden Images", - "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image", - "waf": "Operations" + "severity": "High", + "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "FSLogix stack installed in AVD session hosts does not provide auto-update capability. 
For this reason, it is recommended to download the latest version of FSLogix and include in the golden image update process.", - "guid": "ed5c9027-dd1a-4343-86ca-52b199223186", - "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix", + "checklist": "WAF checklist", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", "services": [ - "AVD" + "Subscriptions", + "WAF", + "Defender" ], "severity": "High", - "subcategory": "Golden Images", - "text": "Include the latest version of FSLogix in the golden image update process", - "waf": "Reliability" + "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. 
", - "guid": "829e3fec-2183-4687-a017-7a2b5945bda4", - "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "services": [ - "AVD", - "RBAC" + "WAF" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool", - "waf": "Performance" + "severity": "High", + "text": "Enable Endpoint Protection on IaaS Servers.", + "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "If OneDrive is used and included in a golden image, be sure to follow the configuration procedure reported in the companion article in the 'More Info' section. Not in scope in this AVD checklist, but OneDrive optimizations like 'Known Folder Redirection' and 'Files On-Demand' should be evaluated used to reduce the space used in FSLogix profiles and provide a better user experience. 
OneDrive today is not supported for Remote Apps.", - "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e", - "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "services": [ - "AVD", - "Storage" + "Defender", + "WAF", + "Monitor" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Determine if Microsoft OneDrive will be part of AVD deployment", - "waf": "Operations" + "severity": "Medium", + "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Be sure to review the requirements and configuration procedure contained in the companion article in the 'More Info' column. 
Since Teams automatic updates will be disabled, it is recommended to check and include Teams latest version in the golden image update process.", - "guid": "b5887953-5d22-4788-9d30-b66c67be5951", - "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD", + "arm-service": "Microsoft.Insights/components", + "checklist": "WAF checklist", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "services": [ - "AVD" + "Entra", + "WAF", + "Monitor" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Determine if Microsoft Teams will be part of AVD deployment", - "waf": "Performance" + "severity": "Medium", + "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD can support users with different language and localization requirements in the same host pool. This can be done customizing golden images to ensure users can select whichever language they need. 
The procedure to configure additional language packs in Windows 11 is documented in the reference article.", - "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a", - "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs", + "checklist": "WAF checklist", + "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", + "guid": "a56888b2-7e83-4404-bd31-b886528502d1", + "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", + "service": "Entra", "services": [ - "AVD" + "WAF", + "ACR", + "Entra" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Assess the requirement to support multiple languages", - "waf": "Reliability" + "severity": "High", + "text": "Centralized threat detection with correlated logs - consolidate security data in a central location where it can be correlated across various services via SIEM (security information and event management)", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. Azure offers multiple storage options that can be used for MISX app attach. 
We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. ", - "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", + "checklist": "WAF checklist", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "services": [ - "Cost", - "AVD", - "Storage" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Do not use the same storage account/share as FSLogix profiles", - "waf": "Performance" + "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.", - "guid": "241addce-5793-477b-adb3-751ab2ac1fad", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", + "checklist": "WAF checklist", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "services": [ - "AVD" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Review performance considerations for MSIX", - "waf": "Performance" + "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "MSIX app attach requires read-only permissions to access the file share. 
If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.", - "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", "services": [ - "AVD", "Storage", - "VM", - "RBAC" + "WAF" ], - "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Check proper session host permissions for MSIX share", + "severity": "High", + "text": "Enable secure transfer to storage accounts.", + "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.", - "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", "services": [ - "AVD" + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "MSIX & AppAttach", - "text": "MSIX packages for 3rd-party applications", - "waf": "Cost" + "severity": "High", + "text": "Enable container soft delete for the storage account to recover a deleted 
container and its contents.", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "MSIX app attach doesn't support auto-update for MSIX applications, so they should be disabled.", - "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", "services": [ - "AVD" + "AKV", + "VM", + "WAF" ], - "severity": "Low", - "subcategory": "MSIX & AppAttach", - "text": "Disable auto-update for MSIX packages", + "severity": "High", + "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", + "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10/11 Enterprise or Windows 10/11 Enterprise Multi-session, version 2004 or later.", - "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", "services": [ - "AVD" + "WAF" ], - "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Review operating systems support", - "waf": "Reliability" + 
"severity": "High", + "text": "Follow Metaprompting guardrails for resonsible AI", + "waf": "Operational Excellence" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.", - "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d", - "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", "services": [ - "AVD", - "VM" + "Entra", + "WAF", + "APIM" ], - "severity": "Medium", - "subcategory": "Session Host", - "text": "Evaluate the usage of Gen2 VM for Host Pool deployment", - "waf": "Performance" + "severity": "High", + "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", + "waf": "Operational Excellence" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "MMR redirects the media content from Session Host to your local machine for faster processing and rendering. It only works when you play media content on Microsoft Edge or Google Chrome. 
See linked URL for more details.", - "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9", - "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", "services": [ - "AVD" + "WAF", + "Monitor" ], - "severity": "Low", - "subcategory": "Session Host", - "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser", - "waf": "Performance" + "severity": "High", + "text": "Enable monitoring for your AOAI instances", + "waf": "Operational Excellence" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. A host pool can be one of two types: Personal and Pooled. Which type to use, and how many, is a key design decision that must be documented and validated. 
See companion article in 'More Info' column for more details.", - "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.insights/metricalerts' | extend compliant = (properties.targetResourceType =~ 'Microsoft.CognitiveServices/accounts') | project id, compliant", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", "services": [ - "AVD", - "VM" + "AKV", + "Subscriptions", + "WAF", + "Monitor" ], "severity": "High", - "subcategory": "Capacity Planning", - "text": "Determine the Host Pool type to use", - "waf": "Cost" + "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", + "waf": "Operational Excellence" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "Use your design criteria to determine the number of Host Pools to deploy. This will be based on factors such as different OS images, multi-region support, guest VM hardware differences (such as GPU support or no), different user expectations and uptime requirements (examples might be 'Executives', 'Office Workers', 'Developers', etc.), and Host Pool RDP settings (such as drive redirection support). 
These will determine the number of host pools as well as how many hosts will be in each pool.", - "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7", - "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "services": [ - "AVD", - "VM" + "WAF", + "Monitor" ], "severity": "High", - "subcategory": "Capacity Planning", - "text": "Estimate the number of different Host Pools to deploy ", - "waf": "Performance" + "text": "Monitor token usage to prevent service disruptions due to capacity", + "waf": "Operational Excellence" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question. 
Automatic is the default setting.", - "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db", - "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "services": [ - "AVD" + "WAF", + "Monitor" ], - "severity": "Low", - "subcategory": "Capacity Planning", - "text": "For Personal Host Pool type, select the proper assignment type", - "waf": "Operations" + "severity": "Medium", + "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", + "waf": "Operational Excellence" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "Check which one to use and available options, autoscale ignores existing load-balancing algorithms.", - "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48", - "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", "services": [ - "AVD" + "WAF", + "APIM" ], "severity": "Low", - "subcategory": "Capacity Planning", - "text": "For Pooled Host Pool type, select the best load balancing method", - "waf": "Performance" + "text": "Enable and configure Diagnostics for the Azure OpenAI Service. 
If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", + "waf": "Operational Excellence" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "The number of cores increase, the system's synchronization overhead also increases. Especially for multiple user's sign-in simultaneously. Make sure not to use a VM that is too large for the session host", - "guid": "b3724959-4943-4577-a3a9-e10ff6345f24", - "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", "services": [ - "AVD", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Capacity Planning", - "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores", - "waf": "Performance" + "severity": "High", + "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", + "waf": "Operational Excellence" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD does not support assigning both the RemoteApp and Desktop Application Group (DAG) in a single host pool to the same set of users. Doing so will cause a single user to have two user sessions in a single host pool. 
Users aren't supposed to have two active sessions at the same time in the same host pool using the same profile.", - "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144", - "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "services": [ - "AVD", - "Storage" + "WAF", + "Entra" ], "severity": "High", - "subcategory": "Capacity Planning", - "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users", + "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", "waf": "Security" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "There is a limit of 500 Application Groups that can be created in AVD for each Microsoft Entra ID (former Azure AD) tenant. 
The limit can be increased (see the companion link for details) but it is not recommended.", - "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits", - "services": [ - "AVD", - "Entra", - "ACR" - ], - "severity": "Medium", - "subcategory": "Capacity Planning", - "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant", - "waf": "Reliability" - }, - { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "Applications are grouped under Application Groups as containers for publishing and assigning permissions: we recommend that you do not publish more than 50 applications per application group.", - "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", "services": [ - "AVD" + "WAF" ], - "severity": "Low", - "subcategory": "Capacity Planning", - "text": "Estimate the number of Applications for each Application Group", - "waf": "Reliability" + "severity": "High", + "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.", + "waf": "Operational Excellence" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "FSLogix is not required for Personal Host Pools since each VM is statically assigned to a single user, then no immediate needs for a roaming profile solution. 
In some usage scenarios FSLogix can help. For example, a VM can be re-assigned, or user moved to another desktop, or roaming profile can be used to save user profile in a different location for DR purposes.", - "guid": "38b19ab6-0693-4992-9394-5590883916ec", - "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "Azure OpenAI", "services": [ - "AVD", - "Storage", - "VM" + "WAF" ], - "severity": "Low", - "subcategory": "Capacity Planning", - "text": "Evaluate the usage of FSLogix for Personal Host Pools", - "waf": "Reliability" + "severity": "High", + "text": "Evaluate usage of Provisioned throughput model ", + "waf": "Performance" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. 
Ensure a minimum of four cores for Production is selected per Session Host (multi-session)", - "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2", - "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "Azure OpenAI", "services": [ - "AVD", - "VM" + "WAF" ], "severity": "High", - "subcategory": "Capacity Planning", - "text": "Run workload performance test to determine the best Azure VM SKU and size to use", - "waf": "Performance" + "text": "Review and implement Azure AI content safety", + "waf": "Operational Excellence" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "It is critical to check AVD capacity and limits reported in the referenced article. Additional limits and thresholds apply for network, compute, storage and service management. 
", - "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "Azure OpenAI", "services": [ - "AVD", - "Storage" + "WAF" ], "severity": "High", - "subcategory": "Capacity Planning", - "text": "Verify AVD scalability limits for the environment", - "waf": "Reliability" + "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", + "waf": "Performance" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "Host Pools with GPU require special configuration, please be sure to review the referenced article.", - "guid": "c936667e-13c0-4056-94b1-e945a459837e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "Azure OpenAI", "services": [ - "AVD" + "WAF" ], - "severity": "Low", - "subcategory": "Capacity Planning", - "text": "Determine if Session Hosts will require GPU", + "severity": "Medium", + "text": "Improve latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. 
Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. This feature does require specific VM SKU/size and OS versions, please see the list and requirement in the companion article.",
- "guid": "b47a393a-0803-4272-a479-8b1578b219a4",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "VM"
+ "ServiceBus",
+ "Storage",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "Use Azure VM SKUs able to leverage Accelerated Networking",
+ "severity": "Medium",
+ "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "For proper planning and deployment, it is important to assess the maximum number of concurrent and total users for each Host Pool. 
Additionally, users from different regions may require different Host Pools to ensure the best user experience.",
- "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Clients & Users",
- "text": "Assess how many users will connect to AVD and from which regions",
+ "severity": "High",
+ "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or ExpressRoute, external services and 3rd-party components. For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. 
Additionally, BCDR considerations need to be applied to these dependencies as well.",
- "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
 "services": [
- "ExpressRoute",
- "AVD",
- "VPN",
- "Storage"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Clients & Users",
- "text": "Assess external dependencies for each Host Pool",
+ "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD offers a variety of client types (fat, thin, web) to connect over different platforms (Windows, MacOS, iOS, Android). 
Review limitations of each client and compare multiple options when possible.",
- "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Clients & Users",
- "text": "Review user client OS used and AVD client type",
+ "severity": "High",
+ "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Depending on the user locations, and AVD region deployment, users may have a non-optimal experience, hence is important to test as soon as possible in a small PoC environment. Run the 'Azure Virtual Desktop Experience Estimator' tool to select the best Azure region to deploy Host Pools. 
Beyond 150ms latency, user experience may be not optimal.",
- "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e",
- "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Clients & Users",
- "text": "Run a PoC to validate end-to-end user experience and impact of network latency",
+ "severity": "Medium",
+ "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "RDP settings can currently only be configured at the host pool level, not per user/group. If different settings are required for different set of users, it is recommended to create multiple Host Pools.",
- "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "WAF",
+ "ACR"
 ],
 "severity": "Low",
- "subcategory": "Clients & Users",
- "text": "Assess and document RDP settings for all user groups",
- "waf": "Security"
+ "text": "Deploy multiple OAI instances across regions",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD is a non-regional service, Host Pools can be created in any region, automatic redirection from closest front-end 
will happen automatically.",
- "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9",
- "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "Entra",
+ "WAF",
+ "APIM"
 ],
 "severity": "High",
- "subcategory": "General",
- "text": "Determine in which Azure regions AVD Host Pools will be deployed.",
- "waf": "Performance"
+ "text": "Implement retry & healthchecks with Gateway pattern like APIM",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD must store metadata to support the service; this is stored in the specified geography. However, this is independent of the regions where Host Pools are located.",
- "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "General",
- "text": "Determine metadata location for AVD service",
+ "text": "Ensure having adequate quotas of TPM & RPM for the workload",
 "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files if used.",
- "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
- "link": 
"https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": "Azure OpenAI", "services": [ - "AVD", - "Storage", - "VM" + "WAF" ], - "severity": "Low", - "subcategory": "General", - "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions", - "waf": "Reliability" + "severity": "Medium", + "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", + "waf": "Operational Excellence" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "AD DCs in Azure are recommended (at least two in different AZ) to reduce latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. A DC need to be able to talk to DCs for ALL child domains. 
As alternative, on-premise connectivity must be used to reach AD DCs.",
- "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
- "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra",
- "Storage",
- "VNet"
+ "WAF",
+ "ACR"
 ],
 "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool",
+ "text": "Deploy separate fine tuned models across regions if finetuning is employed",
 "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. ",
- "guid": "6db55f57-9603-4334-adf9-cc23418db612",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra"
+ "ASR",
+ "WAF",
+ "Backup"
 ],
 "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Create a specific OU in Active Directory for each Host Pool",
- "waf": "Operations"
+ "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. 
Leverage Azure's backup and disaster recovery services to protect your data.",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Carefully review, and potentially block/filter inheritance of GPOs to the OUs containing AVD Host Pools. ",
- "guid": "7126504b-b47a-4393-a080-327294798b15",
- "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type == 'microsoft.search/searchservices' | extend compliant = (sku.name != 'free' and properties.replicaCount >= 3) | project id, compliant",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "services": [
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Azure AI search service tiers should be choosen to have a SLA ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities",
- "waf": "Operations"
+ "severity": "Low",
+ "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
+ "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If Active Directory Domain GPOs are used, it is recommended to configure FSLogix using the built-in provided GPO ADMX template referenced in the companion article in 
the 'More Info' column",
- "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f",
- "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Configure FSLogix settings using the built-in provided GPO ADMX template",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
+ "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "It is recommended to have a specific dedicated account with minimal permissions, and without the default 10 joins limitation. Review the companion article for more details.",
- "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra",
- "VM"
+ "WAF",
+ "ACR"
 ],
- "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Create a dedicated user account with only permissions to join VM to the domain",
+ "severity": "High",
+ "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Avoid granting access per user, instead use AD groups and 
replicate them using Active Directory Connector (ADC) in Microsoft Entra ID (former Azure AD). ",
- "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra"
+ "RBAC",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)",
+ "severity": "High",
+ "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If Azure Files Active Directory (AD) integration is used, as part of the configuration procedure, an AD account to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. 
You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.",
- "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
- "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra",
- "Storage",
- "AzurePolicy"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Active Directory",
- "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration",
+ "severity": "Medium",
+ "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "You can configure this using Active Directory Connect (ADC) or Azure AD Domain Services (for hybrid or cloud organizations). 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
- "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/ai-onboarding",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra"
+ "Sentinel",
+ "Defender",
+ "WAF",
+ "Monitor"
 ],
 "severity": "High",
- "subcategory": "Active Directory",
- "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID",
- "waf": "Reliability"
+ "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
+ "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If Azure Files is used and pre-requisites can be satisfied, it is recommended to configure (Microsoft Entra ID) Kerberos authentication. 
This configuration will allow to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined session hosts without requiring network line-of-sight to domain controllers.",
- "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338",
- "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra",
- "Storage"
+ "AzurePolicy",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Microsoft Entra ID",
- "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario",
+ "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "An Azure subscription must be parented to the same Microsoft Entra ID (former Azure AD) tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory Domain Services or Microsoft Entra ID Domain Services instance.",
- "guid": "6ceb5443-5125-4922-9442-93bb628537a5",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra",
- "Subscriptions",
- "VNet"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Requirements",
- "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked",
- "waf": "Reliability"
+ "text": "Implement Prompt shields and groundedness detection using Content Safety ",
+ "waf": "Operational Excellence"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. 
Be sure to review also the list of supported scenarios in https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.",
- "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Requirements",
- "text": "Review and document your identity scenario",
+ "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Users need accounts that are in Microsoft Entra ID (former Azure AD). If you're also using AD DS or Azure AD Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be hybrid identities, which means the user accounts are synchronized. If you're using Microsoft Entra ID with AD DS, you'll need to configure Azure AD Connect to synchronize user identity data between AD DS and Microsoft Entra ID. If you're using Microsoft Entra ID with Azure AD Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Azure AD Domain Services. This synchronization process is automatic. AVD also supports Microsoft Entra ID native accounts with some restrictions. 
External identities (B2B or B2C) are not supported.",
- "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Requirements",
- "text": "Assess User Account types and requirements",
+ "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD supports SSO using either Active Directory Federation Services (AD FS) or Microsoft Entra ID (former Azure AD) authentication. The latter is recommended, please check the requirements and limitation in the 'More Info' article. Using AD FS could be a viable choice if already present in the customer environment, it is not recommended to deploy a brand new ADFS infrastructure just for AVD SSO implementation.",
- "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Requirements",
- "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Keep production data separate from development and testing data. 
Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
+ "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "VMs can be Windows Active Directory (AD) domain-joined, Hybrid AD-joined, Microsoft Entra ID (former Azure AD) Joined or Azure AD Domain Services joined. Be sure to review supported scenarios, limitations and requirements from the referenced article.",
- "guid": "ea962a15-9394-46da-a7cc-3923266b2258",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra",
- "VM"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Requirements",
- "text": "Select the proper AVD Session Host domain join type",
+ "severity": "Medium",
+ "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. 
For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Compare self-managed Windows Active Directory Domain Services, Microsoft Entra ID (former Azure AD), and managed Azure AD Domain Services (AAD-DS)",
- "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
- "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra"
+ "AzurePolicy",
+ "RBAC",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Requirements",
- "text": "Before using Azure AD Domain Services (AAD-DS) for AVD, be sure to review the limitations.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
+ "waf": "Security"
 },
 {
- "category": "Monitoring and Management",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD provides administrative templates for Intune and Active Directory GPO. Using these templates it is possible to centrally control several AVD configuration settings: Graphics related data logging, Screen capture protection, RDP Shortpath for managed networks, Watermarking. See companion article in 'More Info' colum for details. 
NOTE: FSLogix has its own separate template.",
- "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Monitor",
- "Entra"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Management",
- "text": "Use built-in provided administrative templates for AVD settings configuration",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material",
+ "waf": "Security"
 },
 {
- "category": "Monitoring and Management",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration after initial deployment, For example SCCM/SCOM, Intune/ConfigurationManager, 3rd-party solutions.",
- "guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/management",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Monitor",
- "VM"
+ "RBAC",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Management",
- "text": "Plan AVD Session Hosts configuration management strategy",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
+ "waf": "Security"
 },
 {
- "category": "Monitoring and Management",
- "checklist": "Azure Virtual Desktop Review",
- 
"description": "We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the “More Info” column. Document your choice in the 'Comment' column. In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.", - "guid": "63a08be1-6004-4b4a-a79b-f3239faae113", - "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.privateEndpointConnections != '[]' and properties.publicNetworkAccess !~ 'enabled')", + "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", + "service": "Azure OpenAI", "services": [ - "AVD", - "Monitor" + "PrivateLink", + "WAF" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Evaluate Intune for AVD Session Hosts management", - "waf": "Operations" + "severity": "High", + "text": "Configure private endpoint for AI services to restrict service access within your network", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. 
You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. Not available yet for Personal Host Pool type.", - "guid": "7138b820-102c-4e16-be30-1e6e872e52e3", - "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "Azure OpenAI", "services": [ - "Cost", - "AVD", - "Monitor", - "VM" + "Firewall", + "VNet", + "WAF" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Assess the requirements for host pool auto-scaling capability", - "waf": "Reliability" + "severity": "High", + "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed. You can configure Start VM on Connect for personal or pooled host pools using the Azure portal or PowerShell. 
Start VM on Connect is a host pool wide setting.", - "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc", - "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "Azure OpenAI", "services": [ - "Cost", - "AVD", - "Monitor", - "VM" + "WAF" ], - "severity": "Low", - "subcategory": "Management", - "text": "Consider the usage of Start VM on Connect for Personal Host Pools", - "waf": "Cost" + "severity": "High", + "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "'Start VM On Connect' provides a smart way to automatically start previously stopped Session Hosts but does not provide a mechanism to shut down when not in used. Administrators are encouraged to configure additional policies to sign users out of their sessions and run Azure automation scripts to de-allocate VMs. 
Users should be not allowed to shut down their Personal Hosts since will not be able to de-allocate Azure VMs, then billing will still be active with no cost reduction.", - "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb", - "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "Azure OpenAI", "services": [ - "AzurePolicy", - "VM", - "AVD", - "Monitor", - "Cost" + "WAF" ], - "severity": "Low", - "subcategory": "Management", - "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts", - "waf": "Cost" + "severity": "Medium", + "text": "Use prompt compression tools like LLMLingua or gprtrim", + "waf": "Cost Optimization" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Virtual Desktop billing is mainly based on cost associated to compute, networking and storage resources consumed by Host Pools. In addition to this, costs can be generated by dependent resources, for example VPN or ExpressRoute or vWAN, Active Directory Domain Controllers, DNS, etc. There is no direct cost associated to AVD objects like workspaces, host pools or application groups. To make AVD associated costs more evident and grouped by Host Pool, it is recommended to use 'cm-resource-parent' tag. 
", - "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", - "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (isnotnull(identity))", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "services": [ - "Storage", - "VPN", - "DNS", - "AVD", - "Monitor", - "VWAN", - "ExpressRoute", - "Cost" + "AKV", + "WAF", + "Entra" ], - "severity": "Low", - "subcategory": "Management", - "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop", - "waf": "Cost" + "severity": "High", + "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. 
With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.", - "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", - "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "Azure OpenAI", "services": [ - "Cost", - "AVD", - "Monitor", - "Entra" + "WAF" ], - "severity": "Low", - "subcategory": "Management", - "text": "Periodically check Azure Advisor recommendations for AVD", - "waf": "Operations" + "severity": "Medium", + "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3rd Party tools. 
Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.", - "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa", - "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "Azure OpenAI", "services": [ - "AVD", + "WAF", "Monitor" ], "severity": "Medium", - "subcategory": "Management", - "text": "Plan for a Session Host emergency patching and update strategy", - "waf": "Operations" + "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "The Scheduled Agent Updates feature lets you create up to two maintenance windows per Host Pool to update AVD components at a convenient time. It is recommended to specify maintenance windows then upgrading Session Hosts will not happen during peak business hours. Scheduled Agent Updates is disabled by default. 
This means that, unless you enable this setting, the agent can get updated at any time by the agent update flighting service.", - "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f", - "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "Azure OpenAI", "services": [ - "AVD", - "Monitor" + "WAF" ], - "severity": "Low", - "subcategory": "Management", - "text": "Configure the Scheduled Agent Updates feature", - "waf": "Reliability" + "severity": "Medium", + "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. 
This allows you to monitor service updates before the service applies them to your standard or non-validation environment.", - "guid": "d1e8c38e-c936-4667-913c-005674b1e944", - "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (tags != '{}')", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", "services": [ - "AVD", - "Monitor", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Create a validation (canary) Host Pool", - "waf": "Operations" + "severity": "Low", + "text": "Azure AI Services are properly tagged for better management", + "waf": "Operational Excellence" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "An AVD Host Pool can be deployed in several ways: Azure Portal, ARM templates, Azure CLI tool, Powershell, manual VM creation with registration token, Terraform, 3rd-party tools. 
It is important to adopt proper method/s to support automatic deployment through automation and CI/CD tools.", - "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", "services": [ - "AVD", - "Monitor", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Determine Host Pool deployment strategy", - "waf": "Operations" + "severity": "Low", + "text": "Azure AI Service accounts follows organizational naming conventions", + "waf": "Operational Excellence" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. 
Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.", - "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", "services": [ - "AVD", - "Monitor", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Turn on Session Host VMs at least every 90 days for token refresh", - "waf": "Operations" + "severity": "High", + "text": "Diagnostic logs in Azure AI services resources should be enabled", + "waf": "Operational Excellence" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. 
Read the referenced article to learn how to set up Azure Monitor for Azure Virtual Desktop to monitor your AVD environments.", - "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", - "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.disableLocalAuth == true)", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", "services": [ - "AVD", - "Monitor" + "WAF", + "Entra" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Enable monitoring for AVD", - "waf": "Reliability" + "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. 
", - "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", - "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "services": [ - "AVD", - "Monitor", - "VM" + "AKV", + "WAF", + "Entra" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace", - "waf": "Reliability" + "severity": "High", + "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. 
", - "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", - "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "services": [ - "AVD", - "Monitor", - "Storage" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling", - "waf": "Reliability" + "severity": "High", + "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "You can use Azure Service Health to monitor service issues and health advisories for Azure Virtual Desktop. 
Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.", - "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", - "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", "services": [ - "AVD", - "Monitor" + "WAF" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Configure Azure Service Health for AVD alerts ", - "waf": "Reliability" + "severity": "High", + "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", + "waf": "Cost Optimization" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity (ExpressRoute, Azure S2S or 3rd-party NVA VPN). 
", - "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", - "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", "services": [ - "ExpressRoute", - "AVD", - "VPN", - "NVA" + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Determine if hybrid connectivity is required to connect to on-premises environment", - "waf": "Reliability" + "severity": "High", + "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD Host Pools can be deployed in either Azure Virtual WAN or traditional 'Hub & Spoke' network topologies. 
It is recommended to deploy each Host Pool in a separate 'spoke' VNet, using 'hub' is not recommended.", - "guid": "c8639648-a652-4d6c-85e5-02965388e5de", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", "services": [ - "AVD", - "VWAN", - "VNet" + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool", - "waf": "Performance" + "severity": "High", + "text": "Setup a process to regularly update and patch the LLM libraries and other system components", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Evaluate the bandwidth requirements, ensure VPN/ER bandwidth will be enough, ensure proper routing and firewall rules are in place, test end-to-end latency. 
", - "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", - "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", "services": [ - "VPN", - "AVD" + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Assess which on-premises resources are required from AVD Host Pools", - "waf": "Reliability" + "severity": "High", + "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", + "waf": "Operational Excellence" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Several options are available. You can use Azure Firewall or equivalent 3rd-party NVA, Network Security Group (NSG) and/or Proxy servers. NSG is not able to enable/disable by URL, only ports and protocols. Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are reported in the companion article in the 'More Info' column. Be sure to allow proper access to required AVD URLs. 
Forced Tunneling to on-premises is not recommended.", - "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", - "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", "services": [ - "AVD", - "Firewall", - "NVA", - "VNet" + "WAF", + "Cost" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Need to control/restrict Internet outbound traffic for AVD hosts?", - "waf": "Security" + "text": "Understand difference in cost of base models and fine tuned models and token step sizes", + "waf": "Cost Optimization" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. Forced Tunneling to on-premises is not recommended.", - "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", - "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "services": [ - "AVD" + "WAF", + "Cost" ], "severity": "High", - "subcategory": "Networking", - "text": "Ensure AVD control plane endpoints are accessible", - "waf": "Reliability" + "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. 
Ensure you optimize batch size", + "waf": "Cost Optimization" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation, see the Security section for more details.", - "guid": "73676ae4-6691-4e88-95ad-a42223e13810", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", "services": [ - "AVD", - "Defender" + "WAF", + "Cost", + "Monitor" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? ", - "waf": "Security" + "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", + "waf": "Cost Optimization" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. 
Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.", - "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", - "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", "services": [ - "AVD", - "Firewall", - "NVA", - "VNet" + "WAF" ], - "severity": "Low", - "subcategory": "Networking", - "text": "Review custom UDR and NSG for AVD Host Pool subnets", - "waf": "Security" + "severity": "Medium", + "text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). Optimize the size to ensure it is large enough for a valid response", + "waf": "Cost Optimization" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Network traffic from AVD Session Host VMs to AVD control plane should be as direct as possible. Redirecting this traffic through a Proxy or Firewall with deep packet inspection and/or SSL termination could cause serious issues and bad customer experience. It is recommended to bypass Proxy and Firewall just for the AVD control plane. User generated traffic surfing the web instead, should be filtered by Firewall and/or redirected to a Proxy. 
For details and guidelines, please see the companion article in the 'More Info' column.", - "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af", - "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", "services": [ - "AVD", - "VM" + "Storage", + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic", - "waf": "Reliability" + "severity": "Medium", + "text": "Plan and manage AI Search Vector storage", + "waf": "Operational Excellence" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. 
", - "guid": "516785c6-fa96-4c96-ad88-408f372734c8", - "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", "services": [ - "AVD", - "VM" + "WAF", + "ACR" ], - "severity": "Low", - "subcategory": "Networking", - "text": "Check the network bandwidth required for each user and in total for the VM SKU", - "waf": "Performance" + "severity": "Medium", + "text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning & experimentation. Apply LLMOps practices to automate the lifecycle management of your GenAI applications", + "waf": "Operational Excellence" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "If Azure Files SMB share will be used to store user profiles via FSLogix, the usage of Private Endpoint (PE) for private access to the storage is recommended. AVD Session Hosts will access the storage using a private IP in the same VNet, a separate subnet is recommended. This feature has an additional cost that must be evaluated. 
If PE will not be used, at least Service Endpoint is recommended (no cost associated).", - "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", - "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", "services": [ "Storage", - "AVD", - "PrivateLink", - "Cost", - "VNet" + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Evaluate usage Private Endpoint for Azure Files share", - "waf": "Security" + "severity": "High", + "text": "Evaluate usage of billing models - PAYG vs PTU. Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version", + "waf": "Cost Optimization" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Connections to Azure Virtual Desktop can use TCP or UDP. RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. 
if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.",
- "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
 "services": [
- "VPN",
- "AVD"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Networking",
- "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks",
- "waf": "Performance"
+ "text": "Evaluate the quality of prompts and applications when switching between model versions",
+ "waf": "Operational Excellence"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Security mechanisms provided by GPO should be used, if available. For example, it is possible to impose desktop screen lock and idle session disconnection time. 
Existing GPOs applied to on-premises environment should be reviewed and eventually applied also to secure also AVD Hosts when joined to the domain.",
- "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "WAF",
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Review Active Directory GPO to secure RDP sessions",
- "waf": "Security"
+ "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence and fluency",
+ "waf": "Operational Excellence"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Microsoft Defender for Endpoint supports Azure Virtual Desktop for Windows 10/11 Enterprise multi-session. 
Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
- "guid": "b1172576-9ef6-4691-a483-5ac932223ece",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Defender"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Host Configuration",
- "text": "Ensure anti-virus and anti-malware solutions are used",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Evaluate your Azure AI Search results based on different search parameters",
+ "waf": "Operational Excellence"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys. Host VM OS disk encryption is possible and supported using Azure Disk Encryption (ADE - BitLocker) and Disk Encryption Set (DES - Server Side Encryption), the latter is recommended. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage. 
For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
- "guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "AKV",
- "Storage",
- "VM"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Host Configuration",
- "text": "Assess disk encryption requirements for AVD Session Hosts",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
+ "waf": "Operational Excellence"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against “bottom of the stack” threats through attack vectors such as rootkits, boot kits, and kernel-level malware. 
Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.",
- "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Monitor",
- "VM"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Host Configuration",
- "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts",
- "waf": "Security"
+ "text": "Use prompt engineering techniques to improve the accuracy of LLM responses",
+ "waf": "Operational Excellence"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Trusted Launch and Gen2 VM are not only security and performance enhancing features but also system requirements for Windows 11. 
When building an AVD environment based on Windows 11, it is essential to enable these features.",
- "guid": "135d3899-4b31-44d3-bc8f-028871a359d8",
- "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "VM"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Host Configuration",
- "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11",
+ "severity": "Medium",
+ "text": "Red team your GenAI applications",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Displayed content will be automatically blocked or hidden in screenshots. Keep in mind screen sharing will also be blocked when using Teams or other collaboration software which use screen sharing.",
- "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Host Configuration",
- "text": "Consider enabling screen capture protection to prevent sensitive information from being captured",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Provide end users with scoring options for LLM responses and track these scores. 
", + "waf": "Operational Excellence" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "If not absolutely required, redirecting drives, printers, and USB devices to a user's local device in a remote desktop session should be disabled or highly restricted. Restrict Windows Explorer access by hiding local and remote drive mappings is also a secure measure to adopt preventing users from discovering unwanted information about system configuration and users.", - "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "services": [ - "AVD" + "WAF" ], - "severity": "Medium", - "subcategory": "Host Configuration", - "text": "Restrict device redirection and drive mapping", - "waf": "Security" + "severity": "High", + "text": "Consider Quota management practices. Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called", + "waf": "Cost Optimization" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. 
RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.",
- "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "APIM",
+ "ACR",
+ "Entra",
+ "LoadBalancer",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Management",
- "text": "When possible, prefer Remote Apps over Full Desktops (DAG)",
- "waf": "Security"
+ "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
+ "waf": "Operational Excellence"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Web content filtering feature provided by Web Protection capability in Microsoft Defender for Endpoint, can be used to to control user web navigation. If this tool is used, configuration of web filtering for user Internet browsing is recommended. 
Access by the Guest OS system to required AVD control plane URLs must be guaranteed.",
- "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc411",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-studio#import-training-data-from-azure-blob-store",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Defender"
+ "Storage",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Management",
- "text": "Need to control/restrict user Internet navigation from AVD session hosts?",
- "waf": "Security"
+ "text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "We recommend you don't grant your users admin access to virtual desktops. 
If you need software packages, we recommend you make them available through configuration management utilities.",
- "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "WAF",
+ "Monitor"
 ],
- "severity": "High",
- "subcategory": "Management",
- "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key vaults, and storage accounts used by AVD. 
With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.",
- "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai",
+ "service": "Azure OpenAI",
 "services": [
- "Storage",
- "VM",
- "AVD",
- "Defender",
- "AKV",
- "Subscriptions"
+ "WAF",
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Management",
- "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture",
- "waf": "Security"
+ "text": "Monitor provision-managed utilization if you're using the provisioned throughput payment model",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop and store in a central repository like Log Analytics workspace. 
", - "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc414", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/content-filters", + "service": "Azure OpenAI", "services": [ - "AVD", - "Monitor", - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "Management", - "text": "Enable diagnostic and audit logging", - "waf": "Security" + "text": "Tune content filters to minimize false positives from overly aggressive filters", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). 
Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.",
- "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc415",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra",
- "RBAC"
+ "AKV",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Management",
- "text": "Assess the requirement to use custom RBAC roles for AVD management",
+ "severity": "Medium",
+ "text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD users should not have permission to install application. If required, Windows Defender Application Control (WDAC) can be used to control which drivers and applications are allowed to run on their Windows clients. 
", - "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' and kind =~ 'contentsafety' | project id, compliant = 1", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "Azure OpenAI", "services": [ - "AVD", - "Defender" + "LoadBalancer", + "WAF" ], "severity": "Medium", - "subcategory": "Management", - "text": "Restrict users from installing un-authorized applications", + "text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Enabling MFA and CA lets you manage risks before you grant users access to your AVD environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. Additional details and configuration procedures are provided in the companion article. 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
- "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Entra"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Microsoft Entra ID",
- "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users",
+ "text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If Zero Trust is a requirement, review the companion article in the 'More Info' column. It provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment.",
- "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43",
- "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a9",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
 "services": [
- "AVD"
+ "WAF",
+ "Cost"
 ],
 "severity": "Medium",
- "subcategory": "Zero Trust",
- "text": "Review and Apply Zero Trust principles and guidance",
- "waf": "Security"
+ "text": "Develop your cost model, considering prompt sizes. 
Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model",
+ "waf": "Cost Optimization"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If used, make sure to check the list of best practices and recommendations described in the referenced article.",
- "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a1",
+ "link": "https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Storage"
+ "WAF",
+ "Cost"
 ],
 "severity": "Medium",
- "subcategory": "Azure Files",
- "text": "Check best-practices for Azure Files",
- "waf": "Performance"
+ "text": "Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. Optimize costs while still achieving the desired application performance",
+ "waf": "Cost Optimization"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "SMB Multichannel enables clients to use multiple network connections that provide increased performance while lowering the cost of ownership. 
Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.",
- "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369",
- "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
 "services": [
- "Cost",
- "AVD",
- "Storage",
- "ACR"
+ "WAF",
+ "Cost"
 ],
- "severity": "Low",
- "subcategory": "Azure Files",
- "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers.",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. 
The cost for generating 100 images is the same as the cost for 1 image",
+ "waf": "Cost Optimization"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If a second region is required for DR purposes verify NetApp availability in there as well.",
- "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3",
- "link": "https://azure.microsoft.com/global-infrastructure/services/",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a3",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Storage"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Azure NetApp Files",
- "text": "If NetApp Files storage is required, check storage service availability in your specific region.",
- "waf": "Reliability"
+ "text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee",
+ "waf": "Cost Optimization"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "CA option is a recommended setting in the FSLogix scenario, as it enables a more resilient SMB session between the Session Host and NetApp Files.",
- "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Storage"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Azure NetApp Files",
- "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency",
- "waf": "Reliability"
+ "text": "Create concise prompts that provide enough 
context for the model to generate a useful response. Also ensure that you optimize the limit of the response length.",
+ "waf": "Cost Optimization"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "An Active Directory Site should be created for the Azure virtual network environment where Azure NetApp Files (ANF) subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.",
- "guid": "6647e977-db49-48a8-bc35-743f17499d42",
- "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "WAF checklist",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219",
+ "link": "https://learn.microsoft.com/azure/ai-services/create-account-bicep",
+ "service": "Azure OpenAI",
 "services": [
- "AVD",
- "Storage",
- "VNet"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Azure NetApp Files",
- "text": "If Azure NetApp Files storage is used, check Active Directory Site name setting in the Active Directory Connection configuration",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models",
+ "waf": "Operational Excellence"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Possible options: Standard HDD, Standard SSD, or Premium SSD. Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if Cloud Cache will be used. 
", - "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c", - "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "2744293b-b628-4537-a551-19b08e8f5855", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/openai", + "service": "Azure OpenAI", "services": [ - "AVD", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Capacity Planning", - "text": "Determine which type of managed disk will be used for the Session Hosts", - "waf": "Performance" + "text": "Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups", + "waf": "Operational Excellence" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Possible options are: Azure NetApp Files, Azure Files, VM based File Server. File-server it is not recommended. Azure Files Premium typically a good starting point. NetApp usually required for large scale / high-performant environment. 
For a detailed comparison see the article in the 'More Info' column.",
- "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "WAF checklist",
+ "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
+ "service": "APIM",
 "services": [
- "AVD",
- "Storage",
- "VM"
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Determine which storage backend solution will be used for FSLogix Profiles",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Implement an error handling policy at the global level",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Every Host Pool should use a separate set of storage accounts/volumes (at least one) and shares. Users should have a different profile for each Host Pool since settings and configurations are specific to each Host Pool. Additionally, accessing different Host Pools at the same time can cause errors on the shared user profile VHD/X. 
Usage of different storage accounts/volumes for multiple shares is also recommended to scale independently.",
- "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "WAF checklist",
+ "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08",
+ "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
+ "service": "APIM",
 "services": [
- "AVD",
- "Storage"
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Do not share storage and profiles between different Host Pools",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "Ensure all APIs policies include a element.",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "As a starting point for estimating profile container storage performance requirements we recommend to assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out. Space requirements is simply obtained based on the maximum profiles size in FSLogix per the total number of users for each Host Pool. 
Multiple storage accounts can be used for the same Host Pool if required.",
- "guid": "680e7828-9c93-4665-9d02-bff4564b0d93",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "WAF checklist",
+ "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902",
+ "link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
+ "service": "APIM",
 "services": [
- "AVD",
- "Storage"
+ "AzurePolicy",
+ "WAF",
+ "ACR"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Verify storage scalability limits and Host Pool requirements",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.",
- "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "WAF checklist",
+ "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a",
+ "link": "https://learn.microsoft.com/azure/api-management/monetization-support",
+ "service": "APIM",
 "services": [
- "Cost",
- "AVD",
- "Storage"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "For optimal performance, the storage solution and the FSLogix profile container should be in the same Azure region.",
- "waf": "Performance"
+ "severity": "Medium",
+ "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices",
+ "waf": "Operations"
 },
 {
- "category": "Storage",
- "checklist": "Azure Virtual Desktop Review",
- "description": "The recommendation in Azure 
Virtual Desktop is to use Profile Container without Office Container (ODFC) split unless you are planning for specific Business Continuity and Disaster Recovery (BCDR) scenarios as described in the Disaster Recovery section below. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", - "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39", - "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "services": [ - "AVD", - "Storage", - "ASR" + "WAF", + "Monitor" ], "severity": "High", - "subcategory": "FSLogix", - "text": "Do not use Office Containers (ODFC) if not strictly required and justified", - "waf": "Reliability" + "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "waf": "Operations" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article in the 'More Info' column.", - "guid": "83f63047-22ee-479d-9b5c-3632054b69ba", - "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "services": [ - "AVD", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "FSLogix", - "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect).", - "waf": "Security" + 
"text": "Enable Application Insights for more detailed telemetry", + "waf": "Operations" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Profile containers have a default max size of 30GB. If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.", - "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5", - "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "services": [ - "AVD", - "Storage" + "WAF", + "Monitor" ], "severity": "High", - "subcategory": "FSLogix", - "text": "Review and confirm configured maximum profile size in FSLogix", - "waf": "Cost" + "text": "Configure alerts on the most critical metrics", + "waf": "Operations" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Defaults and recommended settings are reported in the companion article in the 'More Info' column. 
If not recommended keys and/or values must be used, be sure to review with a Microsoft AVD expert and clearly document your choices.", - "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c", - "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "services": [ - "AVD", "AKV", - "Storage", - "ACR" + "WAF" ], "severity": "High", - "subcategory": "FSLogix", - "text": "Review FSLogix registry keys and determine which ones to apply", - "waf": "Reliability" + "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Concurrent or multiple connections are not recommended in Azure Virtual Desktop. Concurrent connections are also not supported by Session Hosts running in an Azure Virtual Desktop Host Pool. OneDrive, if used, doesn't support concurrent or multiple connections using the same container, under any circumstance. 
For multiple connections, usage of the same profile disk is not recommended.", - "guid": "5e985b85-9c77-43e7-b261-623b775a917e", - "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "services": [ - "AVD", - "Storage" + "WAF", + "Entra" ], "severity": "High", - "subcategory": "FSLogix", - "text": "Avoid usage of concurrent or multiple connections", - "waf": "Reliability" - }, - { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. 
", - "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", - "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", - "services": [ - "AVD", - "Storage", - "VM" - ], - "severity": "Low", - "subcategory": "FSLogix", - "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive.", - "waf": "Performance" + "text": "Protect incoming requests to APIs (data plane) with Azure AD", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the 'C:' drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. Configuring exclusions may impact functionality, stability and performance.", - "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de", - "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "services": [ - "AVD", - "Storage" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "FSLogix", - "text": "Review the usage of FSLogix redirection.", - "waf": "Cost" + "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", + "waf": "Security" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF 
checklist", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", "services": [ - "AKS" + "WAF" ], "severity": "Medium", - "subcategory": "Development", - "text": "Use canary or blue/green deployments", - "waf": "Operations" - }, - { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "services": [ - "AKS" - ], - "severity": "Low", - "subcategory": "Development", - "text": "If required for AKS Windows workloads HostProcess containers can be used", - "waf": "Reliability" - }, - { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "services": [ - "AKS" - ], - "severity": "Low", - "subcategory": "Development", - "text": "Use KEDA if running event-driven workloads", - "waf": "Performance" + "text": "Create appropriate groups to control the visibility of the products", + "waf": "Security" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Development", - "text": "Use Dapr to ease microservice development", + "severity": "Medium", + "text": "Use Backends feature to eliminate redundant API backend configurations", "waf": "Operations" }, { - "category": "Application Deployment", - "checklist": "Azure 
AKS Review", - "guid": "3acbe04b-be20-49d3-afda-47778424d116", - "link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "services": [ - "AKS" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Infrastructure as Code", - "text": "Use automation through ARM/TF to create your Azure resources", + "text": "Use Named Values to store common values that can be used in policies", "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "36cb45e5-7960-4332-9bdf-8cc23318da61", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "services": [ - "AKS", - "ASR" + "WAF", + "ACR" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Schedule and perform DR tests regularly", + "severity": "Medium", + "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "170265f4-bb46-4a39-9af7-f317284797b1", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", 
"services": [ - "LoadBalancer", - "TrafficManager", - "AKS", - "FrontDoor" + "WAF" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Azure Traffic Manager or Azure Front Door as a global load balancer for region failover", + "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "graph": "resources | where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(properties.agentPoolProfiles[0].availabilityZones) | distinct id,compliant", - "guid": "578a219a-46be-4b54-9350-24922634292b", - "link": "https://learn.microsoft.com/azure/aks/availability-zones", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", "services": [ - "AKS" + "WAF", + "Backup" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Availability Zones if they are supported in your Azure region", + "severity": "High", + "text": "Ensure there is an automated backup routine", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "services": [ - 
"AKS" + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Use the SLA-backed AKS offering", + "severity": "Medium", + "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", "services": [ - "Cost", - "AKS" + "AzurePolicy", + "EventHubs", + "WAF" ], "severity": "Low", - "subcategory": "High Availability", - "text": "Use Disruption Budgets in your pod and deployment definitions", - "waf": "Reliability" + "text": "If you need to log at high performance levels, consider Event Hubs policy", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "services": [ - "ACR", - "AKS" + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "High Availability", - "text": "If using a private registry, configure region replication to store images in multiple regions", - "waf": "Reliability" + "severity": "Medium", + "text": "Apply throttling policies to control the number of requests per second", + "training": 
"https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "daa9a260-c3ea-4490-b077-5fc1f2a80cb0", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "services": [ - "AKS", - "Storage", - "ASR" + "WAF" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Use Zone-Redundant Storage (ZRS) with stateful workloads", - "waf": "Reliability" + "severity": "Medium", + "text": "Configure autoscaling to scale out the number of instances when the load increases", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "bc14aea6-e65d-48d9-a3ad-c218e6436b06", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "services": [ - "AKS" + "WAF" ], - "severity": "High", - "subcategory": "Requirements", - "text": "Define non-functional requirements such as SLAs, RTO (Recovery Time Objective) and RPO (Recovery Point Objective).", - "waf": "Reliability" + "severity": "Medium", + "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", + "waf": "Performance" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "services": [ - "Cost", - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Cost", - "text": "Use an external application such as kubecost to allocate costs to different users", - "waf": "Cost" + "severity": "Medium", + "text": "Use the premium tier for production workloads.", + "waf": "Reliability" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", "services": [ - "Cost", - "AKS" + "AzurePolicy", + "WAF" ], - "severity": "Low", - "subcategory": "Cost", - "text": "Use scale down mode to delete/deallocate nodes", - "waf": "Cost" + "severity": "Medium", + "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", + "waf": "Reliability" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", "services": [ - "Cost", - "AKS" + "Entra", + "WAF", + "APIM" ], - "severity": "Medium", - "subcategory": "Cost", - "text": "When required use multi-instance partitioning GPU on AKS Clusters", - "waf": "Cost" + "severity": "High", + "text": "Be aware of APIM's limits", + "waf": "Reliability" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "services": [ - "Cost", - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Cost", - "text": "If running a Dev/Test cluster use NodePool Start/Stop", - "waf": "Cost" + "severity": "High", + "text": "Ensure that the self-hosted gateway deployments are resilient.", + "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "services": [ - "AKS", - "AzurePolicy" + "Entra", + "WAF", + "FrontDoor", + "APIM" ], 
"severity": "Medium", - "subcategory": "Compliance", - "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", - "waf": "Security" + "text": "Use Azure Front Door in front of APIM for multi-region deployment", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "services": [ - "AKS" + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Separate applications from the control plane with user/system node pools", + "text": "Deploy the service within a Virtual Network (VNet)", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "services": [ - "AKS" + "Entra", + "APIM", + "VNet", 
+ "WAF", + "Monitor" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Add taint to your system nodepool to make it dedicated", + "severity": "Medium", + "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "services": [ - "ACR", - "AKS" + "Entra", + "APIM", + "PrivateLink", + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Use a private registry for your images, such as ACR", + "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", "services": [ - "AKS" + "WAF" ], - "severity": "Medium", - "subcategory": "Compliance", - "text": "Scan your images for vulnerabilities", + "severity": "High", + "text": 
"Disable Public Network Access", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "cc639637-a652-42ac-89e8-06965388e9de", - "link": "https://learn.microsoft.com/azure/security-center/container-security", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "services": [ - "AKS", - "Defender" + "WAF" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Use Azure Security Center to detect security posture vulnerabilities", - "waf": "Security" + "text": "Simplify management with PowerShell automation scripts", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "42d4aefe-2383-470e-b019-c30df24996b2", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "services": [ - "AKS" + "Entra", + "WAF", + "APIM" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "If required configure FIPS", - "waf": "Security" + "severity": "Medium", + "text": "Configure APIM via Infrastructure-as-code. 
Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "services": [ - "AKS" + "Entra", + "WAF", + "APIM" ], - "severity": "High", - "subcategory": "Compliance", - "text": "Define app separation requirements (namespace/nodepool/cluster)", - "waf": "Security" + "severity": "Medium", + "text": "Promote usage of Visual Studio Code APIM extension for faster API development", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "services": [ - "AKV", - "AKS" + "WAF" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", - "waf": "Security" + "text": "Implement DevOps and CI/CD in your workflow", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF 
checklist", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", "services": [ - "AKV", - "AKS" + "WAF" ], - "severity": "High", - "subcategory": "Secrets", - "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", + "severity": "Medium", + "text": "Secure APIs using client certificate authentication", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "services": [ - "AKV", - "AKS" + "WAF" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "If required add Key Management Service etcd encryption", + "text": "Secure backend services using client certificate authentication", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "services": [ - "AKV", - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Secrets", - "text": "If required consider using Confidential Compute for AKS", + "severity": "Medium", + "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 
threats' article and check what is applicable to your APIs", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "services": [ - "AKV", - "AKS", - "Defender" + "WAF" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Consider using Defender for Containers", + "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "services": [ - "AKS", - "Entra" + "WAF" + ], + "severity": "High", + "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", + "services": [ + "AKV", + "WAF" ], "severity": "High", - "subcategory": "Identity", - "text": "Use managed identities instead of Service Principals", + "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "services": [ - "AKS", + "WAF", "Entra" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Integrate authentication with AAD (using the managed integration)", + "text": "Use managed identities to authenticate to other Azure resources whenever possible", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": 
"https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "services": [ - "AKS", - "Entra" + "AppGW", + "Entra", + "WAF", + "APIM" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", + "severity": "High", + "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Leverage zone-redundancy to ensure high availability in the event of zone-level failures. Use Premium V2/V3 or Isolated v2 tiers, which provide support for zone-redundant deployments and ensure minimal downtime during disasters.", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", "services": [ - "AKS", - "RBAC", - "Entra" + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Integrate authorization with AAD RBAC", - "waf": "Security" + "severity": "Low", + "text": "Implement a baseline highly available zone-redundant web application architecture. 
Ensure your Azure App Service is on Premium V2/V3 or Isolated v2 tiers for zone-redundant support.", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Leverage staging slots for zero-downtime deployments and automated backups to ensure disaster recovery. Choose the appropriate tier (Standard or Premium) based on the number of slots and disaster recovery requirements.", + "graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "services": [ - "AKS", - "RBAC", - "Entra" + "ASR", + "WAF", + "Backup" ], - "severity": "High", - "subcategory": "Identity", - "text": "Use namespaces for restricting RBAC privilege in Kubernetes", - "waf": "Security" + "severity": "Medium", + "text": "Use Premium and Standard tiers for staging slots and automated backups. Align your backup retention period with disaster recovery needs.", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Availability Zones provide physical isolation across datacenters in a region, reducing downtime during outages. 
Verify your region supports Availability Zones and use Premium V2/V3 tiers for zone-redundant deployments.", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-service", + "service": "App Services", "services": [ - "AKS", - "Entra" + "WAF", + "ACR" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", - "waf": "Security" + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable (Premium V2/V3 tier required). Check region support for Availability Zones.", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Enable health checks to detect unhealthy instances in real-time and automatically replace them to maintain high availability and application reliability.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", + "service": "App Services", "services": [ - "AKS", - "Entra" + "AppSvc", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Identity", - "text": "For AKS non-interactive logins use kubelogin (preview)", - "waf": "Security" + "text": "Implement health checks to monitor and detect issues with App Service instances. 
Health checks enable automatic instance replacement on failure.", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Follow best practices for configuring backups and restores in Azure App Service and ASE to guarantee data availability and ensure recovery during disaster scenarios.", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/azure/app-service/manage-backup", + "service": "App Services", "services": [ - "AKS", - "Entra" + "AppSvc", + "WAF", + "Backup" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Disable AKS local accounts", - "waf": "Security" + "severity": "High", + "text": "Refer to backup and restore best practices for Azure App Service and App Service Environments (ASE) to ensure data availability and recovery.", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Ensure high availability by incorporating scaling, fault tolerance, monitoring, and zone redundancy into your App Service architecture. 
Leverage health checks and availability zones to maintain uptime.", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "services": [ - "AKS", - "Entra" + "AppSvc", + "WAF", + "Monitor" ], - "severity": "Low", - "subcategory": "Identity", - "text": "Configure if required Just-in-time cluster access", - "waf": "Security" + "severity": "High", + "text": "Implement Azure App Service reliability best practices, including auto-scaling, fault tolerance, health checks, and zone redundancy.", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Prepare for disaster recovery by implementing region failover strategies. 
Utilize active-active and active-passive configurations, automated failover, and Infrastructure as Code (IaC) for seamless failover during outages.", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", "services": [ - "AKS", - "Entra" + "AppSvc", + "ASR", + "WAF" ], "severity": "Low", - "subcategory": "Identity", - "text": "Configure if required AAD conditional access for AKS", - "waf": "Security" + "text": "Familiarize with App Service region failover, including active-active and active-passive configurations, automated failover, and IaC deployment.", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Azure App Service offers built-in reliability features, including scaling, fault tolerance, and service-level agreements (SLAs). 
Leverage these features to maintain consistent performance during outages.", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/azure/reliability/reliability-app-service", + "service": "App Services", "services": [ - "AKS", - "Entra" + "AppSvc", + "WAF" ], - "severity": "Low", - "subcategory": "Identity", - "text": "If required for Windows AKS workloads configure gMSA ", - "waf": "Security" + "severity": "High", + "text": "Familiarize with reliability support in Azure App Service, including scaling options, SLAs, and automated recovery mechanisms.", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Enabling 'Always On' for Function Apps ensures that the app does not go idle, maintaining its availability and responsiveness at all times.", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "services": [ - "AKS", - "Entra" + "AppSvc", + "WAF" ], "severity": "Medium", - "subcategory": "Identity", - "text": "For finer control consider using a managed Kubelet Identity", - "waf": "Security" + "text": "Ensure 'Always On' is enabled for Function Apps running on App Service plans to prevent idling and ensure continuous availability.", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + 
"description": "Health checks monitor the health of App Service instances, enabling automatic replacement of unhealthy instances to maintain high availability.", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", + "service": "App Services", "services": [ - "ACR", - "AKS", - "AppGW" + "AppSvc", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "If using AGIC, do not share an AppGW across clusters", + "text": "Monitor App Service instances using Health checks to detect unhealthy instances and automatically replace them.", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-overview", + "service": "App Services", "services": [ - "AKS" + "WAF", + "Monitor" ], - "severity": "High", - "subcategory": "Best practices", - "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", + "severity": "Medium", + "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests, ensuring proactive detection of performance issues and downtime.", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - 
"link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", "services": [ - "AKS" + "WAF", + "Monitor" ], - "severity": "Medium", - "subcategory": "Best practices", - "text": "For Windows workloads use Accelerated Networking", - "waf": "Performance" + "severity": "Low", + "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Azure Key Vault ensures secrets are encrypted, securely stored, and accessed only by authorized applications. It supports audit logging, and secret versioning, and reduces the risk of accidental exposure of sensitive information.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "services": [ - "LoadBalancer", - "AKS" + "AppSvc", + "WAF", + "AKV" ], "severity": "High", - "subcategory": "Best practices", - "text": "Use the standard ALB (as opposed to the basic one)", - "waf": "Reliability" + "text": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a secure, managed, and audited environment for storing secrets, and integrates seamlessly with App Service via App Service Key Vault References for enhanced security.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Managed Identity eliminates the need for hard-coded credentials by allowing App Service to authenticate to Azure Key Vault securely. This reduces the risk of credential exposure and simplifies secret management for enhanced security.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "services": [ - "AKS", - "VNet" + "AppSvc", + "WAF", + "AKV", + "Entra" ], - "severity": "Medium", - "subcategory": "Best practices", - "text": "If using Azure CNI, consider using different Subnets for NodePools", + "severity": "High", + "text": "Use Managed Identity to securely connect to Azure Key Vault for accessing secrets, through App Service Key Vault References.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Storing TLS certificates in Azure Key Vault enhances security by providing centralized, secure management and automated renewal of certificates. 
This reduces the risk of manual handling errors and certificate expiration.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "services": [ - "Cost", - "AKS", - "PrivateLink", - "VNet" + "AppSvc", + "WAF", + "AKV", + "Entra" ], - "severity": "Medium", - "subcategory": "Cost", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", + "severity": "High", + "text": "Use Azure Key Vault to securely store and manage TLS certificates for App Service.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "e8a03f97-8794-468d-96a7-86d60f96c97b", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "To minimize exposure and improve security, isolate systems processing sensitive data. 
Leverage separate App Service Plans or App Service Environments for isolation, and use different subscriptions or management groups to enforce stricter boundaries and governance.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "services": [ - "VPN", - "AKS" + "AppSvc", + "Subscriptions", + "WAF" ], "severity": "Medium", - "subcategory": "HA", - "text": "If hybrid connectivity is required, use 2xER or ER+VPN for better availability", - "waf": "Reliability" + "text": "Isolate systems that process sensitive information using separate App Service Plans, App Service Environments (ASE), and consider different subscriptions or management groups for enhanced security.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "services": [ - "AKS" + "AppSvc", + "TrafficManager", + "WAF" ], - "severity": "High", - "subcategory": "IPAM", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", - "waf": "Reliability" + "severity": "Medium", + "text": "Do not store sensitive data on local disk", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Use Microsoft Entra ID or B2C for secure user authentication and Single Sign-On (SSO) across applications. Integrate using the built-in App Service Authentication/Authorization feature for streamlined security and compliance with modern authentication protocols like OpenID Connect.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "services": [ - "AKS", - "VNet" + "AppSvc", + "WAF", + "ACR", + "Entra" ], - "severity": "High", - "subcategory": "IPAM", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "severity": "Medium", + "text": "Use Microsoft Entra ID or B2C for secure authentication and Single Sign-On (SSO).", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "microsoft.web/sites", + 
"checklist": "WAF checklist", + "description": "Ensure all code deployments to App Service originate from a controlled, secured environment, such as a well-managed DevOps pipeline. This practice mitigates the risk of deploying unauthorized or malicious code by enforcing version control, code verification, and secure hosting.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "services": [ - "AKS" + "AppSvc", + "WAF" ], "severity": "High", - "subcategory": "IPAM", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", - "waf": "Performance" + "text": "Deploy code to App Service from a trusted and secure environment.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM to enhance security by enforcing Microsoft Entra ID secured endpoints for deployment. 
This ensures that only authenticated users using Microsoft Entra ID credentials can access deployment services, including the SCM site.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "services": [ - "AKS", - "VNet" + "WAF", + "Entra" ], - "severity": "Low", - "subcategory": "IPAM", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", + "severity": "High", + "text": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Wherever possible, use Managed Identity to securely connect to Microsoft Entra ID-secured resources without storing credentials. 
If this is not feasible, store secrets in Azure Key Vault and access them using Managed Identity to maintain security and reduce the risk of credential exposure.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "services": [ - "AKS" + "AKV", + "WAF", + "Entra" ], "severity": "High", - "subcategory": "IPAM", - "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", - "waf": "Reliability" + "text": "Use Managed Identity to connect to Microsoft Entra ID secured resources.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "When using images stored in Azure Container Registry, pull these images using a Managed Identity to avoid storing credentials. 
This ensures secure access to container images and reduces the risk of credential exposure.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", "services": [ - "AKS" + "WAF", + "ACR", + "Entra" ], - "severity": "Low", - "subcategory": "Operations", - "text": "If required add your own CNI plugin", + "severity": "High", + "text": "Pull container images from Azure Container Registry using a Managed Identity.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Configure diagnostic settings to send telemetry and security logs (including HTTP, platform, and audit logs) to Log Analytics. 
Centralized logging enhances monitoring, threat detection, and compliance reporting.", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "services": [ - "AKS" + "AppSvc", + "Entra", + "WAF", + "Monitor" ], - "severity": "Low", - "subcategory": "Operations", - "text": "If required configure Public IP per node in AKS", - "waf": "Performance" + "severity": "Medium", + "text": "Send App Service runtime and security logs to Log Analytics for centralized monitoring and alerting.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "services": [ - "AKS" + "AppSvc", + "Entra", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Scalability", - "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", - "waf": "Reliability" + "text": "Send App Service activity logs to Log Analytics", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Use regional VNet integration, Network Security Groups (NSGs), and User-Defined Routes (UDRs) to control outbound network access. 
Route traffic through a Network Virtual Appliance (NVA), such as Azure Firewall, and monitor firewall logs to ensure traffic is properly controlled and secure.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "services": [ - "AKS" + "AppSvc", + "NVA", + "Firewall", + "VNet", + "Monitor", + "WAF" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", - "waf": "Reliability" + "severity": "Medium", + "text": "Control outbound network access for App Service using VNet integration, NSGs, UDRs, and firewalls.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Provide a stable outbound IP by using VNet integration with a NAT Gateway or Network Virtual Appliance (NVA) like Azure Firewall. This enables the receiving party to allow-list based on IP, if necessary. 
For communications with Azure services, use mechanisms like Service Endpoints or private endpoints to avoid relying on static IPs, ensuring secure and efficient connectivity.",
+ "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
+ "service": "App Services",
 "services": [
- "AKS"
+ "NVA",
+ "Storage",
+ "Firewall",
+ "VNet",
+ "PrivateLink",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Scalability",
- "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion",
- "waf": "Reliability"
+ "severity": "Low",
+ "text": "Ensure a stable IP for outbound communications by using VNet NAT Gateway or Azure Firewall.",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
- "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
- "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Control inbound network access by configuring App Service Access Restrictions, Service Endpoints, or Private Endpoints. 
Ensure appropriate restrictions are set for both the web app and the SCM (deployment) site to limit unauthorized access and enhance security.",
+ "guid": "0725769e-e669-41a4-a34a-c932223ece80",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Services",
 "services": [
- "AKS",
- "NVA"
+ "AppSvc",
+ "PrivateLink",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Security",
- "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it",
+ "text": "Control inbound network access using Access Restrictions, Service Endpoints, or Private Endpoints.",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
- "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
- "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Protect App Service from malicious inbound traffic by deploying a Web Application Firewall (WAF) using Azure Application Gateway or Azure Front Door. 
Ensure WAF logs are monitored regularly to detect and respond to security threats.",
+ "guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
+ "service": "App Services",
 "services": [
- "AKS"
+ "AppSvc",
+ "AppGW",
+ "Monitor",
+ "WAF",
+ "FrontDoor"
 ],
- "severity": "Medium",
- "subcategory": "Security",
- "text": "If using a public API endpoint, restrict the IP addresses that can access it",
+ "severity": "High",
+ "text": "Use a Web Application Firewall (WAF) in front of App Service.",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
- "link": "https://learn.microsoft.com/azure/aks/private-clusters",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "To prevent the Web Application Firewall (WAF) from being bypassed, lock down access to App Service by using Access Restrictions, Service Endpoints, and Private Endpoints. 
This ensures that all traffic is routed through the WAF, providing a secure front layer of protection.",
+ "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Services",
 "services": [
- "AKS"
+ "AppSvc",
+ "PrivateLink",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Security",
- "text": "Use private clusters if your requirements mandate it",
+ "text": "Ensure the WAF cannot be bypassed by securing access to App Service.",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Ensure that the minimum TLS policy is set to 1.2 or higher, with a preference for TLS 1.3, to enhance security through stronger encryption protocols. 
TLS 1.3 provides additional security improvements and faster handshake times, reducing vulnerabilities associated with older versions.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
+ "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
+ "service": "App Services",
 "services": [
- "AKS",
- "AzurePolicy"
+ "AppSvc",
+ "AzurePolicy",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Security",
- "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ",
+ "text": "Set minimum TLS policy to 1.2 or higher, preferably 1.3, in App Service configuration.",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
- "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Configure App Service to enforce HTTPS-only, automatically redirecting all HTTP traffic to HTTPS. 
Additionally, implement HTTP Strict Transport Security (HSTS) in your code or via a Web Application Firewall (WAF) to ensure browsers only access the site over HTTPS, enhancing security by preventing downgrade attacks.",
+ "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
+ "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
+ "service": "App Services",
 "services": [
- "AKS",
- "AzurePolicy"
+ "AppSvc",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Security",
- "text": "Enable a Kubernetes Network Policy option (Calico/Azure)",
+ "text": "Use HTTPS only and consider enabling HTTP Strict Transport Security (HSTS).",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Do not use wildcards (*) in your CORS configuration, as this permits unrestricted access from any origin, compromising security. 
Instead, explicitly specify trusted origins that are allowed to access the service, ensuring controlled access.",
+ "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
+ "service": "App Services",
 "services": [
- "AKS",
- "AzurePolicy"
+ "Storage",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Security",
- "text": "Use Kubernetes network policies to increase intra-cluster security",
+ "text": "Avoid using wildcards for CORS; specify allowed origins explicitly.",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Remote debugging should not be enabled in production as it opens additional ports, increasing the attack surface. 
Although App Service automatically turns off remote debugging after 48 hours, it is recommended to disable it manually in production to maintain a secure environment.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
+ "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
+ "service": "App Services",
 "services": [
- "WAF",
- "AKS"
+ "AppSvc",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Security",
- "text": "Use a WAF for web workloads (UIs or APIs)",
+ "text": "Turn off remote debugging in production environments.",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
- "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.",
+ "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
+ "service": "App Services",
 "services": [
- "DDoS",
- "AKS",
- "VNet"
+ "AppSvc",
+ "WAF",
+ "Defender"
 ],
 "severity": "Medium",
- "subcategory": "Security",
- "text": "Use DDoS Standard in the AKS Virtual Network",
+ "text": "Enable Defender for Cloud - Defender for App Service",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
- "link": "https://learn.microsoft.com/azure/aks/http-proxy",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
+ "guid": "223ece80-b123-4071-a541-6415833ea3ad",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "App Services",
 "services": [
- "AKS"
+ "AppGW",
+ "DDoS",
+ "NVA",
+ "VNet",
+ "EventHubs",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Security",
- "text": "If required add company HTTP Proxy",
+ "severity": "Medium",
+ "text": "Enable DDOS Protection Standard on the WAF VNet",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
- "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "When using images stored in Azure Container Registry, ensure they are pulled over a virtual network by using a private endpoint and configuring the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'. 
This ensures secure communication between App Service and the registry, preventing exposure to the public internet.",
+ "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
+ "service": "App Services",
 "services": [
- "AKS"
+ "AppSvc",
+ "ACR",
+ "PrivateLink",
+ "VNet",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Security",
- "text": "Consider using a service mesh for advanced microservice communication management",
+ "text": "Pull container images over a Virtual Network from Azure Container Registry.",
 "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
- "service": "AKS",
- "services": [
- "Monitor",
- "AKS"
- ],
- "severity": "High",
- "subcategory": "Alerting",
- "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
- "waf": "Operations"
- },
- {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
- "service": "AKS",
- "services": [
- "AKS",
- "Entra"
- ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Check regularly Azure Advisor for recommendations on your cluster",
- "waf": "Operations"
- },
- {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
- "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Perform a penetration test on the web application in accordance with Azure's penetration testing rules of engagement. 
This helps identify vulnerabilities and security weaknesses that can be addressed before they are exploited.",
+ "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "service": "App Services",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Enable AKS auto-certificate rotation",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Conduct a penetration test on the web application.",
+ "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
- "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Ensure that only trusted code, which has been validated and scanned for vulnerabilities, is deployed to production following DevSecOps practices. This minimizes the risk of introducing security vulnerabilities into the application environment.",
+ "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
+ "service": "App Services",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Deploy validated and vulnerability-scanned code.",
+ "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
- "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Ensure that the latest versions of supported platforms, programming 
languages, protocols, and frameworks are used. Regular updates mitigate the risk of security vulnerabilities and ensure compatibility with security patches.",
+ "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
+ "service": "App Services",
 "services": [
- "AKS"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Compliance",
- "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
- "waf": "Operations"
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
+ "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
- "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Leverage Auto-Healing in Azure App Service to automatically restart instances or trigger custom actions based on pre-defined failure conditions like memory thresholds, HTTP errors, or specific event logs.",
+ "guid": "60b3a935-33e5-45c9-87c7-53882e395b46",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-diagnostics",
+ "service": "App Services",
 "services": [
- "AKS"
+ "AppSvc",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Use Auto-Healing with custom rules to restart App Service instances automatically when failures occur.",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ 
"description": "Configure Azure Monitor alerts based on Application Insights metrics for response times, failure rates, and overall availability. Alerts help detect issues proactively and reduce mean-time-to-recovery (MTTR).", + "guid": "e52e4514-02a7-4e81-a98e-88ce1b18e557", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/alerts", + "service": "App Services", "services": [ - "AKS" + "WAF", + "Monitor" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", - "waf": "Operations" + "severity": "Medium", + "text": "Set up alerts for critical Application Insights metrics, such as response time and failure rates.", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Use Azure Policy to enforce security, compliance, and governance configurations for App Service. 
Policies can ensure that critical settings such as TLS versions, backup configurations, and network restrictions are enforced across all App Service instances.",
+ "guid": "361e886f-ca40-4ead-a8e9-1379c642ae9c",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "App Services",
 "services": [
- "AKS"
+ "AppSvc",
+ "ACR",
+ "Backup",
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Consider using AKS command invoke on private clusters",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Apply Azure Policy to enforce compliance across App Service configurations.",
+ "waf": "Governance"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
- "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Leverage Azure Cost Management to track and forecast App Service expenses. 
Set up alerts for budget thresholds to avoid overspending, and optimize costs based on resource utilization trends.",
+ "guid": "42eb48f0-28ff-497c-b2c0-a8fa1f989832",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/",
+ "service": "App Services",
 "services": [
- "AKS"
+ "AppSvc",
+ "WAF",
+ "Cost",
+ "Monitor"
 ],
 "severity": "Low",
- "subcategory": "Compliance",
- "text": "For planned events consider using Node Auto Drain",
- "waf": "Operations"
- },
- {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
- "link": "https://learn.microsoft.com/azure/aks/faq",
- "service": "AKS",
- "services": [
- "AKS"
- ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')",
- "waf": "Operations"
+ "text": "Monitor App Service costs using Azure Cost Management and create cost alerts.",
+ "waf": "Cost"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
- "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "If you have predictable and steady usage of App Service, purchasing Reserved Instances can significantly reduce long-term costs. 
Commit to one or three years for lower pricing compared to pay-as-you-go.",
+ "guid": "e489221b-487e-48a3-aaab-48e3d205ca12",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/",
+ "service": "App Services",
 "services": [
- "AKS"
+ "AppSvc",
+ "ARS",
+ "Cost",
+ "Storage",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Use custom Node RG (aka 'Infra RG') name",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Purchase reserved instances for App Service plans to optimize long-term costs.",
+ "waf": "Cost"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
- "link": "https://kubernetes.io/docs/setup/release/notes/",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
+ "service": "AVS",
 "services": [
- "AKS"
+ "Subscriptions",
+ "WAF",
+ "Entra"
 ],
- "severity": "Medium",
- "subcategory": "Compliance",
- "text": "Do not use deprecated Kubernetes APIs in your YAML manifests",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
+ "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
- "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "75089c20-990d-4927-b105-885576f76fc2",
+ "service": "AVS",
 "services": [
- "AKS"
+ "AVS",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Taint Windows nodes",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to 
Azure", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Keep windows containers patch level in sync with host patch level", - "waf": "Operations" + "severity": "High", + "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "description": "Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", "services": [ - "Monitor", - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", - "waf": "Operations" + "severity": "Medium", + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "services": [ - "AKS" + "WAF" ], - "severity": 
"Low", - "subcategory": "Compliance", - "text": "If required use nodePool snapshots", - "waf": "Cost" + "severity": "Medium", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "services": [ - "Cost", - "AKS" + "WAF", + "Entra" ], - "severity": "Low", - "subcategory": "Cost", - "text": "Consider spot node pools for non time-sensitive workloads", - "waf": "Operations" + "severity": "High", + "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "services": [ - "Cost", - "AKS" + "RBAC", + "AVS", + "WAF" ], - "severity": "Low", - "subcategory": "Cost", - "text": "Consider AKS virtual node for quick bursting", - "waf": "Operations" + "severity": "Medium", + "text": "Has an RBAC model been created for use within VMware vSphere", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": 
"https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "services": [ - "Monitor", - "AKS" + "RBAC", + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", - "waf": "Operations" + "severity": "Medium", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", "services": [ - "Monitor", - "AKS" + "RBAC", + "AVS", + "WAF" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", - "waf": "Operations" + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + 
"service": "AVS", "services": [ - "Monitor", - "AKS" + "RBAC", + "WAF" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor CPU and memory utilization of the nodes", - "waf": "Operations" + "severity": "High", + "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "services": [ - "Monitor", - "AKS" + "AVS", + "WAF" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "If using Azure CNI, monitor % of pod IPs consumed per node", - "waf": "Operations" + "severity": "High", + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + "waf": "Performance" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", "services": [ - "Storage", - "ServiceBus", - "EventHubs", + "VPN", + "NetworkWatcher", + "ExpressRoute", "Monitor", - "AKS" + "WAF" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor OS disk queue depth in nodes", + "severity": "High", + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "services": [ - "LoadBalancer", + "VM", + "AVS", + "NetworkWatcher", + "ExpressRoute", "Monitor", - "AKS", - "NVA" + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF 
checklist", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "services": [ + "VM", + "AVS", + "NetworkWatcher", "Monitor", - "AKS" + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Subscribe to resource health notifications for your AKS cluster", + "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "services": [ - "AKS" + "ARS", + "WAF" ], "severity": "High", - "subcategory": "Resources", - "text": "Configure requests and limits in your pod specs", - "waf": "Operations" - }, - { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "services": [ - "AKS" - ], - "severity": "Medium", - "subcategory": "Resources", - "text": "Enforce resource quotas for namespaces", + "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", "services": [ - "AKS", - "Subscriptions" + 
"RBAC", + "AVS", + "WAF", + "Entra" ], "severity": "High", - "subcategory": "Resources", - "text": "Ensure your subscription has enough quota to scale out your nodepools", - "waf": "Operations" + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", - "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "services": [ - "AKS" + "RBAC", + "AVS", + "WAF", + "Entra" ], "severity": "High", - "subcategory": "Resources", - "text": "Configure Liveness and Readiness probes for all deployments", - "waf": "Operations" + "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "services": [ - "AKS" + "AVS", + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "Scalability", - "text": "Use the Cluster Autoscaler", - "waf": "Performance" + "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic 
Host replacement notifications. (standing permissions required)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "Customize node configuration for AKS node pools", - "waf": "Performance" + "severity": "High", + "text": "Limit use of CloudAdmin account to emergency access only", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "services": [ - "AKS" + "RBAC", + "WAF" ], "severity": "Medium", - "subcategory": "Scalability", - "text": "Use the Horizontal Pod Autoscaler when required", - "waf": "Performance" - }, - { - "category": "Operations", - "checklist": "Azure AKS Review", - "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", - "services": [ - "AKS" - ], - "severity": "High", - "subcategory": "Scalability", - "text": "Consider an appropriate node size, 
not too large or too small", - "waf": "Performance" + "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", - "waf": "Performance" + "severity": "Medium", + "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "services": [ - "AKS" + "VM", + "AVS", + "WAF", + "Entra" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "Consider subscribing to EventGrid Events for AKS automation", - "waf": "Performance" + "severity": "High", + "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + 
"service": "AVS", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "severity": "Medium", + "text": "Is East-West traffic filtering implemented within NSX-T", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", "services": [ - "AKS" + "AppGW", + "AVS", + "Firewall", + "WAF" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", - "waf": "Performance" + "severity": "High", + "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. 
Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", "services": [ - "AKS", - "Storage" + "AVS", + "WAF" ], "severity": "High", - "subcategory": "Storage", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "services": [ - "AKS", - "Storage" + "AVS", + "WAF", + "Monitor" ], - "severity": "High", - "subcategory": "Storage", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" + "severity": "Medium", + "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution 
based workloads to identify suspicious/malicious activity", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", "services": [ - "AKS", - "Storage" + "VPN", + "DDoS", + "ExpressRoute", + "VNet", + "WAF" ], - "severity": "Low", - "subcategory": "Storage", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" + "severity": "Medium", + "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "services": [ - "SQL", - "AKS", - "Storage" + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Avoid keeping state in the cluster, and store 
data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", "services": [ - "AKS", - "Storage" + "AVS", + "WAF", + "Defender" ], "severity": "Medium", - "subcategory": "Storage", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", - "waf": "Performance" + "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", "services": [ - "AKS", - "Storage" + "AVS", + "WAF", + "Arc" ], "severity": "Medium", - "subcategory": "Storage", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", + "waf": "Security" }, { - "category": "Operations 
management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", - "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage FTA Resillency Handbook", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "services": [ + "AVS", + "SQL", + "WAF" + ], + "severity": "Low", + "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", "services": [ - "ASR" + "AKV", + "WAF" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Plan for Data Center level outage", - "waf": "Reliability" + "severity": "Low", + "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets", - "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "services": [ - "ASR" + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Practice Failover for BCDR", - "waf": "Reliability" + "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "97b15b8a-219a-44ab-bb57-879024d22678", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "services": [ - "Backup" + "WAF" ], "severity": "High", - "subcategory": "Backup and Restore ", - "text": "Plan a backup strategy and take regular backups", + "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", - "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", - "service": "Purview", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "services": [ - "EventHubs" + "AzurePolicy", + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "Purview Accounts Replications", - "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", + "severity": "High", + "text": "Ensure that the 
Failure-to-tolerate policy is in place to meet your vSAN storage needs", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", - "link": "https://learn.microsoft.com/purview/deployment-best-practices", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Purview accounts architectures and deployment best practices", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", + "services": [ + "ASR", + "WAF" + ], + "severity": "High", + "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", - "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Collection Architectures and best practices", - "waf": "Reliability" + "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", - "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": 
"bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", + "services": [ + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Assest lifecycle best practices", - "waf": "Reliability" + "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", + "services": [ + "AVS", + "WAF", + "Cost" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow automation best practices", - "waf": "Reliability" + "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", + "waf": "Cost" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", "services": [ - "Backup" + "AVS", + "WAF", + "Cost" ], - "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Backup and Migration Best practices", - "waf": "Reliability" + "severity": "Low", + "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", + "waf": "Cost" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", - 
"link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Purview Glossary Best Practices", - "waf": "Reliability" + "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", - "link": "https://learn.microsoft.com/purview/concept-workflow", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data catalog", - "text": "Leverage Workflows ", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", + "services": [ + "WAF" + ], + "severity": "High", + "text": "Ensure all required resource reside within the same Azure availability zone(s)", + "waf": "Performance" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", - "link": "https://learn.microsoft.com/purview/concept-best-practices-security", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", + "services": [ + "VM", + "AVS", + "WAF", + "Defender" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Purview Security Best Practices", - "waf": "Reliability" + "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "waf": "Security" }, { - "category": "Operations management", - 
"checklist": "Microsoft Purview Review Checklist", - "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", - "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", + "services": [ + "VM", + "AVS", + "WAF", + "Arc" + ], "severity": "Medium", - "subcategory": "Data Map", - "text": "Follow Purview Data Lineage Best Practices", - "waf": "Reliability" + "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", - "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", + "services": [ + "AVS", + "WAF" + ], + "severity": "High", + "text": "Enable Diagnostic and metric logging on Azure VMware Solution", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", + "services": [ + "VM", + "AVS", + "WAF", + "Monitor" + ], "severity": "Medium", - "subcategory": "Data Map", - "text": "Follow Best Practices for Scanning Registered Sources", - "waf": "Reliability" + "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", - "service": 
"Purview", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", + "services": [ + "VM", + "AVS", + "Backup", + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "Data Map", - "text": "Follow Classification Best Practices in Governance Portal", - "waf": "Reliability" + "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", - "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", + "services": [ + "AVS", + "Defender", + "WAF", + "Monitor" + ], "severity": "Medium", - "subcategory": "Data Map", - "text": "Perform Sensitivity Labelling in the Purview Data Map", - "waf": "Reliability" + "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", - "link": "https://learn.microsoft.com/purview/concept-data-share", - "service": "Purview", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "services": [ - "Storage" + "WAF", + "Defender" ], - "severity": "Low", - "subcategory": "Data Sharing", - "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", - "waf": "Reliability" + "severity": "Medium", + "text": "Are the applicable compliance baselines 
added to Microsoft Defender for Cloud", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Leverage Data Estate Insights", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", + "services": [ + "AVS", + "WAF" + ], + "severity": "High", + "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", - "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Use Data stewardship and Catalog adoption", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", + "services": [ + "WAF" + ], + "severity": "High", + "text": "Are data processing implications (service provider / service consumer model) clear and documented", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Use Inventory and Ownership", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": 
"547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", + "services": [ + "WAF" + ], + "severity": "Medium", + "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", - "link": "https://learn.microsoft.com/purview/glossary-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", + "services": [ + "AVS", + "WAF", + "Monitor" + ], + "severity": "High", + "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b130a888-9579-4e76-a896-e710a7da7be9", - "link": "https://learn.microsoft.com/purview/compliance-manager", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data Quality ", - "text": "Generate assessment scores", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": 
"AVS", + "services": [ + "AVS", + "WAF", + "Monitor" + ], + "severity": "High", + "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", - "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data Quality ", - "text": "Profiling- get summaries of data content", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", + "services": [ + "AVS", + "WAF", + "Monitor" + ], + "severity": "High", + "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", - "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", - "service": "Purview", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 
'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), 
informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "services": [ - "AzurePolicy" + "WAF", + "Monitor" ], - "severity": "Low", - "subcategory": "Data Policy", - "text": "Follow Microsoft Purview Data Owner access policies", - "waf": "Reliability" + "severity": "High", + "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", - "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", - "service": "Purview", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "services": [ - "AzurePolicy" + "Storage", + "AVS", + "WAF" ], - "severity": "Low", - "subcategory": "Data Policy", - "text": "Follow Self-service access policies", - "waf": "Reliability" + "severity": "Medium", + "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", - "link": "https://learn.microsoft.com/purview/concept-policies-devops", - "service": "Purview", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", "services": [ - "AzurePolicy" + "AVS", + "WAF" ], "severity": "Low", - "subcategory": "Data Policy", - "text": "Follow DevOps policies", - "waf": "Reliability" + 
"text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "af416482-663c-4ed6-b195-b44c7068e09c", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", - "query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)", - "service": "Container Apps", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", + "services": [ + "AzurePolicy", + "Storage", + "WAF", + "VM" + ], "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", - "query": "resources | where type =~ 'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)", - "service": "Container Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Use more than one replica and enable Zone Redundancy.", - "waf": "Reliability" + 
"arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", + "services": [ + "WAF" + ], + "severity": "Medium", + "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", + "services": [ + "Storage", + "WAF", + "Backup" + ], + "severity": "Medium", + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", "services": [ - "TrafficManager", - "FrontDoor" + "AVS", + "WAF", + "Arc" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Use Front Door or Traffic Manager to route traffic to the closest region", - "waf": "Reliability" + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "services": [ - "Entra" + "AVS", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Entra ID", - "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", - "waf": "Reliability" + "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": 
"https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "services": [ - "Entra" + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "AAD B2C", - "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes", - "waf": "Reliability" + "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", "services": [ - "Entra" + "AzurePolicy", + "AVS", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "AAD B2C", - "text": "Custom brand assets should be hosted on a CDN", - "waf": "Performance" + "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", "services": [ - "Entra" + "AVS", + "WAF", + 
"Defender" ], - "severity": "Low", - "subcategory": "AAD B2C", - "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", - "waf": "Reliability" + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "services": [ - "Entra", - "VM" + "WAF", + "Backup" ], "severity": "Medium", - "subcategory": "Windows Server AD", - "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", "services": [ - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "Windows Server AD", - "text": "Don't replicate! Replication can create issues with directory synchronization", + "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "services": [ - "Entra" + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Windows Server AD", - "text": "Have active-active for multi-regions", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "services": [ - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Entra Domain Services", - "text": "Add Azure AD Domain service stamps to additional regions and locations", + "severity": "High", + "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "services": [ - "Entra" + "ASR", + "WAF" ], 
"severity": "Medium", - "subcategory": "Entra Domain Services", - "text": "Use Replica Sets for DR", + "text": "Use the geopolitical region pair as the secondary disaster recovery environment", "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", "service": "AVS", "services": [ - "Entra", - "AVS", - "Subscriptions" + "WAF" ], "severity": "High", - "subcategory": "Identity", - "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", - "waf": "Security" + "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", "service": "AVS", "services": [ - "Entra", - "AVS" + "NVA", + "AVS", + "ExpressRoute", + "WAF" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", - "waf": "Security" + "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", "service": "AVS", 
"services": [ - "Entra", - "AVS" + "WAF", + "Backup" ], - "severity": "High", - "subcategory": "Identity", - "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", - "waf": "Security" + "severity": "Medium", + "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", "service": "AVS", "services": [ - "Entra", - "AVS" + "AVS", + "WAF", + "Backup" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", - "waf": "Security" + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", "service": "AVS", "services": [ - "Entra", - "AVS" + "WAF", + "Backup" ], "severity": "Medium", - "subcategory": "Identity", - "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", - "waf": "Security" + "text": "Deploy your backup solution outside of vSan, on Azure native components", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", "service": "AVS", "services": [ 
- "Entra", - "AVS" + "AVS", + "WAF" ], - "severity": "High", - "subcategory": "Identity", - "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", - "waf": "Security" + "severity": "Low", + "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", "service": "AVS", "services": [ - "Entra", - "AVS", - "RBAC" + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Has an RBAC model been created for use within VMware vSphere", - "waf": "Security" + "severity": "Low", + "text": "For manual deployments, all configuration and deployments must be documented", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", "service": "AVS", "services": [ - "Entra", "AVS", - "RBAC" + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "RBAC permissions should be granted on ADDS groups and not on specific users", - "waf": "Security" + "severity": "Low", + "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", "service": "AVS", "services": [ - "Entra", - "AVS", - "RBAC" + "WAF" 
], - "severity": "High", - "subcategory": "Identity", - "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", - "waf": "Security" + "severity": "Low", + "text": "For automated deployments, deploy a minimal private cloud and scale as needed", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", "service": "AVS", "services": [ - "Entra", - "AVS", - "RBAC" + "WAF" ], - "severity": "High", - "subcategory": "Identity", - "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", - "waf": "Security" + "severity": "Low", + "text": "For automated deployments, request or reserve quota prior to starting the deployment", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", "service": "AVS", "services": [ - "AVS" + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "Architecture", - "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", - "waf": "Performance" + "severity": "Low", + "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": 
"e2cc95d4-8c6b-4791-bca0-f6c56589e558", "service": "AVS", "services": [ - "VPN", - "Monitor", - "AVS", - "ExpressRoute", - "NetworkWatcher" + "AKV", + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "severity": "Low", + "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", "service": "AVS", "services": [ - "VM", - "Monitor", + "AKV", "AVS", "ExpressRoute", - "NetworkWatcher" + "WAF" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "severity": "Low", + "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", "service": "AVS", "services": [ - "Monitor", "AVS", - "NetworkWatcher", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "severity": "Low", + "text": "Define resource dependencies for serializing actions 
in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", "service": "AVS", "services": [ - "ARS", - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Routing", - "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", + "severity": "Low", + "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", "service": "AVS", "services": [ - "Entra", "AVS", - "RBAC" + "Subscriptions", + "WAF" ], - "severity": "High", - "subcategory": "Security (identity)", - "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", - "waf": "Security" + "severity": "Medium", + "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", "service": "AVS", 
"services": [ - "Entra", - "AVS", - "RBAC" + "AzurePolicy", + "Storage", + "WAF" ], - "severity": "High", - "subcategory": "Security (identity)", - "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", - "waf": "Security" + "severity": "Medium", + "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", "service": "AVS", "services": [ - "Entra", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Security (identity)", - "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", - "waf": "Security" + "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", "service": "AVS", "services": [ - "Entra", - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Security (identity)", - "text": "Limit use of CloudAdmin account to emergency access only", - "waf": "Security" + "severity": "Medium", + "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", "service": "AVS", "services": [ - "Entra", - "AVS", - "RBAC" + "WAF" ], "severity": "Medium", - "subcategory": "Security (identity)", - "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", - "waf": "Security" + "text": "Define and enforce scale in/out maximum limits for your environment in the automations", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", "service": "AVS", "services": [ - "Entra", - "AVS" + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Security (identity)", - "text": "Is a process defined to regularly 
rotate cloudadmin (vCenter) and admin (NSX) credentials", - "waf": "Security" + "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "AVS", "services": [ - "Entra", - "AVS", - "VM" + "VM", + "WAF" ], "severity": "High", - "subcategory": "Security (identity)", - "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", - "waf": "Security" + "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "AVS", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Security (network)", - "text": "Is East-West traffic filtering implemented within NSX-T", - "waf": "Security" + "severity": "High", + "text": "When using MON, you cannot enable MON on more than 100 Network extensions", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": 
"Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", "service": "AVS", "services": [ - "AppGW", - "AVS", - "Firewall" + "VPN", + "WAF" ], - "severity": "High", - "subcategory": "Security (network)", - "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", - "waf": "Security" + "severity": "Medium", + "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", "service": "AVS", "services": [ - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Security (network)", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", - "waf": "Security" + "severity": "Medium", + "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", "service": "AVS", "services": [ - "Monitor", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Security (network)", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware 
Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "waf": "Security" + "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')", - "guid": "334fdf91-c234-4182-a652-75269440b4be", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "service": "AVS", "services": [ - "VPN", + "Storage", + "VM", "AVS", - "ExpressRoute", - "DDoS", - "VNet" + "WAF" ], "severity": "Medium", - "subcategory": "Security (network)", - "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", - "waf": "Security" + "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF 
checklist", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", "service": "AVS", "services": [ - "AVS" + "Storage", + "ExpressRoute", + "WAF" ], "severity": "Medium", - "subcategory": "Security (network)", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "waf": "Security" + "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", "service": "AVS", "services": [ - "AVS", - "Defender" + "Storage", + "ExpressRoute", + "WAF" ], "severity": "Medium", - "subcategory": "Security (guest/VM)", - "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", - "waf": "Security" + "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", "service": "AVS", "services": [ - "Arc", - "AVS" + "ASR", + "WAF" ], - "severity": "Medium", - "subcategory": "Security 
(guest/VM)", - "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", - "waf": "Security" + "severity": "High", + "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", "service": "AVS", "services": [ - "SQL", - "AVS" + "WAF" ], - "severity": "Low", - "subcategory": "Security (guest/VM)", - "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", - "waf": "Security" + "severity": "High", + "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", "service": "AVS", "services": [ - "AKV", - "AVS" + "ExpressRoute", + "WAF" ], - "severity": "Low", - "subcategory": "Security (guest/VM)", - "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", - "waf": "Security" + "severity": "High", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", "service": "AVS", "services": [ - "AVS" + "ExpressRoute", + "WAF" ], - "severity": "Medium", - "subcategory": "Security (guest/VM)", - "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", - "waf": "Security" + "severity": "High", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "arm-service": "Microsoft.AVS/privateClouds", + 
"checklist": "WAF checklist", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", "service": "AVS", "services": [ - "AVS" + "WAF" ], "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", + "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "services": [ - "AVS", - "AzurePolicy", - "Storage" + "WAF" ], "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "text": "Select the right Function hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' and tolower(kind) !contains 'workflow' | extend aspResourceId = tostring(properties.serverFarmId), managedEnvId = tostring(properties.managedEnvironmentId), sku = tostring(properties.sku) | extend sku = iif(isnotempty(sku), sku, 
iif(isnotempty(managedEnvId), 'ContainerApps', '')) | where sku !in ('Dynamic', 'FlexConsumption', '') | extend aspName = tostring(split(aspResourceId, '/').[-1]), managedEnvName = tostring(split(managedEnvId, '/').[-1]) | extend HostingPlan = tostring(iif(isnotempty(aspName), aspName, managedEnvName)) | project functionAppName = name, functionAppId = id, HostingPlan, sku | join kind=inner ( resources | where type =~ 'Microsoft.Web/serverfarms' or type =~ 'Microsoft.App/managedEnvironments' | extend HostingPlan = tostring(name), zoneRedundant = tostring(properties.zoneRedundant), compliant = tobool(properties.zoneRedundant) | project HostingPlan, resourceId = id, zoneRedundant, compliant ) on HostingPlan | project functionAppName, functionAppId, sku, HostingPlan, resourceId, zoneRedundant, compliant", + "service": "Azure Functions", "services": [ - "AVS", - "ASR" + "WAF" ], "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "waf": "Operations" + "text": "Consider a Cross-Region DR strategy for critical workloads", + 
"waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "services": [ - "AVS", - "AzurePolicy" + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", - "waf": "Operations" + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' | where tolower(kind) !contains 'workflow' | where isnotempty(properties.serverFarmId) | extend sku = tostring(properties.sku) | where isnotempty(sku) | where sku !in ('Dynamic', 'FlexConsumption', 'ElasticPremium') | extend alwaysOn = properties.siteConfig.alwaysOn | project functionAppName = name, functionAppId = id, serverFarmId = tostring(properties.serverFarmId), sku, alwaysOn, compliant = tobool(alwaysOn)", + "service": "Azure Functions", "services": [ - "Cost", - "AVS" + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can 
be used", - "waf": "Cost" + "severity": "High", + "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "services": [ - "Cost", - "AVS" + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "Governance (platform)", - "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", - "waf": "Cost" + "severity": "Medium", + "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Consider the use of Azure Private-Link when using other Azure Native Services", - "waf": "Security" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "WAF 
checklist", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "services": [ - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure all required resource reside within the same Azure availability zone(s)", - "waf": "Performance" + "severity": "Medium", + "text": "Follow reliability support recommendations in Azure Bot Service", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "WAF checklist", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "services": [ - "AVS", - "VM", - "Defender" + "WAF" ], "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", - "waf": "Security" + "text": "Deploying bots with local data residency and regional compliance", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "WAF checklist", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "services": [ - "Arc", - "AVS", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", - "waf": "Security" + "text": "Azure Bot Service runs in 
active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", "services": [ - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Governance (guest/VM)", - "text": "Enable Diagnostic and metric logging on Azure VMware Solution", - "waf": "Operations" + "severity": "Medium", + "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "services": [ - "Monitor", - "AVS", - "VM" + "TrafficManager", + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", - "waf": "Operations" + "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "services": [ - "Backup", - "AVS", - "AzurePolicy", - "VM" + "WAF", + "ACR" ], "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", - "waf": "Operations" + "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "services": [ - "Monitor", - "AVS", - "Defender" + "WAF" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", - "waf": "Security" + "text": "Use more than 1 app instance for your apps", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "services": [ - "AVS", - "Defender" + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", - "waf": "Security" + "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "services": [ - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Compliance", - "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", - "waf": "Security" + "severity": "Medium", + "text": "Set up autoscaling in Spring Cloud Gateway", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", "services": [ - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Compliance", - "text": "Are data processing implications (service provider / service consumer model) clear and documented", - "waf": "Security" + "severity": "Low", + "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "services": [ - 
"AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", - "waf": "Security" + "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "services": [ - "Monitor", - "AVS" + "Storage", + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "waf": "Operations" + "severity": "Medium", + "text": "Consider the 'Azure security baseline for storage'", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Azure Storage by default has a public IP 
address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "services": [ - "Monitor", - "AVS" + "Storage", + "WAF", + "PrivateLink" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "waf": "Operations" + "text": "Consider using private endpoints for Azure Storage", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", 
+ "checklist": "WAF checklist", + "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "services": [ - "Monitor", - "AVS" + "RBAC", + "Storage", + "Subscriptions", + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", - "waf": "Operations" + "severity": "Medium", + "text": "Ensure older storage accounts are not using 'classic deployment model'", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, 
iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or 
pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "services": [ - "Monitor", - "AVS" + "Storage", + "WAF", + "Defender" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", - "waf": "Operations" + "text": "Enable Microsoft Defender for all of your storage accounts", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "services": [ - "Monitor", - "AVS", - "Storage" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", - "waf": "Operations" + "text": "Enable 'soft delete' for blobs", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "services": [ - "Monitor", - "AVS" + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "Monitoring", - "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", - "waf": "Operations" + "severity": "Medium", + "text": "Disable 'soft delete' for blobs", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "services": [ - "AVS", - "AzurePolicy", - "VM", - "Storage" + "WAF" ], "severity": "High", - "subcategory": "Operations", - "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", - "waf": "Operations" - }, - { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", - "services": [ - "AVS" - ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", - "waf": "Operations" + "text": "Enable 'soft delete' for containers", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "arm-service": 
"Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "services": [ - "AVS", - "Backup", - "Storage" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", - "waf": "Operations" + "text": "Disable 'soft delete' for containers", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "services": [ - "Arc", - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", - "waf": "Operations" + "severity": "High", + "text": "Enable resource locks on storage accounts", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", + "arm-service": 
"Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "services": [ - "Monitor", - "AVS" + "AzurePolicy", + "Storage", + "Subscriptions", + "WAF" ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", - "waf": "Operations" + "severity": "High", + "text": "Consider immutable blobs", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. 
", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", - "waf": "Operations" + "severity": "High", + "text": "Require HTTPS, i.e. disable port 80 on the storage account", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "services": [ - "Monitor", - "AVS", - "AzurePolicy" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", - "waf": "Operations" + "severity": "High", + "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": 
"WAF checklist", + "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "services": [ - "AVS", - "Defender" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", + "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": ". Enforcing the latest TLS version will reject request from clients using the older version. ", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", + "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", + "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", + "service": "Azure Storage", "services": [ - "AVS", - "Backup" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", - "waf": "Reliability" + "severity": "High", + "text": "Enforce the latest TLS version for a storage account", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Microsoft Entra ID 
tokens should be favored over shared access signatures, wherever possible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "services": [ - "AVS", - "ASR" + "Storage", + "WAF", + "Entra" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]", - "waf": "Reliability" + "severity": "High", + "text": "Use Microsoft Entra ID tokens for blob access", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "services": [ - "AVS", - "ASR" + "RBAC", + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", - "waf": "Reliability" + "text": "Least privilege in IaM permissions", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. 
A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "services": [ - "AVS", - "ASR" + "Storage", + "WAF", + "Entra" ], "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", - "waf": "Reliability" + "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. 
", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "services": [ - "AVS", - "ASR" + "Entra", + "Storage", + "AKV", + "WAF", + "Monitor" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use the geopolitical region pair as the secondary disaster recovery environment", - "waf": "Reliability" + "severity": "High", + "text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "services": [ - "AVS", - "ASR" + "Storage", + "AzurePolicy", + "Monitor", + "AKV", + "WAF" ], "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", - "waf": "Reliability" + "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "services": [ - "ExpressRoute", - "AVS", - "ASR", - "NVA" + "AKV", + "Storage", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", - "waf": "Reliability" + "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "services": [ - "AVS", - "Backup" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]", - "waf": "Reliability" + "text": "Consider configuring an SAS expiration policy", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "services": [ - "AVS", - "Backup" + "AzurePolicy", + "Storage", + "WAF", + "AKV" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", - "waf": "Reliability" + "text": "Consider linking SAS to a stored access policy", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "services": [ - "AVS", - "Backup" + "AKV", + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Deploy your backup solution outside of vSan, on Azure native components", - "waf": "Reliability" - }, - { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "services": [ - "AVS" - ], - "severity": "Low", - "subcategory": "Business Continuity", - "text": "Is a 
process in place to request a restore of the VMware components managed by the Azure Platform?", - "waf": "Reliability" + "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF", + "Entra" ], - "severity": "Low", - "subcategory": "Deployment strategy", - "text": "For manual deployments, all configuration and deployments must be documented", - "waf": "Operations" + "severity": "High", + "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "services": [ - "AVS" + "AzurePolicy", + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "Deployment strategy", - "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - "waf": "Operations" + "severity": "High", + "text": "Strive for short validity periods for ad-hoc SAS", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "services": [ - "AVS" + "WAF" ], - "severity": "Low", - "subcategory": "Automated Deployment", - "text": "For automated deployments, deploy a minimal private cloud and scale as needed", - "waf": "Operations" + "severity": "Medium", + "text": "Apply a narrow scope to a SAS", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "services": [ - "AVS" + "WAF" ], - "severity": "Low", - "subcategory": "Automated Deployment", - "text": "For automated deployments, request or reserve quota prior to starting the deployment", - "waf": "Operations" + "severity": "Medium", + "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", + "guid": 
"348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", "services": [ - "AVS", - "AzurePolicy" + "Storage", + "WAF" ], "severity": "Low", - "subcategory": "Automated Deployment", - "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", - "waf": "Operations" + "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "services": [ - "AKV", - "AVS" + "RBAC", + "Storage", + "WAF", + "Entra" ], - "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "waf": "Operations" + "severity": "High", + "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": 
"9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "services": [ - "ExpressRoute", - "AKV", - "AVS" + "WAF" ], - "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "waf": "Operations" + "severity": "Medium", + "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. 
When enabling CORS, keep the CorsRules to the least privilege.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "services": [ - "AVS" + "AzurePolicy", + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", - "waf": "Operations" + "severity": "High", + "text": "Avoid overly broad CORS policies", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. 
thus not relying on Azure Storage at all for confidentiality guarantees.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", - "waf": "Operations" + "severity": "High", + "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "services": [ - "AVS", - "Subscriptions" + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "waf": "Performance" + "text": "Determine which/if platform encryption should be used.", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure 
Storage", "services": [ - "AVS", - "AzurePolicy", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "waf": "Performance" + "text": "Determine which/if client-side encryption should be used.", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", - "waf": "Performance" + "severity": "High", + "text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. 
", + "waf": "Security" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "waf": "Performance" + "severity": "High", + "text": "Leverage a storagev2 account type for better performance and reliability", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Define and enforce scale in/out maximum limits for your environment in the automations", - "waf": "Performance" + "severity": "High", + "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "arm-service": 
"Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", "services": [ - "Monitor", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", - "waf": "Operations" + "text": "For write operation after failover, use customer-Managed Failover ", + "waf": "Reliability" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", "services": [ - "AVS", - "VM" + "WAF" ], - "severity": "High", - "subcategory": "Architecture", - "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "severity": "Medium", + "text": "Understand Microsoft-Managed Failover details", "waf": "Reliability" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF 
checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", "services": [ - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Architecture", - "text": "When using MON, you cannot enable MON on more than 100 Network extensions", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "severity": "Medium", + "text": "Enable Soft Delete", "waf": "Reliability" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "services": [ - "VPN", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", - "waf": "Performance" + "severity": "High", + "text": "Enable 2 replicas to have 99.9% availability for read operations", + "waf": "Reliability" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", - "waf": "Performance" + "text": "Enable 3 replicas to have 
99.9% availability for read/write operations", + "waf": "Reliability" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Process", - "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", + "severity": "High", + "text": "Leverage Availability Zones by enabling read and/or write replicas", "waf": "Reliability" }, { - "category": "Data Storage", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "services": [ - "AVS", - "VM", - "Storage" + "WAF", + "ACR" ], "severity": "Medium", - "subcategory": "Architecture", - "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", "waf": "Reliability" }, { - "category": "Data Storage", - "checklist": "Azure VMware Solution Design Review", - 
"guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "services": [ - "ExpressRoute", - "AVS", - "Storage" + "WAF", + "ACR" ], "severity": "Medium", - "subcategory": "Architecture", - "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", + "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", "waf": "Reliability" }, { - "category": "Data Storage", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "services": [ - "ExpressRoute", - "AVS", - "Storage" + "TrafficManager", + "WAF" ], "severity": "Medium", - "subcategory": "Architecture", - "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", + "text": "Use Azure Traffic Manager to coordinate requests", "waf": "Reliability" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "services": [ - "AVS", - "ASR" + "Storage", + "WAF", + "Backup" ], "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", + "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", "waf": "Reliability" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", + "service": "Cognitive Services", "services": [ - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", + "severity": "Medium", + "text": "Leverage FTA HandBook for Cognitive Services", "waf": "Reliability" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", + "arm-service": 
"Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Cognitive Services", "services": [ - "ExpressRoute", - "AVS" + "WAF", + "Backup" ], - "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", + "severity": "Medium", + "text": "Backup Your Prompts", "waf": "Reliability" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Cognitive Services", "services": [ - "ExpressRoute", - "AVS" + "ASR", + "WAF" ], "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", "waf": "Reliability" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", + "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", 
+ "service": "Cognitive Services", "services": [ - "AVS" + "WAF", + "Backup" ], - "severity": "High", - "subcategory": "Architecture", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", + "severity": "Medium", + "text": "Backup Your ChatGPT conversations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", + "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", + "service": "Cognitive Services", "services": [ - "ACR" + "WAF" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", + "severity": "Medium", + "text": "CI/CD for custom speech", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "3687a046-7a1f-4893-9bda-43324f248116", + "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", + "service": "Cognitive Services", "services": [ - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", + "severity": "Low", + "text": "Move a knowledge base using export-import", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "arm-service": "Microsoft.App/containerApps", + "checklist": "WAF checklist", + "guid": "af416482-663c-4ed6-b195-b44c7068e09c", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", + "query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)", + "service": "Container Apps", "services": [ - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "arm-service": "Microsoft.App/containerApps", + "checklist": "WAF checklist", + "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", + "query": "resources | where type =~ 
'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)", + "service": "Container Apps", "services": [ - "ASR" + "WAF" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", + "severity": "High", + "text": "Use more than one replica and enable Zone Redundancy.", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", - "services": [], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", + "arm-service": "Microsoft.App/containerApps", + "checklist": "WAF checklist", + "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", + "services": [ + "WAF" + ], + "severity": "High", + "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": 
"Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "services": [], + "arm-service": "Microsoft.App/containerApps", + "checklist": "WAF checklist", + "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", + "services": [ + "TrafficManager", + "WAF", + "FrontDoor" + ], "severity": "High", - "subcategory": "Availablity Zone", - "text": "Use zone redundant pipelines in regions that support Availability Zones", + "text": "Use Front Door or Traffic Manager to route traffic to the closest region", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", "services": [ - "Backup" + "WAF" ], "severity": "Medium", - "subcategory": "DevOps Integration", - "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", + "text": "FTA Resiliency Playbook", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + 
"arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "services": [ - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Network", - "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", + "severity": "High", + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", "services": [ - "VNet" + "WAF" ], "severity": "Medium", - "subcategory": "Network", - "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", + "text": "Run multiple replicas of the database (>1 ) in Prod", "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure Data Factory Review Checklist", - "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", + "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", + "service": "CosmosDB", "services": [ - "AKV" + "WAF", + "ACR" ], - "severity": "Low", - "subcategory": "Integration", - "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", + "severity": "Medium", + "text": "Leverage Multi-Region Writes", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "974a759c-763e-47d2-9161-3a7649907e0e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ASB_v1.docx", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "Span Cosmos account across two or more regions with multi-region writes", + "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "services": [ - "ServiceBus" + "WAF", + "ACR" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage FTA Handbook.", + "text": "Distribute your data globally", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "49907e0e-338e-4e25-9c17-d32e8aaab757", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/operational-excellence", 
+ "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", + "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", + "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", + "service": "CosmosDB", "services": [ - "ServiceBus" + "WAF" ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Implement geo-replication on the sender and receiver side to protect against outages and disasters", + "severity": "High", + "text": "Choose from several well-defined consistency models", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "1549ab81-53d8-49f8-ad17-b84b33b5a67f", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. 
By using this API, you can carry out regular business continuity drills.",
+ "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover",
+ "service": "CosmosDB",
 "services": [
- "ServiceBus",
- "Storage",
- "ASR"
+ "WAF",
+ "CosmosDB"
 ],
 "severity": "Medium",
- "subcategory": "Best Practices",
- "text": "If you need mission-critical messaging with queues and topics, Service Bus Premium is recommended with Geo-Disaster Recovery.",
+ "text": "Enable Service managed failover",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "guid": "7b9ed5b3-1f38-4c40-9a82-2c2463cf0f18",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "WAF checklist",
+ "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.",
+ "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore",
+ "service": "CosmosDB",
 "services": [
- "ServiceBus"
+ "Storage",
+ "CosmosDB",
+ "WAF",
+ "Backup"
 ],
 "severity": "Medium",
- "subcategory": "Best Practices",
- "text": "Implement high availability for the Service Bus namespace",
+ "text": "Enable Automatic Backups",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "guid": "ac699ef1-d5a8-43de-9de3-2c1881470607",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "WAF checklist",
+ "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.",
+ "guid": "a6eb33f6-005c-4d92-9286-7655672d6121",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction",
+ "service": "CosmosDB",
 "services": [
- "ServiceBus"
+ "WAF",
+ "Backup"
 ],
- "severity": "High",
- "subcategory": "Best Practices",
- "text": "Ensure related messages are delivered in guaranteed order",
+ "severity": "Medium",
+ "text": "Perform Periodic Backups",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "guid": "c5c0e4e6-1465-48d2-958e-d67139b82110",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "WAF checklist",
+ "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.",
+ "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction",
+ "service": "CosmosDB",
 "services": [
- "ServiceBus"
+ "CosmosDB",
+ "WAF",
+ "Backup"
 ],
- "severity": "Low",
- "subcategory": "Best Practices",
- "text": "Evaluate different Java Messaging Service (JMS) features through the JMS API",
+ "severity": "Medium",
+ "text": "Continous Backup with point-in-time restore in Azure Cosmos DB",
+ "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "guid": "2df26ee4-11e6-4f88-9e52-f4722dd68c5b",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "WAF checklist",
+ "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
+ "service": "Azure Monitor",
 "services": [
- "ServiceBus"
+ "WAF",
+ "Monitor"
 ],
- "severity": "Low",
- "subcategory": "Best Practices",
- "text": "Use .NET Nuget packages to communicate with Service Bus messaging entities",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "Cost"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "guid": "5c2521e5-4a69-4b9d-939a-c4e7c68d1d75",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "WAF 
checklist",
+ "guid": "45901365-d38e-443f-abcb-d868266abca2",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Azure Backup",
 "services": [
- "ServiceBus"
+ "WAF",
+ "Backup"
 ],
 "severity": "Medium",
- "subcategory": "Best Practices",
- "text": "Implement resilience for transient fault handling when sending or receiving messages",
- "waf": "Reliability"
+ "text": "check backup instances with the underlying datasource not found",
+ "waf": "Cost"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "description": "This will be turned on automatically for a new SB namespace created from the portal with the Premium SKUs in a zone-enabled region. Both the Service Bus metadata and the messages data are replicated across datacenters in the availability zones configuration",
- "guid": "338ee253-c17d-432e-aaaa-b7571549ab81",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "VM",
 "services": [
- "ACR",
- "ServiceBus"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Best Practices",
- "text": "Leverage Availability Zones if regionally applicable",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)",
+ "waf": "Cost"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "description": "If enabled, Implements namespace metadata replication to a secondary region. Does not replicate queue/topic message data. 
Premium sku only.",
- "guid": "53d89f89-d17b-484b-93b5-a67f7b9ed5b3",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#geo-disaster-recovery",
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "WAF checklist",
+ "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "service": "Azure Backup",
 "services": [
- "ServiceBus",
 "Storage",
- "ASR"
+ "ASR",
+ "WAF",
+ "Backup"
 ],
 "severity": "Medium",
- "subcategory": "Geo-Disaster Recovery",
- "text": "Plan for Metadata replication during regional failure",
- "waf": "Reliability"
+ "text": "Consider a good balance between site recovery storage and backup for non mission critical applications",
+ "waf": "Cost"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "description": "If an outage cannot be tolerated, do not use the build-in metadata replication option. 
Leverage a replication pattern to replicate Service Bus messages across two or more sets of cross-region namespaces",
- "guid": "1f38c403-a822-4c24-93cf-0f18ac699ef1",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-federation-overview",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "WAF checklist",
+ "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
+ "service": "Azure Monitor",
 "services": [
- "ACR",
- "ServiceBus",
- "ASR"
+ "WAF",
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Geo-Disaster Recovery",
- "text": "Plan for Message replication during regional failure",
- "waf": "Reliability"
+ "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
+ "waf": "Cost"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus uses a message broker to handle messages that are sent to a Service Bus queue or topic. By default, all messages that are sent to a queue or topic are handled by the same message broker process. This architecture can place a limitation on the overall throughput of the message queue. 
However, you can also partition a queue or topic when it is created",
- "guid": "d5a83de4-de32-4c18-a147-0607c5c0e4e6",
- "link": "https://learn.microsoft.com/azure/architecture/best-practices/data-partitioning-strategies#partitioning-azure-service-bus",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "WAF checklist",
+ "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Azure Monitor",
 "services": [
- "ServiceBus",
- "Storage"
+ "AzurePolicy",
+ "Storage",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Best Practices",
- "text": "For applications which require high throughput, use Patritioning ",
- "waf": "Reliability"
+ "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)",
+ "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
+ "waf": "Cost"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "guid": "14658d24-58ed-4671-99b8-21102df26ee4",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "VM",
 "services": [
- "ServiceBus"
+ "Storage",
+ "WAF",
+ "Backup"
 ],
 "severity": "Medium",
- "subcategory": "Best Practices",
- "text": "Evaluate Premier-tier benefits of Azure Service Bus",
- "waf": "Reliability"
+ "text": "Check that the disks are really needed, if not: delete. 
If they are needed, find lower storage tiers or use backup -",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
+ "waf": "Cost"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "guid": "11e6f883-e52f-4472-8dd6-8c5b5c2521e5",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-messaging-exceptions",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "WAF checklist",
+ "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Storage",
 "services": [
- "ServiceBus"
+ "AzurePolicy",
+ "Storage",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Best Practices",
- "text": "Ensure that Service Bus Messaging Exceptions are handled properly",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "waf": "Cost"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "guid": "4a69b9d3-39ac-44e7-a68d-1d75657202b4",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "VM",
 "services": [
- "ServiceBus",
- "PrivateLink",
- "Storage"
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Best Practices",
- "text": "Connect to Service Bus with the Advanced Messaging Queue Protocol (AMQP) and use 
Service Endpoints or Private Endpoints when possible.",
- "waf": "Reliability"
+ "text": "Make sure advisor is configured for VM right sizing ",
+ "waf": "Cost"
 },
 {
- "category": "Operations Management",
- "checklist": "Service Bus Review Checklist",
- "guid": "f4564b4d-974a-4759-a763-e7d261613a76",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-performance-improvements?tabs=net-standard-sdk-2",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "description": "check by searching the Meter Category Licenses in the Cost analysys",
+ "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
+ "service": "VM",
 "services": [
- "ServiceBus"
+ "AzurePolicy",
+ "VM",
+ "WAF",
+ "Cost"
 ],
- "severity": "High",
- "subcategory": "Best Practices",
- "text": "Review the Best Practices for performance improvements using Service Bus Messaging",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently",
+ "waf": "Cost"
 },
 {
- "category": "Security",
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
",
- "guid": "87af4a79-1f89-439b-ba47-768e14c11567",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key",
- "service": "Service Bus",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "service": "VM",
 "services": [
- "ServiceBus"
+ "LoadBalancer",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Data Protection",
- "text": "Use customer-managed key option in data at rest encryption when required",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
- "waf": "Security"
+ "severity": "Medium",
+ "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
+ "waf": "Cost"
 },
 {
- "category": "Security",
- "checklist": "Service Bus Review Checklist",
- "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.",
- "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version",
- "service": "Service Bus",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "VM",
 "services": [
- "ServiceBus"
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Data Protection",
- "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
- "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
- "waf": "Security"
+ "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)",
+ "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
+ "waf": "Cost"
 },
 {
- "category": "Security",
- "checklist": "Service Bus Review Checklist",
- "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
",
- "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
- "service": "Service Bus",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
+ "service": "VM",
 "services": [
- "TrafficManager",
- "ServiceBus",
- "AzurePolicy",
- "RBAC",
- "Entra"
+ "VM",
+ "WAF",
+ "Cost",
+ "ARS"
 ],
 "severity": "Medium",
- "subcategory": "Identity and Access Management",
- "text": "Avoid using root account when it is not necessary",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
- "waf": "Security"
+ "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
+ "waf": "Cost"
 },
 {
- "category": "Security",
- "checklist": "Service Bus Review Checklist",
- "description": "Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. 
We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.",
- "graph": "Resources | where type =~ 'microsoft.servicebus/namespaces' | extend compliant = iif(properties.disableLocalAuth == 'false', 'No', 'Yes') | project id, compliant",
- "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
- "link": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication",
- "service": "Service Bus",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "VM",
 "services": [
- "ServiceBus",
- "Entra"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity and Access Management",
- "text": "When possible, disable SAS key authentication (or local authentication) and use only Microsoft Entra ID for authentication",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Security"
+ "text": "Only larger disks can be reserved => 1 TiB -",
+ "waf": "Cost"
 },
 {
- "category": "Security",
- "checklist": "Service Bus Review Checklist",
- "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
",
- "guid": "f615658d-e558-4f93-9249-b831112dbd7e",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
- "service": "Service Bus",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "service": "VM",
 "services": [
- "Storage",
- "ServiceBus",
- "RBAC",
- "Entra",
- "Subscriptions"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Identity and Access Management",
- "text": "Use least privilege data plane RBAC",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "After the right-sizing optimization",
+ "waf": "Cost"
 },
 {
- "category": "Security",
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.",
- "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
- "service": "Service Bus",
+ "arm-service": "Microsoft.Sql/servers",
+ "checklist": "WAF checklist",
+ "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ "service": "Azure SQL",
 "services": [
- "ServiceBus",
- "Monitor",
- "VNet"
+ "AzurePolicy",
+ "SQL",
+ "WAF",
+ "Cost"
 ],
 "severity": "Medium",
- "subcategory": "Monitoring",
- "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
- "waf": "Security"
+ "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
+ "waf": "Cost"
 },
 {
- "category": "Security",
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ",
- "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
- "service": "Service Bus",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "VM",
 "services": [
- "ServiceBus",
- "PrivateLink",
- "VNet"
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Networking",
- "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Security"
+ "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount",
+ "waf": "Cost"
 },
 {
- "category": "Security",
- "checklist": "Service Bus Review Checklist",
- "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in 
CIDR (Classless Inter-Domain Routing) notation. ",
- "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering",
- "service": "Service Bus",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "WAF checklist",
+ "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "VM",
 "services": [
- "ServiceBus"
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Networking",
- "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Security"
- },
- {
- "category": "BC and DR",
- "checklist": "Device Provisioning Service Review",
- "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
- "service": "IoT Hub DPS",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
- "waf": "Reliability"
+ "text": "Consider using a VMSS to match demand rather than flat sizing",
+ "waf": "Cost"
 },
 {
- "category": "BC and DR",
- "checklist": "Device Provisioning Service Review",
- "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "IoT Hub DPS",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Protect logic apps from region failures with zone redundancy and availability zones",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "WAF checklist",
+ "guid": 
"c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "AKS",
+ "services": [
+ "AKS",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)",
+ "waf": "Cost"
 },
 {
- "category": "BC and DR",
- "checklist": "Device Provisioning Service Review",
- "guid": "8aed4fbf-0830-4883-899d-222a154af478",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "IoT Hub DPS",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "WAF checklist",
+ "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Azure Backup",
+ "services": [
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Move recovery points to vault-archive where applicable (Validate)",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "Cost"
 },
 {
- "category": "BC and DR",
- "checklist": "Device Provisioning Service Review",
- "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "IoT Hub DPS",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "WAF checklist",
+ "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
+ "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
+ "service": "Databricks",
 "services": [
- "AppSvc"
+ "VM",
+ "LoadBalancer",
+ "WAF"
 ],
- 
"severity": "High",
- "subcategory": "High Availability",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.",
+ "waf": "Cost"
 },
 {
- "category": "Application Deployment",
- "checklist": "Device Provisioning Service Review",
- "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "IoT Hub DPS",
- "services": [],
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "WAF checklist",
+ "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
+ "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
+ "service": "Azure Functions",
+ "services": [
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "CI/CD",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
- "waf": "Operations"
+ "text": "Functions - Reuse connections",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
+ "waf": "Cost"
 },
 {
- "category": "BCDR",
- "checklist": "Azure VMware Solution Implementation Checklist",
- "description": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore",
- "guid": "976f32a7-30d1-6caa-c2a0-207fdc26571b",
- "link": "https://learn.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
- "services": [
- "AVS",
- "Backup",
- "Storage"
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "WAF checklist",
+ "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
+ "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "service": "Azure Functions",
+ "services": [
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Backup",
- "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
- "waf": "Reliability"
+ "text": "Functions - Cache data locally",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
+ "waf": "Cost"
 },
 {
- "category": "BCDR",
- "checklist": "Azure VMware Solution Implementation Checklist",
- "description": "Microsoft backup service",
- "guid": "fc8af7a1-c724-e255-c18d-4ca22a6f27f0",
- "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "WAF checklist",
+ "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Azure Functions",
 "services": [
- "AVS",
- "Backup"
+ "Storage",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Business Continuity",
- "text": "Use MABS as your backup solution",
- "waf": "Reliability"
+ "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Cost" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Best practice - this is Backup, not disaster recovery", - "guid": "be28860f-3d29-a79a-1a0e-36f1b23b36ae", - "link": "Best practice to deploy backup in the same region as your AVS deployment", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", "services": [ - "AVS", - "Backup", - "ASR" + "WAF" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", - "waf": "Reliability" + "text": "Functions - Keep your functions warm", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Cost" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Best practice - in case AVS is unavailable", - "guid": "4d2f79a5-4ccf-0dfc-557c-49619b99a540", - "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Preferably deploy MABS outside of the SDDC as native Azure 
IaaS", - "waf": "Reliability" + "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", + "waf": "Cost" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", - "guid": "ff431c40-962c-5182-d536-0c2f0c4ce9e0", - "link": "Will Disaster Recovery Site Recovery, HCX Disaster Recovery, SRM or back tools be used?", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Escalation process with Microsoft in the event of a regional DR", - "waf": "Reliability" + "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", + "waf": "Cost" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Compare SRM with HCX", - "guid": "f379436d-3051-daa0-01fb-dc4e0e04d677", - "link": "https://docs.microsoft.com/azure/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", "services": [ - "AVS", - "ASR" + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution", - "waf": "Reliability" + "text": "Am I billed for 
'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Cost" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Recovery into Azure instead of Vmware solution", - "guid": "367f71d8-3cf6-51a0-91a5-3db3d570cc19", - "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", "services": [ - "AVS", - "ASR" + "EventHubs", + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", - "waf": "Reliability" + "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.", + "waf": "Cost" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Avoid manual tasks as much as possible", - "guid": "ee02ada0-1887-bb3a-b84c-423f45a09ef9", - "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", "services": [ - "AVS", - "ASR" + "AppSvc", + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Automated recovery plans with either of the Disaster solutions,", - "waf": "Reliability" + "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. 
The advantage of this is you will be able to log out when it is called.", + "waf": "Cost" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Any other datacenter in the same region", - "guid": "0c2b74e5-9c28-780d-1df3-12d3de4aaa76", - "link": "https://docs.microsoft.com/azure/azure-vmware/connect-multiple-private-clouds-same-region", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", "services": [ - "AVS", - "ASR" + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Configure a secondary disaster recovery environment", - "waf": "Reliability" + "text": "Consider archiving tiers for less used data", + "waf": "Cost" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", - "guid": "c2a34ec4-2933-4e6c-dc36-e20e67abbe3f", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", "services": [ - "AVS", - "ASR" + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Assign IP ranges unique to each region", - "waf": "Reliability" + "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing", + "waf": "Cost" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "ExpressRoute Global Reach can be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or routing must be done through network virtual appliances?", - "guid": "b44fb6ec-bfc1-3a8e-dba2-ca97f0991d2c", - "link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. If they are in separate regions then use ExpressRoute Global Reach.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", "services": [ - "ExpressRoute", - "AVS", - "ASR", - "NVA" + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Global Reach between DR regions", - "waf": "Reliability" + "text": "Consider using standard SSD rather than Premium or Ultra where possible", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "An ExR Global Reach connection will be established to the ExR circuit, no other connections", - "guid": "a2c12df2-07fa-3edd-2cec-fda0b55fb952", - "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", "services": [ - "VWAN", - "AVS" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Direct (no vWAN, no 
H&S)", - "text": "Global Reach to ExR circuit - no Azure resources", - "waf": "Performance" + "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use ExR to connect on-premises (other) location to Azure", - "guid": "f62ce162-ba5a-429d-674e-fafa1af5f706", - "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", "services": [ - "ExpressRoute", - "AVS" + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Connect to Azure using ExR", - "waf": "Performance" + "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use the migration assesment tool and timeline to determine bandwidth required", - "guid": "cf01c73b-1247-0a7a-740c-e1ea29bda340", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-introduction", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", "services": [ - "ExpressRoute", - "AVS" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Bandwidth sizing", - "waf": "Performance" + "text": "Storage accounts: check hot tier and/or GRS necessary", + "waf": "Cost" }, { 
- "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "What traffic is routed through a firewall, what goes directly into Azure", - "guid": "aab216ee-8941-315e-eada-c7e1f2243bd1", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", "services": [ - "ExpressRoute", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Traffic routing ", - "waf": "Performance" + "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "AVS to ExR circuit, no traffic inspection", - "guid": "1f956e45-f62d-5c95-3a95-3bab718907f8", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", "services": [ - "ExpressRoute", - "AVS" + "EventHubs", + "WAF", + "Cost", + "Monitor" ], "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Global Reach ", - "waf": "Performance" + "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Name of the vNet and a 
unique address space /24 minimum", - "guid": "91f7a87b-21ac-d712-959c-8df2ba034253", - "link": "https://learn.microsoft.com/azure/virtual-network/quick-create-portal", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", "services": [ - "AVS", - "VNet" + "Storage", + "WAF", + "Cost" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "VNet name & address space", - "waf": "Performance" + "text": "Export cost data to a storage account for additional data analysis.", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Subnet must be called GatewaySubnet", - "guid": "58a027e2-f37f-b540-45d5-e44843aba26b", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", "services": [ - "ExpressRoute", - "VNet", - "AVS", - "VPN" + "SQL", + "WAF", + "Cost" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "Gateway subnet", - "waf": "Performance" + "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create a VPN gateway on the hub Gateway subnet", - "guid": "d4806549-0913-3e79-b580-ac2d3706e65a", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": 
"https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", "services": [ - "VPN", - "ExpressRoute", - "AVS", - "VNet" + "WAF" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "VPN Gateway", - "waf": "Performance" + "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create an ExR Gateway in the hub Gateway subnet.", - "guid": "864d7a8b-7016-c769-a717-61af6bfb73d2", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", "services": [ - "ExpressRoute", - "VNet", - "AVS", - "VPN" + "WAF" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "ExR Gateway", - "waf": "Performance" + "text": "Create multiple Apache Spark pool definitions of various sizes.", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "How will Internet traffic be routes, Az Firewall, NVA, Secure Hub, On-Premises firewall?", - "guid": "cc2e11b9-7911-7da1-458c-d7fcef794aad", - "link": "https://learn.microsoft.com/azure/azure-vmware/enable-public-internet-access", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", "services": [ - "AVS", - "NVA" + "WAF", + 
"Cost" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Egress point", - "waf": "Performance" + "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Allow remote connectivity to AVS via the portal, specifically to vCenter, NSX-T and HCX", - "guid": "71e68ce3-982e-5e56-0191-01100ad0e66f", - "link": "https://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", "services": [ - "AVS", - "Bastion" + "VM", + "WAF", + "Cost" ], "severity": "Medium", - "subcategory": "Jumpbox & Bastion", - "text": "Remote connectivity to AVS", - "waf": "Performance" + "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Name the jumpbox and identify the subnet where it will be hosted", - "guid": "6f8e93a2-44b1-bb1d-28a1-4d5b3c2ea857", - "link": "https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", 
"services": [ - "AVS", - "Bastion", - "VNet" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Jumpbox & Bastion", - "text": "Configure a jumbox and Azure Bastion", - "waf": "Performance" + "text": "Right-sizing all VMs", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Provides secure / seamless RDP/SSH connectivity to your vm's directly through the portal.", - "guid": "ba430d58-4541-085c-3641-068c00be9bc5", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", "services": [ - "AVS", "VM", - "Bastion" + "WAF" ], "severity": "Medium", - "subcategory": "Jumpbox & Bastion", - "text": "Security measure allowing RDP access via the portal", - "waf": "Performance" + "text": "Swap VM sized with normalized and most recent sizes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Using a VPN to connect to Azure to enable VMware communications (HCX) (not recommended)", - "guid": "9988598f-2a9f-6b12-9b46-488415ceb325", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-site-to-site-vpn-gateway", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "services": [ - "VPN", - "AVS" + "VM", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "VPN", - "text": "Connect to Azure using a VPN", - "waf": 
"Performance" + "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use the migration assesment tool and timeline to determine bandwidth required (eg 3rd party tool in link)", - "guid": "956ce5e9-a862-fe2b-a50d-a22923569357", - "link": "https://www.omnicalculator.com/other/data-transfer#:~:text=To%20calculate%20the%20data%20transfer%20speed%3A%201%20Download,measured%20time%20to%20find%20the%20data%20transfer%20speed.", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "services": [ - "VPN", - "AVS" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "VPN", - "text": "Bandwidth sizing", - "waf": "Performance" + "text": "Containerizing an application can improve VM density and save money on scaling it", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Cost" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "What traffic is routed through a firewall, what goes directly into Azure", - "guid": "e095116f-0bdc-4b51-4d71-b9e469d56f59", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "WAF checklist", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "services": [ + "WAF" + ], + "severity": "High", + "text": "Select the right Logic App 
hosting plan based on your business & SLO requirements", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "WAF checklist", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", "services": [ - "VPN", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "VPN", - "text": "Traffic routing ", - "waf": "Performance" + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Name and unique address space for the vWAN, name for the vWAN hub", - "guid": "4dc480ac-cecd-39c4-fdc6-680b300716ab", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-site-to-site-portal#openvwan", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "WAF checklist", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", "services": [ - "VWAN", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "vWAN hub", - "text": "vWAN name, hub name and address space", - "waf": "Performance" + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Select either boh or the appropriate connection type.", - "guid": "51d6affd-8e02-6aea-d3d4-0baf618b3076", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-point-to-site-portal", + "arm-service": 
"Microsoft.Devices/provisioningServices", + "checklist": "WAF checklist", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", "services": [ - "VPN", - "VWAN", - "AVS" + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "vWAN hub", - "text": "ExR and/or VPN gateway provisioned", - "waf": "Performance" + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Add Azure firewall to vWAN (recommended)", - "guid": "e32a4c67-3dc0-c134-1c12-52d46dcbab5b", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-expressroute-portal", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "WAF checklist", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "services": [ - "VWAN", - "AVS", - "Firewall" + "WAF" ], "severity": "Medium", - "subcategory": "vWAN hub", - "text": "Secure vWAN", - "waf": "Security" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Active directory or other identity provider servers", - "guid": "fbc47fbf-bc96-fa93-ed5d-8c9be63cd5c3", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "WAF checklist", + "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", 
"services": [ - "Entra", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Access", - "text": "External Identity (user accounts)", - "waf": "Security" + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Not required for LDAPS, required for Kerberos", - "guid": "b5db7975-f6bb-8ba3-ee5f-e3e805887997", - "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "WAF checklist", + "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", "services": [ - "Entra", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Access", - "text": "If using AD domain, ensure Sites & Services has been configured", - "waf": "Security" + "severity": "High", + "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Authentication for users, must be secure.", - "guid": "c30749c4-e2af-558c-2eb9-0b6ae84881d1", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "WAF checklist", + "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Device Update for IoT Hub", "services": [ - "Entra", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Access", - "text": "Use LDAPS not ldap ( vCenter)", - "waf": "Security" + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Authentication for users, must be secure.", - "guid": "64cb9b5c-9edd-787e-1dd8-2b2338e51635", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-external-identity-source-nsx-t", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "WAF checklist", + "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Device Update for IoT Hub", "services": [ - "Entra", - "AVS" + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "Access", - "text": "Use LDAPS not ldap (NSX-T)", - "waf": "Security" + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) 
v3", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "CN or SAN names, no wildcards, contains private key - CER or PFX", - "guid": "bec285ab-037e-d629-81d1-f61dac23cd4c", - "link": "https://youtu.be/4jvfbsrhnEs", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", "services": [ - "Entra", - "AVS" + "EventHubs", + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Security certificate installed on LDAPS servers ", + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Standard Azure Roles Based Access Controls", - "guid": "4ba394a2-3c33-104c-8e34-2dadaba9cc73", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "services": [ - "Entra", - "AVS", - "RBAC" + "EventHubs", + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "RBAC applied to Azure roles", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create roles in vCenter required to meet minimum viable access guidelines", - "guid": "b04ca129-83a9-3494-7512-347dd2d766db", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "services": [ "Entra", - "AVS", - "RBAC" + "TrafficManager", + "EventHubs", + "AzurePolicy", + "RBAC", + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "RBAC model in vCenter", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", - "guid": "8e477d2f-8004-3dd0-93d6-0aece9e1b2fb", - "link": "Best practice", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "services": [ + "VM", "Entra", - "AVS", - "RBAC" + "Storage", + "EventHubs", + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "CloudAdmin role usage", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", - "guid": "00e0b729-f9be-f600-8c32-5ec0e8f2ed63", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "services": [ - "Entra", - "AVS", - "RBAC" + "EventHubs", + "RBAC", + "WAF" ], - "severity": "Medium", - "subcategory": "Security ", - "text": "Is Privileged Identity Management implemented", + "severity": "High", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For the Azure VMware Solution PIM roles", - "guid": "0842d45f-41a8-8274-1155-2f6ed554d315", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": 
"Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "services": [ - "Entra", - "AVS", - "RBAC" + "EventHubs", + "VNet", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Security ", - "text": "Is Privileged Identity Management audit reporting implemented", + "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Best practice, also see Monitoring/Alerts", - "guid": "915cbcd7-0640-eb7c-4162-9f33775de559", - "link": "Best practice", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "services": [ - "Monitor", - "Entra", - "AVS" + "EventHubs", + "PrivateLink", + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "Security ", - "text": "Limit use of CloudAdmin account to emergency access only", + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Operational procedure", - "guid": "7effa0c0-9172-e8e4-726a-67dbea8be40a", - "link": "https://learn.microsoft.com/azure/azure-vmware/rotate-cloudadmin-credentials?tabs=azure-portal", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "services": [ - "Entra", - "AVS" + "EventHubs", + "WAF" ], "severity": "Medium", - "subcategory": "Security ", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", - "guid": "8f426fd0-d73b-d398-1f6f-df0cbe262a82", - "link": "https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "services": [ - "Arc", - "AVS", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "AVS VM Management (Azure Arc)", - "waf": "Operations" + "text": "Leverage FTA Resillency HandBook", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", - "guid": "11dbe773-e380-9191-1418-e886fa7a6fd0", - "link": "https://docs.microsoft.com/azure/governance/policy/overview", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": " This will 
be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "services": [ - "Monitor", - "AVS", - "AzurePolicy" + "EventHubs", + "WAF", + "ACR" ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Azure policy", - "waf": "Operations" + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - "guid": "1e59c639-9b7e-a60b-5e93-3798c1aff5db", - "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json#configure-locks", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Resource locks", - "waf": "Operations" + "text": "Use the Premium or Dedicated SKUs for predicable performance", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For manual deployments, all configuration and deployments must be documented", - "guid": "8f2c46aa-ca1b-cad3-3ac9-213dfc0a265e", - "link": "Make sure to create your own runbook on the deployment of AVS.", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": 
"WAF checklist", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "services": [ - "AVS" + "EventHubs", + "ASR", + "WAF" ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Run books", - "waf": "Operations" + "severity": "High", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "guid": "86b314f9-1f1e-317a-4dfb-cf510ad4a030", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "services": [ - "AKV", - "AVS" + "EventHubs", + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Naming conventions for auth keys", - "waf": "Operations" + "text": "For Business Critical Applications, use Active Active configuration", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "guid": "e22a2d99-eb71-7d7c-07af-6d4cdb1d4443", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "services": [ - "Monitor", - "AVS" + "EventHubs", + "WAF" ], "severity": "Medium", - "subcategory": "Alerts", - "text": "Create warning alerts for critical thresholds ", - "waf": "Operations" + "text": "Design Resilient Event Hubs", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "guid": "6d02f159-627d-79bf-a931-fab6d947eda2", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + "checklist": "WAF checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": 
"https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "services": [ - "Monitor", - "AVS" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "Alerts", - "text": "Create critical alert vSAN consumption", - "waf": "Operations" + "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Provides platform alerts (generated by Microsoft)", - "guid": "1cc97b39-2c7e-246f-6d73-789cfebfe951", - "link": "https://www.virtualworkloads.com/2021/04/azure-vmware-solution-azure-service-health/", + "checklist": "WAF checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "services": [ - "Monitor", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Alerts", - "text": "Configured for Azure Service Health alerts and notifications", - "waf": "Operations" + "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", - "guid": "0962606c-e3b4-62a9-5661-e4ffd62a4509", - "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "checklist": "WAF checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "services": [ - "AzurePolicy", - "VM", - "Monitor", - "AVS", - "Backup" + "WAF" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Backup policy", - "waf": "Operations" + "text": "Custom brand assets should be hosted on a CDN", + "waf": "Performance" }, - { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Keep in mind the lead time for requesting new nodes", - "guid": "4ec7ccfb-795e-897e-4a84-fd31c04eadc6", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + { + "checklist": "WAF checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", "services": [ - "Monitor", - "AVS", - "AzurePolicy" + "WAF" ], - "severity": "Medium", - "subcategory": "Capacity", - "text": "Policy around ESXi host density and efficiency", - "waf": "Operations" + "severity": "Low", + "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Azure Cost Management can be used - one option, put AVS 
in it's own Subscription. ", - "guid": "7f8f175d-13f4-5298-9e61-0bc7e9fcc279", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/govern", + "checklist": "WAF checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "Cost", - "Monitor", - "AVS", - "Subscriptions" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Costs", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - ", - "waf": "Operations" + "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "guid": "01e689e0-7c6c-b58f-37bd-4d6b9b1b9c74", - "link": "https://docs.microsoft.com/azure/azure-portal/azure-portal-dashboards", + "checklist": "WAF checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "Monitor", - "AVS", - "NetworkWatcher" + "WAF" ], "severity": "Medium", - "subcategory": "Dashboard", - "text": "Connection monitor dashboard", - "waf": "Operations" + "text": "Don't replicate! 
Replication can create issues with directory synchronization", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Send to an Azure Storage account or Azure EventHub for processing (direct to Log Analytics is pending)", - "guid": "f9afdcc9-649d-d840-9fb5-a3c0edcc697d", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", + "checklist": "WAF checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "Monitor", - "AVS", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Logs & Metrics", - "text": "Configure Azure VMware Solution logging ", - "waf": "Operations" + "text": "Have active-active for multi-regions", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Must be on-premises, implement if available", - "guid": "7cbac8c3-4eda-d5d9-9bda-c6b5abba9fb6", - "link": "Is vROPS or vRealize Network Insight going to be used? 
", + "checklist": "WAF checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "services": [ - "Monitor", - "AVS" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "Logs & Metrics", - "text": "vRealize Operations", - "waf": "Operations" + "text": "Add Azure AD Domain service stamps to additional regions and locations", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", - "guid": "b243521a-644d-f865-7fb6-21f9019c0dd2", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", + "checklist": "WAF checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "services": [ - "Monitor", - "AVS", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "Logs & Metrics", - "text": "AVS VM logging", - "waf": "Operations" + "text": "Use Replica Sets for DR", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Between on-premises to Azure are monitored using 'connection monitor'", - "guid": "2ca97d91-dd36-7229-b668-01036ccc3cd3", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "WAF checklist", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", "services": [ - "VPN", - "Monitor", - "AVS", - "ExpressRoute", - "NetworkWatcher" + "WAF" ], - "severity": "Medium", - 
"subcategory": "Network", - "text": "Monitor ExpressRoute and/or VPN connections ", - "waf": "Operations" + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To monitor the Azure VMware Solution back-end ExpressRoute connection (Azure native to AVS)", - "guid": "99209143-60fe-19f0-5633-8b5671277ba5", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "WAF checklist", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "services": [ - "ExpressRoute", - "Monitor", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Network", - "text": "Monitor from an Azure native resource to an Azure VMware Solution VM", - "waf": "Operations" + "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To monitor end-to-end, on-premises to AVS workloads", - "guid": "b9e5867c-57d3-036f-fb1b-3f0a71664efe", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "WAF checklist", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", "services": [ - "Monitor", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Network", - "text": "Monitor from an on-premises resource to an Azure VMware Solution VM", - "waf": "Operations" + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Track requests to Azure VMware Solution and Azure VMware Solution based workloads", - "guid": "4af7c5f7-e5e9-bedf-a8cf-314b81735962", - "link": "Firewall logging and alerting rules are configured (Azure Firewall or 3rd party)", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "WAF checklist", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "services": [ - "Monitor", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Auditing and logging is implemented for inbound internet ", - "waf": "Operations" + "severity": "High", + "text": "Learn how to trigger a manual failover.", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution 
Implementation Checklist", - "description": "Implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "guid": "74be60a3-cfac-f057-eda6-3ee087e805d5", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "WAF checklist", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", "services": [ - "Monitor", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Session monitoring ", - "waf": "Operations" + "severity": "High", + "text": "Learn how to fail back after a failover.", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Enable Diagnostic and metric logging on Azure VMware Solution", - "guid": "a434b3b5-f258-0845-cd76-d7df6ef5890e", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Monitor", - "AVS" + "AKV", + "WAF", + "Backup" ], - "severity": "Medium", - "subcategory": "VMWare", - "text": "Logging and diagnostics", - "waf": "Operations" + "severity": "High", + "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "waf": "Reliability" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Monitor AVS workloads (each VM in AVS)", - "guid": "fb00b69a-83ec-ce72-446e-6c23a0cab09a", - 
"link": "https://docs.microsoft.com/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", "services": [ - "Monitor", - "AVS", - "VM" + "AKV", + "WAF", + "ACR" ], "severity": "Medium", - "subcategory": "VMware", - "text": "Log Analytics Agents deployed on Azure VMware Solution guest VM workloads", - "waf": "Operations" + "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision on traffic flow", - "guid": "a1354b87-e18e-bf5c-c50b-8ddf0540e971", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", "services": [ - "AVS" + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "North/South routing through Az Firewall or 3rd party ", - "waf": "Security" + "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", - "guid": "29a8a499-ec31-f336-3266-0895f035e379", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", "services": [ - "AVS" + "AKV", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "East West (Internal to Azure)", - "waf": "Security" + "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Requires a 3rd party NVA with Azure Route server - Scenario 2 (see link)", - "guid": "ebd3cc3c-ac3d-4293-950d-cecd8445a523", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "services": [ - "ARS", - "AVS", - "NVA" + "Storage", + "Backup", + "AKV", + "Subscriptions", + "WAF" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "ExR without Global Reach", - "waf": "Operations" + "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). 
Important when using MoN", - "guid": "ffb5c5ca-bd89-ff1b-8b73-8a54d503d506", - "link": "https://learn.microsoft.com/azure/route-server/route-server-faq", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "services": [ - "ARS", - "AVS" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "Route server ", - "waf": "Operations" + "severity": "High", + "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Via on-premises, Az Firewall, 3rd Party, NSX-T pubic IP", - "guid": "a4070dad-3def-818d-e9f7-be440d10e7de", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-design-public-internet-access", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "services": [ - "AVS" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Egress point(s)", - "waf": "Security" + "severity": "Low", + "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Az Firewall, 3rd party NVA, Application Gateway, Azure Frontdoor ", - "guid": "e942c03d-beaa-3d9f-0526-9b26cd5e9937", - "link": "Research and choose optimal solution for each application", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "services": [ - "AppGW", - "AVS", - "FrontDoor", - "NVA" + "AKV", + "WAF", + "Backup" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Internet facing applications", - "waf": "Security" + "severity": "Low", + "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). 
Important when using MoN", - "guid": "e778a2ec-b4d7-1d27-574c-14476b167d37", - "link": "https://docs.microsoft.com/azure/route-server/route-server-faq#route-server-limits", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "services": [ - "ARS", - "AVS" + "AKV", + "WAF", + "Backup" ], - "severity": "Medium", - "subcategory": "Routing", - "text": "When route server Route limit understood? ", - "waf": "Security" + "severity": "Low", + "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "(VPN Gateway, AppGW, FrontDoor, Load balancer, VMs (etc) (Remove: enabled on ExR/VPN Gateway subnet in Azure)", - "guid": "66c97b30-81b9-139a-cc76-dd1d94aef42a", - "link": "https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "services": [ - "FrontDoor", - "VPN", - "VM", - "ExpressRoute", - "AVS", - "LoadBalancer", - "DDoS", - "AppGW", - "VNet" + "AKV", + "EventHubs", + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "Is DDoS standard protection of public facing IP addresses? ", - "waf": "Security" + "text": "Purge protection is recommended when using keys for encryption to prevent data loss. 
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "guid": "d43da920-4ecc-a4e9-dd45-a2986ce81d32", - "link": "Best practice: Bastion or 3rd party tool", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", + "guid": "d0642c1c-312b-4116-94ab-439e1c836819", + "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", + "service": "Key Vault", "services": [ - "AVS" + "AKV", + "RBAC", + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "Use a dedicated privileged access workstation (PAW)", + "text": "RBAC is recommended to control access to your key vault. 
Familiarize yourself with the Key Vault's access control guidance.", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use NSX-T for inter-vmware-traffic inspection", - "guid": "a2dac74f-5380-6e39-25e6-f13b99ece51f", - "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-F6685367-7AA1-4771-927E-ED77727CFDA3.html", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Traffic Inspection", - "text": "East West (Internal to AVS)", - "waf": "Security" + "severity": "High", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision on whether or not to use Secure hub for E/W and Internet traffic - requires Global Reach", - "guid": "3f621543-dfac-c471-54a6-7b2849b6909a", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", "services": [ - "VWAN", - "AVS", - "Firewall" + "WAF" ], - "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Use Secure Hub (Azure Firewall or 3rd party)", - "waf": "Security" + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure 
VMware Solution Implementation Checklist", - "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", - "guid": "d7af5670-1b39-d95d-6da2-8d660dfbe16b", - "link": "https://learn.microsoft.com/azure/firewall-manager/secure-cloud-network", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", "services": [ - "VWAN", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "East West (Internal to Azure)", - "waf": "Security" + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "guid": "7d049005-eb35-4a93-50a5-3b31a9f61161", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-nsx-network-components-azure-portal", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", "services": [ - "AVS", - "Subscriptions" + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale out operations planning", - "waf": "Performance" + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Other Services/Operations", - "checklist": 
"Azure VMware Solution Implementation Checklist", - "description": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "guid": "7242c1de-da37-27f3-1ddd-565ccccb8ece", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "services": [ - "AVS", - "AzurePolicy", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale in operations planning", - "waf": "Performance" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", - "guid": "3233e49e-62ce-97f3-8737-8230e771b694", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "WAF checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale serialized operations planning", - "waf": "Performance" + "text": "Leverage Flexible Server", + "waf": "Reliability" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", 
- "description": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "guid": "68161d66-5707-319b-e77d-9217da892593", - "link": "Best practice (testing)", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "WAF checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale rd operations planning", - "waf": "Performance" + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Define and enforce scale in/out maximum limits for your environment in the automations", - "guid": "c32cb953-e860-f204-957a-c79d61202669", - "link": "Operational planning - understand workload requirements", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "WAF checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale maximum operations planning", - "waf": "Performance" + "text": "Leverage Data-in replication for cross-region DR scenarios", + "waf": "Reliability" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", - "guid": 
"7bd65a5e-7b5d-652d-dbea-fc6f73a42857", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", "services": [ - "Monitor", - "AVS" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Monitor scaling operations ", - "waf": "Performance" + "text": "Ensure you are using Application Gateway v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Consider the use of Azure Private-Link when using other Azure Native Services", - "guid": "95e374af-8a2a-2672-7ab7-b4a1be43ada7", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", "services": [ - "PrivateLink", - "AVS" + "LoadBalancer", + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Private link", - "waf": "Performance" + "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", + "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure 
VMware Solution Implementation Checklist", - "description": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", - "guid": "71eff90d-5ad7-ac60-6244-2a6f7d3c51f2", - "link": "Best practice", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "WAF checklist", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", "services": [ - "AVS" + "LoadBalancer", + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Provisioning Vmware VLANs", - "waf": "Performance" + "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "In which region will AVS be deployed", - "guid": "04e3a2f9-83b7-968a-1044-2811811a924b", - "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct 
id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", "services": [ - "AVS" + "AppGW", + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Region selected", - "waf": "Reliability" + "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Are there regulatory or compliance policies in play", - "guid": "e52d1615-9cc6-565c-deb6-743ed7e90f4b", - "link": "Internal policy or regulatory compliance", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. 
Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "services": [ - "AVS", - "AzurePolicy" + "AppGW", + "Entra", + "NVA", + "VNet", + "Subscriptions", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Data residency compliant with selected regions", - "waf": "Reliability" + "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Request through the support blade", - "guid": "92bd5ad6-441f-a983-7aa9-05dd669d760b", - "link": "https://learn.microsoft.com/azure/migrate/concepts-azure-vmware-solution-assessment-calculation", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/application-gateway/tutorial-protect-application-gateway-ddos", + "service": "App Gateway", "services": [ - "AVS" + "DDoS", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Request for number of AVS hosts submitted ", - "waf": "Reliability" + "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "PG approval for deployment", - "guid": 
"28370f63-1cb8-2e35-907f-c5516b6954fa", - "link": "Support request through portal or get help from Account Team", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Region and number of AVS nodes approved", + "text": "Configure autoscaling with a minimum amount of instances of two.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Portal/subscription/resource providers/ Microsoft.AVS", - "guid": "96c76997-30a6-bb92-024d-f4f93f5f57fa", - "link": "Done through the subscription/resource providers/ AVS register in the portal", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", "services": [ - "AVS", - "Subscriptions" + "AppGW", + "WAF", + "ACR" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Resource provider for AVS registered", + "text": "Deploy Application Gateway across Availability Zones", + "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Connectivity, subscription & governanace model", - "guid": "5898e3ff-5e6b-bee1-6f85-22fee261ce63", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/enterprise-scale-landing-zone", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", "services": [ - "AVS", - "Subscriptions" + "AppGW", + "AzurePolicy", + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Landing zone architecture", - "waf": "Reliability" + "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "The name of the RG where AVS will exist", - "guid": "d0181fb8-9cb8-bf4b-f5e5-b5f9bf7ae4ea", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal", + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "WAF checklist", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", "services": [ - "AVS" + "TrafficManager", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Resource group name selected", + "severity": "High", + "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Each resource created as part of the deployment will also utilize this prefix in the name", - "guid": "0f0d20c2-5a19-726c-de20-0984e070d9d6", - "link": "Best practice - naming standards", + "checklist": "WAF checklist", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "services": [ - "AVS" + "AVD", + "WAF", + "Entra" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Deployment prefix selected", - "waf": "Reliability" + "severity": "Low", + "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been 
considered as an alternative to Azure Virtual Desktop (AVD)?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "/22 unique non-overlapping IPv4 address space", - "guid": "7fbf2ab7-a36c-5957-c27a-67038557af2a", - "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-network-checklist#routing-and-subnet-considerations", + "checklist": "WAF checklist", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "services": [ - "AVS" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Network space for AVS management layer", - "waf": "Reliability" + "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "vNets used by workloads running in AVS (non-stretched)", - "guid": "0c87f999-e517-21ef-f355-f210ad4134d2", - "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4B3860B8-1883-48CA-B2F3-7C2205D91D6D.html", + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "WAF checklist", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": 
"https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", "services": [ - "AVS", - "VNet" + "LoadBalancer", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Network space for AVS NSX-T segments", + "severity": "High", + "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", "waf": "Reliability" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Choose AV36, AV36P, AV52, AV36T (AV36T = Trial)", - "guid": "946c8966-f902-6f53-4f37-00847e8895c2", - "link": "https://azure.microsoft.com/pricing/details/azure-vmware/", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", "services": [ - "AVS" + "AppGW", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "AVS SKU (region dependent)", - "waf": "Performance" + "severity": "High", + "text": "Enable the Azure Application Gateway WAF bot protection rule set. 
The bot rules detect good and bad bots.", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use the Azure migration assessment tool to determine the minimum number of nodes required (consider BCDR as well)", - "guid": "31833808-26ba-9c31-416f-d54a89a17f5d", - "link": "https://learn.microsoft.com/azure/migrate/how-to-assess", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", "services": [ - "AVS" + "AppGW", + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Number of hosts to be deployed", - "waf": "Performance" + "severity": "High", + "text": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy.", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Understand how and if you should be using reserved instances (cost control)", - "guid": "f2b73c4f-3d46-32c9-5df1-5b8dfcd3947f", - "link": "https://azure.microsoft.com/en-ca/pricing/details/azure-vmware/#:~:text=Azure%20VMware%20Solution%20%20%20%20Instance%20size,TB%20%28all%20NVMe%29%20%20%20N%2FA%20%2Fhour%20", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", "services": [ - "Cost", - "AVS" + "AppGW", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Reserverd Instances", - "waf": "Cost" + "severity": "High", + "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", - "guid": "94ac48ab-ade5-3fa7-f800-263feeb97070", - "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", + "service": "App Gateway", "services": [ - "AVS", - "ASR" + "AppGW", + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Capacity ", - "waf": "Performance" + "severity": "High", + "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Identify which of the networking scenarios make ", - "guid": "1f9d4bd5-14b8-928c-b4cb-eb211f9b8de5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "services": [ - "AVS" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Networking & Connectivity See docs describing scenrario 1 through 5", - "waf": "Reliability" + "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "guid": "070db19b-8a2a-fd6a-c39b-4488d8780da9", - "link": "Please Check Partner Ecosystem", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", "services": [ - "AVS" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "3rd party application compatibility ", - "waf": "Reliability" + "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", + "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", - "guid": "70cfbddc-d3d4-9188-77c8-1cabaefef646", - "link": "General recommendation for storing encryption keys.", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", "services": [ - "AKV", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Encryption", - "text": "Use Azure Key Vault with in-guest encryption ", + "severity": "Low", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", - "guid": "c1a81638-18df-0ce9-a73a-4b9a8a8dd392", - "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#data-at-rest-encryption", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "services": [ - "SQL", - "AVS" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "Encryption", - "text": "Use in-guest encryption", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "guid": "8d0a8f51-8d35-19cd-c2fe-4e3512fb467e", - "link": "https://docs.microsoft.com/azure/key-vault/general/authentication", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "services": [ - "ExpressRoute", - "AKV", - "AVS" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "Encryption", - "text": "Keyvault use for secrets", + "text": "Use the latest Azure Application Gateway WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Older OS security patching configured for workloads running on Azure VMware Solution are eligible for ESU", - "guid": "4f8b20e9-a2a1-f80f-af9b-8aa3b26dca08", - "link": "https://docs.microsoft.com/windows-server/get-started/extended-security-updates-deploy", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "services": [ - "AVS" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "Extended support", - "text": "Ensure extended security update support ", - "waf": "Security" + "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use a SIEM/SOAR", - "guid": "9bb22fec-4d00-3b95-7136-e225d0f5c63a", - "link": "https://learn.microsoft.com/azure/sentinel/overview", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "services": [ + "AppGW", "Sentinel", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Investigation", - "text": "Enable Azure Sentinel or 3rd party SIEM ", - "waf": "Security" + "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - 
"description": "MS Defender For Cloud, for workloads running on Azure VMware Solution", - "guid": "f42b0b09-c591-238a-1580-2de3c485ebd2", - "link": "https://learn.microsoft.com/azure/azure-vmware/azure-security-integration#prerequisites", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "services": [ - "AVS", - "Defender" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "Enable Advanced Threat Detection ", - "waf": "Security" + "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Are the applicable policies enabled (compliance baselines added to MDfC)", - "guid": "bcdd2348-3d0e-c6bb-1092-aa4cd1a66d6b", - "link": "https://docs.microsoft.com/azure/azure-vmware/azure-security-integration", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", "services": [ - "AVS", - "AzurePolicy" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "Policy & Regulatory Compliance", - "waf": "Security" + "text": "Use WAF Policies instead of the legacy WAF configuration.", + "waf": "Operations" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Azure to Azure (E/W), Azure to On-premises), AVS to Internet, AVS to Azure", - "guid": 
"607c1ca9-da92-ae19-5a4c-eb1e876acbe7", - "link": "https://techcommunity.microsoft.com/t5/azure-migration-and/firewall-integration-in-azure-vmware-solution/ba-p/2254961#:~:text=Azure%20VMware%20Solution%20customers%20have%20multiple%20security%20options,the%20box%20to%20provide%20East-West%20and%20North-South%20firewalling.", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "services": [ - "AVS" + "AppGW", + "VPN", + "ExpressRoute", + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "Firewalls", - "text": "Azure / 3rd party firewall", + "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To allow HCX appliance to connect/sync", - "guid": "1d87925c-c02b-7fde-a425-7e95ad846a27", - "link": "https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-2CFE1654-9CC9-4EDB-A625-21317299E559.html", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "graph": "resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Firewalls", - "text": "Firewalls allow for East/West traffic inside AVS", + "severity": "High", + 
"text": "You should encrypt traffic to the backend servers.", "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision on which tool to use (SRM requires additional license - enables automation & other features)", - "guid": "468b3495-2f6e-b65a-38ef-3ba631bcaa46", - "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-B842696B-89EF-4183-9C73-B77157F56055.html", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "HCX and/or SRM", - "waf": "Reliability" + "severity": "High", + "text": "You should use a Web Application Firewall.", + "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Read up on requirements for Service Mesh requirements and how HCX ", - "guid": "be2ced52-da08-d366-cf7c-044c19e29509", - "link": "https://docs.vmware.com/en/VMware-HCX/4.6/hcx-user-guide/GUID-76BCD059-A31A-4041-9105-ACFB56213E7C.html", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Configuring and Managing the HCX Interconnect", - "waf": "Reliability" + "text": "Redirect HTTP to HTTPS", + "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "If you are planning on using stretch networks ensure that your on-premises environment requirements", - "guid": 
"7dcac579-fc5c-5c9c-f1f7-9b1149ff2c37", - "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-DBDB4D1B-60B6-4D16-936B-4AC632606909.html", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Restrictions and limitations for network extensions", - "waf": "Performance" + "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", + "waf": "Operations" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Do workloads require MoN?", - "guid": "cf45c0b9-6c4b-3bfb-86c5-62fe54061c73", - "link": "https://learn.microsoft.com/azure/azure-vmware/vmware-hcx-mon-guidance", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Mobility optimized networking", - "waf": "Performance" + "severity": "High", + "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", + "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Operating system level of Vmware environment", - "guid": "b7cf11f3-b12e-5189-991a-06df5250d2ca", - "link": "https://learn.microsoft.com/azure/site-recovery/vmware-physical-azure-support-matrix", + "arm-service": "microsoft.network/applicationGateways", + 
"checklist": "WAF checklist", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Support matrix (OS versions etc).", + "severity": "Low", + "text": "Create custom error pages to display a personalized user experience", "waf": "Operations" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Required that all switches are dynamic", - "guid": "45fe9252-aa1b-4e30-45c6-bc02f3b76acf", - "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/vsan-network-design-guide/GUID-91E1CD6F-33A6-4AC6-BC22-3E4807296F86.html#:~:text=Migrate%20Management%20Network%201%20Add%20hosts%20to%20the,each%20host.%20...%204%20Finish%20the%20configuration.%20", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Standard switches converted to dynamic switches", - "waf": "Operations" + "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", + "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "See sections on sizing and capacity in the link.", - "guid": "e9f6d736-ee44-e2ac-e7f9-e361f8c857f3", - "link": "https://learn.microsoft.com/azure/azure-vmware/plan-private-cloud-deployment", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": 
"https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "services": [ - "AVS" + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Capacity for HCX appliance", + "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", "waf": "Performance" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Check hardware restrictions to ensure compatibility with AVS/OS ", - "guid": "1be2cdd6-15a7-9a33-aea7-113859035ce9", - "link": "https://kb.vmware.com/s/article/2007240#:~:text=ESXi%2FESX%20hosts%20and%20compatible%20virtual%20machine%20hardware%20versions,%20Not%20Supported%20%204%20more%20rows", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Hardware compatibility", - "waf": "Operations" + "text": "Use transport layer load balancing", + "waf": "Performance" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Need to be converted", - "guid": "16ab821a-27c6-b6d3-6042-10dc4d6dfcb7", - "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-01D3CF47-A84A-4988-8103-A0487D6441AA.html", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", "services": [ - "AVS", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - 
"text": "VSAN RDM disks are converted - not supported.", - "waf": "Operations" + "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", + "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Need to be converted", - "guid": "eb2f9313-afb2-ab35-aa24-6d97a3cb0611", - "link": "3rd-Party tools", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "services": [ - "AVS", - "VM", - "Storage" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "Storage", - "text": "VM with SCSI shared bus are not supported", - "waf": "Operations" + "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", + "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Remove Direct IO before migration", - "guid": "3f2a5cff-c8a6-634a-1f1b-53ef9d321381", - "link": "Contact VMware", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", "services": [ - "AVS", - "VM", - "Storage" + "AppGW", + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "VM with Direct IO require removing DirectPath device", - "waf": "Operations" + "severity": "Low", + "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", + "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Cannot migrate clusters ", - "guid": 
"efc8a311-74f8-0252-c6a0-4bac7610e266", - "link": "Contact VMware", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "WAF checklist", + "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", + "service": "PostgreSQL", "services": [ - "AVS", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Shared VMDK files are not supported", - "waf": "Operations" + "text": "Leverage Flexible Server", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Convert to a different format", - "guid": "ab6c89cd-a26f-b894-fe59-61863975458e", - "link": "Contact VMware", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "WAF checklist", + "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", + "service": "PostgreSQL", "services": [ - "AVS", - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "RDM with 'physical compatibility mode' are not supported.", - "waf": "Operations" + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning 'RAID-1 FTT-1' is default with Thin Provisioning", - "guid": "7628d446-6b10-9678-9cec-f407d990de43", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "WAF checklist", + "guid": "31b67c67-be59-4519-8083-845d587cb391", + "link": 
"https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", + "service": "PostgreSQL", "services": [ - "AVS", - "AzurePolicy", - "VM", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Default storage policy", - "waf": "Operations" + "text": "Leverage cross-region read replicas for BCDR", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "The default storage policy is set to RAID-1 (Mirroring) FTT-1, with Object Space Reservation set to Thin provisioning.", - "guid": "37fef358-7ab9-43a9-542c-22673955200e", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-storage-policy", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", + "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", + "service": "Purview", "services": [ - "AVS", - "AzurePolicy", - "VM", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Ensure that the appropriate VM template storage policy is used", - "waf": "Operations" + "text": "Leverage FTA Resillency Handbook", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", - "guid": "ebebd109-9f9d-d85e-1b2f-d302012843b7", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "AVS", - "AzurePolicy", - "Storage" + "WAF" ], - 
"severity": "Medium", - "subcategory": "Storage", - "text": "Failure to tolerate policy", - "waf": "Operations" + "severity": "High", + "text": "Plan for Data Center level outage", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "ANF can be used to extend storage for Azure VMware Solution,", - "guid": "1be821bd-4f37-216a-3e3d-2a5ac6996863", - "link": "https://learn.microsoft.com/azure/azure-vmware/netapp-files-with-azure-vmware-solution", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets", + "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "AVS", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Use ANF for external storage", - "waf": "Operations" + "text": "Practice Failover for BCDR", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "97b15b8a-219a-44ab-bb57-879024d22678", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "Storage" + "WAF", + "Backup" ], - "severity": "Medium", - "subcategory": " Overview", - "text": "Consider the 'Azure security baseline for storage'", - "waf": "Security" + 
"severity": "High", + "text": "Plan a backup strategy and take regular backups", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", + "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", + "service": "Purview", "services": [ - "PrivateLink", - "Storage" + "EventHubs", + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "Consider using private endpoints for Azure Storage", - "waf": "Security" + "severity": "Low", + "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", + "link": "https://learn.microsoft.com/purview/deployment-best-practices", + "service": "Purview", "services": [ - "Storage", - "Subscriptions", - "RBAC" + "WAF" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Ensure older storage accounts are not using 'classic deployment model'", - "waf": "Security" + "text": "Follow Purview accounts architectures and deployment best practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", + "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", + "service": "Purview", "services": [ - "Storage", - "Defender" + "WAF" ], - "severity": 
"High", - "subcategory": "Governance", - "text": "Enable Microsoft Defender for all of your storage accounts", - "waf": "Security" + "severity": "Medium", + "text": "Follow Collection Architectures and best practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", + "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", + "service": "Purview", "services": [ - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Data Availability", - "text": "Enable 'soft delete' for blobs", - "waf": "Security" + "text": "Follow Assest lifecycle best practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", + "service": "Purview", "services": [ - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Confidentiality", - "text": "Disable 'soft delete' for blobs", - "waf": "Security" + "text": "Follow automation best practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "Storage" + "WAF", + "Backup" ], - "severity": "High", - "subcategory": "Data Availability", - "text": "Enable 'soft delete' for containers", - "waf": "Security" + "severity": "Medium", + "text": "Follow Backup and Migration Best practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", + "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", + "service": "Purview", "services": [ - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Confidentiality", - "text": "Disable 'soft delete' for containers", - "waf": "Security" + "text": "Follow Purview Glossary Best Practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", + "link": "https://learn.microsoft.com/purview/concept-workflow", + "service": "Purview", "services": [ - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Data Availability", - "text": "Enable resource locks on storage accounts", - "waf": "Security" + "severity": "Low", + "text": "Leverage Workflows ", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security", + "service": "Purview", "services": [ - "Subscriptions", - "Storage", - "AzurePolicy" + "WAF" ], - "severity": "High", - "subcategory": "Data Availability, Compliance", - "text": "Consider immutable blobs", - "waf": "Security" + "severity": "Medium", + "text": "Follow Purview Security Best Practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", + "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", + "service": "Purview", "services": [ - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", - "waf": "Security" + "severity": "Medium", + "text": "Follow Purview Data Lineage Best Practices", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", + "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", + "service": "Purview", "services": [ - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", - "waf": "Security" + "severity": "Medium", + "text": "Follow Best Practices for Scanning Registered Sources", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", + "service": "Purview", "services": [ - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", - "waf": "Security" + 
"text": "Follow Classification Best Practices in Governance Portal", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": ". Enforcing the latest TLS version will reject request from clients using the older version. ", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", - "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", - "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", + "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", + "service": "Purview", "services": [ - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "Enforce the latest TLS version for a storage account", - "waf": "Security" + "severity": "Medium", + "text": "Perform Sensitivity Labelling in the Purview Data Map", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", + "link": "https://learn.microsoft.com/purview/concept-data-share", + "service": "Purview", "services": [ - "Entra", - "Storage" + "Storage", + "WAF" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Use Microsoft Entra ID tokens 
for blob access", - "waf": "Security" + "severity": "Low", + "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", "services": [ - "Entra", - "Storage", - "RBAC" + "WAF" ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Least privilege in IaM permissions", - "waf": "Security" + "severity": "Low", + "text": "Leverage Data Estate Insights", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", + "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", + "service": "Purview", "services": [ - "Entra", - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", - "waf": "Security" + "severity": "Low", + "text": "Use Data stewardship and Catalog adoption", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. 
", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", "services": [ - "Monitor", - "AKV", - "Storage", - "Entra" + "WAF" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.", - "waf": "Security" + "severity": "Low", + "text": "Use Inventory and Ownership", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", + "link": "https://learn.microsoft.com/purview/glossary-insights", + "service": "Purview", "services": [ - "AKV", - "Monitor", - "Storage", - "AzurePolicy" + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Consider using Azure Monitor to audit control plane operations on the storage account", - "waf": "Security" + "severity": "Low", + "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "b130a888-9579-4e76-a896-e710a7da7be9", + "link": "https://learn.microsoft.com/purview/compliance-manager", + "service": "Purview", "services": [ - "Entra", - "AKV", - "Storage", - "AzurePolicy" + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "When using storage account keys, consider enabling a 'key expiration policy'", - "waf": "Security" + "text": "Generate assessment scores", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", + "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", + "service": "Purview", "services": [ - "Entra", - "Storage", - "AzurePolicy" + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Consider configuring an SAS expiration policy", - "waf": "Security" + "text": "Profiling- get summaries of data content", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", + "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", + "service": "Purview", "services": [ - "AKV", - "Entra", - "Storage", - "AzurePolicy" + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Consider linking SAS to a stored access policy", - "waf": "Security" + "severity": "Low", + "text": "Follow Microsoft Purview Data Owner access policies", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", + "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", + "service": "Purview", "services": [ - "AKV", - "Storage" + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "CI/CD", - "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", - "waf": "Security" + "severity": "Low", + "text": "Follow Self-service access policies", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", + "link": "https://learn.microsoft.com/purview/concept-policies-devops", + "service": "Purview", "services": [ - "Entra", - "Storage" + "AzurePolicy", + "WAF" + ], + "severity": "Low", + "text": "Follow DevOps policies", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.cache/redis", + "checklist": "WAF checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", + "services": [ + "WAF", + "ACR" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", - "waf": "Security" + "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "microsoft.cache/redis", + "checklist": "WAF checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "services": [ - "Entra", "Storage", - "AzurePolicy" + "WAF" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Strive for short validity periods for ad-hoc SAS", - "waf": "Security" + "severity": "Medium", + "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "microsoft.cache/redis", + "checklist": "WAF checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "services": [ - "Entra", - "Storage" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Apply a narrow scope to a SAS", - "waf": "Security" + "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "arm-service": "microsoft.cache/redis", + "checklist": "WAF checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", "services": [ - "Entra", - "Storage" + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Consider scoping SAS to a specific client IP address, wherever possible", - "waf": "Security" + "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. 
Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachineScaleSets", + "checklist": "WAF checklist", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", "services": [ - "Entra", - "Storage" + "VM", + "WAF" ], "severity": "Low", - "subcategory": "Identity and Access Management", - "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", - "waf": "Security" + "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", + "service": "VM", "services": [ - "Entra", - "Storage", - "RBAC" + "VM", + "WAF", + "Backup" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", - "waf": "Security" + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", "services": [ - "Entra", - "Storage" + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "SFTP: The 
SFTP endpoint does not support POSIX-like ACLs.", - "waf": "Security" + "severity": "High", + "text": "Use Premium or Ultra disks for production VMs", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", + "guid": "b31e38c3-f298-412b-8363-cffe179b599d", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", + "service": "VM", "services": [ - "Storage", - "AzurePolicy" + "VM", + "WAF" ], "severity": "High", - "subcategory": "Networking", - "text": "Avoid overly broad CORS policies", - "waf": "Security" + "text": "Ensure Managed Disks are used for all VMs", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. 
thus not relying on Azure Storage at all for confidentiality guarantees.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", + "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", + "service": "VM", "services": [ - "Storage" + "VM", + "Storage", + "SQL", + "WAF" ], - "severity": "High", - "subcategory": "Confidentiality and Encryption", - "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", - "waf": "Security" + "severity": "Medium", + "text": "Do not use the Temp disk for anything that is not acceptable to be lost", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", + "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "services": [ - "Storage" + "Storage", + "VM", + "WAF", + "ACR" ], "severity": 
"Medium", - "subcategory": "Confidentiality and Encryption", - "text": "Determine which/if platform encryption should be used.", - "waf": "Security" + "text": "Leverage Availability Zones for your VMs in regions where they are supported", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", + "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "VM", "services": [ - "Storage" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Confidentiality and Encryption", - "text": "Determine which/if client-side encryption should be used.", - "waf": "Security" + "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. 
Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", + "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", "services": [ - "Entra", - "Storage" + "VM", + "ASR", + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. 
", - "waf": "Security" + "text": "Avoid running a production workload on a single VM", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Storage Review Checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", + "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "services": [ - "Storage" + "VM", + "ASR", + "AVS", + "WAF" ], "severity": "High", - "subcategory": "Platform Version", - "text": "Leverage a storagev2 account type for better performance and reliability", + "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Storage Review Checklist", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", + "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", + "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", + "service": "VM", 
"services": [ - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Availablity", - "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", + "severity": "Low", + "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", + "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", + "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", + "service": "VM", "services": [ - "Storage" + "VM", + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Failover", - "text": "For write operation after failover, use customer-Managed Failover ", + "text": "Increase quotas in DR region before testing failover with ASR", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", + "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", + "service": "VM", "services": [ - "Storage" + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Failover", - "text": "Understand Microsoft-Managed Failover details", + "severity": "Low", + "text": "Utilize Scheduled Events to prepare for VM maintenance", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Storage Review Checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", + "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", "service": "Azure Storage", "services": [ - "Storage" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enable Soft Delete", + "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", - "services": [], - "severity": "Medium", - "subcategory": "High Availablity", - "text": "Follow reliability support recommendations in Azure Bot Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", + "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", + "services": [ + "Storage", + "WAF" + ], + "severity": "Low", + "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "services": [], - "severity": "Medium", - "subcategory": "High Availablity", - "text": "Deploying bots with local data residency and 
regional compliance", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", + "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "services": [ + "Storage", + "WAF" + ], + "severity": "Low", + "text": "Enable soft delete for Storage Account Containers", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", - "services": [], - "severity": "Medium", - "subcategory": "High Availablity", - "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. 
For the global bot service, all available regions/geographies can be served as the global footprint.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", + "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", + "services": [ + "Storage", + "WAF" + ], + "severity": "Low", + "text": "Enable soft delete for blobs", "waf": "Reliability" }, { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "41177955-fe8f-430b-ae72-20dc5b6880da", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", + "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", + "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "service": "Azure Backup", "services": [ - "Entra" + "WAF", + "Backup" ], - "severity": "High", - "subcategory": "Business", - "text": "Understand what kind of solution you're creating, such as business-to-business (B2B), business-to-consumer (B2C), or your enterprise software, and how tenants are different from users.", - "waf": "Operations" - }, - { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "services": [], - "severity": "High", - "subcategory": 
"Business", - "text": "Define your tenants. Understand how many tenants you will support initially, and your growth plans.", - "waf": "Operations" + "severity": "Medium", + "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", + "waf": "Reliability" }, { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models", - "services": [], - "severity": "High", - "subcategory": "Business", - "text": "Define your pricing model and ensure it aligns with your tenants' consumption of Azure resources.", - "waf": "Cost" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", + "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", + "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", + "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", + "service": "Azure Backup", + "services": [ + "WAF", + "Backup" + ], + "severity": "Low", + "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "waf": "Reliability" }, { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "331e84a6-2d65-4359-92ff-a1870b062995", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models", - "services": [], - "severity": "Medium", - "subcategory": "Business", - "text": "Understand whether you need to separate your tenants into different tiers. 
Tiers might have different pricing, features, performance promises, geographic locations, and so forth.", - "waf": "Operations" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", + "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", + "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", + "service": "Azure Backup", + "services": [ + "Storage", + "WAF", + "Backup" + ], + "severity": "Low", + "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "waf": "Reliability" }, { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "services": [], - "severity": "Medium", - "subcategory": "Business", - "text": "Based on your customers' requirements, decide on the tenancy models that are appropriate for various parts of your solution.", - "waf": "Operations" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "WAF checklist", + "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", + "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", + "service": "DNS", + "services": [ + "DNS", + "ASR", + "WAF", + "ACR" + ], + "severity": "Low", + "text": "Implement DNS Failover using Azure DNS Private Resolvers", + "waf": "Reliability" }, { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "f5d76ae1-7048-4ff5-abba-f1ca799578b9", - "link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer", + "arm-service": "Microsoft.PowerBI/gateways", + "checklist": "WAF checklist", + "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", + "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", + "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", + "service": "Data Gateways", "services": [ - "Entra" + "WAF", + "ACR" ], "severity": "Medium", - "subcategory": "Business", - "text": "When you're ready, sell your B2B multitenant solution using the Microsoft Commercial Marketplace.", - "waf": "Operations" - }, - { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist", - "services": [], - "severity": "High", - "subcategory": "Reliability", - "text": "Review the Azure Well-Architected Reliability checklist, which is applicable to all workloads.", + "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", "waf": "Reliability" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75", - "link": 
"https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor", - "services": [], + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", + "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", + "services": [ + "NVA", + "WAF" + ], "severity": "High", - "subcategory": "Reliability", - "text": "Understand the Noisy Neighbor antipattern. Prevent individual tenants from impacting the system's availability for other tenants.", + "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", "waf": "Reliability" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview", - "services": [], + "checklist": "WAF checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], "severity": "Medium", - "subcategory": "Reliability", - "text": "Design your multitenant solution for the level of growth that you expect. But don't overengineer for unrealistic growth.", - "waf": "Reliability" + "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. 
ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operations" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics", - "services": [], + "checklist": "WAF checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], "severity": "Medium", - "subcategory": "Reliability", - "text": "Define service-level objectives (SLOs) and optionally service-level agreements (SLAs) for your solution. SLAs and SLOs should be based on the requirements of your tenants, as well as the composite SLA of the Azure resources in your architecture.", - "waf": "Reliability" + "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operations" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", - "services": [], - "severity": "High", - "subcategory": "Reliability", - "text": "Test the scale of your solution. 
Ensure that it performs well under all levels of load, and that it scales correctly as the number of tenants increases.", + "checklist": "WAF checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], + "severity": "Medium", + "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", "waf": "Reliability" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "2ff55551-984b-4606-95eb-bfb9c8b36761", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", - "services": [], + "checklist": "WAF checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", + "services": [ + "WAF", + "Backup" + ], "severity": "Medium", - "subcategory": "Reliability", - "text": "Apply chaos engineering principles to test the reliability of your solution.", + "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", "waf": "Reliability" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c", - "link": "https://learn.microsoft.com/security/zero-trust", - "services": [], - "severity": "High", - "subcategory": "Security", - "text": "Apply the Zero Trust and least privilege principles in all layers of your solution.", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "92160e00-6894-4102-97e0-615d4ed93c01", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests", + "checklist": "WAF checklist", 
+ "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "services": [ - "Entra" + "SQL", + "Storage", + "ASR", + "Backup", + "WAF", + "SAP" ], "severity": "High", - "subcategory": "Security", - "text": "Ensure that you can correctly map user requests to tenants. Consider including the tenant context as part of the identity system, or by using another means, like application-level tenant authorization.", - "waf": "Security" + "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "3c1538b4-5676-4b85-b451-432befb37b4f", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "services": [], + "checklist": "WAF checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], "severity": "Medium", - "subcategory": "Security", - "text": "Perform ongoing penetration testing and security code reviews.", - "waf": "Security" + "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance", - "services": [], + "checklist": "WAF checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", + "services": [ + "VPN", + "ExpressRoute", + "ASR", + "WAF" + ], "severity": "High", - "subcategory": "Security", - "text": "Understand your tenants' compliance requirements, including data residency and any compliance or regulatory standards that they require you to meet.", - "waf": "Security" + "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names", + "checklist": "WAF checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "services": [ - "DNS" + "AKV", + "WAF", + "ACR" ], - "severity": "High", - "subcategory": "Security", - "text": "Correctly manage domain names and avoid vulnerabilities like dangling DNS and subdomain takeover attacks.", - "waf": "Security" + "severity": "Low", + "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "72ded36d-c633-4e0d-bd41-799a29da3481", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview", - "services": [], + "checklist": "WAF checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", + "services": [ + "ASR", + "WAF", + "SAP", + "VNet" + ], "severity": "Medium", - "subcategory": "Security", - "text": "Follow service-specific guidance for multitenancy.", - "waf": "Security" + "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", + "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "Multitenant architecture", - "guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8", - "link": "https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist", + "checklist": "WAF checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", "services": [ - "Cost" + "Storage", + "WAF", + "SAP" ], - "severity": "Medium", - "subcategory": "Cost Optimization", - "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", - "waf": "Cost" + "severity": "Low", + "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "Multitenant architecture", - "guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption", + "checklist": "WAF checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "services": [ - "Cost" + "WAF" ], "severity": "High", - "subcategory": "Cost Optimization", - "text": "Ensure you can adequately measure per-tenant consumption and correlate it with your infrastructure costs.", - "waf": "Cost" + "text": "Native database replication technology should be used to synchronize the database in a HA 
pair.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "Multitenant architecture", - "guid": "c851fd44-7cf1-459c-95a4-f6455d75a981", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", "services": [ - "Cost", - "Monitor" + "VNet", + "WAF" ], - "severity": "Medium", - "subcategory": "Cost Optimization", - "text": "Avoid antipatterns. 
Antipatterns include failing to track costs, tracking costs with unnecessary precision, real-time measurement, and using monitoring tools for billing.", - "waf": "Cost" + "severity": "High", + "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "0d475a5a-2c0f-47ab-b1e1-701da68d3407", - "link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops", - "services": [], + "checklist": "WAF checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "services": [ + "VM", + "ASR", + "WAF", + "Entra" + ], "severity": "High", - "subcategory": "Operational Excellence", - "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", - "waf": "Operations" + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle", - "services": [], - "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Use automation to manage the tenant lifecycle, such as onboarding, deployment, provisioning, and configuration.", - "waf": "Operations" + "checklist": "WAF checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], + "severity": "High", + "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "e0bfceed-4f4e-492d-b9f5-898815faa363", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates", - "services": [], - "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Find the right balance for deploying service updates. 
Consider both your tenants' requirements and your own operational requirements.", - "waf": "Operations" + "checklist": "WAF checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], + "severity": "High", + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "a3f80518-d428-4c02-b2cc-dfaef47db7e2", + "checklist": "WAF checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "services": [ - "Monitor" + "VM", + "Storage", + "WAF" ], "severity": "High", - "subcategory": "Operational Excellence", - "text": "Monitor the health of the overall system, as well as each tenant.", - "waf": "Operations" + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "dfb42da5-f871-4953-9e5c-da6fda3f1411", + "checklist": "WAF checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", "services": [ - "Monitor" + "Storage", + "WAF", + "SAP" ], - "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Configure and test alerts to notify you when specific tenants are experiencing issues or are exceeding their consumption limits.", - "waf": "Operations" + "severity": "High", + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", - "services": [], + "checklist": "WAF checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], "severity": "High", - "subcategory": "Operational Excellence", - "text": "Organize your Azure resources for isolation and scale.", - "waf": "Operations" + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration", - "services": [], - "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Avoid deployment and configuration antipatterns. 
Antipatterns include running separate versions of the solution for each tenant, hardcoding tenant-specific configurations or logic, and manual deployments.", - "waf": "Operations" + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "services": 
[ + "LoadBalancer", + "WAF", + "SAP" + ], + "severity": "High", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd", - "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency", - "services": [], + "checklist": "WAF checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", + "services": [ + "LoadBalancer", + "WAF" + ], "severity": "High", - "subcategory": "Performance Efficiency", - "text": "Review the Azure Well-Architected Performance Efficiency checklist, which is applicable to all workloads.", - "waf": "Performance" + "text": "Make sure the Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "18911c4c-934c-49a8-839a-60c092afce30", - "link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor", - "services": [], + "checklist": "WAF checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + 
"service": "SAP", + "services": [ + "WAF" + ], "severity": "High", - "subcategory": "Performance Efficiency", - "text": "If you use shared infrastructure, plan for how you'll mitigate Noisy Neighbor concerns. Ensure that one tenant can't reduce the performance of the system for other tenants.", - "waf": "Performance" + "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", + "checklist": "WAF checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", "services": [ - "Storage" + "VM", + "WAF", + "SAP", + "Entra" ], - "severity": "Medium", - "subcategory": "Performance Efficiency", - "text": "Determine how you'll scale your compute, storage, networking, and other Azure resources to match the demands of your tenants.", - "waf": "Performance" + "severity": "High", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", + "waf": "Reliability" }, { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", - "services": [], + 
"checklist": "WAF checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "services": [ + "RBAC", + "VM", + "WAF", + "Entra" + ], "severity": "High", - "subcategory": "Performance Efficiency", - "text": "Consider each Azure resource's scale limits. Organize your resources appropriately, in order to avoid resource organization antipatterns. For example, don't over-architect your solution to work within unrealistic scale requirements.", - "waf": "Performance" + "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "category": "Application Deployment", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "services": [], + "checklist": "WAF checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "DevOps", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions", + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "checklist": "WAF checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "services": [ - "TrafficManager", - "FrontDoor", - "ASR" + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "severity": "High", + "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "checklist": "WAF checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ - "ACR" + "WAF", + "SAP", + "Entra" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.", + "severity": "High", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", - "services": [], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Use more than 1 app instance for your apps", + "checklist": "WAF checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "services": [ + "WAF", + "SAP", + "ACR" + ], + "severity": "High", + "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "checklist": "WAF checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ - "Monitor" + "WAF", + "SAP", + "Entra" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.", + "severity": "High", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "services": [], + "checklist": "WAF checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", + "services": [ + "VM", + "WAF", + "Entra" + ], "severity": "Medium", - "subcategory": "Scalability", - "text": "Set up autoscaling in Spring Cloud Gateway", + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. 
However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "services": [], - "severity": "Low", - "subcategory": "Scalability", - "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "checklist": "WAF checklist", + "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "services": [ + "VM", + "Storage", + "WAF" + ], + "severity": "Medium", + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. These VMs should be the same size and have the same storage configuration.", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "services": [], + "checklist": "WAF checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], "severity": "Medium", - "subcategory": "Support", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.", + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Device Update Review", - "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "services": [], + "checklist": "WAF checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "services": [ + "Storage", + "WAF" + ], "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", + "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Device Update Review", - "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "services": [], + "checklist": "WAF checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", + "services": [ + "Storage", + "WAF", + "SAP" + ], "severity": "High", - "subcategory": "High Availability", - "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Device Update Review", - "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Device Update for IoT Hub", - "services": [], + "checklist": "WAF checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "services": [ + "Storage", + "ASR", + "WAF", + "SAP" + ], "severity": "High", - "subcategory": "High Availability", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Device Update Review", - "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Device Update for IoT Hub", + "checklist": "WAF checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "AppSvc" + "Storage", + "WAF", + "SAP" ], "severity": "High", - "subcategory": "High Availability", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "7bc1c396-2461-4698-b57f-30ca69525252", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", - "service": "VNet", + "checklist": "WAF checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "services": [ - "ASR" + "SAP", + "WAF", + "Cost" ], "severity": "Medium", - "subcategory": "Hub and spoke", - "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Reliability" + "text": "Automate SAP System Start-Stop to manage costs.", + "waf": "Cost" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ - "Entra" + "VM", + "Cost", + "Storage", + "WAF", + "SAP" ], - "severity": "Medium", - "subcategory": "Microsoft Entra ID Tenants", - "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", - 
"training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", - "waf": "Operations" + "severity": "Low", + "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", + "waf": "Cost" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ - "Entra" + "VM", + "Cost", + "Storage", + "WAF", + "SAP" ], "severity": "Low", - "subcategory": "Microsoft Entra ID Tenants", - "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.", - "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", - "waf": "Operations" + "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", + "waf": "Cost" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "checklist": "WAF checklist", + "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", "services": [ - "Entra" + "RBAC", + "Subscriptions", + "WAF" ], "severity": "High", - "subcategory": "Microsoft Entra ID Tenants", - "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", - "waf": "Operations" + "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": 
"https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "services": [ + "WAF", + "SAP", "Entra" ], - "severity": "High", - "subcategory": "Cloud Solution Provider", - "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.", - "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", - "waf": "Cost" + "severity": "Medium", + "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "a24d0de3-d4b9-4dfb-8ddd-bbfaf123fa01", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-cloud-solution-provider#design-recommendations", + "checklist": "WAF checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "services": [ + "WAF", + "SAP", "Entra" ], - "severity": "Low", - "subcategory": "Cloud Solution Provider", - "text": "If you have a CSP partner, define and document your support request and escalation process.", - "waf": "Cost" + "severity": "Medium", + "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", + "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "32952499-58c8-4e6f-ada5-972e67893d55", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "checklist": "WAF checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ - "Cost", - "Entra" + "WAF", + "SAP" ], "severity": "Medium", - "subcategory": "Cloud Solution Provider", - "text": "Setup Cost Reporting and Views with Azure Cost Management.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/", - "waf": "Cost" + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "685cb4f2-ac9c-4b19-9167-993ed0b32415", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "checklist": "WAF checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "services": [ - "LoadBalancer", - "Entra" + "WAF", + "SAP" ], "severity": "Medium", - "subcategory": "Enterprise Agreement", - "text": "Configure Notification Contacts to a group mailbox.", - "waf": "Cost" + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "12cd499f-96e2-4e41-a243-231fb3245a1c", - 
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "checklist": "WAF checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ - "TrafficManager", - "Entra" + "WAF", + "SAP" ], - "severity": "Low", - "subcategory": "Enterprise Agreement", - "text": "Use departments and accounts to map your organization's structure to your enrollment hierarchy which can help with separating billing.", - "training": "https://learn.microsoft.com/azure/cost-management-billing/manage/understand-ea-roles", - "waf": "Cost" + "severity": "Medium", + "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "ca0fe401-12ad-46fc-8a7e-86293866a9f6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-recommendations", + "checklist": "WAF checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "services": [ - "Cost", + "AKV", + "WAF", + "SAP" + ], + "severity": "Medium", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "Security" + }, + { + "checklist": "WAF checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", + "services": [ + "AKV", + "WAF", + "SAP" + ], + "severity": "Medium", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "waf": "Security" + }, + { + "checklist": "WAF checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], + "severity": "Medium", + "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", + "waf": "Security" + }, + { + "checklist": "WAF checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], + "severity": "Medium", + "text": "Implement SSO to SAP HANA", + "waf": "Security" + }, + { + "checklist": "WAF checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", + "services": [ + "WAF", + "SAP", "Entra" ], "severity": "Medium", 
- "subcategory": "Enterprise Agreement", - "text": "Enable both DA View Charges and AO View Charges on your EA Enrollments to allow users with the correct perms review Cost and Billing Data.", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/assign-access-acm-data#enable-access-to-costs-in-the-azure-portal", + "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.", "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "5cf9f485-2784-49b3-9824-75d9b8bdb57b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "checklist": "WAF checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "services": [ - "Cost", - "Entra", - "Subscriptions" + "WAF", + "SAP" ], - "severity": "Low", - "subcategory": "Enterprise Agreement", - "text": "Use of Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads.", - "training": "https://learn.microsoft.com/azure/devtest/offer/how-to-manage-monitor-devtest", - "waf": "Cost" + "severity": "Medium", + "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", + "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "6ad5c3dd-e5ea-4ff1-81a4-7886ff87845c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "checklist": "WAF checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", "services": [ + "WAF", + "SAP", "Entra" ], - "severity": "Low", - "subcategory": "Microsoft Customer Agreement", - "text": "Configure Agreement billing account notification contact email.", - "training": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-setup-account", - "waf": "Cost" + "severity": "Medium", + "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", + "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "90e87802-602f-4dfb-acea-67c60689f1d7", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice", + "checklist": "WAF checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "services": [ - "Cost", - "Entra", - "Storage" + "WAF", + "SAP" ], - "severity": "Low", - "subcategory": "Microsoft Customer Agreement", - "text": "Use Billing Profiles and Invoice sections to structure your agreements billing for effective cost management.", - "training": "https://learn.microsoft.com/azure/cost-management-billing/understand/mca-overview#billing-profiles", - "waf": "Cost" + "severity": "Medium", + "text": "Implement SSO to SAP BTP", + "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "e81a73f0-84c4-4641-b406-14db3b4d1f50", - 
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "checklist": "WAF checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", "services": [ - "Cost", + "WAF", + "SAP", "Entra" ], - "severity": "Low", - "subcategory": "Microsoft Customer Agreement", - "text": "Make use of Microsoft Azure plan for dev/test offer to reduce costs for non-production workloads.", - "training": "https://learn.microsoft.com/azure/devtest/offer/overview-what-is-devtest-offer-visual-studio", - "waf": "Cost" + "severity": "Medium", + "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.", + "waf": "Security" }, { - "category": "Azure Billing and Microsoft Entra ID Tenants", - "checklist": "Azure Landing Zone Review", - "guid": "ae757485-92a4-482a-8bc9-eefe6f5b5ec3", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "checklist": "WAF checklist", + "description": "Keep your management group hierarchy reasonably flat, no more than four.", + "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "services": [ - "Entra", - "RBAC" + "AzurePolicy", + "Subscriptions", + "WAF", + "SAP" ], "severity": "Medium", - "subcategory": "Microsoft Customer Agreement", - "text": "Define and document a process to periodically audit the agreement billing RBAC role assignments to review who has access to your MCA billing account.", - "training": "https://learn.microsoft.com/azure/cost-management-billing/manage/understand-mca-roles", - "waf": "Cost" + "text": "enforce existing Management Group policies to SAP Subscriptions", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", + "checklist": "WAF checklist", + "graph": "Resources | summarize 
count()", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "ACR", - "Entra", - "RBAC", - "Subscriptions" + "Subscriptions", + "WAF", + "SAP" ], "severity": "High", - "subcategory": "Identity", - "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "4348bf81-7573-4512-8f46-9061cc198fea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator", + "checklist": "WAF checklist", + "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "services": [ + "Subscriptions", + "WAF" + ], + "severity": "High", + "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "Operations" + }, + { + "checklist": "WAF checklist", + "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", "services": [ - "Entra" + "VM", + "Subscriptions", + "WAF" ], "severity": "High", - "subcategory": "Microsoft Entra ID and Hybrid Identity", - "text": "Use managed identities instead of service principals for authentication to Azure services. You can check for existing service principals via Entra ID > Sign in Logs > Service principal logins.", - "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", - "waf": "Security" + "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", "services": [ - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "severity": "Low", + "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", "services": [ - "Entra" + "VM", + "Subscriptions", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Only use groups to assign permissions. 
Add on-premises groups to the Entra ID only group if a group management system is already in place.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "severity": "High", + "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "Entra", - "AzurePolicy" + "WAF" ], "severity": "High", - "subcategory": "Identity", - "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "text": "Ensure required services and features are available within the chosen deployment regions eg. 
ANF , Zone etc.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "checklist": "WAF checklist", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", "services": [ - "Entra" + "TrafficManager", + "WAF", + "Cost" ], - "severity": "High", - "subcategory": "Identity", - "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.", - "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", - "waf": "Security" + "severity": "Medium", + "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "e6a83de5-de32-4c19-a248-1607d5d1e4e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "checklist": "WAF checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "services": [ - "Entra", - 
"RBAC" + "WAF", + "Backup" ], "severity": "High", - "subcategory": "Identity", - "text": "Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone, based on role and security requirements.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" + "text": "Help protect your HANA database by using the Azure Backup service.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "services": [ + "VM", + "Storage", + "WAF", "Entra" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. 
Consider using AzAcSnap on a central VM rather than on individual VMs.", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations", + "checklist": "WAF checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "services": [ - "ACR", - "Entra", - "VM" + "WAF", + "SAP" ], "severity": "High", - "subcategory": "Identity", - "text": "When deploying Active Directory Domain Controllers, use a location with Availability Zones and deploy at least two VMs across these zones. If not available, deploy in an Availability Set.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Reliability" + "text": "Ensure time-zone matches between the operating system and the SAP system.", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "e8aa1e41-870d-4968-94c6-77be14f510ac", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions#identity", + "checklist": "WAF checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "services": [ + "WAF", "Entra" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Deploy your Azure landing zone identity resources in multiple regions. 
If using domain controllers, associate each region with an Active Directory site so that resources can resolve to their local domain controllers.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "f5664b5e-984a-4859-a773-e7d261623a76", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "checklist": "WAF checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", "services": [ - "ACR", - "Entra", - "RBAC", - "Subscriptions" + "WAF", + "Cost" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Use Azure custom RBAC roles for the following key roles to provide fine-grain access across your ALZ: Azure platform owner, network management, security operations, subscription owner, application owner. 
Align these roles to teams and responsibilities within your business.", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Security" + "severity": "Low", + "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", + "waf": "Cost" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "services": [ + "WAF", + "SAP", "Entra" ], "severity": "Medium", - "subcategory": "Identity", - "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Security" + "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "services": [ - "Entra" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Identity", - "text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. 
", - "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", - "waf": "Reliability" + "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", "services": [ - "Monitor", - "Entra" + "WAF", + "SAP" + ], + "severity": "Low", + "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "waf": "Operations" + }, + { + "checklist": "WAF checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", + "services": [ + "SQL", + "WAF", + "SAP", + "Monitor" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. 
Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", - "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", - "waf": "Security" + "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Operations" }, { - "ammp": true, - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "services": [ - "Entra" + "VM", + "Entra", + "Monitor", + "WAF", + "SAP" ], "severity": "High", - "subcategory": "Identity", - "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout. MFA will be turned on by default for all users in Oct 2024. We recommend updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. ", - "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", - "waf": "Security" + "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "cd163e39-84a5-4b39-97b7-6973abd70d94", - "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server", + "checklist": "WAF checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "services": [ - "Entra", - "ASR" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Microsoft Entra ID", - "text": "When deploying Microsoft Entra Connect, use a staging sever for high availability/disaster recovery.", - "training": "https://learn.microsoft.com/entra/identity/hybrid/connect/plan-connect-topologies", - "waf": "Reliability" + "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "checklist": "WAF checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "services": [ - "Entra", - "RBAC" + "NetworkWatcher", + "WAF", + "SAP", + "Monitor" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Security" + "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
+ "waf": "Operations"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Entra",
+ "checklist": "WAF checklist",
+ "guid": "73686af4-6791-4f89-95ad-a43324e13811",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
+ "service": "SAP",
 "services": [
- "Entra"
+ "VM",
+ "WAF",
+ "SAP"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "Security"
+ "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
+ "waf": "Operations"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "9cf5418b-1520-4b7b-add7-88eb28f833e8",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator",
+ "checklist": "WAF checklist",
+ "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
 "services": [
- "Entra",
- "VNet"
+ "Subscriptions",
+ "WAF",
+ "SAP"
 ],
 "severity": "High",
- "subcategory": "Landing zones",
- "text": 
"Configure Identity network segmentation through the use of a virtual Network and peer back to the hub. Providing authentication inside application landing zone (legacy).",
- "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain",
- "waf": "Security"
+ "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
+ "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "waf": "Performance"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "d4d1ad54-1abc-4919-b267-3f342d3b49e4",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations",
+ "checklist": "WAF checklist",
+ "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
+ "service": "SAP",
 "services": [
- "ACR",
 "Storage",
- "RBAC",
- "Entra",
- "AKV"
+ "ASR",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Landing zones",
- "text": "Use Azure RBAC to manage data plane access to resources, if possible. E.g. 
Data Operations across Key Vault, Storage Account and Database Services.",
- "training": "https://learn.microsoft.com/azure/role-based-access-control/overview",
- "waf": "Security"
+ "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
+ "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Landing Zone Review",
- "guid": "d505ebcb-79b1-4274-9c0d-a27c8bea489c",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review",
+ "checklist": "WAF checklist",
+ "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
+ "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
+ "service": "SAP",
 "services": [
- "Entra"
+ "Sentinel",
+ "WAF",
+ "SAP",
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Landing zones",
- "text": "Use Microsoft Entra ID PIM access reviews to periodically validate resource entitlements.",
- "training": "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review",
+ "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
+ "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "description": "Consider using the Azure naming tool available at https://aka.ms/azurenamingtool",
- "guid": "cacf55bc-e4e4-46be-96bc-57a5f23a269a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming",
- "services": [],
- "severity": "High",
- "subcategory": "Naming and tagging",
- "text": "Use a well defined naming scheme for resources, such as Microsoft Best Practice Naming Standards.",
- "waf": "Security"
+ "checklist": "WAF checklist",
+ "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
+ "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "service": "SAP",
+ "services": [
+ "WAF",
+ "Cost"
+ ],
+ "severity": "Medium",
+ "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
+ "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)",
- "guid": "2df27ee4-12e7-4f98-9f63-04722dd69c5b",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+ "checklist": "WAF checklist",
+ "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
+ "service": "SAP",
 "services": [
- "Subscriptions"
+ "VM",
+ "WAF",
+ "Monitor"
 ],
- "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "Enforce reasonably flat management group hierarchy with no more than four levels.",
- "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
+ "waf": "Performance"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "667313b4-f566-44b5-b984-a859c773e7d2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations",
+ "checklist": "WAF checklist",
+ "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
 "services": [
- "Subscriptions"
+ "ASR",
+ "WAF",
+ "SAP",
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "Enforce a sandbox management group to allow users to immediately experiment with Azure.",
- "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
- "waf": "Security"
+ "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": 
"61623a76-5a91-47e1-b348-ef254c27d42e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations",
+ "checklist": "WAF checklist",
+ "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
 "services": [
- "Subscriptions",
- "RBAC",
- "AzurePolicy"
+ "Storage",
+ "WAF",
+ "SAP"
 ],
 "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "Enforce a platform management group under the root management group to support common platform policy and Azure role assignment.",
- "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
- "waf": "Security"
+ "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. 
For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
+ "waf": "Performance"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "8bbac757-1559-4ab9-853e-8908ae28c84c",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations",
+ "checklist": "WAF checklist",
+ "guid": "c027f893-f404-41a9-b33d-39d625a14964",
+ "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
+ "service": "SAP",
 "services": [
- "ExpressRoute",
- "DNS",
- "VWAN",
- "Subscriptions"
+ "WAF",
+ "SAP"
 ],
- "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "Enforce a dedicated connectivity subscription in the Connectivity management group to host an Azure Virtual WAN hub, private non-AD Domain Name System (DNS), ExpressRoute circuit, and other networking resources.",
- "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Consider collecting full database statistics for non-HANA databases after migration. 
For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
+ "waf": "Performance"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant = (array_length(mgmtChain) > 1)",
- "guid": "33b6b780-8b9f-4e5c-9104-9d403a923c34",
- "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group",
+ "checklist": "WAF checklist",
+ "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
+ "service": "SAP",
 "services": [
- "Subscriptions"
+ "Storage",
+ "WAF",
+ "SAP"
 ],
 "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "Enforce no subscriptions are placed under the root management group.",
- "training": "https://learn.microsoft.com/azure/governance/management-groups/overview",
- "waf": "Security"
+ "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
+ "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
+ "waf": "Performance"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "74d00018-ac6a-49e0-8e6a-83de5de32c19",
- "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
+ "checklist": "WAF checklist",
+ "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
+ "service": "SAP",
 "services": [
- "RBAC",
- "Subscriptions"
+ "SQL",
+ "WAF",
+ "SAP"
 ],
 "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings.",
- "training": "https://learn.microsoft.com/training/modules/configure-role-based-access-control/",
- "waf": "Security"
+ "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
+ "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
+ "waf": "Performance"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "92481607-d5d1-4e4e-9146-58d3558fd772",
- "link": "https://learn.microsoft.com/azure/governance/management-groups/overview",
+ "checklist": "WAF checklist",
+ "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
+ "service": "SAP",
 "services": [
- "Subscriptions"
+ "ASR",
+ "WAF",
+ "SAP",
+ "Monitor"
 ],
- "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "Enforce management groups under the root-level management group to represent the types of workloads, based on their security, compliance, connectivity, and feature needs.",
- "waf": "Security"
+ "severity": "High",
+ "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
+ "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Resource Organization",
- 
"checklist": "Azure Landing Zone Review",
- "guid": "49b82111-2df2-47ee-912e-7f983f630472",
- "link": "https://learn.microsoft.com/entra/id-governance/access-reviews-overview",
+ "checklist": "WAF checklist",
+ "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "SAP",
 "services": [
- "Cost",
- "Subscriptions",
- "RBAC",
- "AzurePolicy"
+ "AppGW",
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Subscriptions",
- "text": "Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review, policy compliance and remediate when necessary.",
- "training": "https://learn.microsoft.com/training/modules/plan-implement-manage-access-review/",
+ "severity": "Medium",
+ "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
 "waf": "Security"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "2dd69c5b-5c26-422f-94b6-9bad33aad5e8",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "checklist": "WAF checklist",
+ "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
 "services": [
- "Subscriptions"
+ "VM",
+ "DNS",
+ "WAF",
+ "SAP"
 ],
 "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "Ensure that all subscription owners and IT core team are aware of subscription quotas and the impact they have on provision resources for a given subscription.",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/",
- "waf": "Security"
+ "text": "If the virtual 
machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "Operations"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "c68e1d76-6673-413b-9f56-64b5e984a859",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations",
+ "checklist": "WAF checklist",
+ "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
 "services": [
- "Cost",
- "Subscriptions"
+ "DNS",
+ "VNet",
+ "WAF",
+ "SAP"
 ],
- "severity": "High",
- "subcategory": "Subscriptions",
- "text": "Use Reserved Instances where appropriate to optimize cost and ensure available capacity in target regions.",
- "training": "https://learn.microsoft.com/learn/paths/improve-reliability-modern-operations/",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "Operations"
 },
 {
- "ammp": true,
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25",
- "link": "https://learn.microsoft.com/azure/azure-portal/azure-portal-dashboards",
+ "checklist": "WAF checklist",
+ "description": "When configuring VNet peering, use the Allow traffic to remote virtual networks setting.",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)",
+ "guid": "a3592829-e6e2-4061-9368-6af46791f893",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
+ "service": "SAP",
 "services": [
- "Monitor",
- "Storage",
- "Subscriptions"
+ "VNet",
+ "WAF",
+ "SAP",
+ "ACR"
 ],
 "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "Establish dashboards and/or visualizations to monitor compute and storage capacity metrics. (i.e. 
CPU, memory, disk space)",
- "training": "https://learn.microsoft.com/training/modules/visualize-data-workbooks/",
- "waf": "Security"
+ "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
+ "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/get-started/manage-costs",
+ "checklist": "WAF checklist",
+ "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
+ "service": "SAP",
 "services": [
- "Cost",
- "Subscriptions"
+ "NVA",
+ "WAF",
+ "SAP"
 ],
 "severity": "High",
- "subcategory": "Subscriptions",
- "text": "As part of your cloud adoption, implement a detailed cost management plan using the 'Managed cloud costs' process.",
- "training": "https://learn.microsoft.com/learn/paths/control-spending-manage-bills/",
- "waf": "Security"
+ "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
+ "training": "https://me.sap.com/notes/2731110",
+ "waf": "Performance"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de",
- "link": "https://learn.microsoft.com/azure/governance/management-groups/overview",
+ "checklist": "WAF checklist",
+ "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant",
+ "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
+ "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
+ 
"service": "SAP",
 "services": [
- "Entra",
- "Subscriptions"
+ "VWAN",
+ "WAF",
+ "SAP",
+ "ACR"
 ],
 "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "If servers will be used for Identity services, like domain controllers, establish a dedicated identity subscription in the identity management group, to host these services. Make sure that resources are set to use the domain controllers available in their region.",
- "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
- "waf": "Security"
+ "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
+ "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "waf": "Operations"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
- "guid": "5de32c19-9248-4160-9d5d-1e4e614658d3",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs",
+ "checklist": "WAF checklist",
+ "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
+ "service": "SAP",
 "services": [
- "Cost",
- "Subscriptions"
+ "NVA",
+ "VNet",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "Ensure tags are used for billing and cost management.",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Security"
+ "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. 
NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
+ "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "6cc0ea22-42bb-441e-a345-804ab0a09666",
- "link": "https://github.com/Azure/sovereign-landing-zone/blob/main/docs/02-Architecture.md",
+ "checklist": "WAF checklist",
+ "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
+ "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
+ "service": "SAP",
 "services": [
- "Subscriptions"
+ "VWAN",
+ "NVA",
+ "VNet",
+ "WAF",
+ "SAP"
 ],
 "severity": "Medium",
- "subcategory": "Subscriptions",
- "text": "For Sovereign Landing Zone, have a 'confidential corp' and 'confidential online' management group directly under the 'landing zones' MG.",
- "training": "https://learn.microsoft.com/industry/sovereignty/slz-overview",
- "waf": "Security"
+ "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "250d81ce-8bbe-4f85-9051-6a18a8221e50",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/regions",
+ "checklist": "WAF checklist",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "guid": "82734c88-6ba2-4802-8459-11475e39e530",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
 "services": [
- "Cost"
+ "VM",
+ "WAF",
+ "SAP"
 ],
 "severity": "High",
- "subcategory": "Regions",
- "text": "Select the right Azure region/s for your deployment. Azure is a global-scale cloud platform that provide global coverage through many regions and geographies. 
Different Azure regions have different characteristics, access and availability models, costs, capacity, and services offered, then it is important to consider all criteria and requirements.",
- "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
- "waf": "Reliability"
+ "text": "Public IP assignment to VM running SAP Workload is not recommended.",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "Security"
 },
 {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "19ca3f89-397d-44b1-b5b6-5e18661372ac",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/regions#operate-in-multiple-geographic-regions",
+ "checklist": "WAF checklist",
+ "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
+ "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
+ "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "service": "SAP",
 "services": [
- "ASR"
+ "ASR",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Regions",
- "text": "Deploy your Azure landing zone in a multi-region deployment. Depending on customer size, locations, and users presence, operating in multiple regions can be a common choice to deliver services and run applications closer to them. 
Using a multi-region deployment is also important to provide geo disaster recovery capabilities, to eliminate the dependency from a single region capacity and diminish the risk of a temporary and localized resource capacity constraint.",
- "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
- "waf": "Reliability"
- },
- {
- "category": "Resource Organization",
- "checklist": "Azure Landing Zone Review",
- "guid": "4c27d42e-8bba-4c75-9155-9ab9153e8908",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "services": [],
- "severity": "Medium",
- "subcategory": "Regions",
- "text": "Ensure required services and features are available within the chosen deployment regions.",
- "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Consider reserving IP address on DR side when configuring ASR",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "373f482f-3e39-4d39-8aa4-7e566f6082b6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-app-delivery",
+ "checklist": "WAF checklist",
+ "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
 "services": [
- "AppGW",
- "FrontDoor"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "App delivery",
- "text": "Document a standard for securing the delivery application content from your Workload spokes using Application Gateway and Azure Front Door. 
You can use the Application Delivery checklist to for recommendations.",
+ "severity": "High",
+ "text": "Avoid using overlapping IP address ranges for production and DR sites.",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
 "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity",
- "service": "VNet",
+ "checklist": "WAF checklist",
+ "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
+ "service": "SAP",
 "services": [
- "VNet"
+ "Storage",
+ "VNet",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Hub and spoke",
- "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Security"
+ "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.",
+ "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology",
- "service": "VNet",
+ "checklist": "WAF checklist",
+ "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
+ "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
+ "service": "SAP",
 "services": [
- "VPN",
- "DNS",
- "NVA",
 "Firewall",
- "ExpressRoute",
- "Entra",
- "VNet"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Hub and spoke",
- "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. 
If necessary, also deploy DNS services.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
- "waf": "Cost"
+ "severity": "Medium",
+ "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
+ "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "VNet",
+ "checklist": "WAF checklist",
+ "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
+ "service": "SAP",
 "services": [
- "DDoS"
+ "AppGW",
+ "WAF",
+ "SAP"
 ],
- "severity": "High",
- "subcategory": "App delivery",
- "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "severity": "Medium",
+ "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
- "service": "NVA",
+ "checklist": "WAF checklist",
+ "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
+ "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "SAP",
 "services": [
- "NVA"
+ "AzurePolicy",
+ "WAF",
+ "FrontDoor",
+ "ACR"
 ],
 "severity": "Medium",
- "subcategory": "Hub and spoke",
- "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.",
- "waf": "Reliability"
+ "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
+ "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure Landing Zone Review",
- "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
- "service": "ExpressRoute",
+ "checklist": "WAF checklist",
+ "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "SAP",
 "services": [
- "ExpressRoute",
- "ARS",
- "VPN"
+ "AppGW",
+ "AzurePolicy",
+ "WAF",
+ "FrontDoor"
 ],
- "severity": "Low",
- "subcategory": "Hub and spoke",
- "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/",
+ "severity": "Medium",
+ "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. 
Lock down Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", + "checklist": "WAF checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "services": [ - "ARS", - "VNet" + "AppGW", + "LoadBalancer", + "WAF" ], - "severity": "Low", - "subcategory": "Hub and spoke", - "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "severity": "Medium", + "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "checklist": "WAF checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "services": [ - "ACR", - "VNet" + "VWAN", + "WAF", + "SAP", + "ACR" ], "severity": "Medium", - "subcategory": "Hub and spoke", - "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", + "checklist": "WAF checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "services": [ - "Monitor" + "ACR", + "Storage", + "PrivateLink", + "VNet", + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "Hub and spoke", - "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Operations" + "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "checklist": "WAF checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "services": [ - "ExpressRoute", - "VNet" + "VM", + "WAF", + "SAP" ], - "severity": "Medium", - "subcategory": "Hub and spoke", - "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Reliability" + "severity": "High", + "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", + "training": 
"https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "checklist": "WAF checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "services": [ - "Storage" + "LoadBalancer", + "WAF" ], "severity": "Medium", - "subcategory": "Hub and spoke", - "text": "Limit the number of routes per route table to 400.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Reliability" + "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", + "checklist": "WAF checklist", + "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "services": [ - "VNet" + "VM", + "VNet", + "WAF", + "SAP" ], - "severity": "High", - "subcategory": "Hub and spoke", - "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Reliability" + "severity": "Medium", + "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", - "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", + "checklist": "WAF checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "LoadBalancer" + "VNet", + 
"WAF", + "SAP" ], "severity": "High", - "subcategory": "Hub and spoke", - "text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.", - "waf": "Reliability" + "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = 
tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "48682fb1-1e86-4458-a686-518ebd47393d", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", + "checklist": "WAF checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ - "LoadBalancer" + "WAF", + "SAP" ], - "severity": "High", - "subcategory": "Hub and spoke", - "text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.", - "waf": "Reliability" + "severity": "Medium", + "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "ExpressRoute" + "WAF", + "SAP" ], - "severity": "Medium", - "subcategory": "Encryption", - "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt 
traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Security" + "severity": "High", + "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "ExpressRoute", - "VPN" + "SAP", + "VNet", + "WAF", + "Cost" ], - "severity": "Medium", - "subcategory": "Encryption", - "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "severity": "High", + "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "services": [ - "ACR", - "VNet" + "LoadBalancer", + "WAF" ], "severity": "High", - "subcategory": "IP plan", - "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" + "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": 
"3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "checklist": "WAF checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "services": [ - "VNet" + "VNet", + "WAF", + "SAP" ], "severity": "Medium", - "subcategory": "IP plan", - "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "checklist": "WAF checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "services": [ - "VNet" + "VM", + "SAP", + "WAF", + "Backup" ], "severity": "High", - "subcategory": "IP plan", - 
"text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Performance" + "text": "Review SAP HANA database backups for Azure VMs.", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", + "checklist": "WAF checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "services": [ "ASR", - "VNet" + "WAF", + "SAP", + "Monitor" ], - "severity": "High", - "subcategory": "IP plan", - "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Reliability" + "severity": "Medium", + "text": "Review Site Recovery built-in monitoring, where used for SAP.", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", - "service": "Public IP Addresses", + "checklist": "WAF checklist", + "guid": 
"82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "services": [ - "ACR", - "VNet" + "WAF", + "SAP", + "Monitor" ], "severity": "High", - "subcategory": "IP plan", - "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. ", - "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", - "waf": "Reliability" + "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", + "checklist": "WAF checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "services": [ - "DNS", - "VNet" + "VM", + "WAF", + "Backup" ], "severity": "Medium", - "subcategory": "IP plan", - "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "Review Oracle Database in Azure Linux VM backup strategies.", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": 
"https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "checklist": "WAF checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "services": [ - "ACR", - "DNS", - "VNet" + "Storage", + "SQL", + "WAF" ], "severity": "Medium", - "subcategory": "IP plan", - "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "Security" + "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", + "checklist": "WAF checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", "services": [ - "DNS", - "VNet" + "VM", + "WAF", + "Backup" ], - "severity": "Low", - "subcategory": "IP plan", - "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", - "training": "https://learn.microsoft.com/training/courses/az-700t00", + "severity": "Medium", + "text": "Review the use of Automated Backup v2 for Azure VMs.", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": 
"614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "checklist": "WAF checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "services": [ - "DNS", - "VM", - "VNet" + "WAF" ], "severity": "High", - "subcategory": "IP plan", - "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "Enabling Write accelerator for M series when using premium disks(V1)", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", - "service": "DNS", + "checklist": "WAF checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "services": [ - "DNS", - "VNet" + "WAF" ], "severity": "Medium", - "subcategory": "IP plan", - "text": "Implement a plan for managing DNS resolution between multiple Azure regions and when services fail over to another region", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Reliability" + "text": "Test availability zone latency.", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "checklist": "WAF checklist", + "guid": 
"9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "services": [ - "Bastion" + "WAF", + "SAP" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Use Azure Bastion to securely connect to your network.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Security" + "text": "Activate SAP EarlyWatch Alert for all SAP components.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "checklist": "WAF checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "services": [ - "Bastion", - "VNet" + "WAF", + "SAP" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Use Azure Bastion in a subnet /26 or larger.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Security" + "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - 
"checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "checklist": "WAF checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "services": [ + "SQL", "WAF", - "ACR", - "FrontDoor", - "AzurePolicy" + "Monitor" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "text": "Review SQL Server performance monitoring using CCMS.", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", + "checklist": "WAF checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", "services": [ + "VM", "WAF", - "AppGW", - "AzurePolicy", - "FrontDoor" + "SAP" ], - "severity": "Low", - "subcategory": "Internet", - "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. 
Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "severity": "Medium", + "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", + "checklist": "WAF checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", "services": [ "WAF", - "VNet" + "SAP", + "Monitor" ], - "severity": "High", - "subcategory": "Internet", - "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "severity": "Medium", + "text": "Review SAP HANA studio alerts.", + "waf": "Performance" + }, + { + "checklist": "WAF checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", + "services": [ + "WAF", + "SAP" + ], + "severity": "Medium", + "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", + "waf": "Performance" + }, + { + "checklist": "WAF checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "services": [ + "VM", + "WAF" + ], + "severity": "Medium", + "text": "If you run Windows and Linux 
VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "checklist": "WAF checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "services": [ - "DDoS", - "VNet" + "WAF", + "SAP" ], - "severity": "High", - "subcategory": "Internet", - "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "severity": "Medium", + "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", - "services": [], - "severity": "High", - "subcategory": "Internet", - "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. 
On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", - "waf": "Reliability" + "checklist": "WAF checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "services": [ + "SQL", + "WAF", + "SAP" + ], + "severity": "Low", + "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "checklist": "WAF checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "services": [ - "DDoS" + "SQL", + "WAF" ], "severity": "High", - "subcategory": "Internet", - "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. 
It's a potential risk in security audits.", + "training": "https://me.sap.com/notes/3019299/E", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", + "checklist": "WAF checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "AzurePolicy", - "VM" + "SQL", + "Storage", + "Backup", + "WAF", + "SAP" ], "severity": "High", - "subcategory": "Internet", - "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "services": [ - "ExpressRoute", - "VPN", - "Backup" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use ExpressRoute as the primary connection to Azure. Use VPNs as a source of backup connectivity.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "services": [ - "ExpressRoute" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "severity": "High", + "text": "Use Azure Key Vault to store your secrets and credentials", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 
'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "services": [ - "ExpressRoute", - "VPN" + "AzurePolicy", + "RBAC", + "Subscriptions", + "WAF" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. 
You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "services": [ - "ExpressRoute", - "Cost" + "AKV", + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "Hybrid", - "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Cost" + "severity": "Medium", + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project 
circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "services": [ - "ExpressRoute", - "Cost" + "AzurePolicy", + "RBAC", + "WAF" ], "severity": "High", - "subcategory": "Hybrid", - "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Cost" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", - "services": [ - "ExpressRoute" - ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "text": "Based on existing requirements, regulatory and compliance controls (internal/external) 
- Determine what Azure Policies and Azure RBAC role are needed", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "ExpressRoute" + "Storage", + "WAF", + "SAP", + "Defender" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "severity": "High", + "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "services": [ - "ExpressRoute" + "RBAC", + "WAF", + "SAP", + "Defender" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "severity": "High", + "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "checklist": "WAF checklist", + "guid": 
"1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "VPN" + "WAF", + "SAP" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Reliability" + "severity": "Low", + "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", + "checklist": "WAF checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "services": [ - "VPN" + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Reliability" + "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": 
"718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", "services": [ - "ExpressRoute", - "Cost" + "AKV", + "WAF" ], "severity": "High", - "subcategory": "Hybrid", - "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Cost" + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", "services": [ - "ExpressRoute" + "AKV", + "WAF", + "SAP" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. 
It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "severity": "High", + "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", "services": [ - "ExpressRoute", - "Monitor" + "RBAC", + "Subscriptions", + "WAF", + "SAP" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "severity": "High", + "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": 
"ExpressRoute", + "checklist": "WAF checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", "services": [ - "ACR", - "Monitor", - "NetworkWatcher" + "NVA", + "PrivateLink", + "WAF", + "SAP" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "severity": "High", + "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": 
"https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", "services": [ - "ExpressRoute" + "VM", + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use ExpressRoute circuits from different peering locations for redundancy.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "severity": "Low", + "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", "services": [ - "ExpressRoute", - "VPN" + "WAF", + "Defender" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "severity": "Low", + "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - 
"graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "Storage", - "VNet" + "VNet", + "WAF", + "SAP" ], "severity": "High", - "subcategory": "Hybrid", - "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", - "waf": "Reliability" + "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "ExpressRoute", - "ACR" + "WAF", + "SAP" ], - "severity": "High", - "subcategory": "Hybrid", - "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. Load should be shared across both connections ideally as active/active, although active/passive is supported too.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "severity": "Low", + "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "checklist": "WAF checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "services": [ - "ExpressRoute" + "AKV", + "WAF", + "SAP", + "Monitor" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", - "services": [], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", "services": [ - "ExpressRoute" + "ServiceBus", + "WAF" ], - "severity": "High", - "subcategory": "Hybrid", - "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": 
"WAF checklist", + "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", "services": [ - "ExpressRoute", - "Monitor", - "VNet" + "ServiceBus", + "WAF" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", "services": [ - "ExpressRoute", - "VNet" + "Entra", + "ServiceBus", + "TrafficManager", + "AzurePolicy", + "RBAC", + "WAF" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.", + "graph": "Resources | where type =~ 'microsoft.servicebus/namespaces' | extend compliant = iif(properties.disableLocalAuth == 'false', 'No', 'Yes') | project id, compliant", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication", + "service": "Service Bus", "services": [ - "ACR" + "ServiceBus", + "WAF", + "Entra" ], - "severity": "Low", - "subcategory": "Hybrid", - "text": "Do not send Azure traffic to hybrid locations for inspection. 
Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.", - "waf": "Performance" + "severity": "Medium", + "text": "When possible, disable SAS key authentication (or local authentication) and use only Microsoft Entra ID for authentication", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", "services": [ - "Firewall" + "ServiceBus", + "Storage", + "RBAC", + "Subscriptions", + "WAF" ], "severity": "High", - "subcategory": "Firewall", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", "services": [ - "ACR", - "RBAC", - "AzurePolicy", - "Firewall" + "ServiceBus", + "VNet", + "WAF", + "Monitor" ], "severity": "Medium", - "subcategory": "Firewall", - "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. 
Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", "services": [ - "Firewall" + "ServiceBus", + "PrivateLink", + "VNet", + "WAF" ], - "severity": "Low", - "subcategory": "Firewall", - "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "severity": "Medium", + "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", "services": [ - "DNS", - "Firewall" + "ServiceBus", + "WAF" ], - "severity": "High", - "subcategory": "Firewall", - "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. 
Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "severity": "Medium", + "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", + "checklist": "WAF checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant = (sku=~'{\"name\":\"Standard\"}') | distinct id,compliant", + "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", + "link": "https://learn.microsoft.com/azure/service-fabric/overview-managed-cluster#service-fabric-managed-cluster-skus", + "service": "Azure Service Fabric", "services": [ - "Firewall" + "WAF" ], - "severity": "High", - "subcategory": "Firewall", - "text": "Use Azure Firewall Premium to enable additional security features.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", - "waf": "Security" + "severity": "Medium", + "text": "Use Standard SKU for production scenarios.", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": 
"https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", + "checklist": "WAF checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/clusters' | extend nodeTypes= array_concat(properties.nodeTypes) | mv-expand nodeTypes | summarize BronzeDurabilityCount = countif(nodeTypes.durabilityLevel == 'Bronze') by id | extend compliant = (BronzeDurabilityCount == 0) | distinct id,compliant", + "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-cluster-capacity#durability-characteristics-of-the-cluster", + "service": "Azure Service Fabric", "services": [ - "Firewall" + "VM", + "WAF" ], - "severity": "High", - "subcategory": "Firewall", - "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.", - "waf": "Security" + "severity": "Medium", + "text": "Use durability level Silver (5 VMs) or greater for production scenarios", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "checklist": "WAF checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant= ( properties.zonalResiliency =~ 'true') | distinct id,compliant", + "guid": "2363878d-55c4-4cbd-9bc2-94523c85f12e", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-availability-zones", + "service": "Azure Service Fabric", "services": [ - "Firewall" + "WAF", + "ACR" ], - "severity": "High", - "subcategory": "Firewall", - "text": "Configure Azure Firewall IDPS mode to Deny for 
additional protection.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", - "waf": "Security" + "severity": "Medium", + "text": "Consider using Availability Zones for your Service Fabric clusters. Service Fabric managed cluster supports deployments that span across multiple Availability Zones to provide zone resiliency. This configuration will ensure high-availability of the critical system services and your applications to protect from single-points-of-failure.", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", + "checklist": "WAF 
checklist", + "guid": "5ba74cc8-3ca2-44d5-9a67-bdc8e102e7b4", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-api-management-overview", + "service": "Azure Service Fabric", "services": [ - "Storage", - "NVA", - "Firewall", - "VWAN", - "VNet" + "WAF", + "APIM" ], - "severity": "High", - "subcategory": "Firewall", - "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.", - "waf": "Security" + "severity": "Medium", + "text": "Consider using Azure API Management to expose and offload cross-cutting functionality for APIs hosted on the cluster. API Management can integrate with Service Fabric directly.", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "checklist": "WAF checklist", + "guid": "ef17bb8f-4e2c-488b-8ceb-a07c3d750dd3", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-reliable-services-introduction", + "service": "Azure Service Fabric", "services": [ - "Storage", - "Firewall" + "WAF" ], "severity": "Medium", - "subcategory": "Firewall", - "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operations" + "text": "For stateful workload scenarios, consider using Reliable Services. The Reliable Services model allows your services to stay up even in unreliable environments where your machines fail or hit network issues, or in cases where the services themselves encounter errors and crash or fail. 
For stateful services, your state is preserved even in the presence of network or other failures.", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", + "checklist": "WAF checklist", + "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | summarize compliant = countif(sku.name matches regex '^Standard_[^d]*$' ) by id", + "guid": "4da21268-f775-4c89-a271-eb80543c8df7", + "service": "Azure Service Fabric", "services": [ - "AzurePolicy", - "Firewall" + "VM", + "WAF" ], - "severity": "Important", - "subcategory": "Firewall", - "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operations" + "severity": "Medium", + "text": "Avoid VM SKUs with temp disk offerings. 
Service Fabric uses managed disks by default, so avoiding temp disk offerings ensures you don't pay for unneeded resources.", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "checklist": "WAF checklist", + "guid": "1890b796-f300-41a3-a8d4-29738c1f4ad0", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-stateless-node-type#temporary-disk-support", + "service": "Azure Service Fabric", "services": [ - "Firewall", - "VNet" + "VM", + "WAF" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "Use a /26 prefix for your Azure Firewall subnets.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", - "waf": "Security" + "severity": "Medium", + "text": "If you need to select a certain VM SKU for capacity reasons and it happens to offer temp disk, consider using temporary disk support for your stateless workloads.", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "checklist": "WAF checklist", + "guid": "5247bb32-6778-49c7-8b40-e171c9a3ce1e", + "service": "Azure Service Fabric", "services": [ - "AzurePolicy" + "WAF" ], 
"severity": "Medium", - "subcategory": "Firewall", - "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", - "waf": "Performance" + "text": "Align SKU selection and managed disk size with workload requirements. Matching your selection to your workload demands ensures you don't pay for unneeded resources.", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", + "checklist": "WAF checklist", + "guid": "6028759b-446a-41bc-8b0e-7728e61ca704", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-networking#manage-nsg-rules", + "service": "Azure Service Fabric", "services": [ - "Storage" + "VNet", + "WAF", + "APIM" ], "severity": "Medium", - "subcategory": "Firewall", - "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.", - "waf": "Performance" + "text": "Ensure Network Security Groups (NSG) are configured to restrict traffic flow between subnets and node types. 
For example, you may have an API Management instance (one subnet), a frontend subnet (exposing a website directly), and a backend subnet (accessible only to frontend).", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", - "services": [], + "checklist": "WAF checklist", + "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | extend compliant = (isnotnull(properties.virtualMachineProfile.osProfile.secrets))", + "guid": "4e98c903-14cf-4c72-9c45-b8b23bc4cbd8", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#deploy-key-vault-certificates-to-service-fabric-cluster-virtual-machine-scale-sets", + "service": "Azure Service Fabric", + "services": [ + "VM", + "Entra", + "Storage", + "AKV", + "WAF" + ], "severity": "Medium", - "subcategory": "Firewall", - "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "Performance" + "text": "Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets. Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. 
Key Vault greatly reduces the chances that secrets may be accidentally leaked.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", + "checklist": "WAF checklist", + "guid": "001cbb6f-d88d-4431-8434-d01333397776", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster", + "service": "Azure Service Fabric", "services": [ - "Monitor" + "WAF" ], "severity": "Medium", - "subcategory": "Firewall", - "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "Performance" + "text": "Apply an Access Control List (ACL) to your client certificate for your Service Fabric cluster. 
Using an ACL provides an additional level of authentication.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", + "checklist": "WAF checklist", + "guid": "4b74b7a5-bb1e-4fca-948c-037ba95fb73b", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-resource-governance#resource-governance-mechanism", + "service": "Azure Service Fabric", "services": [ - "Firewall" + "WAF", + "ACR" ], - "severity": "High", - "subcategory": "Firewall", - "text": "If you are using Azure Firewall Premium, enable TLS Inspection.", - "waf": "Performance" + "severity": "Medium", + "text": "Use resource requests and limits to govern resource usage across the nodes in your cluster. Enforcing resource limits helps ensure that one service doesn't consume too many resources and starve other services.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", + "checklist": "WAF checklist", + "guid": "cd9233ba-f3aa-4353-8d2f-7ea4a64160e6", + "link": "", + "service": "Azure Service Fabric", "services": [ - "ServiceBus" + "WAF" ], - "severity": "Low", - "subcategory": "Firewall", - "text": "Use web categories to allow or deny outbound access to specific topics.", - "waf": "Performance" + "severity": "Medium", + "text": "Encrypt Service Fabric package secret values. 
Encryption on your secret values provides an additional level of security.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", - "services": [], + "checklist": "WAF checklist", + "guid": "44b989d4-9f72-42b6-99da-ec2a79f83299", + "link": "", + "service": "Azure Service Fabric", + "services": [ + "AKV", + "WAF" + ], "severity": "Medium", - "subcategory": "Firewall", - "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", - "waf": "Performance" + "text": "Include client certificates in Service Fabric applications. Having your applications use client certificates for authentication provides opportunities for security at both the cluster and workload level.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "checklist": "WAF checklist", + "guid": "28e66ff7-4a77-4b2c-910d-0335f141208a", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets", + "service": "Azure Service Fabric", "services": [ - "DNS", - "Firewall" + "WAF", + "Entra" ], "severity": "Medium", - "subcategory": "Firewall", - "text": "Enable Azure Firewall DNS proxy configuration.", - 
"training": "https://learn.microsoft.com/training/courses/az-700t00/", + "text": "Authenticate Service Fabric applications to Azure Resources using Managed Identity. Using Managed Identity allow you to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", + "checklist": "WAF checklist", + "guid": "f16c413c-00a6-43aa-852c-b97292c33a56", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#hosting-untrusted-applications-in-a-service-fabric-cluster", + "service": "Azure Service Fabric", "services": [ - "Monitor", - "Firewall" + "WAF" ], - "severity": "High", - "subcategory": "Firewall", - "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "Operations" + "severity": "Medium", + "text": "Follow Service Fabric best practices when hosting untrusted applications. Following the best practices provides a security standard to follow.", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub provides encryption of data at rest. 
If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", "services": [ - "Backup" + "EventHubs" ], "severity": "Low", - "subcategory": "Firewall", - "text": "Implement backups for your firewall rules", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "Operations" + "subcategory": "Data Protection", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", - "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", - "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", - "service": "Firewall", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "services": [ - "ACR", - "Firewall" + "EventHubs" ], - "severity": "High", - "subcategory": "Firewall", - "text": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Data Protection", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", - "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", - "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", - "service": "Firewall", + "category": "Security", + "checklist": "Azure Event Hub Review", + 
"description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. ", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "services": [ - "DDoS", - "Firewall", - "VNet" + "Entra", + "TrafficManager", + "EventHubs", + "AzurePolicy", + "RBAC" + ], + "severity": "Medium", + "subcategory": "Identity and Access Management", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", + "services": [ + "VM", + "Entra", + "Storage", + "EventHubs", + "AKV" ], - "severity": "High", - "subcategory": "Firewall", - "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. 
Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. ", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity and Access Management", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "services": [ - "VNet" + "RBAC", + "EventHubs", + "Entra" ], "severity": "High", - "subcategory": "PaaS", - "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "subcategory": "Identity and Access Management", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "e43a58a9-c229-49c4-b7b5-7d0c655562f2", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "services": [ - "PrivateLink" + "VNet", + "EventHubs", + "Monitor" ], "severity": "Medium", - "subcategory": "PaaS", - "text": "Use Private Link, where available, for shared Azure PaaS services.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "subcategory": "Monitoring", + "text": "Enable logging for security investigation. 
Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "services": [ - "ExpressRoute", - "PrivateLink" + "PrivateLink", + "VNet", + "EventHubs" ], "severity": "Medium", - "subcategory": "PaaS", - "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. 
This method avoids transiting over the public internet.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "subcategory": "Networking", + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "services": [ - "VNet" + "EventHubs" ], - "severity": "High", - "subcategory": "PaaS", - "text": "Don't enable virtual network service endpoints by default on all subnets.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "severity": "Medium", + "subcategory": "Networking", + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "services": [ - "DNS", - "NVA", - "PrivateLink", - "Firewall" + "EventHubs" ], "severity": "Medium", - "subcategory": "PaaS", - "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. 
If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage FTA Resillency HandBook", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "services": [ - "ExpressRoute", - "VPN", - "VNet" + "EventHubs", + "ACR" ], "severity": "High", - "subcategory": "Segmentation", - "text": "Use at least a /27 prefix for your Gateway subnets.", - "waf": "Security" + "subcategory": "Zone Redudancy", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": 
"https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "services": [ - "VNet" + "EventHubs" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Use the Premium or Dedicated SKUs for predicable performance", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "c2447ec6-6138-4a72-80f1-ce16ed301d6e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. 
Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "services": [ - "VNet" + "ASR", + "EventHubs" ], - "severity": "Medium", - "subcategory": "Segmentation", - "text": "Delegate subnet creation to the landing zone owner.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "severity": "High", + "subcategory": "Geo Redudancy", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "services": [ - "ACR", - "VNet" + "ASR", + "EventHubs" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "subcategory": "Geo Redudancy", + "text": "For Business Critical Applications, use Active Active configuration", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "services": [ - "Entra", - "NVA", - "VNet" + "EventHubs" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "subcategory": "Reliability", + "text": "Design Resilient Event Hubs", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project 
subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", - "services": [ - "NetworkWatcher", - "VNet" - ], + "category": "Operations Management", + "checklist": "Cognitive Services Review Checklist", + "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", + "service": "Cognitive Services", + "services": [], "severity": "Medium", - "subcategory": "Segmentation", - "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Security" + "subcategory": "Best Practice", + "text": "Leverage FTA HandBook for Cognitive Services", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", + "category": "Operations Management", + "checklist": "Cognitive Services Review Checklist", + "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Cognitive Services", "services": [ - "VNet" + "Backup" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "subcategory": "Backup", + "text": "Backup Your Prompts", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "category": "Operations Management", + "checklist": "Cognitive Services Review Checklist", + "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Cognitive Services", "services": [ - "VWAN" + "ASR", + "Backup" ], - "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "Operations" + "severity": "High", + "subcategory": "Backup", + "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": 
"54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", + "category": "Operations Management", + "checklist": "Cognitive Services Review Checklist", + "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", + "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", + "service": "Cognitive Services", "services": [ - "ACR", - "VWAN" + "Backup" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Performance" + "subcategory": "Backup", + "text": "Backup Your ChatGPT conversations", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", - "services": [ - "VWAN", - "Firewall" - ], + "category": "Operations Management", + "checklist": "Cognitive Services Review Checklist", + "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", + "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", + "service": "Cognitive Services", + "services": [], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", 
- "waf": "Security" + "subcategory": "DevOps", + "text": "CI/CD for custom speech", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", - "services": [ - "VWAN" - ], + "category": "Operations Management", + "checklist": "Cognitive Services Review Checklist", + "guid": "3687a046-7a1f-4893-9bda-43324f248116", + "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", + "service": "Cognitive Services", + "services": [], + "severity": "Low", + "subcategory": "QnA Service", + "text": "Move a knowledge base using export-import", + "waf": "Reliability" + }, + { + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant = (sku=~'{\"name\":\"Standard\"}') | distinct id,compliant", + "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", + "link": "https://learn.microsoft.com/azure/service-fabric/overview-managed-cluster#service-fabric-managed-cluster-skus", + "service": "Azure Service Fabric", + "services": [], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "subcategory": "Cluster architecture", + "text": "Use Standard SKU for production scenarios.", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "category": "Standard clusters", + "checklist": "Azure 
Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/clusters' | extend nodeTypes= array_concat(properties.nodeTypes) | mv-expand nodeTypes | summarize BronzeDurabilityCount = countif(nodeTypes.durabilityLevel == 'Bronze') by id | extend compliant = (BronzeDurabilityCount == 0) | distinct id,compliant", + "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-cluster-capacity#durability-characteristics-of-the-cluster", + "service": "Azure Service Fabric", "services": [ - "VWAN", - "Monitor" + "VM" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Operations" + "subcategory": "Cluster architecture", + "text": "Use durability level Silver (5 VMs) or greater for production scenarios", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant= ( properties.zonalResiliency =~ 'true') | distinct id,compliant", + "guid": "2363878d-55c4-4cbd-9bc2-94523c85f12e", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-availability-zones", + "service": "Azure Service Fabric", "services": [ - 
"VWAN" + "ACR" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "subcategory": "Cluster architecture", + "text": "Consider using Availability Zones for your Service Fabric clusters. Service Fabric managed cluster supports deployments that span across multiple Availability Zones to provide zone resiliency. This configuration will ensure high-availability of the critical system services and your applications to protect from single-points-of-failure.", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "5ba74cc8-3ca2-44d5-9a67-bdc8e102e7b4", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-api-management-overview", + "service": "Azure Service Fabric", "services": [ - "ExpressRoute", - "VWAN", - "VPN" + "APIM" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "subcategory": "Cluster architecture", + "text": "Consider using Azure API Management to expose and offload cross-cutting functionality for APIs hosted on the cluster. 
API Management can integrate with Service Fabric directly.", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "ef17bb8f-4e2c-488b-8ceb-a07c3d750dd3", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-reliable-services-introduction", + "service": "Azure Service Fabric", + "services": [], + "severity": "Medium", + "subcategory": "Workload architecture", + "text": "For stateful workload scenarios, consider using Reliable Services. The Reliable Services model allows your services to stay up even in unreliable environments where your machines fail or hit network issues, or in cases where the services themselves encounter errors and crash or fail. 
For stateful services, your state is preserved even in the presence of network or other failures.", + "waf": "Reliability" + }, + { + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | summarize compliant = countif(sku.name matches regex '^Standard_[^d]*$' ) by id", + "guid": "4da21268-f775-4c89-a271-eb80543c8df7", + "service": "Azure Service Fabric", "services": [ - "VWAN" + "VM" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Reliability" + "subcategory": "Cluster architecture", + "text": "Avoid VM SKUs with temp disk offerings. 
Service Fabric uses managed disks by default, so avoiding temp disk offerings ensures you don't pay for unneeded resources.", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "1890b796-f300-41a3-a8d4-29738c1f4ad0", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-stateless-node-type#temporary-disk-support", + "service": "Azure Service Fabric", "services": [ - "VWAN" + "VM" ], - "severity": "High", - "subcategory": "Virtual WAN", - "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Cluster architecture", + "text": "If you need to select a certain VM SKU for capacity reasons and it happens to offer temp disk, consider using temporary disk support for your stateless workloads.", + "waf": "Cost" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "5247bb32-6778-49c7-8b40-e171c9a3ce1e", + "service": "Azure Service Fabric", + "services": [], + "severity": "Medium", 
+ "subcategory": "Cluster and workload architectures", + "text": "Align SKU selection and managed disk size with workload requirements. Matching your selection to your workload demands ensures you don't pay for unneeded resources.", + "waf": "Cost" + }, + { + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "6028759b-446a-41bc-8b0e-7728e61ca704", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-networking#manage-nsg-rules", + "service": "Azure Service Fabric", "services": [ - "AzurePolicy" + "VNet", + "APIM" ], - "severity": "High", - "subcategory": "Governance", - "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "severity": "Medium", + "subcategory": "Cluster architecture", + "text": "Ensure Network Security Groups (NSG) are configured to restrict traffic flow between subnets and node types. 
For example, you may have an API Management instance (one subnet), a frontend subnet (exposing a website directly), and a backend subnet (accessible only to frontend).", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | extend compliant = (isnotnull(properties.virtualMachineProfile.osProfile.secrets))", + "guid": "4e98c903-14cf-4c72-9c45-b8b23bc4cbd8", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#deploy-key-vault-certificates-to-service-fabric-cluster-virtual-machine-scale-sets", + "service": "Azure Service Fabric", "services": [ - "RBAC", - "AzurePolicy" + "AKV", + "Storage", + "VM", + "Entra" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", - "training": "https://learn.microsoft.com/training/modules/governance-security/", + "subcategory": "Cluster architecture", + "text": "Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets. Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. 
Key Vault greatly reduces the chances that secrets may be accidentally leaked.", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "services": [ - "Subscriptions", - "AzurePolicy" - ], + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "001cbb6f-d88d-4431-8434-d01333397776", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster", + "service": "Azure Service Fabric", + "services": [], "severity": "Medium", - "subcategory": "Governance", - "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "subcategory": "Cluster architecture", + "text": "Apply an Access Control List (ACL) to your client certificate for your Service Fabric cluster. 
Using an ACL provides an additional level of authentication.", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "4b74b7a5-bb1e-4fca-948c-037ba95fb73b", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-resource-governance#resource-governance-mechanism", + "service": "Azure Service Fabric", "services": [ - "AzurePolicy" + "ACR" ], - "severity": "High", - "subcategory": "Governance", - "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "severity": "Medium", + "subcategory": "Cluster architecture", + "text": "Use resource requests and limits to govern resource usage across the nodes in your cluster. 
Enforcing resource limits helps ensure that one service doesn't consume too many resources and starve other services.", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "services": [ - "Subscriptions", - "AzurePolicy" - ], - "severity": "Low", - "subcategory": "Governance", - "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "cd9233ba-f3aa-4353-8d2f-7ea4a64160e6", + "link": "", + "service": "Azure Service Fabric", + "services": [], + "severity": "Medium", + "subcategory": "Workload architecture", + "text": "Encrypt Service Fabric package secret values. Encryption on your secret values provides an additional level of security.", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "44b989d4-9f72-42b6-99da-ec2a79f83299", + "link": "", + "service": "Azure Service Fabric", "services": [ - "AzurePolicy" + "AKV" ], - "severity": "High", - "subcategory": "Governance", - "text": "Use built-in policies where possible to minimize operational overhead.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "severity": "Medium", + "subcategory": "Workload architecture", + "text": "Include client certificates in Service Fabric applications. 
Having your applications use client certificates for authentication provides opportunities for security at both the cluster and workload level.", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "28e66ff7-4a77-4b2c-910d-0335f141208a", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets", + "service": "Azure Service Fabric", "services": [ - "Subscriptions", - "Entra", - "RBAC", - "AzurePolicy" + "Entra" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "subcategory": "Workload architecture", + "text": "Authenticate Service Fabric applications to Azure Resources using Managed Identity. 
Using Managed Identity allow you to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control.", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "services": [ - "Subscriptions", - "AzurePolicy" - ], + "category": "Managed clusters", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "f16c413c-00a6-43aa-852c-b97292c33a56", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#hosting-untrusted-applications-in-a-service-fabric-cluster", + "service": "Azure Service Fabric", + "services": [], "severity": "Medium", - "subcategory": "Governance", - "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "subcategory": "Cluster and workload architectures", + "text": "Follow Service Fabric best practices when hosting untrusted applications. 
Following the best practices provides a security standard to follow.", "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "category": "Application Deployment", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", + "services": [], + "severity": "Medium", + "subcategory": "DevOps", + "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "services": [ - "AzurePolicy" + "TrafficManager", + "ASR", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Governance", - "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": 
"78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "category": "BC and DR", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "services": [ - "Subscriptions", - "AzurePolicy" + "ACR" ], "severity": "Medium", - "subcategory": "Governance", - "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.", - "waf": "Security" + "subcategory": "High Availability", + "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "category": "BC and DR", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", + "services": [], + "severity": "Medium", + "subcategory": "High Availability", + "text": "Use more than 1 app instance for your apps", + "waf": "Reliability" + }, + { + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "services": [ - "AzurePolicy" + "Monitor" ], "severity": "Medium", - "subcategory": "Governance", - "text": "For Sovereign Landing Zone, document Sovereign 
Control objectives to policy mapping.", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", + "services": [], + "severity": "Medium", + "subcategory": "Scalability", + "text": "Set up autoscaling in Spring Cloud Gateway", + "waf": "Reliability" + }, + { + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "services": [], + "severity": "Low", + "subcategory": "Scalability", + "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "waf": "Reliability" + }, + { + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", + "services": [], + "severity": "Medium", + "subcategory": "Support", + "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "974a759c-763e-47d2-9161-3a7649907e0e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ASB_v1.docx", "services": [ - "AzurePolicy" + "ServiceBus" ], "severity": "Medium", - "subcategory": "Governance", - "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage FTA Handbook.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure Landing Zone Review", - "guid": "29fd366b-a180-452b-9bd7-954b7700c667", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "49907e0e-338e-4e25-9c17-d32e8aaab757", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/operational-excellence", "services": [ - "Cost", - "TrafficManager", - "Monitor" + "ServiceBus" ], "severity": "Medium", - "subcategory": "Optimize your cloud investment", - "text": "Configure 'Actual' and 'Forecasted' Budget Alerts.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/", - "waf": "Cost" + "subcategory": "Best Practices", + "text": "Implement geo-replication on the sender and receiver side to protect against outages and disasters", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": 
"https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", - "service": "Monitor", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "1549ab81-53d8-49f8-ad17-b84b33b5a67f", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "AzurePolicy", - "Monitor", - "RBAC", - "Entra" + "ServiceBus", + "Storage", + "ASR" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "If you need mission-critical messaging with queues and topics, Service Bus Premium is recommended with Geo-Disaster Recovery.", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "7b9ed5b3-1f38-4c40-9a82-2c2463cf0f18", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "Monitor" + "ServiceBus" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Decide whether to use a single Azure Monitor Logs workspace for all regions or to create multiple workspaces to cover various geographical regions. 
Each approach has advantages and disadvantages, including potential cross-region networking charges", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "subcategory": "Best Practices", + "text": "Implement high availability for the Service Bus namespace", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "ac699ef1-d5a8-43de-9de3-2c1881470607", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "Monitor", - "ARS", - "AzurePolicy", - "Storage" + "ServiceBus" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. 
Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "Ensure related messages are delivered in guaranteed order", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "c5c0e4e6-1465-48d2-958e-d67139b82110", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "Monitor", - "AzurePolicy", - "VM" + "ServiceBus" + ], + "severity": "Low", + "subcategory": "Best Practices", + "text": "Evaluate different Java Messaging Service (JMS) features through the JMS API", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "2df26ee4-11e6-4f88-9e52-f4722dd68c5b", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "services": [ + "ServiceBus" + ], + "severity": "Low", + "subcategory": "Best Practices", + "text": "Use .NET Nuget packages to communicate with Service Bus messaging entities", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "5c2521e5-4a69-4b9d-939a-c4e7c68d1d75", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "services": [ + "ServiceBus" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "Implement resilience for transient fault handling when sending or receiving messages", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", - "service": "VM", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "description": "This will be turned on automatically for a new SB namespace created from the portal with the Premium SKUs in a zone-enabled region. Both the Service Bus metadata and the messages data are replicated across datacenters in the availability zones configuration", + "guid": "338ee253-c17d-432e-aaaa-b7571549ab81", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones", "services": [ - "VM" + "ServiceBus", + "ACR" + ], + "severity": "High", + "subcategory": "Best Practices", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "description": "If enabled, Implements namespace metadata replication to a secondary region. Does not replicate queue/topic message data. 
Premium sku only.", + "guid": "53d89f89-d17b-484b-93b5-a67f7b9ed5b3", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#geo-disaster-recovery", + "services": [ + "ServiceBus", + "Storage", + "ASR" ], "severity": "Medium", - "subcategory": "Operational compliance", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operations" + "subcategory": "Geo-Disaster Recovery", + "text": "Plan for Metadata replication during regional failure", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "description": "If an outage cannot be tolerated, do not use the build-in metadata replication option. 
Leverage a replication pattern to replicate Service Bus messages across two or more sets of cross-region namespaces", + "guid": "1f38c403-a822-4c24-93cf-0f18ac699ef1", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-federation-overview", "services": [ - "VM" + "ServiceBus", + "ASR", + "ACR" ], "severity": "Medium", - "subcategory": "Operational compliance", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operations" + "subcategory": "Geo-Disaster Recovery", + "text": "Plan for Message replication during regional failure", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus uses a message broker to handle messages that are sent to a Service Bus queue or topic. By default, all messages that are sent to a queue or topic are handled by the same message broker process. This architecture can place a limitation on the overall throughput of the message queue. 
However, you can also partition a queue or topic when it is created", + "guid": "d5a83de4-de32-4c18-a147-0607c5c0e4e6", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/data-partitioning-strategies#partitioning-azure-service-bus", "services": [ - "Monitor", - "NetworkWatcher" + "ServiceBus", + "Storage" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Network Watcher to proactively monitor traffic flows.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "For applications which require high throughput, use Patritioning ", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "541acdce-9793-477b-adb3-751ab2ab13ad", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "14658d24-58ed-4671-99b8-21102df26ee4", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters", "services": [ - "Monitor" + "ServiceBus" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use resource locks to prevent accidental deletion of critical shared services.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "Evaluate Premier-tier benefits of Azure Service Bus", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "a6e55d7d-8a2a-4db1-87d6-326af625ca44", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/effect-deny", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "11e6f883-e52f-4472-8dd6-8c5b5c2521e5", + "link": 
"https://learn.microsoft.com/azure/service-bus-messaging/service-bus-messaging-exceptions", "services": [ - "Monitor", - "RBAC", - "AzurePolicy" + "ServiceBus" ], - "severity": "Low", - "subcategory": "Monitoring", - "text": "Use deny policies to supplement Azure role assignments. The combination of deny policies and Azure role assignments ensures the appropriate guardrails are in place to enforce who can deploy and configure resources and what resources they can deploy and configure.", - "training": "https://learn.microsoft.com/azure/role-based-access-control/deny-assignments?tabs=azure-portal", - "waf": "Operations" + "severity": "High", + "subcategory": "Best Practices", + "text": "Ensure that Service Bus Messaging Exceptions are handled properly", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "e5695f22-23ac-4e8c-a123-08ca5017f154", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "4a69b9d3-39ac-44e7-a68d-1d75657202b4", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "Monitor" + "ServiceBus", + "Storage", + "PrivateLink" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Include service and resource health events as part of the overall platform monitoring solution. 
Tracking service and resource health from the platform perspective is an important component of resource management in Azure.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-service-health/", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "Connect to Service Bus with the Advanced Messaging Queue Protocol (AMQP) and use Service Endpoints or Private Endpoints when possible.", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "d5f345bf-97ab-41a7-819c-6104baa7d48c", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "f4564b4d-974a-4759-a763-e7d261613a76", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-performance-improvements?tabs=net-standard-sdk-2", "services": [ - "Monitor" + "ServiceBus" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can be actioned.", - "training": "https://learn.microsoft.com/en-gb/training/modules/incident-response-with-alerting-on-azure/7-actions-and-alert-processing-rules", - "waf": "Operations" + "severity": "High", + "subcategory": "Best Practices", + "text": "Review the Best Practices for performance improvements using Service Bus Messaging", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "e3ab3693-829e-47e3-8618-3687a0477a20", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus Premium provides encryption of data at rest. 
If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", "services": [ - "Monitor" + "ServiceBus" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. If on-premises SIEM integration is required, then send critical alerts instead of logs.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/", - "waf": "Operations" + "severity": "Low", + "subcategory": "Data Protection", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", "services": [ - "Monitor" + "ServiceBus" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Monitor Logs for insights and reporting.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", - "waf": "Operations" + "subcategory": "Data Protection", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "619e8a13-f988-4795-85d6-26886d70ba6c", - "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", "services": [ - "Monitor", - "Storage" + "Entra", + "ServiceBus", + "TrafficManager", + "AzurePolicy", + "RBAC" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "When necessary, use shared storage accounts within the landing zone for Azure diagnostic extension log storage.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-extensions/", - "waf": "Operations" + "subcategory": "Identity and Access Management", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. 
We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.", + "graph": "Resources | where type =~ 'microsoft.servicebus/namespaces' | extend compliant = iif(properties.disableLocalAuth == 'false', 'No', 'Yes') | project id, compliant", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication", + "service": "Service Bus", "services": [ - "Monitor" + "ServiceBus", + "Entra" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Monitor alerts for the generation of operational alerts.", - "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", - "waf": "Operations" + "subcategory": "Identity and Access Management", + "text": "When possible, disable SAS key authentication (or local authentication) and use only Microsoft Entra ID for authentication", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "859c3900-4514-41eb-b010-475d695abd74", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", "services": [ - "Monitor" + "Entra", + "ServiceBus", + "Storage", + "RBAC", + "Subscriptions" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Ensure that monitoring requirements have been assessed and that appropriate data collection and alerting configurations are applied.", - "training": "https://learn.microsoft.com/training/paths/az-104-monitor-backup-resources/", - "waf": "Operations" + "severity": "High", + "subcategory": "Identity and Access Management", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. 
Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", "services": [ + "ServiceBus", + "VNet", "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", - "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", - "waf": "Operations" + "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "aa45be6a-8f2d-4896-b0e3-775e6e94e610", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-monitor", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", "services": [ - "Monitor", - "AzurePolicy" + "ServiceBus", + "PrivateLink", + "VNet" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Deploy AMBA to establish monitoring for platform components of your landing zone - AMBA is a framework solution that is available and provides an easy way to scale alerting by using Azure Policy.", - "training": "https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/", - "waf": "Operations" + "subcategory": "Networking", + "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "aa45be6a-8f2d-4896-b0e3-885e6e94e770", - "link": "https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", "services": [ - "Monitor" + "ServiceBus" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Monitoring Agent (AMA). 
The Log Analytics agent is deprecated since August 31,2024", - "training": "https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview#installation", - "waf": "Operations" + "subcategory": "Networking", + "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", - "guid": "0d83fd81-952c-4d47-a6cb-3a930925ef2e", - "link": "https://learn.microsoft.com/en-gb/azure/storage/common/redundancy-migration?tabs=portal", - "services": [ - "Cost", - "Storage" - ], + "category": "Operations Management", + "checklist": "Stream Analytics Review Checklist", + "guid": "32e52e36-11c8-418b-8a0b-c511e43a18a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-stream_analytics_v1.docx", + "services": [], "severity": "High", - "subcategory": "Data Protection", - "text": "Ensure that storage accounts are zone or region redundant, Redundancy ensures storage accounts meet availability and durability targets amidst failures, weighing lower costs against higher availability. 
Locally redundant storage offers the least durability at the lowest cost.", - "training": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "subcategory": "High Availablity ", + "text": "Leverage FTA Resiliency Handbook for Stream Analytics", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "7ea02e1c-7166-45a3-bdf5-098891367fcb", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "category": "Operations Management", + "checklist": "Stream Analytics Review Checklist", + "description": "Azure Stream Analytics provides high availability (99.9% SLA) for jobs and clusters within a region, the details of which are transparent to the end customer. If failures occur within the service, per the documentation �Azure Stream Analytics guarantees exactly once event processing and at-least-once delivery of events, so events are never lost.�", + "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", + "link": "https://azure.microsoft.com/en-in/products/stream-analytics", "services": [], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enable cross-region replication in Azure for BCDR with paired regions.", - "training": "https://learn.microsoft.com/training/modules/provide-disaster-recovery-replicate-storage-data/", + "subcategory": "High Availablity ", + "text": "Understand High Availability 99% SLA and use it to plan your DR strategy", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", + "category": "Operations Management", + "checklist": "Stream Analytics Review Checklist", + "description": "Azure Stream Analytics resources (jobs, clusters, etc.) are regional and do not provide automatic geo-failover. 
However, you can achieve geo-redundancy by deploying identical Stream Analytics jobs in multiple Azure regions. Each job connects to local input and output sources. It is the responsibility of your application to both send input data into the two regional inputs and reconcile between the two regional outputs.", + "guid": "fc833934-8b26-42d6-ac5f-512925498e6d", + "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy", + "services": [], + "severity": "Medium", + "subcategory": "Geo Redundancy", + "text": "Plan for Geo Redudancy of the service", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Stream Analytics Review Checklist", + "guid": "b9d37dac-43bc-46cd-8d7a-a9b24604489a", + "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy", + "services": [], + "severity": "Medium", + "subcategory": "Geo Redundancy", + "text": "Depending on your availablity requirement, configure Active/Active configuration or Active/Passive configuration ", + "waf": "Reliability" + }, + { + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Restrict the use of local authentication methods for data plane access. 
Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.", + "guid": "32d41e36-11c8-417b-8afb-c410d4391898", + "service": "Azure Synapse Analytics", "services": [ - "Backup" + "SQL", + "Entra" ], - "severity": "Low", - "subcategory": "Data Protection", - "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "Reliability" + "severity": "High", + "subcategory": "", + "text": "Restrict use of local users on sql workloads on Synapse", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use Microsoft Entra ID as the default authentication method to control your data plane access.", + "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", "services": [ - "AzurePolicy", - "VM" + "Entra" ], "severity": "Medium", - "subcategory": "Operational compliance", - "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", + "subcategory": "", + "text": "Use managed identity to authenticate to the services", "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "description": "Use Azure Policy's guest configuration features to audit and remediate machine 
settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.", + "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", + "service": "Azure Synapse Analytics", "services": [ - "Monitor", "AzurePolicy", - "VM" + "Entra" ], - "severity": "Medium", - "subcategory": "Operational compliance", - "text": "Monitor VM security configuration drift via Azure Policy.", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "severity": "High", + "subcategory": "", + "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies", "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse also includes Synapse role-based access control (RBAC) roles to manage different aspects of Synapse Studio. 
Leverage these built-in roles to assign permissions to users, groups, or other security principals to manage who can Publish code artifacts and list or access published code artifacts,Execute code on Apache Spark pools and integration runtimes,Access linked (data) services that are protected by credentials,Monitor or cancel job executions, review job output and execution logs.", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", "services": [ - "ACR", - "ASR", - "VM" + "RBAC", + "Storage", + "Monitor", + "Entra" ], "severity": "Medium", - "subcategory": "Protect and Recover", - "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.", - "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", - "waf": "Operations" + "subcategory": "", + "text": "Use Azure RBAC to control access on storage and Synapse RBAC to control access on workspace level depending on the personas of the team to fine grain the access on data and compute", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "b2ab13ad-a6e5-45d7-b8a2-adb117d6326a", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", "services": [ - "ASR" + "SQL", + "Entra" ], "severity": "Medium", - "subcategory": 
"Protect and Recover", - "text": "Use native PaaS service disaster recovery capabilities. Perform failover testing with these capabilities.", - "training": "https://learn.microsoft.com/en-us/training/modules/explore-iaas-paas-platform-tools-for-high-availability-disaster-recovery/", - "waf": "Operations" + "subcategory": "", + "text": "Implement RLS, CLS and data masking on sql workloads in dedicated sql pool to add additional layer of security", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "category": "Network Security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network. 
This can be selected when deploying a workspace", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "services": [ - "Backup" + "VNet" ], "severity": "Medium", - "subcategory": "Protect and Recover", - "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "Operations" + "subcategory": "", + "text": "Use managed vnet workspace to restrict the access over public internet", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", + "category": "Network Security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "To protect any sensitive data, it's recommended to disable public access to the workspace endpoints entirely. By doing so, it ensures all workspace endpoints can only be accessed using�private endpoints.", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "services": [ - "WAF", - "AppGW", - "FrontDoor" + "PrivateLink" ], - "severity": "High", - "subcategory": "App delivery", - "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. 
Regularly review the logs to check for attacks and for false positive detections.", - "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "", + "text": "Configure private endpoints to connect to the external services and disable public access", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "category": "Network Security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "If public access needs to be enabled, it's highly recommended to configure the IP firewall rules to allow inbound connections only from the specified list of public IP addresses.", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "services": [], + "subcategory": "", + "text": "If enabling public access highly recommended to configure IP firewall rules", + "waf": "Security" + }, + { + "category": "Network Security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", "services": [ - "WAF", - "Sentinel", - "AppGW", - "FrontDoor" + "VM", + "VNet" ], "severity": "Medium", - "subcategory": "App delivery", - "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. 
Detect attacks and integrate WAF telemetry into your overall Azure environment.", - "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", - "waf": "Operations" + "subcategory": "", + "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn�t leave your corporate network", + "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "b86ad884-08e3-4727-94b8-75ba18f20459", - "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response", + "category": "Network Security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "This can be done only when deploying the workspace, but Python libraries installed from public repositories like PyPI are not supported. (Think about the limitation before enabling it)", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + "service": "Azure Synapse Analytics", "services": [], "severity": "Medium", - "subcategory": "Access control", - "text": "Determine the incident response plan for Azure services before allowing it into production.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-incident-readiness/", + "subcategory": "", + "text": "Enable Data Exfiltration Protection (DEP)", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "01365d38-e43f-49cc-ad86-8266abca264f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security-zero-trust", - "services": [], + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "First layer of encryption is done by 
Microsoft managed keys, you can add a second layer of encryption using Customer managed Keys", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure Synapse Analytics", + "services": [ + "AKV" + ], "severity": "Medium", - "subcategory": "Access control", - "text": "Apply a zero-trust approach for access to the Azure platform.", - "training": "https://learn.microsoft.com/training/modules/introduction-zero-trust-best-practice-frameworks/", + "subcategory": "", + "text": "Data Encryption at rest using Customer managed Keys for workspace", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse leverages TLS to ensure data is encrypted in motion. SQL dedicated pools support TLS 1.0, TLS 1.1, and TLS 1.2 versions for encryption wherein Microsoft-provided drivers use TLS 1.2 by default. 
Serverless SQL pool and Apache Spark pool use TLS 1.2 for all outbound connections.", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", + "services": [ + "SQL" + ], + "severity": "Medium", + "subcategory": "", + "text": "Data Encryption in transit ", + "waf": "Security" + }, + { + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use Keyvaults to store your secrets and credentials", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "service": "Azure Synapse Analytics", "services": [ "AKV" ], "severity": "High", - "subcategory": "Encryption and keys", - "text": "Use Azure Key Vault to store your secrets and credentials.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "subcategory": "", + "text": "Store passwords, secerts and keys in Azure key vault", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "category": "", + "checklist": "Use the 'Import latest checklist' button to get the 
latest version of a review checklist", + "description": "You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.", + "guid": "a3aec2c4-e243-46b0-936d-b55e17960eee", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", "services": [ "AKV" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "subcategory": "", + "text": "Use Azure Key Vault secrets in pipeline activities" + }, + { + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Restrict the use of local authentication methods for data plane access. Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "service": "Azure Data Factory", + "services": [ + "Entra" + ], + "severity": "High", + "subcategory": "", + "text": "Restrict use of local users whereever necessary", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Managed identities eliminate the need to manage credentials. 
Managed identities provide an identity for the service instance when connecting to resources that support Microsoft Entra authentication.", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", "services": [ - "AKV", - "AzurePolicy" + "Entra" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "subcategory": "", + "text": "Use managed identity to authenticate to the services", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "service": "Azure Data Factory", "services": [ - "AKV", - "RBAC", + "AzurePolicy", "Entra" ], - "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "severity": "High", + "subcategory": "", + "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone 
Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Network Security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "4e4f1854-287d-45cd-a126-cc032af5b1fc", + "service": "Azure Data Factory", + "services": [], + "severity": "Medium", + "subcategory": "", + "text": "Disable access over public internet and configure either firewall rules or trusted services rules" + }, + { + "category": "Network Security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "service": "Azure Data Factory", "services": [ - "AKV" + "VM", + "VNet" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", - "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "subcategory": "", + "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn�t leave your corporate network", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Network Security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "When you create an Azure integration runtime within a Data Factory managed virtual network, the integration runtime is provisioned with the managed virtual network. 
It uses private endpoints to securely connect to supported data stores.", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "service": "Azure Data Factory", + "services": [ + "PrivateLink", + "VNet" + ], + "severity": "Medium", + "subcategory": "", + "text": "Use managed vnet IR to restrict the access over public internet for Azure Integration Runtime", + "waf": "Security" + }, + { + "category": "Network Security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Managed private endpoints are private endpoints created in the Data Factory managed virtual network that establishes a private link to Azure resources. Data Factory manages these private endpoints on your behalf.", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", "services": [ - "AKV" + "PrivateLink", + "VNet", + "EventHubs" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Establish an automated process for key and certificate rotation.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "subcategory": "", + "text": "Configure managed private endpoints to connect to resources using managed azure IR", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "By using Azure Private Link, you can connect to various platform as a service (PaaS) deployments in Azure via a private endpoint. 
A private endpoint is a private IP address within a specific virtual network and subnet", + "guid": "b47a393a-0804-4272-a479-8b1578b219a4", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-private-link", "services": [ - "AKV", "PrivateLink", "VNet" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", - "waf": "Security" + "subcategory": "", + "text": "Configure Private Links to connect to sources in customer Vnet and data factory" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "This is a default setting", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "service": "Azure Data Factory", "services": [ - "AKV", - "Monitor", - "Entra" + "AKV" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "subcategory": "", + "text": "Data Encryption at rest by Microsoft managed keys", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Data Protection", + "checklist": "Use the 
'Import latest checklist' button to get the latest version of a review checklist", + "description": "This is a default setting", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "service": "Azure Data Factory", "services": [ - "AKV", - "AzurePolicy" + "AKV" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "subcategory": "", + "text": "Data Encryption in transit by Microsoft managed keys", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "16183687-a047-47a2-8994-5bda43334f24", - "link": "https://learn.microsoft.com/azure/security/fundamentals/encryption-atrest", + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "When you specify a customer-managed key, Data Factory uses�both�the factory system key and the CMK to encrypt customer data. 
Missing either would result in Deny of Access to data and factory.", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", "services": [ "AKV" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "subcategory": "", + "text": "Data Encryption in transit by BYOK (Customer managed keys)", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", "services": [ "AKV" ], - "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "severity": "High", + "subcategory": "", + "text": "Store passwords, secrets in Azure Key Vault", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' 
button to get the latest version of a review checklist", + "description": "You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.", + "guid": "6f4a1652-bddd-4ea8-a487-cdec4861bc3b", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", "services": [ - "ACR", - "AKV", - "ASR" + "AKV" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "subcategory": "", + "text": "Use Azure Key Vault secrets in pipeline activities" + }, + { + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "You can encrypt and store credentials for any of your on-premises data stores (linked services with sensitive information) on a machine with self-hosted integration runtime.", + "guid": "c14aeb7e-66e8-4d9a-9bec-218e6436b173", + "link": "https://learn.microsoft.com/azure/data-factory/encrypt-credentials-self-hosted-integration-runtime", + "service": "Azure Data Factory", + "services": [], + "severity": "Medium", + "subcategory": "", + "text": "Encrypt credentials for on-premises using SHIR data stores in Azure Data Factory" + }, + { + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "service": "Microsoft Purview", + "services": [ + "RBAC", + "Entra" + ], + "severity": "Medium", + 
"subcategory": "", + "text": "Define roles and responsibilities to manage Microsoft Purview in control plane and data plane", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use Azure RBACs for this", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", "services": [ - "AKV" + "RBAC", + "Subscriptions", + "Entra" ], "severity": "Medium", - "subcategory": "Encryption and keys", - "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "subcategory": "", + "text": "Define roles and tasks required to deploy and manage Microsoft Purview inside an Azure subscription (control plane)", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use Microsoft Purview roles for this.", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", "services": [ + "RBAC", "Entra" ], 
"severity": "Medium", - "subcategory": "Operations", - "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", - "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "subcategory": "", + "text": "Define roles and task needed to perform data management and governance using Microsoft Purview. (Data plane for Data Map and Data Catalog.)", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "4e3ab369-3829-4e7e-9161-83687a0477a2", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "service": "Microsoft Purview", "services": [ - "Monitor", - "ARS", - "Storage" + "RBAC", + "Entra" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Export Azure activity logs to Azure Monitor Logs for long-term data retention. 
Export to Azure Storage for long-term storage beyond two years, if necessary.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "subcategory": "", + "text": "Assign roles to Microsoft Entra groups instead of assigning roles to individual users.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", "services": [ - "Subscriptions", - "Defender" + "Entra" ], - "severity": "High", - "subcategory": "Operations", - "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "severity": "Medium", + "subcategory": "", + "text": "Use Azure�Active Directory Entitlement Management�to map user access to Microsoft Entra groups using Access Packages.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "service": "Microsoft Purview", "services": [ - "Subscriptions", - "Defender" + "RBAC", + "Entra" ], 
"severity": "High", - "subcategory": "Operations", - "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "subcategory": "", + "text": "Enforce multifactor authentication for Microsoft Purview users, especially, for users with privileged roles such as collection admins, data source admins or data curators.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "service": "Microsoft Purview", "services": [ - "Subscriptions", - "Defender" + "Entra" ], "severity": "High", - "subcategory": "Operations", - "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "subcategory": "", + "text": "Use Microsoft Entra ID to provide authentication and authorization to all users, security groups registered in Entra, service principal and managed identities inside collections in Microsoft Purview", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", - "services": [], + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": 
"4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "service": "Microsoft Purview", + "services": [ + "Entra" + ], "severity": "High", - "subcategory": "Operations", - "text": "Enable Endpoint Protection on IaaS Servers.", - "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "subcategory": "", + "text": "Define Least Privilege model and Lower exposure of privileged accounts", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "category": "Network security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", "services": [ - "Monitor", - "Defender" + "PrivateLink" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "subcategory": "", + "text": "Enable�end-to-end network isolation�using Private Link Service. 
(Microsoft Purview Data Map)", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", - "services": [ - "Monitor", - "Entra" - ], + "category": "Network security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", + "services": [], "severity": "Medium", - "subcategory": "Operations", - "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "subcategory": "", + "text": "Use�Microsoft Purview Firewall�to disable Public access. 
(Microsoft Purview Data Map)", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", - "guid": "a56888b2-7e83-4404-bd31-b886528502d1", - "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", - "service": "Entra", + "category": "Network security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", "services": [ - "ACR", - "Entra" + "VM", + "VNet", + "PrivateLink" ], - "severity": "High", - "subcategory": "Operations", - "text": "Centralized threat detection with correlated logs - consolidate security data in a central location where it can be correlated across various services via SIEM (security information and event management)", + "severity": "Medium", + "subcategory": "", + "text": "Deploy�Network Security Group (NSG) rules�for subnets where Azure data sources private endpoints, Microsoft Purview private endpoints and self-hosted runtime VMs are deployed. 
(Microsoft Purview Data Map)", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "category": "Network security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Microsoft Purview", "services": [ - "Entra" + "NVA", + "PrivateLink", + "Firewall" ], "severity": "Medium", - "subcategory": "Operations", - "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.", + "subcategory": "", + "text": "Implement Microsoft Purview with private endpoints managed by a Network Virtual Appliance, such as�Azure Firewall�for network inspection and network filtering. (Microsoft Purview Data Map)", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "category": "Network security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "This private endpoint is also a prerequisite for the portal private endpoint. The Microsoft Purview�portal�private endpoint is required to enable connectivity to Microsoft Purview governance portal using a private network. Microsoft Purview can scan data sources in Azure or an on-premises environment by using ingestion private endpoints. 
Limitations on using private endpoints https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network", + "service": "Microsoft Purview", "services": [ - "Entra" + "PrivateLink", + "VNet" ], "severity": "Medium", - "subcategory": "Operations", - "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.", + "subcategory": "", + "text": "Deploy private endpoints for Microsoft Purview accounts to add another layer of security, so only client calls that are originated from within the virtual network are allowed to access the Microsoft Purview account", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "874a748b-662d-46d1-9051-2a66498f6dfe", - "link": "https://learn.microsoft.com/azure/event-grid/set-alerts", - "services": [ - "Monitor" - ], - "severity": "Low", - "subcategory": "Operations", - "text": "Use an Azure Event Grid-based solution for log-oriented, real-time alerts.", - "training": "https://learn.microsoft.com/training/modules/azure-event-grid/", + "category": "Network security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. 
Limitation to be reviewed: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "service": "Microsoft Purview", + "services": [], + "severity": "Medium", + "subcategory": "", + "text": "Block public access using Microsoft Purview firewall", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", + "category": "Network security", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", "services": [ - "Storage" + "VNet" ], - "severity": "High", - "subcategory": "Overview", - "text": "Enable secure transfer to storage accounts.", - "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "severity": "Medium", + "subcategory": "", + "text": "Use Network Security Groups to filter network traffic to and from Azure resources in an Azure virtual network", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "guid": 
"e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "service": "Microsoft Purview", "services": [ - "Storage" + "VM", + "VNet" ], "severity": "High", - "subcategory": "Overview", - "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", + "subcategory": "", + "text": "If you have sensitive data that cannot leave the boundary of your on-prem vnet it is highly recommended to use SHIR VMs inside your corporate vnet to extract your metadata ", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "6f704104-85c1-441f-96d3-c9819911645e", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning", + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Metadata is extracted and stored in Microsoft Purview Data Map, if you are not using managed storage account for your Purview account they are open to be accessed by all so implement proper RBACs and retrict the access of Data to only intended users. 
Applicable to Accounts deployed after December 15, 2023 (or deployed using API version 2023-05-01-preview onwards", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "service": "Microsoft Purview", "services": [ - "Entra" + "RBAC", + "Storage" ], - "severity": "High", - "subcategory": "Secure privileged access", - "text": "Separate privileged admin accounts for Azure administrative tasks.", - "training": "https://learn.microsoft.com/training/modules/design-solutions-secure-privileged-access/", + "severity": "Medium", + "subcategory": "", + "text": "Use Azure RBACs to restrict the access of your storage account (not managed by MS) only to intended users.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "9a19bf39-c95d-444c-9c89-19ca1f6d5215", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework", - "services": [], + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "service": "Microsoft Purview", + "services": [ + "AKV" + ], "severity": "Medium", - "subcategory": "Service enablement framework", - "text": "Plan how new azure services will be implemented.", + "subcategory": "", + "text": "Data in rest is encrypted by microsoft managed keys", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Landing Zone Review", - "guid": "ae514b93-3d45-485e-8112-9bd7ba012f7b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework", + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "service": "Microsoft Purview", "services": [], "severity": "Medium", - "subcategory": "Service 
enablement framework", - "text": "Plan how service request will be fulfilled for Azure services.", + "subcategory": "", + "text": "Data in transit is encrypted by TLS 1.3", "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops", - "services": [], + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "service": "Microsoft Purview", + "services": [ + "AKV", + "Entra" + ], "severity": "High", - "subcategory": "DevOps Team Topologies", - "text": "Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.", - "training": "https://learn.microsoft.com/training/modules/choose-an-agile-approach/", - "waf": "Operations" + "subcategory": "", + "text": "Always use Azure key vaults to store all credentials if not using managed identities or without password need methods", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "634146bf-7085-4419-a7b5-f96d2726f6da", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations", + "category": "Protection against accidential deletion", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "service": "Microsoft Purview", "services": [], - "severity": "Low", - "subcategory": "DevOps Team Topologies", - "text": "Aim to define functions for Azure Landing Zone Platform team.", - "training": 
"https://learn.microsoft.com/training/paths/az-400-work-git-for-enterprise-devops/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "", + "text": "Prevent accidental deletion of Microsoft Purview accounts by applying resource Locks", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "a9e65070-c59e-4112-8bf6-c11364d4a2a5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations", + "category": "", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", "services": [ - "RBAC" + "Subscriptions", + "Entra" ], - "severity": "Low", - "subcategory": "DevOps Team Topologies", - "text": "Aim to define functions for application workload teams to be self-sufficient and not require DevOps Platform Team support. 
Achieve this through the use of custom RBAC role.", - "training": "https://learn.microsoft.com/training/paths/az-400-work-git-for-enterprise-devops/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "", + "text": "Plan for a break glass strategy for your Microsoft Entra tenant, Azure subscription and Microsoft Purview accounts to prevent tenant-wide account lockout.", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "165eb5e9-b434-448a-9e24-178632186212", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code", - "services": [], + "category": "Additional security recommendation", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "service": "Microsoft Purview", + "services": [ + "Defender" + ], "severity": "Medium", - "subcategory": "DevOps Team Topologies", - "text": "Use a CI/CD pipeline to deploy IaC artifacts and ensure the quality of your deployment and Azure environments.", - "training": "https://learn.microsoft.com/training/modules/manage-multiple-environments-using-bicep-azure-pipelines/", - "waf": "Operations" + "subcategory": "", + "text": "Integrate with Microsoft 365 and Microsoft Defender for Cloud", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "0cadb8c7-8fa5-4fbf-8f39-d1fadb3b0460", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "services": [], - "severity": "Medium", - "subcategory": "DevOps Team Topologies", - "text": "Include unit tests for IaC and application code as part of your build process.", - "training": "https://learn.microsoft.com/training/modules/run-quality-tests-build-pipeline/", - "waf": 
"Operations" + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Separate admin accounts from normal user accounts.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "service": "Azure Databricks", + "services": [ + "Entra" + ], + "severity": "High", + "subcategory": "", + "text": "Define Least Privilege model and Lower exposure of privileged accounts", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Databricks supports Microsoft Entra ID conditional access, which allows administrators to control where and when users are permitted to sign in to Azure Databricks. Conditional access policies can restrict sign-in to your corporate network or can require multi-factor authentication (MFA).", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", "services": [ - "AKV", - "VM" + "AzurePolicy", + "Entra" ], "severity": "High", - "subcategory": "DevOps Team Topologies", - "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", - "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", - "waf": "Operations" + "subcategory": "", + "text": "Configure single sign-on and unified login. 
Enable multi-factor authentication.", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "a52e0c98-76b9-4a09-a1c9-6b2babf22ac4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Customers can use the Token Management API or UI controls to enable or disable personal access tokens (PATs) for REST API authentication, limit the users who are allowed to use PATs, set the maximum lifetime for new tokens, and manage existing tokens. Highly-secure customers typically provision a maximum token lifetime for new tokens for a workspace. This feature requires the Premium pricing tier.", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens", + "service": "Azure Databricks", "services": [ - "Subscriptions" + "Entra" ], - "severity": "Low", - "subcategory": "DevOps Team Topologies", - "text": "Implement automation for new landing zone for applications and workloads through subscription vending.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "", + "text": "Use token management.", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "cfe363b5-f579-4284-bc56-a42153e4c10b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code", - "services": [], + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "If you have Databricks administrators who are also normal users of the Databricks platform (for example, there�s a lead data 
engineer who administers the platform and also does data engineering work), Databricks recommends creating a separate account for administrative tasks. It�s important to note that as part of the Azure RBAC model, users that are given Contributor or above permissions to the Resource Group for a deployed Azure Databricks workspace automatically become administrators when they login to that workspace. Therefore, the same considerations outlined above should be applied to Azure portal users too.", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "service": "Azure Databricks", + "services": [ + "RBAC", + "Entra" + ], "severity": "High", - "subcategory": "Development Lifecycle", - "text": "Ensure a version control system is used for source code of applications and IaC developed. Microsoft recommends Git.", - "training": "https://learn.microsoft.com/training/paths/intro-to-vc-git/", - "waf": "Operations" + "subcategory": "", + "text": "Separate admin accounts from normal user accounts", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "c7245dd4-af8a-403a-8bb7-890c1a7cfa9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle", - "services": [], - "severity": "Low", - "subcategory": "Development Lifecycle", - "text": "Follow a branching strategy to allow teams to collaborate better and efficiently manage version control of IaC and application Code. Review options such as Github Flow.", - "training": "https://learn.microsoft.com/training/modules/manage-git-branches-workflows/", - "waf": "Operations" + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "SCIM (System for Cross-domain Identity Management) allows you to sync users and groups from Microsoft Entra ID to Azure Databricks. 
There are three major benefits of this approach: 1. When you remove a user, the user is automatically removed from Databricks. 2. Users can also be disabled temporarily via SCIM. Customers have used this capability for scenarios where customers believe that an account may be compromised and need to investigate 3. Groups are automatically synchronized Please refer to the documentation for detailed instructions on how to configure SCIM for Azure Databricks. This feature requires the Premium pricing tier", + "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", + "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/", + "service": "Azure Databricks", + "services": [ + "Entra" + ], + "severity": "Medium", + "subcategory": "", + "text": "SCIM synchronization of users and groups.", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "12aeea20-9165-4b3e-bdf2-6795fcd3cdbe", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle", - "services": [], + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Using either cluster policies or the older cluster ACLs, admins can define what users or groups within the organization are able to create clusters. Cluster ACLs allow you to specify which users can attach a notebook to a given cluster. Note that if a user shares a notebook already attached to a standard mode cluster, the recipient will also be able to execute code on that cluster. This does not apply to clusters that enforce user isolation: SQL Warehouses, high concurrency with table ACLs clusters, and high concurrency with credential passthrough clusters. 
Customers who use Unity Catalog can also enable single-user clusters to enforce isolation clusters.", + "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", + "service": "Azure Databricks", + "services": [ + "SQL", + "Entra", + "Storage", + "EventHubs", + "AzurePolicy" + ], "severity": "Medium", - "subcategory": "Development Lifecycle", - "text": "Adopt a pull request strategy to help keep control of code changes merged into branches.", - "training": "https://learn.microsoft.com/training/modules/review-azure-infrastructure-changes-using-bicep-pull-requests/", - "waf": "Operations" + "subcategory": "", + "text": "Limit cluster creation rights.", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "2676ae46-65ca-444e-8695-fdddeace4cb1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-platform", - "services": [], - "severity": "Medium", - "subcategory": "Development Lifecycle", - "text": "Establish a process for using code to implement quick fixes. 
Always register quick fixes in your team's backlog so each fix can be reworked at a later point, and you can limit technical debt.", - "training": "https://learn.microsoft.com/training/modules/branch-merge-git/", - "waf": "Operations" + "category": "", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Account admins can configure a workspace setting called RestrictWorkspaceAdmins to restrict workspace admins to only change a job owner to themselves and the job run as setting to a service principal that they have the Service Principal User role on.", + "guid": "6b57dfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/databricks/admin/workspace-settings/restrict-workspace-admins", + "services": [ + "RBAC" + ], + "severity": "High", + "subcategory": "", + "text": "Restrict workspace admins" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "2cdc9d99-dbcc-4ad4-97f5-e7d358bdfa73", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code", - "services": [], + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "It�s important to note that even if customers use Azure Key Vault to store their secrets, access controls still need to be defined within Azure Databricks. This is because the same service identity is used to retrieve the secret for all users of an Azure Databricks workspace.", + "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", + "service": "Azure Databricks", + "services": [ + "AKV", + "Entra" + ], "severity": "High", - "subcategory": "Development Strategy", - "text": "Leverage Declarative Infrastructure as Code Tools such as Azure Bicep, ARM Templates or Terraform to build and maintain your Azure Landing Zone architecture. 
Both from a Platform and Application workload perspective.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-infrastructure-as-code-using-bicep/", - "waf": "Operations" + "subcategory": "", + "text": "Store passwords, secrets in Azure Key Vault", + "waf": "Security" }, { - "category": "Platform Automation and DevOps", - "checklist": "Azure Landing Zone Review", - "guid": "cc87a3bc-c572-4ad2-92ed-8cabab66160f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/landing-zone-security#secure", - "services": [], + "category": "", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "42b16c21-d799-49a6-96f4-389a8f42c78e", + "services": [ + "AKV" + ], "severity": "High", - "subcategory": "Security", - "text": "Integrate security into the already combined process of development and operations in DevOps to mitigate risks in the innovation process.", - "training": "https://learn.microsoft.com/training/paths/az-400-implement-security-validate-code-bases-compliance/", - "waf": "Operations" + "subcategory": "", + "text": "Regenerate/rotate keys if using them periodically" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "fda1dae2-dc95-4d48-a6c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/synapse-analytics/sql-data-warehouse/backup-and-restore#geo-backups-and-disaster-recovery", + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Clusters with user isolation include enforcement such that each user runs as a different non-privileged user account on the cluster host. 
Languages are also limited to those that can be implemented in an isolated manner (SQL and Python), and Spark APIs must be on an allowlist of those we believe to be isolation-safe.", + "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3", + "service": "Azure Databricks", "services": [ - "Backup" + "SQL", + "Entra" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Enable Geo Backup ", - "waf": "Reliability" + "subcategory": "", + "text": "Use clusters that support user isolation.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "89e558b9-37d4-4974-b111-2dbd7baf12e7", - "link": "https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/how-to-use-ci-cd-integration-to-automate-the-deploy-of-a-synapse/ba-p/2248060", - "services": [], + "category": "Identity and Access Management", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "It is against security best practices to tie production workloads to individual user accounts, and so we recommend configuring Service Principals within Databricks. Service Principles separate administrator and user actions from the workload and prevent workloads from being impacted if a user leaves an organization. With Databricks, you can configure jobs to run as service principals and generate Personal Access Tokens for Service Principals.", + "guid": "e29711b1-352b-4eee-879b-588defc5972c", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/", + "service": "Azure Databricks", + "services": [ + "RBAC", + "Entra" + ], "severity": "Medium", - "subcategory": "DevOps", - "text": "Integrate with Azure DevOps to deploy Multiple environments", - "waf": "Reliability" + "subcategory": "", + "text": "Use service principals to run production jobs. 
Use proper access control for workspace level (ACLs), account level (RBACs) and data level (Unity catalog) security controls", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "b94ef6e0-47d2-4da2-a82b-1cd6d2f54b29", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "services": [], + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "By default, DBFS is a filesystem that is accessible to all users of the given workspace and can be accessed via API. This is not necessarily a major data exfiltration concern as you can limit access to accessing data via the DBFS API or Databricks cli using IP access lists or private network access. However, as use of Azure Databricks grows and more users join a workspace, those users would have access to any data stored in DBFS, creating the potential for undesired information sharing. 
Databricks recommends that our customers do not store production data in DBFS.", + "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c", + "service": "Azure Databricks", + "services": [ + "Storage" + ], "severity": "High", - "subcategory": "DR", - "text": "BCDR for Azure Synapse pipelines ", - "waf": "Reliability" + "subcategory": "", + "text": "Avoid storing production data in DBFS.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "769e3a69-1e88-438a-a936-667e13c00567", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "services": [], - "severity": "High", - "subcategory": "DR", - "text": "Use Zone Redudant pipelines in regions supporting Availablity Zones", - "waf": "Reliability" + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "For the storage accounts that you manage, it is your responsibility to ensure that the storage accounts are protected according to your requirements. 
Examples might include: Encryption with your customer-managed key, Restrict access to trusted networks with a storage firewall, Anonymous public access is not allowed", + "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "services": [ + "Storage" + ], + "severity": "Medium", + "subcategory": "", + "text": "Encrypt storage and restrict access.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "4b1e944a-4598-437e-b7ad-6c6d3b365a5c", - "link": "https://learn.microsoft.com/azure/synapse-analytics/cicd/source-control", - "services": [], - "severity": "Low", - "subcategory": "DevOps", - "text": "Create Scripts for all DLL Statements and save in Git Repository ", - "waf": "Reliability" + "category": "Data Protection", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Add a customer-managed key for select data stored within the Azure Databricks control plane, such as notebooks, secrets, Databricks SQL queries, and Databricks SQL query history and for the root storage account used for DBFS. Azure Databricks requires access to this key for ongoing operations. You can revoke access to the key to prevent Azure Databricks from accessing encrypted data within the control plane (or in our backups). This is like a �nuclear option� where the workspace ceases to function, but it provides an emergency control for extreme situations. 
This feature requires the Premium pricing tier.", + "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "services": [ + "AKV", + "Storage", + "SQL", + "Backup" + ], + "severity": "Medium", + "subcategory": "", + "text": "Add a customer-managed key for managed services and workspace storage", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "7acbe48a-be54-4cd7-af2e-87768358c559", - "link": "https://learn.microsoft.com/azure/synapse-analytics/spark/apache-spark-development-using-notebooks", - "services": [], - "severity": "Low", - "subcategory": "DevOps", - "text": "When working with Spark Notebooks, make sure to integrate with Git or Azure DevOps", - "waf": "Reliability" + "category": "Networking", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Configure IP access lists that restrict the IP addresses that can authenticate to Databricks at account console and workspace level by checking if the user or API client is coming from a known good IP address range such as a VPN or office network. Established user sessions do not work if the user moves to a bad IP address, such as when disconnecting from the VPN. 
", + "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", + "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list", + "service": "Azure Databricks", + "services": [ + "VPN" + ], + "severity": "Medium", + "subcategory": "", + "text": "Enable IP access lists to restrict access to certain IP addresses.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "775c6ee9-5b86-4ad8-a44c-e3b2b38b875b", - "link": "https://learn.microsoft.com/azure/synapse-analytics/sql-data-warehouse/backup-and-restore", - "services": [], + "category": "Networking", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Private Link provides a private network route from one Azure environment to another. Private Link can be configured both between Azure Databricks users and the control plane, and also between the control plane and the data plane. Between Databricks users and the control plane, Private Link provides strong controls that limit the source for inbound requests. If a company already routes traffic through an Azure environment, they can use Private Link so that the communication between users and the Azure Databricks control plane does not traverse public IP addresses. This feature requires the Premium pricing tier. Use Azure Private Link to connect from Azure Databricks to your Azure resources. 
Not only does Private Link ensure", + "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3", + "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link", + "service": "Azure Databricks", + "services": [ + "PrivateLink" + ], "severity": "Medium", - "subcategory": "High Availablity", - "text": "Use Dedicated pools", - "waf": "Reliability" + "subcategory": "", + "text": "Configure and use Azure Private Link to access Azure resources.", + "waf": "Security" }, { "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/analytics/azure-synapse", - "services": [], + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", + "services": [ + "SQL" + ], "severity": "Medium", - "subcategory": "DR", - "text": "Use Database restore points for Azure Synapse", + "subcategory": "Best Practices", + "text": "Leverage Flexible Server", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "6abca2a4-fda1-4dae-8dc9-5d48c6c791dc", - "link": "https://learn.microsoft.com/azure/synapse-analytics/sql/on-demand-workspace-overview", - "services": [], - "severity": "Medium", - "subcategory": "High Availablity", - "text": "Use Serverless Pools when required", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", + "services": [ + "SQL" + ], + "severity": "High", + "subcategory": "Best Practices", + "text": "Leverage Availability Zones where regionally applicable", "waf": "Reliability" }, { 
"category": "Operations Management",
- "checklist": "Azure Synapse Review Checklist",
- "guid": "a0f6c565-89e5-458b-a37d-4974e1112dbd",
- "link": "https://learn.microsoft.com/azure/synapse-analytics/quickstart-deployment-template-workspaces",
+ "checklist": "MySQL Review Checklist",
+ "guid": "1e944a45-9c37-43e7-bd61-623b365a917e",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication",
+ "service": "Azure MySQL",
"services": [
- "Storage"
+ "SQL"
],
"severity": "Medium",
- "subcategory": "DevOps",
- "text": "Use Infrastructure as a Code template to do repeatable deployments",
+ "subcategory": "Best Practices",
+ "text": "Leverage Data-in replication for cross-region DR scenarios",
"waf": "Reliability"
},
{
- "category": "Operations Management",
- "checklist": "Azure Synapse Review Checklist",
- "guid": "7baf12e7-b94e-4f6e-847d-2da2982b1cd6",
- "link": "https://learn.microsoft.com/azure/cosmos-db/synapse-link",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "b71ca41b-3a80-48f3-a6cd-22cdf197c1cf",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator",
"services": [],
"severity": "Medium",
- "subcategory": "High Availablity",
- "text": "Make sure to re-eshtablish any Synapse Links",
- "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview",
- "waf": "Reliability"
+ "subcategory": "App delivery",
+ "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Security"
},
{
- "category": "BC and DR",
- "checklist": "Azure App Service Review",
- "description": "Leverage 
zone-redundancy to ensure high availability in the event of zone-level failures. Use Premium V2/V3 or Isolated v2 tiers, which provide support for zone-redundant deployments and ensure minimal downtime during disasters.", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", "services": [ - "AppSvc" + "AppGW" ], - "severity": "Low", - "subcategory": "High Availability", - "text": "Implement a baseline highly available zone-redundant web application architecture. Ensure your Azure App Service is on Premium V2/V3 or Isolated v2 tiers for zone-redundant support.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Ensure you are using Application Gateway v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "description": "Leverage staging slots for zero-downtime deployments and automated backups to ensure disaster recovery. 
Choose the appropriate tier (Standard or Premium) based on the number of slots and disaster recovery requirements.", - "graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", "services": [ - "AppSvc", - "Backup", - "ASR" + "LoadBalancer" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Premium and Standard tiers for staging slots and automated backups. Align your backup retention period with disaster recovery needs.", - "waf": "Reliability" + "subcategory": "Load Balancer", + "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "description": "Availability Zones provide physical isolation across datacenters in a region, reducing downtime during outages. 
Verify your region supports Availability Zones and use Premium V2/V3 tiers for zone-redundant deployments.", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-service", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", "services": [ - "ACR", - "AppSvc" + "LoadBalancer" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones where regionally applicable (Premium V2/V3 tier required). Check region support for Availability Zones.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Load Balancer", + "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "description": "Enable health checks to detect unhealthy instances in real-time and automatically replace them to maintain high availability and application reliability.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project 
id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", "services": [ - "AppSvc", - "Monitor" + "AppGW", + "VNet" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Implement health checks to monitor and detect issues with App Service instances. Health checks enable automatic instance replacement on failure.", - "waf": "Reliability" + "subcategory": "App Gateway", + "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "description": "Follow best practices for configuring backups and restores in Azure App Service and ASE to guarantee data availability and ensure recovery during disaster scenarios.", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/azure/app-service/manage-backup", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. 
Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.",
+ "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "App Gateway",
"services": [
- "AppSvc",
- "Backup"
+ "AppGW",
+ "Entra",
+ "NVA",
+ "VNet",
+ "Subscriptions",
+ "WAF"
],
- "severity": "High",
- "subcategory": "Multi-tenant service",
- "text": "Refer to backup and restore best practices for Azure App Service and App Service Environments (ASE) to ensure data availability and recovery.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Security"
},
{
- "category": "BC and DR",
- "checklist": "Azure App Service Review",
- "description": "Ensure high availability by incorporating scaling, fault tolerance, monitoring, and zone redundancy into your App Service architecture. 
Leverage health checks and availability zones to maintain uptime.",
- "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
- "link": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability",
- "service": "App Services",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
+ "link": "https://learn.microsoft.com/azure/application-gateway/tutorial-protect-application-gateway-ddos",
+ "service": "App Gateway",
"services": [
- "AppSvc",
- "Monitor"
+ "DDoS"
],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Implement Azure App Service reliability best practices, including auto-scaling, fault tolerance, health checks, and zone redundancy.",
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
+ },
+ {
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
+ "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
+ "service": "App Gateway",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Configure autoscaling with a minimum amount of instances of two.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"waf": "Reliability"
},
{
- "category": "BC and DR",
- "checklist": "Azure App Service Review",
- "description": "Prepare for 
disaster recovery by implementing region failover strategies. Utilize active-active and active-passive configurations, automated failover, and Infrastructure as Code (IaC) for seamless failover during outages.",
- "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
- "link": "https://learn.microsoft.com/azure/app-service/manage-disaster-recovery#recover-app-content-only",
- "service": "App Services",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
+ "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
+ "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
+ "service": "App Gateway",
"services": [
- "AppSvc",
- "ASR"
+ "AppGW",
+ "ACR"
],
- "severity": "Low",
- "subcategory": "High Availability",
- "text": "Familiarize with App Service region failover, including active-active and active-passive configurations, automated failover, and IaC deployment.",
+ "severity": "Medium",
+ "subcategory": "App Gateway",
+ "text": "Deploy Application Gateway across Availability Zones",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"waf": "Reliability"
},
{
- "category": "BC and DR",
- "checklist": "Azure App Service Review",
- "description": "Azure App Service offers built-in reliability features, including scaling, fault tolerance, and service-level agreements (SLAs). 
Leverage these features to maintain consistent performance during outages.",
- "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-app-service",
- "service": "App Services",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "Front Door",
"services": [
- "AppSvc"
+ "AppGW",
+ "AzurePolicy",
+ "WAF",
+ "FrontDoor"
],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Familiarize with reliability support in Azure App Service, including scaling options, SLAs, and automated recovery mechanisms.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "App delivery",
+ "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
},
{
- "category": "BC and DR",
- "checklist": "Azure App Service Review",
- "description": "Enabling 'Always On' for Function Apps ensures that the app does not go idle, maintaining its availability and responsiveness at all times.",
- "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
- "link": "https://learn.microsoft.com/azure/azure-functions/dedicated-plan#always-on",
- "service": "App Services",
+ "ammp": true,
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Traffic Manager",
"services": [
- "AppSvc"
+ "TrafficManager"
],
- "severity": "Medium",
- "subcategory": "High Availability",
- "text": "Ensure 
'Always On' is enabled for Function Apps running on App Service plans to prevent idling and ensure continuous availability.", + "severity": "High", + "subcategory": "Traffic Manager", + "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "description": "Health checks monitor the health of App Service instances, enabling automatic replacement of unhealthy instances to maintain high availability.", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "services": [ - "AppSvc", - "Monitor" + "AVD", + "Entra" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor App Service instances using Health checks to detect unhealthy instances and automatically replace them.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "App delivery", + "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "category": "Network Topology and Connectivity", + 
"checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "services": [ - "AppSvc", - "Monitor" + "Entra" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests, ensuring proactive detection of performance issues and downtime.", - "waf": "Reliability" + "subcategory": "App delivery", + "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", "services": [ - "AppSvc", - "Monitor" + "LoadBalancer" ], - "severity": "Low", - "subcategory": "Monitoring", - "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", + "severity": "High", + "subcategory": "Load Balancer", + "text": "Use Azure 
NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Azure Key Vault ensures secrets are encrypted, securely stored, and accessed only by authorized applications. It supports audit logging, and secret versioning, and reduces the risk of accidental exposure of sensitive information.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", "services": [ - "AppSvc", - "AKV" + "AppGW", + "WAF" ], "severity": "High", - "subcategory": "Data Protection", - "text": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a secure, managed, and audited environment for storing secrets, and integrates seamlessly with App Service via App Service Key Vault References for enhanced security.", + "subcategory": "App Gateway", + "text": "Enable the Azure Application Gateway WAF bot protection rule set. 
The bot rules detect good and bad bots.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Managed Identity eliminates the need for hard-coded credentials by allowing App Service to authenticate to Azure Key Vault securely. This reduces the risk of credential exposure and simplifies secret management for enhanced security.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", "services": [ - "AppSvc", - "AKV", - "Entra" + "AppGW", + "AzurePolicy", + "WAF" ], "severity": "High", - "subcategory": "Data Protection", - "text": "Use Managed Identity to securely connect to Azure Key Vault for accessing secrets, through App Service Key Vault References.", + "subcategory": "App Gateway", + "text": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Storing TLS certificates in Azure Key Vault enhances security by providing centralized, secure management and automated renewal of certificates. 
This reduces the risk of manual handling errors and certificate expiration.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", "services": [ - "AppSvc", - "AKV", - "Entra" + "AppGW", + "WAF" ], "severity": "High", - "subcategory": "Data Protection", - "text": "Use Azure Key Vault to securely store and manage TLS certificates for App Service.", + "subcategory": "App Gateway", + "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "To minimize exposure and improve security, isolate systems processing sensitive data. 
Leverage separate App Service Plans or App Service Environments for isolation, and use different subscriptions or management groups to enforce stricter boundaries and governance.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", + "service": "App Gateway", "services": [ - "AppSvc", - "Subscriptions" + "AppGW", + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Data Protection", - "text": "Isolate systems that process sensitive information using separate App Service Plans, App Service Environments (ASE), and consider different subscriptions or management groups for enhanced security.", + "severity": "High", + "subcategory": "App Gateway", + "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "services": [ - "TrafficManager", - "AppSvc" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Do not store sensitive data on local disk", + "subcategory": "App Gateway", + "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Use Microsoft Entra ID or B2C for secure user authentication and Single Sign-On (SSO) across applications. 
Integrate using the built-in App Service Authentication/Authorization feature for streamlined security and compliance with modern authentication protocols like OpenID Connect.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", "services": [ - "ACR", - "AppSvc", - "Entra" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Control", - "text": "Use Microsoft Entra ID or B2C for secure authentication and Single Sign-On (SSO).", + "subcategory": "App Gateway", + "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Ensure all code deployments to App Service originate from a controlled, secured environment, such as a well-managed DevOps pipeline. 
This practice mitigates the risk of deploying unauthorized or malicious code by enforcing version control, code verification, and secure hosting.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", - "services": [ - "AppSvc", - "Entra" - ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Deploy code to App Service from a trusted and secure environment.", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "services": [], + "severity": "Low", + "subcategory": "App Gateway", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM to enhance security by enforcing Microsoft Entra ID secured endpoints for deployment. 
This ensures that only authenticated users using Microsoft Entra ID credentials can access deployment services, including the SCM site.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "services": [ - "AppSvc", - "Entra" + "AppGW", + "WAF" ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM.", + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Wherever possible, use Managed Identity to securely connect to Microsoft Entra ID-secured resources without storing credentials. 
If this is not feasible, store secrets in Azure Key Vault and access them using Managed Identity to maintain security and reduce the risk of credential exposure.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "services": [ - "AKV", - "AppSvc", - "Entra" + "AppGW", + "WAF" ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Use Managed Identity to connect to Microsoft Entra ID secured resources.", + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "When using images stored in Azure Container Registry, pull these images using a Managed Identity to avoid storing credentials. 
This ensures secure access to container images and reduces the risk of credential exposure.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "services": [ - "ACR", - "AppSvc", - "Entra" + "AppGW", + "WAF" ], - "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Pull container images from Azure Container Registry using a Managed Identity.", - "waf": "Security" + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Configure diagnostic settings to send telemetry and security logs (including HTTP, platform, and audit logs) to Log Analytics. 
Centralized logging enhances monitoring, threat detection, and compliance reporting.", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "services": [ - "AppSvc", - "Entra", - "Monitor" + "AppGW", + "Sentinel", + "WAF" ], "severity": "Medium", - "subcategory": "Logging and Monitoring", - "text": "Send App Service runtime and security logs to Log Analytics for centralized monitoring and alerting.", - "waf": "Security" + "subcategory": "App Gateway", + "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "services": [ - "AppSvc", - "Monitor", - "Entra" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "Logging and Monitoring", - "text": "Send App Service activity logs to Log Analytics", - "waf": "Security" + "subcategory": "App Gateway", + "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Use regional VNet integration, Network Security Groups (NSGs), and User-Defined Routes (UDRs) to control outbound network access. 
Route traffic through a Network Virtual Appliance (NVA), such as Azure Firewall, and monitor firewall logs to ensure traffic is properly controlled and secure.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", "services": [ - "AppSvc", - "NVA", - "Firewall", - "Monitor", - "VNet" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Network Security", - "text": "Control outbound network access for App Service using VNet integration, NSGs, UDRs, and firewalls.", - "waf": "Security" + "subcategory": "App Gateway", + "text": "Use WAF Policies instead of the legacy WAF configuration.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Provide a stable outbound IP by using VNet integration with a NAT Gateway or Network Virtual Appliance (NVA) like Azure Firewall. This enables the receiving party to allow-list based on IP, if necessary. 
For communications with Azure services, use mechanisms like Service Endpoints or private endpoints to avoid relying on static IPs, ensuring secure and efficient connectivity.", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "services": [ - "AppSvc", - "Storage", - "NVA", - "Firewall", - "PrivateLink", + "AppGW", + "ExpressRoute", + "VPN", "VNet" ], - "severity": "Low", - "subcategory": "Network Security", - "text": "Ensure a stable IP for outbound communications by using VNet NAT Gateway or Azure Firewall.", + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Control inbound network access by configuring App Service Access Restrictions, Service Endpoints, or Private Endpoints. 
Ensure appropriate restrictions are set for both the web app and the SCM (deployment) site to limit unauthorized access and enhance security.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "services": [ - "AppSvc", - "PrivateLink" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", + "services": [], "severity": "High", - "subcategory": "Network Security", - "text": "Control inbound network access using Access Restrictions, Service Endpoints, or Private Endpoints.", + "subcategory": "App Gateway", + "text": "You should encrypt traffic to the backend servers.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Protect App Service from malicious inbound traffic by deploying a Web Application Firewall (WAF) using Azure Application Gateway or Azure Front Door. 
Ensure WAF logs are monitored regularly to detect and respond to security threats.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", "services": [ - "AppSvc", - "FrontDoor", - "WAF", - "Monitor", - "AppGW" + "WAF" ], "severity": "High", - "subcategory": "Network Security", - "text": "Use a Web Application Firewall (WAF) in front of App Service.", + "subcategory": "App Gateway", + "text": "You should use a Web Application Firewall.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "To prevent the Web Application Firewall (WAF) from being bypassed, lock down access to App Service by using Access Restrictions, Service Endpoints, and Private Endpoints. 
This ensures that all traffic is routed through the WAF, providing a secure front layer of protection.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "services": [ - "WAF", - "AppSvc", - "PrivateLink" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", + "services": [], + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Redirect HTTP to HTTPS", + "waf": "Security" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", + "services": [], + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", + "waf": "Operations" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", + "services": [], "severity": "High", - "subcategory": "Network Security", - "text": "Ensure the WAF cannot be bypassed by securing access to App Service.", + "subcategory": "App Gateway", + "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": 
"Ensure that the minimum TLS policy is set to 1.2 or higher, with a preference for TLS 1.3, to enhance security through stronger encryption protocols. TLS 1.3 provides additional security improvements and faster handshake times, reducing vulnerabilities associated with older versions.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", - "services": [ - "AppSvc", - "AzurePolicy" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "services": [], + "severity": "Low", + "subcategory": "App Gateway", + "text": "Create custom error pages to display a personalized user experience", + "waf": "Operations" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", + "services": [], "severity": "Medium", - "subcategory": "Network Security", - "text": "Set minimum TLS policy to 1.2 or higher, preferably 1.3, in App Service configuration.", + "subcategory": "App Gateway", + "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Configure App Service to enforce HTTPS-only, automatically redirecting all HTTP traffic to HTTPS. 
Additionally, implement HTTP Strict Transport Security (HSTS) in your code or via a Web Application Firewall (WAF) to ensure browsers only access the site over HTTPS, enhancing security by preventing downgrade attacks.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "services": [ - "WAF", - "AppSvc" + "FrontDoor" ], - "severity": "High", - "subcategory": "Network Security", - "text": "Use HTTPS only and consider enabling HTTP Strict Transport Security (HSTS).", + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", + "waf": "Performance" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", + "services": [], + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Use transport layer load balancing", + "waf": "Performance" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", + "services": [], + "severity": 
"Medium", + "subcategory": "App Gateway", + "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Do not use wildcards (*) in your CORS configuration, as this permits unrestricted access from any origin, compromising security. Instead, explicitly specify trusted origins that are allowed to access the service, ensuring controlled access.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "services": [ - "AppSvc", - "Storage" + "Entra" ], - "severity": "High", - "subcategory": "Network Security", - "text": "Avoid using wildcards for CORS; specify allowed origins explicitly.", + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Remote debugging should not be enabled in production as it opens additional ports, increasing the attack surface. 
Although App Service automatically turns off remote debugging after 48 hours, it is recommended to disable it manually in production to maintain a secure environment.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", "services": [ - "AppSvc" + "AppGW" ], - "severity": "High", - "subcategory": "Network Security", - "text": "Turn off remote debugging in production environments.", + "severity": "Low", + "subcategory": "App Gateway", + "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "fda1dae2-dc95-4d48-a6c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/synapse-analytics/sql-data-warehouse/backup-and-restore#geo-backups-and-disaster-recovery", "services": [ - "AppSvc", - "Defender" + "Backup" ], "severity": "Medium", - "subcategory": "Network Security", - "text": "Enable Defender for Cloud - Defender for App Service", - "waf": "Security" + "subcategory": "Backup", + "text": "Enable Geo Backup ", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "89e558b9-37d4-4974-b111-2dbd7baf12e7", + "link": "https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/how-to-use-ci-cd-integration-to-automate-the-deploy-of-a-synapse/ba-p/2248060", + "services": [], + "severity": "Medium", + "subcategory": "DevOps", + "text": "Integrate with Azure DevOps to deploy Multiple environments", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "b94ef6e0-47d2-4da2-a82b-1cd6d2f54b29", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "services": [], + "severity": "High", + "subcategory": "DR", + "text": "BCDR for Azure Synapse pipelines ", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "769e3a69-1e88-438a-a936-667e13c00567", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "services": [], + "severity": "High", + 
"subcategory": "DR", + "text": "Use Zone Redudant pipelines in regions supporting Availablity Zones", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "4b1e944a-4598-437e-b7ad-6c6d3b365a5c", + "link": "https://learn.microsoft.com/azure/synapse-analytics/cicd/source-control", + "services": [], + "severity": "Low", + "subcategory": "DevOps", + "text": "Create Scripts for all DLL Statements and save in Git Repository ", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "7acbe48a-be54-4cd7-af2e-87768358c559", + "link": "https://learn.microsoft.com/azure/synapse-analytics/spark/apache-spark-development-using-notebooks", + "services": [], + "severity": "Low", + "subcategory": "DevOps", + "text": "When working with Spark Notebooks, make sure to integrate with Git or Azure DevOps", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "775c6ee9-5b86-4ad8-a44c-e3b2b38b875b", + "link": "https://learn.microsoft.com/azure/synapse-analytics/sql-data-warehouse/backup-and-restore", + "services": [], + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Use Dedicated pools", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", - "services": [ - "AppSvc", - "NVA", - "EventHubs", - "WAF", - "DDoS", - "AppGW", - "VNet" - ], + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/analytics/azure-synapse", + "services": [], "severity": "Medium", - "subcategory": "Network Security", - "text": "Enable DDOS Protection Standard on the WAF VNet", - "waf": "Security" + "subcategory": "DR", + "text": "Use Database restore points for Azure Synapse", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "When using images stored in Azure Container Registry, ensure they are pulled over a virtual network by using a private endpoint and configuring the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'. 
This ensures secure communication between App Service and the registry, preventing exposure to the public internet.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", - "services": [ - "ACR", - "AppSvc", - "PrivateLink", - "VNet" - ], + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "6abca2a4-fda1-4dae-8dc9-5d48c6c791dc", + "link": "https://learn.microsoft.com/azure/synapse-analytics/sql/on-demand-workspace-overview", + "services": [], "severity": "Medium", - "subcategory": "Network Security", - "text": "Pull container images over a Virtual Network from Azure Container Registry.", - "waf": "Security" + "subcategory": "High Availablity", + "text": "Use Serverless Pools when required", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Perform a penetration test on the web application in accordance with Azure's penetration testing rules of engagement. 
This helps identify vulnerabilities and security weaknesses that can be addressed before they are exploited.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "a0f6c565-89e5-458b-a37d-4974e1112dbd", + "link": "https://learn.microsoft.com/azure/synapse-analytics/quickstart-deployment-template-workspaces", "services": [ - "AppSvc" + "Storage" ], "severity": "Medium", - "subcategory": "Penetration Testing", - "text": "Conduct a penetration test on the web application.", - "waf": "Security" + "subcategory": "DevOps", + "text": "Use Infrastructure as a Code template to do repeatable deployments", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Ensure that only trusted code, which has been validated and scanned for vulnerabilities, is deployed to production following DevSecOps practices. 
This minimizes the risk of introducing security vulnerabilities into the application environment.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", - "services": [ - "AppSvc" - ], + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "7baf12e7-b94e-4f6e-847d-2da2982b1cd6", + "link": "https://learn.microsoft.com/azure/cosmos-db/synapse-link", + "services": [], "severity": "Medium", - "subcategory": "Vulnerability Management", - "text": "Deploy validated and vulnerability-scanned code.", - "waf": "Security" + "subcategory": "High Availablity", + "text": "Make sure to re-eshtablish any Synapse Links", + "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Ensure that the latest versions of supported platforms, programming languages, protocols, and frameworks are used. 
Regular updates mitigate the risk of security vulnerabilities and ensure compatibility with security patches.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", - "services": [ - "AppSvc" - ], + "category": "BC and DR", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "services": [], "severity": "High", - "subcategory": "Vulnerability Management", - "text": "Use up-to-date platforms, languages, protocols and frameworks", - "waf": "Security" - }, - { - "category": "Operations", - "checklist": "Azure App Service Review", - "description": "Leverage Auto-Healing in Azure App Service to automatically restart instances or trigger custom actions based on pre-defined failure conditions like memory thresholds, HTTP errors, or specific event logs.", - "guid": "60b3a935-33e5-45c9-87c7-53882e395b46", - "link": "https://learn.microsoft.com/azure/app-service/overview-diagnostics", - "service": "App Services", - "services": [ - "AppSvc" - ], - "severity": "Medium", "subcategory": "High Availability", - "text": "Use Auto-Healing with custom rules to restart App Service instances automatically when failures occur.", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "description": "Configure Azure Monitor alerts based on Application Insights metrics for response times, failure rates, and overall availability. 
Alerts help detect issues proactively and reduce mean-time-to-recovery (MTTR).", - "guid": "e52e4514-02a7-4e81-a98e-88ce1b18e557", - "link": "https://learn.microsoft.com/azure/azure-monitor/app/alerts", - "service": "App Services", - "services": [ - "AppSvc", - "Monitor" - ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Set up alerts for critical Application Insights metrics, such as response time and failure rates.", + "category": "BC and DR", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure App Service Review", - "description": "Use Azure Policy to enforce security, compliance, and governance configurations for App Service. 
Policies can ensure that critical settings such as TLS versions, backup configurations, and network restrictions are enforced across all App Service instances.", - "guid": "361e886f-ca40-4ead-a8e9-1379c642ae9c", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "App Services", - "services": [ - "ACR", - "AppSvc", - "Backup", - "AzurePolicy" - ], + "category": "BC and DR", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "services": [], "severity": "High", - "subcategory": "Compliance", - "text": "Apply Azure Policy to enforce compliance across App Service configurations.", - "waf": "Governance" + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Cost Governance", - "checklist": "Azure App Service Review", - "description": "Leverage Azure Cost Management to track and forecast App Service expenses. 
Set up alerts for budget thresholds to avoid overspending, and optimize costs based on resource utilization trends.",
- "guid": "42eb48f0-28ff-497c-b2c0-a8fa1f989832",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/",
- "service": "App Services",
+ "category": "BC and DR",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "IoT Hub DPS",
 "services": [
- "Cost",
- "AppSvc",
- "Monitor"
+ "AppSvc"
 ],
- "severity": "Low",
- "subcategory": "Cost Monitoring",
- "text": "Monitor App Service costs using Azure Cost Management and create cost alerts.",
- "waf": "Cost"
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "category": "Cost Governance",
- "checklist": "Azure App Service Review",
- "description": "If you have predictable and steady usage of App Service, purchasing Reserved Instances can significantly reduce long-term costs. 
Commit to one or three years for lower pricing compared to pay-as-you-go.",
- "guid": "e489221b-487e-48a3-aaab-48e3d205ca12",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/",
- "service": "App Services",
- "services": [
- "Cost",
- "AppSvc",
- "ARS",
- "Storage"
- ],
+ "category": "Application Deployment",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "IoT Hub DPS",
+ "services": [],
 "severity": "Medium",
- "subcategory": "Cost Optimization",
- "text": "Purchase reserved instances for App Service plans to optimize long-term costs.",
- "waf": "Cost"
+ "subcategory": "CI/CD",
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "waf": "Operations"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "When you are creating a SQL Server on Azure VM, carefully consider the type of workload necessary. If you are migrating an existing environment, collect a performance baseline to determine your SQL Server on Azure VM requirements. 
If this is a new VM, then create your new SQL Server VM based on your vendor requirements.",
- "guid": "1fc3fc14-eea6-4e69-b8d9-a3eec218e687",
- "link": "https://learn.microsoft.com/sql/dma/dma-sku-recommend-sql-db?view=sql-server-ver16",
+ "category": "Governance",
+ "checklist": "Azure Key Vault",
+ "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "VM"
+ "AKV",
+ "Backup"
 ],
 "severity": "High",
- "subcategory": "VM Size",
- "text": "Collect the target workload's performance characteristics and use them to determine the appropriate VM size for your business.",
- "waf": "Performance"
+ "subcategory": "Deployment best practices",
+ "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "The memory optimized virtual machine sizes are a primary target for SQL Server VMs and the recommended choice by Microsoft. 
The memory optimized virtual machines offer stronger memory-to-CPU ratios and medium-to-large cache options.Consider Ebdsv5-series series first for most SQL Server workloads.",
- "guid": "e04abe1f-8d39-4fda-9776-8424c116775c",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size?view=azuresql#memory-optimized",
+ "category": "BC and DR",
+ "checklist": "Azure Key Vault",
+ "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "VM"
+ "AKV",
+ "ACR"
 ],
 "severity": "Medium",
- "subcategory": "VM Size",
- "text": "Use memory optimized virtual machine sizes for the best performance of SQL Server workloads.",
- "waf": "Performance"
+ "subcategory": "High Availability",
+ "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "To find the most effective configuration for SQL Server workloads on an Azure VM, start by measuring the storage performance of your business application. 
Once storage requirements are known, select a virtual machine that supports the necessary IOPS and throughput with the appropriate memory-to-vCore ratio.",
- "guid": "2ea55b56-ad48-4408-be72-734b476ba18f",
- "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance#counters-to-measure-application-performance-requirements",
+ "category": "BC and DR",
+ "checklist": "Azure Key Vault",
+ "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "Storage",
- "VM"
+ "AKV"
 ],
 "severity": "Medium",
- "subcategory": "Storage",
- "text": "Determine storage bandwidth and latency requirements for SQL Server data, log, and tempdb files before choosing the disk type.",
- "waf": "Performance"
+ "subcategory": "High Availability",
+ "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "This provides more dedicated disk IOPS and throughput on the disk level and also allows you to configure the Azure disk host caching setting for each disk to the optimal setting for that data type.",
- "guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
+ "category": "BC and DR",
+ "checklist": "Azure Key Vault",
+ "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "Storage"
+ "AKV",
+ "AzurePolicy"
 ],
- "severity": "High",
- "subcategory": "Storage",
- "text": "Place data, log, and tempdb files on separate drives",
- "waf": "Performance"
+ "severity": "Medium",
+ "subcategory": "High Availability",
+ "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "Premium SSD is always recommend as a minimum for SQL Server in order to obtain better performance and lower latency. 
P30 and P40 are recommended because disk caching is not supported for disks 4 TiB and larger ( P50 and above) and they provide the optimal price to performance ratio",
- "guid": "e6a84de5-df43-4d19-a248-1718d5d1e5f6",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
+ "category": "Management",
+ "checklist": "Azure Key Vault",
+ "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "Storage"
+ "Storage",
+ "ASR",
+ "Backup",
+ "AKV",
+ "Subscriptions"
 ],
- "severity": "High",
- "subcategory": "Storage",
- "text": "For the data drive, use premium P30 and P40 or smaller disks to ensure the availability of cache support",
- "waf": "Performance"
+ "severity": "Medium",
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "Log files have primarily write-heavy operations. Therefore, they do not benefit from the ReadOnly cache. 
Hence evaluate your price vs performance vs capacity and chose the right storage disk.",
- "guid": "25659d35-58fd-4772-99c9-31112d027fe4",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
+ "category": "Management",
+ "checklist": "Azure Key Vault",
+ "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "Storage",
- "Cost"
+ "AKV",
+ "ASR"
 ],
 "severity": "High",
- "subcategory": "Storage",
- "text": "For the log drive plan for capacity and test performance versus cost while evaluating the premium P30 - P80 disks",
- "waf": "Performance"
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "Placing TempDB on the D drive can help performance. 
Consider the size required and always test performance.",
- "guid": "12f70983-f630-4472-8ee6-9d6b5c2622f5",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
+ "category": "Management",
+ "checklist": "Azure Key Vault",
+ "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "Storage",
- "VM"
+ "AKV",
+ "ASR"
 ],
- "severity": "Medium",
- "subcategory": "Storage",
- "text": "Place tempdb on the local ephemeral SSD (default D:\\) drive for most SQL Server workloads that are not part of Failover Cluster Instance (FCI) after choosing the optimal VM size.",
- "waf": "Performance"
+ "severity": "Low",
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "Striping Data and Log disk can increase bandwidth. 
Ensure that VM size also matches expected output",
- "guid": "4b69bad3-4aad-45e8-a78e-1d76667313c4",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
+ "category": "Management",
+ "checklist": "Azure Key Vault",
+ "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "Storage",
- "VM"
+ "AKV",
+ "ASR",
+ "Backup"
 ],
- "severity": "High",
- "subcategory": "Storage",
- "text": "Stripe multiple Azure data disks using Storage Spaces to increase I/O bandwidth",
- "waf": "Performance"
+ "severity": "Low",
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "Your storage caching policy varies depending on the type of SQL Server data files that are hosted on the drive.Enable Read-only caching for the disks hosting SQL Server data files.Reads from cache will be faster than the uncached reads from the data disk.Set the caching policy to None for disks hosting the transaction log. 
There is no performance benefit to enabling caching for the Transaction log disk.",
- "guid": "05674b5e-985b-4859-a773-e7e261623b77",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
+ "category": "Management",
+ "checklist": "Azure Key Vault",
+ "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "Storage",
- "AzurePolicy"
+ "AKV",
+ "ASR",
+ "Backup"
 ],
- "severity": "High",
- "subcategory": "Storage",
- "text": "Set host caching to read-only for data file disks and none for log file disks.",
- "waf": "Performance"
+ "severity": "Low",
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "Check that you storage is in the same region as your VM. 
For exaplme if your VM is in EAST US 2 ensure your storage is in East US 2.",
- "guid": "5a917e1f-348e-4f35-9c27-d42e8bbac868",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
+ "category": "Management",
+ "checklist": "Azure Key Vault",
+ "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "Storage",
- "VM"
+ "AKV",
+ "ASR",
+ "EventHubs"
 ],
- "severity": "High",
- "subcategory": "Storage",
- "text": "Provision the storage account in the same region as the SQL Server VM",
- "waf": "Performance"
+ "severity": "Medium",
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "SQL Server uses extents to store data. These are 64KB in size. 
Therefore, on a SQL Server machine, the NTFS allocation unit size for hosting SQL database files should be 64 KB.",
- "guid": "155abb91-63e9-4908-ae28-c84c33b6b780",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
+ "category": "Security",
+ "checklist": "Azure Key Vault",
+ "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant",
+ "guid": "d0642c1c-312b-4116-94ab-439e1c836819",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli",
+ "service": "Key Vault",
 "services": [
- "SQL",
- "Storage"
+ "AKV",
+ "RBAC",
+ "Entra"
 ],
- "severity": "High",
- "subcategory": "Storage",
- "text": "Format your data disk to use 64 KB block size (allocation unit size) for all data files placed on a drive other than the temporary D:\\ drive",
- "waf": "Performance"
+ "severity": "Medium",
+ "subcategory": "Identity and Access Management",
+ "text": "RBAC is recommended to control access to your key vault. Familiarize yourself with the Key Vault's access control guidance.",
+ "waf": "Security"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "It is recommended that you determine BCDR needs and requirements ensuring that you are able to meet you SLAs of the environment.",
- "guid": "8b9fe5c4-2049-4d41-9a92-3c3474d11028",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#azure-only-disaster-recovery-solutions",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD control plane does not offer a financially backed service level agreement. 
We strive to attain at least 99.9% availability for the Azure Virtual Desktop service URLs. The availability of the session host virtual machines in your subscription is covered by the Virtual Machines SLA. Dependent resources/services and infrastructure availability must be also considered to properly satisfy global high-availability requirements.",
+ "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1",
+ "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/",
 "services": [
- "SQL",
- "VM"
+ "AVD",
+ "VM",
+ "ASR",
+ "Subscriptions"
 ],
- "severity": "Medium",
- "subcategory": "HADR",
- "text": "Determine HA/DR requirements for each VM to be migrated.",
+ "severity": "High",
+ "subcategory": "Compute",
+ "text": "Determine the expected High Availability SLA for applications/desktops published through AVD",
 "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "When depoying High Availability you need to use availability sets or availability zones to avoid unexpected outages.",
- "guid": "ac6aae01-e6a8-44de-9df4-3d1992481718",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#high-availability-nodes-in-an-availability-set",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 
'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.",
+ "guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr",
 "services": [
- "SQL",
- "VM"
+ "VM",
+ "AVD",
+ "Storage",
+ "ASR"
 ],
- "severity": "High",
- "subcategory": "HADR",
- "text": "Place your VMs in an availability set or different availability zones.",
+ "severity": "Medium",
+ "subcategory": "Compute",
+ "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools",
 "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "Prefered option when deploying an Availability Group. The recommended solution is to use multi-subnets when deploying Always on Availability Groups.",
- "guid": "d5d1e5f6-2565-49d3-958f-d77249c93111",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-azure-portal-configure?view=azuresql&tabs=azure-cli",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications consumed through AVD are critical. 
You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.",
+ "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
 "services": [
- "SQL",
- "VM",
- "LoadBalancer",
- "VNet"
+ "AVD",
+ "ASR"
 ],
- "severity": "Medium",
- "subcategory": "HADR",
- "text": "Deploy your SQL Server VMs to multiple subnets whenever possible to avoid the dependency on an Azure Load Balancer or a distributed network name (DNN) to route traffic to your HADR solution. ( If one is implementing FCI or AG)",
+ "severity": "Low",
+ "subcategory": "Compute",
+ "text": "Separate critical applications in different AVD Host Pools",
 "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "High availability and disaster recovery (HADR) features, such as the Always On availability group and the failover cluster instance rely on underlying Windows Server Failover Cluster technology. Review the best practices for modifying your HADR settings to better support the cloud environment.",
- "guid": "2d027fe4-12f7-4098-9f63-04722ee69d6b",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#hadr-configuration",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. 
For a comparison between AZ and AS you can read here: https://learn.microsoft.com/azure/virtual-machines/availability.",
+ "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262",
 "services": [
- "SQL",
- "ASR"
+ "AVD",
+ "ASR",
+ "ACR"
 ],
 "severity": "High",
- "subcategory": "HADR",
- "text": "Change the cluster to less aggressive parameters to avoid unexpected outages from transient network failures or Azure platform maintenance. ( If one is implementing FCI or AG)",
+ "subcategory": "Compute",
+ "text": "Plan the best resiliency option for AVD Host Pool deployment",
 "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "Ensure that quorum is set correct for the number of instances deployed.",
- "guid": "5c2622f5-4b69-4bad-94aa-d5e8c78e1d76",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/hadr-cluster-best-practices?view=azuresql-vm&tabs=windows2012#quorum-voting",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Azure Backup can be used to protect Host Pool VMs. For Pooled Pools, this is not necessary since should be stateless. Instead, this option can be considered for Personal Host Pools.",
+ "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
 "services": [
- "SQL"
+ "AVD",
+ "VM",
+ "ASR",
+ "Backup"
 ],
- "severity": "High",
- "subcategory": "HADR",
- "text": "Configure cluster quorum voting to use 3 or more odd number of votes. Don't assign votes to DR regions. 
( If one is implementing FCI or AG)",
+ "severity": "Medium",
+ "subcategory": "Compute",
+ "text": "Assess the requirement to backup AVD Session Host VMs",
 "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "On Azure virtual machines, clusters use a load balancer to hold an IP address that needs to be on one cluster node at a time. In this solution, the load balancer holds the IP address for the virtual network name (VNN) listener for the Always On availability group when the SQL Server VMs are in a single subnet.",
- "guid": "667313c4-0567-44b5-b985-b859c773e7e2",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure?view=azuresql-vm&tabs=ilb",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Even for Personal Pools, usage of Availability Zones, when available, is recommended. Three possible in-region DR strategies are possible, it is recommended to select the best one based on cost, RTO/RPO, and if it is really necessary to save the entire VM OS disk: (1) create each session host in a specific zone (AZ) and then use Azure Site Recovery (ASR) to replicate to a different zone. (2) Use Azure Backup to backup and restore the specific session host in a different AZ. (3) Create a new session host in a different AZ and rely on FSLogix and/or OneDrive to make data and settings available on the new machine. 
All options require administrator intervention for DR and direct user assignment at Host Pool level, then must be planned and configured in advance.",
+ "guid": "5da58639-ca3a-4961-890b-29663c5e10d",
+ "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery",
 "services": [
- "SQL",
 "VM",
- "LoadBalancer",
- "VNet"
+ "Cost",
+ "AVD",
+ "ASR",
+ "Backup"
 ],
- "severity": "High",
- "subcategory": "HADR",
- "text": "When using the virtual network name (VNN) and Azure Load Balancer to connect to your HADR solution, specify MultiSubnetFailover = true in the connection string, even if your cluster only spans one subnet. ( If one is implementing FCI or AG)",
+ "severity": "Medium",
+ "subcategory": "Compute",
+ "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts",
 "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "SQL Server, Azure SQL Database, and Azure SQL Managed Instance support row and page compression for rowstore tables and indexes, and support columnstore and columnstore archival compression for columnstore tables and indexes.",
- "guid": "61623b77-5a91-47e1-b348-ef354c27d42e",
- "link": "https://learn.microsoft.com/sql/relational-databases/data-compression/data-compression?view=sql-server-ver16",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions where AVD is deployed. Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies. Please be aware that the Azure Compute Gallery service isn't a global resource. 
For disaster recovery scenarios, the best practice is to have at least two galleries, in different regions.",
+ "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery",
 "services": [
- "SQL",
- "Storage"
+ "VM",
+ "ACR",
+ "AVD",
+ "Storage",
+ "ASR"
 ],
 "severity": "Low",
- "subcategory": "SQL Server",
- "text": "Enable database page compression where appropriate.",
- "waf": "Performance"
+ "subcategory": "Dependencies",
+ "text": "Plan for Golden Image cross-region availability",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "By default, data and log files are initialized to overwrite any existing data left on the disk from previously deleted files. Data and log files are first initialized by zeroing the files (filling with zeros).In SQL Server, for data files only, instant file initialization (IFI) allows for faster execution of the previously mentioned file operations, since it reclaims used disk space without filling that space with zeros. Instead, disk content is overwritten as new data is written to the files.",
- "guid": "8bbac868-155a-4bb9-863e-9908ae28c84c",
- "link": "https://learn.microsoft.com/sql/relational-databases/databases/database-instant-file-initialization?view=sql-server-ver16",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. 
BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.",
+ "guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
 "services": [
- "SQL",
- "Storage"
+ "AVD",
+ "ASR"
 ],
- "severity": "High",
- "subcategory": "SQL Server",
- "text": "Enable instant file initialization for data files.",
- "waf": "Operations"
+ "severity": "Medium",
+ "subcategory": "Dependencies",
+ "text": "Assess Infrastructure & Application dependencies ",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "Recommended for best performance and availability migrate all databases to data and log disks",
- "guid": "33b6b780-8b9f-4e5c-9204-9d413a923c34",
- "link": "https://learn.microsoft.com/sql/relational-databases/databases/move-database-files?view=sql-server-ver16",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Not all data inside FSLogix user profiles may deserve protection from disaster. Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. 
In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode).",
+ "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
+ "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt",
 "services": [
- "SQL"
+ "AVD",
+ "Storage",
+ "ASR"
 ],
 "severity": "Medium",
- "subcategory": "SQL Server",
- "text": "Move all databases to data disks, including system databases.",
- "waf": "Operations"
+ "subcategory": "Storage",
+ "text": "Assess which data need to be protected in the Profile and Office Containers",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Server on Azure VM",
- "checklist": "SQL Migration Review",
- "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
- "guid": "b824546c-e1ae-4e34-93ae-c8239248725d",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#sql-server-features",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. 
Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).", + "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32", + "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "SQL", + "AVD", "Storage", - "VM" + "ASR", + "Backup", + "AzurePolicy" ], - "severity": "Low", - "subcategory": "SQL Server", - "text": "Move SQL Server error log and trace file directories to data disks.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Storage", + "text": "Build a backup protection strategy for Profile and Office Containers", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "d68c5b5c-2925-4394-a69a-9d2799c42bb6", - "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/server-memory-server-configuration-options#use-", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers: [Profile Pattern #1]: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication. Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended. LRS with local-only resiliency can be used if no zone/region protection is required. NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. [Profile Pattern #2]: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. 
Cloud Cache should be used only when:(1) User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure. (2) Selected storage option is not able to satisfy BCDR requirements. For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available. (3) When replication between disparate storage is required. [Profile Pattern #3]: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.", + "guid": "9f7547c1-746d-4c56-868a-714435bd09dd", + "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "SQL", - "VM" + "AVD", + "Storage", + "ASR" ], - "severity": "High", - "subcategory": "SQL Server", - "text": "Set max SQL Server memory limit to leave enough memory for the Operating System.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Storage", + "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "8d1d7555-6246-4b43-a563-b4dc74a748b6", - "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/enable-the-lock-pages-in-memory-option-windows", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "For local disaster recovery, Azure Backup for Azure Files can be used. For cross-region geo disaster recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. 
If geo-replication is required with Azure File Share Premium, replication with FSLogix Cloud Cache can be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered.", + "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05", + "link": "https://docs.microsoft.com/azure/backup/backup-afs", "services": [ - "SQL", - "VM" + "AVD", + "Storage", + "ASR", + "Backup" ], - "severity": "High", - "subcategory": "SQL Server", - "text": "Enable lock pages in memory.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Storage", + "text": "Review Azure Files disaster recovery strategy", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "633ad2a0-916a-4664-a8fa-d0e278ee293c", - "link": "https://learn.microsoft.com/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "Zone Redundant Storage will maximize in-region resiliency for the user profile data. ZRS is supported for premium file shares through the 'FileStorage' storage account kind. ZRS is supported in standard general-purpose v2 storage accounts. Usage of zone redundant storage must be paired with zone redundant deployment of Session Hosts in each Host Pool. 
", + "guid": "10d4e875-d502-4142-a795-f2b6eff34f88", + "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", "services": [ - "SQL", - "VM" + "AVD", + "Storage", + "ASR" ], - "severity": "Low", - "subcategory": "SQL Server", - "text": "Enable Query Store on all production SQL Server databases following best practices.", - "waf": "Performance" + "severity": "High", + "subcategory": "Storage", + "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "1bc352ba-aab7-4571-a49a-b8093dc9ec9d", - "link": "https://learn.microsoft.com/sql/relational-databases/databases/tempdb-database#optimizing-tempdb-performance-in-sql-server", + "category": "Business Continuity and Disaster Recovery", + "checklist": "Azure Virtual Desktop Review", + "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. 
Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.", + "guid": "23429db7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", "services": [ - "SQL", - "VM" + "ACR", + "AVD", + "Storage", + "ASR", + "Backup" ], - "severity": "High", - "subcategory": "SQL Server", - "text": "Ensure that all tempdb best practices are followed.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Storage", + "text": "Review Azure NetApp Files disaster recovery strategy", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "1bb73b36-a5a6-47fb-a9ed-5b35478c3479", - "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributed to the session hosts after host pool deployment using traditional software distribution methods.", + "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97", + "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "services": [ - "SQL", - "VM" + "AVD" ], "severity": "High", - "subcategory": "SQL Server", - "text": "Schedule SQL Server Agent jobs to run DBCC CHECKDB, index reorganize, index rebuild, and update statistics jobs.", + "subcategory": "Golden Images", + "text": "Determine how applications will be deployed in AVD Host Pools", "waf": "Operations" }, { 
- "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "816b2863-cffe-41ca-a599-ef0d5a73dd4c", - "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Multiple golden images can be required to support different OS versions and/or settings, different groups of applications that must be separated and cannot be included in a single image.", + "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89", + "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "services": [ - "SQL", - "VM" + "AVD" ], "severity": "Medium", - "subcategory": "SQL Server", - "text": "Limit autogrowth of the database and Disable autoshrink", + "subcategory": "Golden Images", + "text": "Estimate the number of golden images that will be required", "waf": "Operations" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Constrained vCPU virtual machines (VMs) are a type of VM where the vCPU count can be constrained to a half or a quarter of the original VM size. This allows customers to reduce the cost of software licensing while maintaining the same memory, storage, and I/O bandwidth", - "guid": "e36c1c81-770a-4fbc-9c0d-43918648d285", - "link": "https://learn.microsoft.com/azure/virtual-machines/constrained-vcpu", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. 
Custom images", + "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses", "services": [ - "SQL", - "Storage", - "VM", - "Cost" + "AVD" ], - "severity": "Low", - "subcategory": "Cost Optimization", - "text": "Optimize SQL Server License cost with Constrained vCPU VM's", - "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Golden Images", + "text": "Determine which OS image/s you will use for Host Pool deployment", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Azure Hybrid Benefit allows you to exchange your existing licenses for discounted rates on Azure SQL Database and Azure SQL Managed Instance. Y", - "guid": "7ed67178-b824-4546-ae1a-ee3453aec823", - "link": "https://azure.microsoft.com/en-ca/pricing/hybrid-benefit/", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure VM custom images can be created and stored in different ways: in an Azure Compute Gallery, as a managed image object or as a managed disk in the storage. 
The recommended way is to use Azure Compute Gallery.", + "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd", + "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", "services": [ - "SQL", - "Cost" + "VM", + "AVD", + "Storage" ], "severity": "Low", - "subcategory": "Cost Optimization", - "text": "Leverage Azure Hybrid benefit to maximize the value of your on premises licenses in the cloud", - "waf": "Cost" - }, - { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "The SQL Server IaaS Agent extension (SqlIaasExtension) runs on SQL Server on Azure Windows Virtual Machines (VMs) to automate management and administration tasks.", - "guid": "9248725d-d68c-45b5-a292-5394a69a9d27", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/sql-agent-extension-automatic-registration-all-vms?view=azuresql-vm&tabs=azure-cli", - "services": [ - "SQL", - "VM" - ], - "severity": "Medium", - "subcategory": "Azure", - "text": "Register with the SQL IaaS Agent Extension to unlock a number of feature benefits.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Operations" + "subcategory": "Golden Images", + "text": "Select the proper store for custom images", + "waf": "Reliability" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Accelerated Networking provides consistent ultra-low network latency via Azure's in-house programmable hardware and technologies", - "guid": "99c42bb6-8d1d-4755-9624-6b438563b4dc", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "If custom images will be used, plan for an automated build process. 
If no pre-existing software factory exists, consider using Custom Image Templates and/or Azure Image Builder to automate the build process.", + "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282", + "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates", "services": [ - "SQL", - "VM" + "AVD" ], - "severity": "High", - "subcategory": "Azure", - "text": "Ensure Accelerated Networking is enabled on the virtual machine.", + "severity": "Low", + "subcategory": "Golden Images", + "text": "Design your build process for custom images", "waf": "Operations" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Microsoft Defender detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases on the SQL server.", - "guid": "74a748b6-633a-4d2a-8916-a66498fad0e2", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls", - "services": [ - "SQL", - "VM", - "Defender" - ], - "severity": "High", - "subcategory": "Azure", - "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture of your virtual machine deployment.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" - }, - { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "There are some PaaS limitations that are introduced in SQL Managed Instance and some behavior changes compared to SQL Server. 
It is important to review and understand these differences.", - "guid": "78ee293c-1bc3-452b-aaab-7571849ab809", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server?view=azuresql", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article.", + "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3", + "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "services": [ - "SQL", - "EventHubs" + "AVD" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Review the major differences between SQL Server and Managed Instance", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "severity": "Medium", + "subcategory": "Golden Images", + "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image", "waf": "Operations" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. It is important to review these limits.", - "guid": "3dc9ec9d-1bb7-43b3-9a5a-67fba9ed5b35", - "link": "https://docs.microsoft.com/azure/azure-sql/managed-instance/resource-limits", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "FSLogix stack installed in AVD session hosts does not provide auto-update capability. 
For this reason, it is recommended to download the latest version of FSLogix and include in the golden image update process.", + "guid": "ed5c9027-dd1a-4343-86ca-52b199223186", + "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix", "services": [ - "SQL" + "AVD" ], "severity": "High", - "subcategory": "Pre Migration", - "text": "Review capacity limits for SQL MI", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Performance" + "subcategory": "Golden Images", + "text": "Include the latest version of FSLogix in the golden image update process", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The instance settings between managed instance and your source SQL Server can be different . It is important to review those differences that can impact performance.", - "guid": "8bc178bd-c5a0-46ca-9144-351e19dd3442", - "link": "https://medium.com/azure-sqldb-managed-instance/compare-environment-settings-on-sql-server-and-azure-sql-that-may-impact-performance-e90c21fa9b08", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. 
", + "guid": "829e3fec-2183-4687-a017-7a2b5945bda4", + "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", "services": [ - "SQL" + "AVD", + "RBAC" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Compare instance settings on SQL Server and Azure SQL MI that may impact performance", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "severity": "Low", + "subcategory": "Golden Images", + "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool", "waf": "Performance" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Assess on-premises SQL Server instance(s) migrating to Azure SQL Managed Instance. The assessment workflow helps you to detect issues that block the migration itself and also partially supported and unsupported features", - "guid": "9eb72281-37a1-451c-9bb4-e4f1814287d5", - "link": "https://docs.microsoft.com/azure/dms/ads-sku-recommend", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "If OneDrive is used and included in a golden image, be sure to follow the configuration procedure reported in the companion article in the 'More Info' section. Not in scope in this AVD checklist, but OneDrive optimizations like 'Known Folder Redirection' and 'Files On-Demand' should be evaluated used to reduce the space used in FSLogix profiles and provide a better user experience. 
OneDrive today is not supported for Remote Apps.", + "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e", + "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", "services": [ - "SQL" + "AVD", + "Storage" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Run Data Migration assistant or Azure Data Studio Migration Extension to detect compatibility issues that can impact database functionality on Managed Instance", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "severity": "Low", + "subcategory": "Golden Images", + "text": "Determine if Microsoft OneDrive will be part of AVD deployment", "waf": "Operations" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The SKU recommendation feature can evaluate the source SQL Server performance and utilization characteristics to recommend a right-sized Azure SQL Managed Instance to assist with your migration journey.", - "guid": "ca8c26c9-b32a-4b5b-afc6-898a135e3378", - "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "Be sure to review the requirements and configuration procedure contained in the companion article in the 'More Info' column. 
Since Teams automatic updates will be disabled, it is recommended to check and include Teams latest version in the golden image update process.", + "guid": "b5887953-5d22-4788-9d30-b66c67be5951", + "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD", "services": [ - "SQL" + "AVD" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Select the right compute resources for your workload by leveraging the SKU recommendation tools.", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "severity": "Low", + "subcategory": "Golden Images", + "text": "Determine if Microsoft Teams will be part of AVD deployment", "waf": "Performance" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Review Unsupported Features, Migration Blockers and Breaking Changes for each database from the Assessment", - "guid": "97e31c67-d68c-4b69-82ac-19f906d697c8", - "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend", - "services": [ - "SQL" - ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Review and address the issues highlighted in DMA/Azure Data Studio", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Operations" - }, - { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The SQL Managed Instance default DNS zone .database.windows.net can be changed with your own. 
However, the managed instance hostname part of its FQDN should remain the same.", - "guid": "eaded26b-dd18-46f0-ac25-1b999a68af87", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/frequently-asked-questions-faq?view=azuresql-mi#can-a-managed-instance-have-the-same-name-as-a-sql-server-on-premises-instance", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD can support users with different language and localization requirements in the same host pool. This can be done customizing golden images to ensure users can select whichever language they need. The procedure to configure additional language packs in Windows 11 is documented in the reference article.", + "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a", + "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs", "services": [ - "SQL", - "DNS" + "AVD" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Plan for connection string changes as changing a managed instance name is not supported", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Operations" + "severity": "Low", + "subcategory": "Golden Images", + "text": "Assess the requirement to support multiple languages", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "There are addional requirements in configuring a vnet and subnet hosting the managed instance.", - "guid": "c9a7f821-b8eb-48c0-aa77-e25e4d5aeaa8", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-existing-add-subnet?view=azuresql-mi", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. 
Azure offers multiple storage options that can be used for MISX app attach. We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. ", + "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ - "SQL", - "VNet" + "AVD", + "Storage", + "Cost" ], "severity": "Medium", - "subcategory": "Pre Migration", - "text": "Review managed instance VNet requirements", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Operations" + "subcategory": "MSIX & AppAttach", + "text": "Do not use the same storage account/share as FSLogix profiles", + "waf": "Performance" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Though it's possible to deploy managed instances to a subnet with a number of IP addresses that's less than the output of the subnet formula, always consider using bigger subnets instead. 
Using a bigger subnet can help avoid future issues stemming from a lack of IP addresses, such as the inability to create additional instances within the subnet or scale existing instances.", - "guid": "dc4e2436-bb33-46d7-85f1-7960eee0b9b5", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-subnet-determine-size?view=azuresql-mi", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.", + "guid": "241addce-5793-477b-adb3-751ab2ac1fad", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ - "SQL", - "VNet" + "AVD" ], - "severity": "High", - "subcategory": "Deployment", - "text": "Ensure managed instance subnet has sufficient IP addresses available", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "MSIX & AppAttach", + "text": "Review performance considerations for MSIX", + "waf": "Performance" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. SQL Managed Instance can be deployed on multiple hardware configurations.", - "guid": "c8defc4d-721d-431d-850f-b707ae9eab40", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/resource-limits?view=azuresql-mi#service-tier-characteristics", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "MSIX app attach requires read-only permissions to access the file share. 
If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.", + "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ - "SQL" + "VM", + "AVD", + "RBAC", + "Storage" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Plan between General Purpose and Business Critical tiers of MI", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Performance" + "severity": "Medium", + "subcategory": "MSIX & AppAttach", + "text": "Check proper session host permissions for MSIX share", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The auto-failover groups feature allows you to manage the replication and failover of user databases in a managed instance to a managed instance in another Azure region. 
Auto-failover groups are designed to simplify deployment and management of geo-replicated databases at scale.", - "guid": "ed329079-8bc1-478b-bc5a-06ca7144351e", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-sql-mi?view=azuresql-mi&tabs=azure-powershell", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.", + "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "services": [ - "SQL" + "AVD" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Based on your RPO/RTO's , determine if Auto failover Group needs to be implemented. If so, plan for the deployment attributes of the second instance.", - "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", - "waf": "Reliability" + "severity": "Low", + "subcategory": "MSIX & AppAttach", + "text": "MSIX packages for 3rd-party applications", + "waf": "Cost" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "There are multiple ways to connect your application to the managed instance. 
Review and understand the pros and cons and decide on the best approach for your application.", - "guid": "5d226886-d30b-466c-97be-595190f83845", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "MSIX app attach doesn't support auto-update for MSIX applications, so they should be disabled.", + "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "services": [ - "SQL" + "AVD" ], "severity": "Low", - "subcategory": "Pre Migration", - "text": "Review the Connectivity Design between Database and Application, test & validate it", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "subcategory": "MSIX & AppAttach", + "text": "Disable auto-update for MSIX packages", "waf": "Operations" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Compare migration options to choose the path that's appropriate to your business needs.", - "guid": "c586cb29-1ec1-46a1-b076-ef9f141acdce", - "link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview?view=azuresql-mi#migration-tools", + "category": "Compute", + "checklist": "Azure Virtual Desktop Review", + "description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10/11 Enterprise or Windows 10/11 Enterprise Multi-session, version 2004 or later.", + "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "services": [ - "SQL" + "AVD" ], "severity": "Medium", - "subcategory": "Pre Migration", - "text": "Plan for the Migration Method. 
Depending on the DB Size and Application downtime window, select the preferred Migration Method.",
- "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
- "waf": "Operations"
+ "subcategory": "MSIX & AppAttach",
+ "text": "Review operating systems support",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "After you verify that data is the same on both source and target, you can cut over from the source to the target environment. It's important to plan the cutover process with business / application teams to ensure minimal interruption during cutover doesn't affect business continuity.",
- "guid": "579377bc-db37-451a-a2ac-1fad66e15d4d",
- "link": "https://learn.microsoft.com/azure/dms/tutorial-sql-server-managed-instance-online#performing-migration-cutover",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.",
+ "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d",
+ "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2",
 "services": [
- "SQL"
+ "AVD",
+ "VM"
 ],
 "severity": "Medium",
- "subcategory": "Pre Migration",
- "text": "Plan the cutover process with business / application teams to ensure minimal interruption during cutover and it does not affect business continuity.",
- "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain",
- "waf": "Reliability"
+ "subcategory": "Session Host",
+ "text": "Evaluate the usage of Gen2 VM for Host Pool deployment",
+ "waf": "Performance"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "A time zone of a managed instance can be set during instance creation only. 
The default time zone is UTC",
- "guid": "4a2adb1c-3d23-426a-b225-ca44e1695fdd",
- "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/timezones-overview?view=azuresql#set-a-time-zone",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "MMR redirects the media content from Session Host to your local machine for faster processing and rendering. It only works when you play media content on Microsoft Edge or Google Chrome. See linked URL for more details.",
+ "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection",
 "services": [
- "SQL"
+ "AVD"
 ],
- "severity": "High",
- "subcategory": "Deployment",
- "text": "Ensure you customize your time zone setting at the instance creation time. One cannot change it later.",
- "training": "https://learn.microsoft.com/azure/role-based-access-control/overview",
- "waf": "Operations"
+ "severity": "Low",
+ "subcategory": "Session Host",
+ "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser",
+ "waf": "Performance"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "Server-level collation in Azure SQL Managed Instance can be specified when the instance is created and cannot be changed later.Default server-level collation is SQL_Latin1_General_CP1_CI_AS.",
- "guid": "deace4cb-1deb-44c6-90c3-fc14eebb3693",
- "link": "https://learn.microsoft.com/sql/relational-databases/collations/set-or-change-the-server-collation?view=sql-server-ver16",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. A host pool can be one of two types: Personal and Pooled. Which type to use, and how many, is a key design decision that must be documented and validated. 
See companion article in 'More Info' column for more details.",
+ "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools",
 "services": [
- "SQL"
+ "AVD",
+ "VM"
 ],
 "severity": "High",
- "subcategory": "Deployment",
- "text": "Ensure you select the right collation setting at the instance creation time. One cannot change it later",
- "waf": "Operations"
+ "subcategory": "Capacity Planning",
+ "text": "Determine the Host Pool type to use",
+ "waf": "Cost"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "When you're migrating a database protected by Transparent Data Encryption (TDE) to Azure SQL Managed Instance using the native restore option, the corresponding certificate from the SQL Server instance needs to be migrated before database restore.",
- "guid": "829e3eec-2183-4687-a007-7a2b5945bda4",
- "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/tde-certificate-migrate?view=azuresql-mi&tabs=azure-powershell",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Use your design criteria to determine the number of Host Pools to deploy. This will be based on factors such as different OS images, multi-region support, guest VM hardware differences (such as GPU support or no), different user expectations and uptime requirements (examples might be 'Executives', 'Office Workers', 'Developers', etc.), and Host Pool RDP settings (such as drive redirection support). 
These will determine the number of host pools as well as how many hosts will be in each pool.",
+ "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools",
 "services": [
- "SQL",
+ "AVD",
 "VM"
 ],
- "severity": "Medium",
- "subcategory": "Deployment",
- "text": "For TDE Enabled Database, corresponding certificate from the on-premises or Azure VM SQL Server needs to be migrated before database restore",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "Capacity Planning",
+ "text": "Estimate the number of different Host Pools to deploy ",
+ "waf": "Performance"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "System databases can be restored only from backups that are created on the version of SQL Server that the server instance is currently running. This is not the case when you are migrating to SQL Managed Instance.Azure PowerShell and DBATools PowerShell libraries enable you to easily script and automate and customize all parts of the migration process.",
- "guid": "3334fdf9-1c23-4418-8b65-275269440b4b",
- "link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide?view=azuresql-mi#backup-and-restore",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question. Automatic is the default setting.",
+ "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
 "services": [
- "SQL",
- "Backup"
+ "AVD"
 ],
 "severity": "Low",
- "subcategory": "Migration",
- "text": "Restore of system databases is not supported. 
To migrate instance-level objects (stored in master or msdb databases), we recommend to script them out and run T-SQL scripts on the destination instance.",
+ "subcategory": "Capacity Planning",
+ "text": "For Personal Host Pool type, select the proper assignment type",
 "waf": "Operations"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "When using migration options that continuously replicate / sync data changes from source to the target, the source data and schema can change and drift from the target. During data sync, ensure that all changes on the source are captured and applied to the target during the migration process.",
- "guid": "e3d3e084-3276-4d4b-bc01-5bcf219e4a1e",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Check which one to use and available options, autoscale ignores existing load-balancing algorithms.",
+ "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
 "services": [
- "SQL"
+ "AVD"
 ],
- "severity": "High",
- "subcategory": "Migration",
- "text": "Ensure that all changes on the source are captured and applied to the target during the migration process.",
- "waf": "Operations"
+ "severity": "Low",
+ "subcategory": "Capacity Planning",
+ "text": "For Pooled Host Pool type, select the best load balancing method",
+ "waf": "Performance"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "Ensure that the application is able to succesffuly connect to the managed instance post migration of the databases.",
- "guid": "b5887952-5d22-4688-9d30-b66c57be5951",
- "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "The number of cores increase, the system's synchronization 
overhead also increases. Especially for multiple user's sign-in simultaneously. Make sure not to use a VM that is too large for the session host",
+ "guid": "b3724959-4943-4577-a3a9-e10ff6345f24",
+ "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
 "services": [
- "SQL"
+ "AVD",
+ "VM"
 ],
 "severity": "Medium",
- "subcategory": "Migration",
- "text": "Test Application Connectivity to MI and Databases",
- "waf": "Operations"
+ "subcategory": "Capacity Planning",
+ "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores",
+ "waf": "Performance"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "High availability is a fundamental part of SQL Managed Instance platform that works transparently for your database applications. Failovers from primary to secondary nodes in case of node degradation or fault detection, or during regular monthly software updates are an expected occurrence for all applications using SQL Managed Instance in Azure.",
- "guid": "90f83845-c586-4cb2-a1ec-16a1d076ef9f",
- "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/user-initiated-failover?view=azuresql",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD does not support assigning both the RemoteApp and Desktop Application Group (DAG) in a single host pool to the same set of users. Doing so will cause a single user to have two user sessions in a single host pool. 
Users aren't supposed to have two active sessions at the same time in the same host pool using the same profile.",
+ "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups",
 "services": [
- "SQL"
+ "AVD",
+ "Storage"
 ],
 "severity": "High",
- "subcategory": "Post Migration",
- "text": "Consider executing a manual failover on SQL Managed Instance to test for fault and failover resiliency.",
- "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "waf": "Reliability"
+ "subcategory": "Capacity Planning",
+ "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users",
+ "waf": "Security"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "Ensuring that your applications are failover resilient prior to deploying to production will help mitigate the risk of application faults in production and will contribute to application availability for your customers.",
- "guid": "141acdce-5793-477b-adb3-751ab2ac1fad",
- "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-configure-sql-mi?view=azuresql&tabs=azure-portal#test-failover",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "There is a limit of 500 Application Groups that can be created in AVD for each Microsoft Entra ID (former Azure AD) tenant. 
The limit can be increased (see the companion link for details) but it is not recommended.",
+ "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits",
 "services": [
- "SQL",
- "LoadBalancer",
- "EventHubs"
+ "AVD",
+ "ACR",
+ "Entra"
 ],
- "severity": "High",
- "subcategory": "Post Migration",
- "text": "If failover groups have been implemented, Test Manual Failover and Failback and test application connectivity behavior during failover/failback",
+ "severity": "Medium",
+ "subcategory": "Capacity Planning",
+ "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant",
 "waf": "Reliability"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "This provides more dedicated disk IOPS and throughput",
- "guid": "aa359272-8e6e-4205-8726-76ae46691e88",
- "link": "https://techcommunity.microsoft.com/t5/azure-sql-blog/storage-performance-best-practices-and-considerations-for-azure/ba-p/305525",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Applications are grouped under Application Groups as containers for publishing and assigning permissions: we recommend that you do not publish more than 50 applications per application group.",
+ "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
 "services": [
- "SQL",
- "Storage"
+ "AVD"
 ],
- "severity": "High",
- "subcategory": "Post Migration",
- "text": "Optimize Storage Performance for General Purpose Managed Instance",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "Performance"
+ "severity": "Low",
+ "subcategory": "Capacity Planning",
+ "text": "Estimate the number of 
Applications for each Application Group",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "Many organizations have policies that require that certificates or encryption keys be created and managed internally. If your organization has a similar policy, this architecture might apply to you. If your customers require internal management of these items, the architecture also might apply to you.",
- "guid": "35ad9422-23e1-4381-8523-081a94174158",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/data/sql-managed-instance-cmk",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "FSLogix is not required for Personal Host Pools since each VM is statically assigned to a single user, then no immediate needs for a roaming profile solution. In some usage scenarios FSLogix can help. For example, a VM can be re-assigned, or user moved to another desktop, or roaming profile can be used to save user profile in a different location for DR purposes.",
+ "guid": "38b19ab6-0693-4992-9394-5590883916ec",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop",
 "services": [
- "SQL",
- "AKV",
- "AzurePolicy",
- "Backup"
+ "VM",
+ "AVD",
+ "Storage"
 ],
 "severity": "Low",
- "subcategory": "Post Migration",
- "text": "Enable Customer managed TDE for taking your own copy only full backups",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "Security"
+ "subcategory": "Capacity Planning",
+ "text": "Evaluate the usage of FSLogix for Personal Host Pools",
+ "waf": "Reliability"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "The maintenance window feature provides you with the ability to onboard Azure SQL resource to prescheduled time blocks outside of 
business hours.",
- "guid": "33ef7ad7-c6d3-4733-865c-7acbe44bbe60",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/planned-maintenance?view=azuresql",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. Ensure a minimum of four cores for Production is selected per Session Host (multi-session)",
+ "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
+ "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
 "services": [
- "SQL"
+ "AVD",
+ "VM"
 ],
- "severity": "Medium",
- "subcategory": "Post Migration",
- "text": "Plan for Azure maintenance events",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "Capacity Planning",
+ "text": "Run workload performance test to determine the best Azure VM SKU and size to use",
+ "waf": "Performance"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "By using the long-term retention (LTR) feature, you can store specified SQL Database and SQL Managed Instance full backups in Azure Blob storage with configured redundancy for up to 10 years.",
- "guid": "9d89f2e8-7778-4424-b516-785c6fa96b96",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/long-term-retention-overview?view=azuresql-mi",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "It is critical to check AVD capacity and limits reported in the referenced article. Additional limits and thresholds apply for network, compute, storage and service management. 
",
+ "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
 "services": [
- "SQL",
- "ARS",
- "Backup",
+ "AVD",
 "Storage"
 ],
- "severity": "Low",
- "subcategory": "Post Migration",
- "text": "Configure Long Term backup retention, view backups and restore from backups",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
+ "severity": "High",
+ "subcategory": "Capacity Planning",
+ "text": "Verify AVD scalability limits for the environment",
 "waf": "Reliability"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "By using Azure Hybrid Benefit, you can achieve cost savings, modernise and maintain a flexible hybrid environment while optimising business applications.",
- "guid": "ad88408f-3727-434c-a76b-a28021459014",
- "link": "https://azure.microsoft.com/en-gb/pricing/hybrid-benefit/#overview",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Host Pools with GPU require special configuration, please be sure to review the referenced article.",
+ "guid": "c936667e-13c0-4056-94b1-e945a459837e",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
 "services": [
- "SQL",
- "Cost"
+ "AVD"
 ],
 "severity": "Low",
- "subcategory": "Post Migration",
- "text": "Take advantage of Azure Hybrid Benefit and Azure Reservations where applicable.",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "Cost"
+ "subcategory": "Capacity Planning",
+ "text": "Determine if Session Hosts will require GPU",
+ "waf": "Performance"
 },
 {
- "category": "SQL Managed Instance",
- "checklist": "SQL Migration Review",
- "description": "If you don't have threat protection Advanced Threat Protection is part of the Microsoft Defender for SQL offering, which is a unified package for 
advanced SQL security capabilities.",
- "guid": "65d38e53-f9cc-4bd8-9926-6acca274faa1",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-overview?view=azuresql",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. This feature does require specific VM SKU/size and OS versions, please see the list and requirement in the companion article.",
+ "guid": "b47a393a-0803-4272-a479-8b1578b219a4",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
 "services": [
- "SQL",
- "Defender"
+ "AVD",
+ "VM"
 ],
- "severity": "Medium",
- "subcategory": "Post Migration",
- "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Security"
- },
- {
- "category": "BC and DR",
- "checklist": "IoT Hub Review",
- "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
- "service": "IoT",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Capacity Planning",
+ "text": "Use Azure VM SKUs able to leverage Accelerated Networking",
+ "waf": "Performance"
 },
 {
- "category": "BC and DR",
- "checklist": "IoT Hub Review",
- "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
- "service": "IoT",
- "services": [],
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "For proper planning and deployment, it is important to assess the maximum number of concurrent and 
total users for each Host Pool. Additionally, users from different regions may require different Host Pools to ensure the best user experience.",
+ "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
+ "services": [
+ "AVD"
+ ],
 "severity": "Medium",
- "subcategory": "High Availability",
- "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.",
- "waf": "Reliability"
- },
- {
- "category": "BC and DR",
- "checklist": "IoT Hub Review",
- "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr",
- "service": "IoT",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "subcategory": "Clients & Users",
+ "text": "Assess how many users will connect to AVD and from which regions",
+ "waf": "Performance"
 },
 {
- "category": "BC and DR",
- "checklist": "IoT Hub Review",
- "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
- "service": "IoT",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Learn how to trigger a manual failover.",
- "waf": "Reliability"
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or ExpressRoute, external services and 3rd-party components. 
For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. Additionally, BCDR considerations need to be applied to these dependencies as well.",
+ "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json",
+ "services": [
+ "AVD",
+ "Storage",
+ "ExpressRoute",
+ "VPN"
+ ],
+ "severity": "Medium",
+ "subcategory": "Clients & Users",
+ "text": "Assess external dependencies for each Host Pool",
+ "waf": "Performance"
 },
 {
- "category": "BC and DR",
- "checklist": "IoT Hub Review",
- "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
- "service": "IoT",
- "services": [],
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD offers a variety of client types (fat, thin, web) to connect over different platforms (Windows, MacOS, iOS, Android). Review limitations of each client and compare multiple options when possible.",
+ "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows",
+ "services": [
+ "AVD"
+ ],
+ "severity": "Low",
+ "subcategory": "Clients & Users",
+ "text": "Review user client OS used and AVD client type",
+ "waf": "Performance"
+ },
+ {
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Depending on the user locations, and AVD region deployment, users may have a non-optimal experience, hence is important to test as soon as possible in a small PoC environment. Run the 'Azure Virtual Desktop Experience Estimator' tool to select the best Azure region to deploy Host Pools. 
Beyond 150ms latency, user experience may be not optimal.",
+ "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e",
+ "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/",
+ "services": [
+ "AVD"
+ ],
 "severity": "High",
- "subcategory": "High Availability",
- "text": "Learn how to fail back after a failover.",
- "waf": "Reliability"
+ "subcategory": "Clients & Users",
+ "text": "Run a PoC to validate end-to-end user experience and impact of network latency",
+ "waf": "Performance"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.",
- "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs",
- "service": "VMSS",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "RDP settings can currently only be configured at the host pool level, not per user/group. 
If different settings are required for different set of users, it is recommended to create multiple Host Pools.",
+ "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
 "services": [
- "VM"
+ "AVD"
 ],
 "severity": "Low",
- "subcategory": "VM Scale Sets",
- "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency",
- "waf": "Reliability"
+ "subcategory": "Clients & Users",
+ "text": "Assess and document RDP settings for all user groups",
+ "waf": "Security"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).",
- "guid": "4d874a74-8b66-42d6-b150-512a66498f6d",
- "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction",
- "service": "VM",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD is a non-regional service, Host Pools can be created in any region, automatic redirection from closest front-end will happen automatically.",
+ "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9",
+ "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop",
 "services": [
- "Backup",
- "VM"
+ "AVD"
 ],
 "severity": "High",
- "subcategory": "Virtual Machines",
- "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs",
- "waf": "Reliability"
+ "subcategory": "General",
+ "text": "Determine in which Azure regions AVD Host Pools will be deployed.",
+ "waf": "Performance"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%",
- "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4",
- "link": 
"https://learn.microsoft.com/azure/virtual-machines/disks-types",
- "service": "VM",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD must store metadata to support the service; this is stored in the specified geography. However, this is independent of the regions where Host Pools are located.",
+ "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations",
 "services": [
- "VM"
+ "AVD"
 ],
- "severity": "High",
- "subcategory": "Virtual Machines",
- "text": "Use Premium or Ultra disks for production VMs",
+ "severity": "Medium",
+ "subcategory": "General",
+ "text": "Determine metadata location for AVD service",
 "waf": "Reliability"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.",
- "guid": "b31e38c3-f298-412b-8363-cffe179b599d",
- "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview",
- "service": "VM",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files if used.",
+ "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
+ "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
 "services": [
- "VM"
+ "AVD",
+ "VM",
+ "Storage"
 ],
- "severity": "High",
- "subcategory": "Virtual Machines",
- "text": "Ensure Managed Disks are used for all VMs",
+ "severity": "Low",
+ "subcategory": "General",
+ "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions",
 "waf": "Reliability"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "Temporary disks are intended for short-term storage of non-persistent 
data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", - "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", - "service": "VM", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "AD DCs in Azure are recommended (at least two in different AZ) to reduce latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. A DC need to be able to talk to DCs for ALL child domains. As alternative, on-premise connectivity must be used to reach AD DCs.", + "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", "services": [ - "SQL", + "AVD", "Storage", - "VM" + "VNet", + "Entra" ], "severity": "Medium", - "subcategory": "Virtual Machines", - "text": "Do not use the Temp disk for anything that is not acceptable to be lost", + "subcategory": "Active Directory", + "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. 
",
+ "guid": "6db55f57-9603-4334-adf9-cc23418db612",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
 "services": [
- "ACR",
- "Storage",
- "VM"
+ "AVD",
+ "Entra"
 ],
 "severity": "Medium",
- "subcategory": "Virtual Machines",
- "text": "Leverage Availability Zones for your VMs in regions where they are supported",
- "waf": "Reliability"
+ "subcategory": "Active Directory",
+ "text": "Create a specific OU in Active Directory for each Host Pool",
+ "waf": "Operations"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.",
- "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "VM",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Carefully review, and potentially block/filter inheritance of GPOs to the OUs containing AVD Host Pools. 
",
+ "guid": "7126504b-b47a-4393-a080-327294798b15",
+ "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
 "services": [
- "VM"
+ "AVD",
+ "Entra"
 ],
 "severity": "Medium",
- "subcategory": "Virtual Machines",
- "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets",
- "waf": "Reliability"
+ "subcategory": "Active Directory",
+ "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities",
+ "waf": "Operations"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)",
- "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "VM",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If Active Directory Domain GPOs are used, it is recommended to configure FSLogix using the built-in provided GPO ADMX template referenced in the companion article in the 'More Info' column",
+ "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f",
+ "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates",
 "services": [
- "ASR",
- "VM"
+ "AVD",
+ "Entra"
 ],
- "severity": "High",
- "subcategory": "Virtual Machines",
- "text": "Avoid running a production workload on a single VM",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Active Directory",
+ "text": "Configure FSLogix settings using the built-in provided GPO ADMX template",
+ "waf": "Operations"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.",
- 
"guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "VM",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "It is recommended to have a specific dedicated account with minimal permissions, and without the default 10 joins limitation. Review the companion article for more details.",
+ "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts",
 "services": [
- "AVS",
- "ASR",
- "VM"
+ "AVD",
+ "VM",
+ "Entra"
 ],
- "severity": "High",
- "subcategory": "Virtual Machines",
- "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Active Directory",
+ "text": "Create a dedicated user account with only permissions to join VM to the domain",
+ "waf": "Security"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.",
- "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d",
- "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview",
- "service": "VM",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Avoid granting access per user, instead use AD groups and replicate them using Active Directory Connector (ADC) in Microsoft Entra ID (former Azure AD). 
",
+ "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
 "services": [
- "VM"
+ "AVD",
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Virtual Machines",
- "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Active Directory",
+ "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)",
+ "waf": "Security"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.",
- "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666",
- "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests",
- "service": "VM",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If Azure Files Active Directory (AD) integration is used, as part of the configuration procedure, an AD account to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. 
You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.",
+ "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
+ "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
 "services": [
- "ASR",
- "VM"
+ "AzurePolicy",
+ "AVD",
+ "Storage",
+ "Entra"
 ],
- "severity": "Medium",
- "subcategory": "Virtual Machines",
- "text": "Increase quotas in DR region before testing failover with ASR",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Active Directory",
+ "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration",
+ "waf": "Security"
 },
 {
- "category": "Compute",
- "checklist": "Resiliency Review",
- "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.",
- "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87",
- "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events",
- "service": "VM",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "You can configure this using Active Directory Connect (ADC) or Azure AD Domain Services (for hybrid or cloud organizations). 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
+ "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity",
 "services": [
- "VM"
+ "AVD",
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Virtual Machines",
- "text": "Utilize Scheduled Events to prepare for VM maintenance",
+ "severity": "High",
+ "subcategory": "Active Directory",
+ "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID",
 "waf": "Reliability"
 },
 {
- "category": "Data",
- "checklist": "Resiliency Review",
- "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.",
- "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
- "service": "Azure Storage",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If Azure Files is used and pre-requisites can be satisfied, it is recommended to configure (Microsoft Entra ID) Kerberos authentication. 
This configuration will allow to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined session hosts without requiring network line-of-sight to domain controllers.",
+ "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338",
+ "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable",
 "services": [
- "Storage"
+ "AVD",
+ "Storage",
+ "Entra"
 ],
 "severity": "Medium",
- "subcategory": "Storage Accounts",
- "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements",
- "waf": "Reliability"
+ "subcategory": "Microsoft Entra ID",
+ "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario",
+ "waf": "Security"
 },
 {
- "category": "Data",
- "checklist": "Resiliency Review",
- "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.",
- "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e",
- "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
- "service": "Azure Storage",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "An Azure subscription must be parented to the same Microsoft Entra ID (former Azure AD) tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory Domain Services or Microsoft Entra ID Domain Services instance.",
+ "guid": "6ceb5443-5125-4922-9442-93bb628537a5",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity",
 "services": [
- "Storage"
+ "VNet",
+ "AVD",
+ "Subscriptions",
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Storage Accounts",
- "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts",
+ "severity": "High",
+ 
"subcategory": "Requirements",
+ "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked",
 "waf": "Reliability"
 },
 {
- "category": "Data",
- "checklist": "Resiliency Review",
- "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.",
- "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
- "service": "Azure Storage",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. Be sure to review also the list of supported scenarios in https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.",
+ "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication",
 "services": [
- "Storage"
+ "AVD",
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Storage Accounts",
- "text": "Enable soft delete for Storage Account Containers",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Requirements",
+ "text": "Review and document your identity scenario",
+ "waf": "Security"
 },
 {
- "category": "Data",
- "checklist": "Resiliency Review",
- "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.",
- "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
- 
"service": "Azure Storage",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Users need accounts that are in Microsoft Entra ID (former Azure AD). If you're also using AD DS or Azure AD Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be hybrid identities, which means the user accounts are synchronized. If you're using Microsoft Entra ID with AD DS, you'll need to configure Azure AD Connect to synchronize user identity data between AD DS and Microsoft Entra ID. If you're using Microsoft Entra ID with Azure AD Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Azure AD Domain Services. This synchronization process is automatic. AVD also supports Microsoft Entra ID native accounts with some restrictions. External identities (B2B or B2C) are not supported.",
+ "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios",
 "services": [
- "Storage"
+ "AVD",
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Storage Accounts",
- "text": "Enable soft delete for blobs",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Requirements",
+ "text": "Assess User Account types and requirements",
+ "waf": "Security"
 },
 {
- "category": "General",
- "checklist": "Resiliency Review",
- "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.",
- "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82",
- "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about",
- "service": "Azure Backup",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD supports SSO using either Active Directory Federation Services (AD FS) or Microsoft Entra ID (former 
Azure AD) authentication. The latter is recommended, please check the requirements and limitation in the 'More Info' article. Using AD FS could be a viable choice if already present in the customer environment, it is not recommended to deploy a brand new ADFS infrastructure just for AVD SSO implementation.",
+ "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso",
 "services": [
- "Backup"
+ "AVD",
+ "Entra"
 ],
 "severity": "Medium",
- "subcategory": "Backup",
- "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery",
+ "subcategory": "Requirements",
+ "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites",
 "waf": "Reliability"
 },
 {
- "category": "General",
- "checklist": "Resiliency Review",
- "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.",
- "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae",
- "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept",
- "service": "Azure Backup",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "VMs can be Windows Active Directory (AD) domain-joined, Hybrid AD-joined, Microsoft Entra ID (former Azure AD) Joined or Azure AD Domain Services joined. 
Be sure to review supported scenarios, limitations and requirements from the referenced article.",
+ "guid": "ea962a15-9394-46da-a7cc-3923266b2258",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios",
 "services": [
- "Backup"
+ "AVD",
+ "VM",
+ "Entra"
 ],
- "severity": "Low",
- "subcategory": "Backup",
- "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Requirements",
+ "text": "Select the proper AVD Session Host domain join type",
+ "waf": "Security"
 },
 {
- "category": "General",
- "checklist": "Resiliency Review",
- "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.",
- "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e",
- "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault",
- "service": "Azure Backup",
+ "category": "Identity",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Compare self-managed Windows Active Directory Domain Services, Microsoft Entra ID (former Azure AD), and managed Azure AD Domain Services (AAD-DS)",
+ "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
+ "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
 "services": [
- "Storage",
- "Backup"
+ "AVD",
+ "Entra"
 ],
 "severity": "Low",
- "subcategory": "Backup",
- "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups",
+ "subcategory": "Requirements",
+ "text": "Before using Azure AD Domain Services (AAD-DS) for 
AVD, be sure to review the limitations.",
 "waf": "Reliability"
 },
 {
- "category": "General",
- "checklist": "Resiliency Review",
- "description": "Clearly define your organization's business continuity and disaster recovery requirements for your Azure environment. This includes identifying the critical applications, data, and services that need to be protected, as well as specifying the desired recovery objectives and strategies.",
- "guid": "72e52e36-11dd-458c-9a4b-1521e43a58a9",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-business-continuity-disaster-recovery",
+ "category": "Monitoring and Management",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD provides administrative templates for Intune and Active Directory GPO. Using these templates it is possible to centrally control several AVD configuration settings: Graphics related data logging, Screen capture protection, RDP Shortpath for managed networks, Watermarking. See companion article in 'More Info' colum for details. NOTE: FSLogix has its own separate template.",
+ "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template",
 "services": [
- "ASR"
+ "AVD",
+ "Monitor",
+ "Entra"
 ],
- "severity": "High",
- "subcategory": "Design",
- "text": "Define business continuity and disaster recovery requirements",
- "waf": "Reliability"
- },
- {
- "category": "General",
- "checklist": "Resiliency Review",
- "description": "Ensure that your Azure architectures are designed with a focus on reliability. 
Consider implementing fault-tolerant mechanisms, redundancy, and resiliency patterns to minimize the impact of failures and maximize the availability of your applications and services.",
- "guid": "c2399c4d-7b67-4d0c-9555-62f2b3e4563a",
- "link": "https://learn.microsoft.com/azure/architecture/reliability/architect",
- "services": [],
- "severity": "High",
- "subcategory": "Design",
- "text": "Implement reliability best practices in Azure architectures",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Management",
+ "text": "Use built-in provided administrative templates for AVD settings configuration",
+ "waf": "Operations"
 },
 {
- "category": "General",
- "checklist": "Resiliency Review",
- "description": "IaC configurations can play a role in your disaster recovery plan, particularly in situations where recovery time is not time-sensitive. In the event of infrastructure recreation in a second region, IaC can be used to reproduce the necessary infrastructure.",
- "guid": "fe237de2-43b1-46c3-8d7a-a9b7570449aa",
- "link": "https://learn.microsoft.com/azure/well-architected/devops/automation-infrastructure",
+ "category": "Monitoring and Management",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration after initial deployment, For example SCCM/SCOM, Intune/ConfigurationManager, 3rd-party solutions.",
+ "guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/management",
 "services": [
- "RBAC",
- "ASR"
+ "AVD",
+ "VM",
+ "Monitor"
 ],
- "severity": "Medium",
- "subcategory": "DevOps",
- "text": "Implement Infrastructure as Code (IaC) for Rapid Infrastructure Recovery",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Management",
+ "text": "Plan AVD Session Hosts configuration management strategy",
+ "waf": "Operations"
 },
 {
- "category": "General",
- "checklist": "Resiliency 
Review",
- "description": "Azure offers region pairs that are geographically separated and can be used for cross-region replication and disaster recovery. These region pairs provide redundancy and protection against regional or large-scale disasters.",
- "guid": "dcb1f7d5-769a-4e56-aba3-8d4a85e2213d",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "category": "Monitoring and Management",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the “More Info” column. Document your choice in the 'Comment' column. In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.",
+ "guid": "63a08be1-6004-4b4a-a79b-f3239faae113",
+ "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop",
 "services": [
- "ASR"
+ "AVD",
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Multi-region",
- "text": "Plan for cross-region recovery by leveraging region pairs",
- "waf": "Reliability"
+ "subcategory": "Management",
+ "text": "Evaluate Intune for AVD Session Hosts management",
+ "waf": "Operations"
 },
 {
- "category": "Network",
- "checklist": "Resiliency Review",
- "description": "By deploying an Application Gateway with a minimum instance count of two, you will have at least two instances available under normal circumstances. In the event that one of the instances encounters a problem, the other instance will handle the traffic while a new instance is being created. 
This approach significantly reduces the risk of service disruption and ensures a seamless experience for your users.",
- "guid": "93c76286-37a5-451c-9b04-e4f1854387e5",
- "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant#autoscaling-and-high-availability",
+ "category": "Monitoring and Management",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. Not available yet for Personal Host Pool type.",
+ "guid": "7138b820-102c-4e16-be30-1e6e872e52e3",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios",
 "services": [
- "AppGW"
+ "AVD",
+ "VM",
+ "Monitor",
+ "Cost"
 ],
 "severity": "Medium",
- "subcategory": "Application Gateways",
- "text": "Deploy Application Gateways with a minimum instance count of 2 to avoid instance provisioning downtime",
+ "subcategory": "Management",
+ "text": "Assess the requirements for host pool auto-scaling capability",
 "waf": "Reliability"
 },
 {
- "category": "Network",
- "checklist": "Resiliency Review",
- "description": "The v2 SKU offers several advantages and critical new features that enhance the availability and resilience of your application infrastructure. 
One notable feature supported by the v2 SKU is zone redundancy, which allows an Application Gateway deployment to span multiple Availability Zones.",
- "guid": "ced126cd-032a-4f5b-8fc6-998a535e3378",
- "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "category": "Monitoring and Management",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed. You can configure Start VM on Connect for personal or pooled host pools using the Azure portal or PowerShell. Start VM on Connect is a host pool wide setting.",
+ "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect",
 "services": [
- "AppGW",
- "Storage"
+ "AVD",
+ "VM",
+ "Monitor",
+ "Cost"
 ],
- "severity": "High",
- "subcategory": "Application Gateways",
- "text": "Deploy Azure Application Gateway v2 for zone redundancy support",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Management",
+ "text": "Consider the usage of Start VM on Connect for Personal Host Pools",
+ "waf": "Cost"
 },
 {
- "category": "Network",
- "checklist": "Resiliency Review",
- "description": "Azure Front Door provides automatic failover capabilities, ensuring continuity in the event of a primary region becoming unavailable. However, during the failover process, there may be a brief period (typically 20-60 seconds) when clients cannot reach the application. It is essential to review the Azure Front Door service level agreement (SLA) to determine whether relying solely on Front Door meets your business requirements for high availability. 
",
- "guid": "97e31c67-d68c-4f6a-92a1-194956d697dc",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/multi-region#azure-front-door",
+ "category": "Monitoring and Management",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "'Start VM On Connect' provides a smart way to automatically start previously stopped Session Hosts but does not provide a mechanism to shut down when not in used. Administrators are encouraged to configure additional policies to sign users out of their sessions and run Azure automation scripts to de-allocate VMs. Users should be not allowed to shut down their Personal Hosts since will not be able to de-allocate Azure VMs, then billing will still be active with no cost reduction.",
+ "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them",
 "services": [
- "FrontDoor"
+ "VM",
+ "Cost",
+ "AVD",
+ "AzurePolicy",
+ "Monitor"
 ],
 "severity": "Low",
- "subcategory": "Azure Front Door",
- "text": "Consider a redundant traffic management solution in conjunction with Azure Front Door",
- "waf": "Reliability"
+ "subcategory": "Management",
+ "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts",
+ "waf": "Cost"
 },
 {
- "category": "Network",
- "checklist": "Resiliency Review",
- "description": "By implementing Traffic Manager, you can configure it to continuously monitor the health of your application endpoints and automatically redirect traffic to an alternate endpoint when necessary. 
This automation minimizes downtime and provides a more seamless experience for your users during disaster recovery scenarios.",
- "guid": "8df03a82-2cd4-463c-abbc-8ac299ebc92a",
- "link": "https://learn.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager",
+ "category": "Monitoring and Management",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Azure Virtual Desktop billing is mainly based on cost associated to compute, networking and storage resources consumed by Host Pools. In addition to this, costs can be generated by dependent resources, for example VPN or ExpressRoute or vWAN, Active Directory Domain Controllers, DNS, etc. There is no direct cost associated to AVD objects like workspaces, host pools or application groups. To make AVD associated costs more evident and grouped by Host Pool, it is recommended to use 'cm-resource-parent' tag. ",
+ "guid": "51bcafca-476a-48fa-9b91-9645a7679f20",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources",
 "services": [
- "TrafficManager",
- "Monitor",
+ "VPN",
+ "Cost",
+ "VWAN",
 "DNS",
- "ASR"
+ "AVD",
+ "Storage",
+ "ExpressRoute",
+ "Monitor"
 ],
 "severity": "Low",
- "subcategory": "DNS",
- "text": "Plan for automated failover using Traffic Manager for DNS Traffic",
- "waf": "Reliability"
+ "subcategory": "Management",
+ "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop",
+ "waf": "Cost"
 },
 {
- "category": "Network",
- "checklist": "Resiliency Review",
- "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.",
- "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146",
- "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover",
- "service": "DNS",
+ "category": "Monitoring and Management",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.",
+ "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations",
 "services": [
- "ACR",
- "DNS",
- "ASR"
+ "AVD",
+ "Monitor",
+ "Cost",
+ "Entra"
 ],
 "severity": "Low",
- "subcategory": "DNS",
- "text": "Implement DNS Failover using Azure DNS Private Resolvers",
- "waf": "Reliability"
+ "subcategory": "Management",
+ "text": "Periodically check Azure Advisor recommendations for AVD",
+ "waf": "Operations"
 },
 {
- "category": "Network",
- "checklist": "Resiliency Review",
- "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.",
- "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103",
- "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters",
- "service": "Data Gateways",
+ "category": "Monitoring and Management",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: 
https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3rd Party tools. Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.", + "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa", + "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", "services": [ - "ACR" + "AVD", + "Monitor" ], "severity": "Medium", - "subcategory": "Data Gateways", - "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", - "waf": "Reliability" + "subcategory": "Management", + "text": "Plan for a Session Host emergency patching and update strategy", + "waf": "Operations" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "When using ExpressRoute, it's important to design for high availability by incorporating redundancy in both the partner and customer networks. This can include multiple ExpressRoute circuits, redundant connections from your network to Microsoft, and ensuring your on-premises network equipment has redundant connections.", - "guid": "c0e7c28d-c936-4657-802b-ff4564b0d934", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "The Scheduled Agent Updates feature lets you create up to two maintenance windows per Host Pool to update AVD components at a convenient time. It is recommended to specify maintenance windows then upgrading Session Hosts will not happen during peak business hours. Scheduled Agent Updates is disabled by default. 
This means that, unless you enable this setting, the agent can get updated at any time by the agent update flighting service.", + "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f", + "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", "services": [ - "ExpressRoute" + "AVD", + "Monitor" ], - "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Ensure redundancy within both the partner network and customer network when utilizing ExpressRoute for high availability", + "severity": "Low", + "subcategory": "Management", + "text": "Configure the Scheduled Agent Updates feature", "waf": "Reliability" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "The primary circuit should handle regular traffic while the backup circuit stays ready to take over if the primary circuit fails. Utilize BGP attributes to influence routing and designate your primary and backup circuits effectively.", - "guid": "a359c373-e7dd-4616-83a3-64a907ebae48", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. 
This allows you to monitor service updates before the service applies them to your standard or non-validation environment.", + "guid": "d1e8c38e-c936-4667-913c-005674b1e944", + "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", "services": [ - "ExpressRoute", - "Backup" + "AVD", + "VM", + "Monitor" ], "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "When using multiple ExpressRoute circuits ensure that routing allows for a primary and backup", - "waf": "Reliability" + "subcategory": "Management", + "text": "Create a validation (canary) Host Pool", + "waf": "Operations" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "S2S VPN connection can provide a cost-effective, resilient backup solution in the event of an ExpressRoute circuit failure. By using S2S VPN as a failover, you can maintain connectivity to your Azure resources without relying solely on ExpressRoute.", - "guid": "ead53cc7-de2e-48aa-ab35-71549ab9153d", - "link": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "An AVD Host Pool can be deployed in several ways: Azure Portal, ARM templates, Azure CLI tool, Powershell, manual VM creation with registration token, Terraform, 3rd-party tools. 
It is important to adopt proper method/s to support automatic deployment through automation and CI/CD tools.", + "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", "services": [ - "ExpressRoute", - "VPN", - "Backup", - "Cost" + "AVD", + "VM", + "Monitor" ], - "severity": "Low", - "subcategory": "ExpressRoute", - "text": "Consider deploying site-to-site VPN as a backup for your ExpressRoute private peering", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Management", + "text": "Determine Host Pool deployment strategy", + "waf": "Operations" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "Standard Load Balancer SKU offers an SLA of 99.99% and a higher level of service availability compared to the Basic Load Balancer SKU.", - "guid": "778468d5-5a78-45d6-be96-c96ad8844cf3", - "link": "https://learn.microsoft.com/azure/load-balancer/skus", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. 
Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.", + "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", "services": [ - "LoadBalancer" + "AVD", + "VM", + "Monitor" ], "severity": "Medium", - "subcategory": "Load Balancers", - "text": "Leverage the Standard SKU for Load Balancers that handle traffic to production applications", - "waf": "Reliability" + "subcategory": "Management", + "text": "Turn on Session Host VMs at least every 90 days for token refresh", + "waf": "Operations" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "By configuring the load balancer with a zone-redundant frontend, it can serve zonal resources in any zone with a single IP address. As long as at least one zone remains healthy within the region, the IP address associated with the frontend can survive one or more zone failures. It is recommended to have multiple zonal resources, such as virtual machines from different zones, in the backend pool of the load balancer. ", - "guid": "b2b38c88-6ba2-4c02-8499-114a5d3ce574", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. 
Read the referenced article to learn how to set up Azure Monitor for Azure Virtual Desktop to monitor your AVD environments.", + "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", + "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", "services": [ - "LoadBalancer", - "VM" + "AVD", + "Monitor" ], - "severity": "Low", - "subcategory": "Load Balancers", - "text": "For load balancers, consider using a zone-redundant frontend with multiple zonal resources in the backend", + "severity": "High", + "subcategory": "Monitoring", + "text": "Enable monitoring for AVD", "waf": "Reliability" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "When designing health probes for your Azure Load Balancer, it is important to follow best practices to ensure reliable and accurate monitoring of your backend instances.", - "guid": "dccbd979-2a6b-4cca-8b5f-ea1ebf3dd95d", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview#design-guidance", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. 
", + "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", + "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", "services": [ - "LoadBalancer", + "AVD", + "VM", "Monitor" ], - "severity": "Low", - "subcategory": "Load Balancers", - "text": "Select the right protocol, appropriate intervals and timeouts, representative paths and probe responses when defining Load Balancer Health Probes", + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace", "waf": "Reliability" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. 
", + "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", + "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", "services": [ - "NVA" + "AVD", + "Storage", + "Monitor" ], - "severity": "High", - "subcategory": "NVAs", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling", "waf": "Reliability" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "By deploying VPN Gateways in an active-active mode, you can distribute VPN traffic across multiple gateways, improving reliability and ensuring continuous connectivity in case of failures or maintenance.", - "guid": "927139b8-2110-42db-b6ea-f11e6f843e53", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "You can use Azure Service Health to monitor service issues and health advisories for Azure Virtual Desktop. 
Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.", + "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", + "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", "services": [ - "VPN", - "ACR" + "AVD", + "Monitor" ], "severity": "Medium", - "subcategory": "VPN Gateways", - "text": "Deploy Azure VPN Gateways in an active-active mode to ensure high availability and redundancy for your VPN connections.", + "subcategory": "Monitoring", + "text": "Configure Azure Service Health for AVD alerts ", "waf": "Reliability" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "Zone-redundant SKUs ensure that your VPN gateways are physically and logically separated within a region, providing resiliency and scalability. This deployment configuration safeguards your on-premises network connectivity to Azure from zone-level failures.", - "guid": "f4722d92-8c1b-41cd-921f-54b29b9de39a", - "link": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity (ExpressRoute, Azure S2S or 3rd-party NVA VPN). 
", + "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "services": [ + "NVA", + "AVD", + "ExpressRoute", "VPN" ], "severity": "Medium", - "subcategory": "VPN Gateways", - "text": "Use zone-redundant SKUs when deploying VPN Gateways to enhance resilience and protect against zone-level failures", + "subcategory": "Networking", + "text": "Determine if hybrid connectivity is required to connect to on-premises environment", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Stream Analytics Review Checklist", - "guid": "32e52e36-11c8-418b-8a0b-c511e43a18a9", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-stream_analytics_v1.docx", - "services": [], - "severity": "High", - "subcategory": "High Availablity ", - "text": "Leverage FTA Resiliency Handbook for Stream Analytics", - "waf": "Reliability" + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD Host Pools can be deployed in either Azure Virtual WAN or traditional 'Hub & Spoke' network topologies. It is recommended to deploy each Host Pool in a separate 'spoke' VNet, using 'hub' is not recommended.", + "guid": "c8639648-a652-4d6c-85e5-02965388e5de", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", + "services": [ + "AVD", + "VWAN", + "VNet" + ], + "severity": "Medium", + "subcategory": "Networking", + "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Stream Analytics Review Checklist", - "description": "Azure Stream Analytics provides high availability (99.9% SLA) for jobs and clusters within a region, the details of which are transparent to the end customer. 
If failures occur within the service, per the documentation �Azure Stream Analytics guarantees exactly once event processing and at-least-once delivery of events, so events are never lost.�", - "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", - "link": "https://azure.microsoft.com/en-in/products/stream-analytics", - "services": [], + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Evaluate the bandwidth requirements, ensure VPN/ER bandwidth will be enough, ensure proper routing and firewall rules are in place, test end-to-end latency. ", + "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", + "services": [ + "AVD", + "VPN" + ], "severity": "Medium", - "subcategory": "High Availablity ", - "text": "Understand High Availability 99% SLA and use it to plan your DR strategy", + "subcategory": "Networking", + "text": "Assess which on-premises resources are required from AVD Host Pools", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Stream Analytics Review Checklist", - "description": "Azure Stream Analytics resources (jobs, clusters, etc.) are regional and do not provide automatic geo-failover. However, you can achieve geo-redundancy by deploying identical Stream Analytics jobs in multiple Azure regions. Each job connects to local input and output sources. It is the responsibility of your application to both send input data into the two regional inputs and reconcile between the two regional outputs.", - "guid": "fc833934-8b26-42d6-ac5f-512925498e6d", - "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy", - "services": [], + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Several options are available. You can use Azure Firewall or equivalent 3rd-party NVA, Network Security Group (NSG) and/or Proxy servers. 
NSG is not able to enable/disable by URL, only ports and protocols. Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are reported in the companion article in the 'More Info' column. Be sure to allow proper access to required AVD URLs. Forced Tunneling to on-premises is not recommended.", + "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "services": [ + "NVA", + "AVD", + "Firewall", + "VNet" + ], "severity": "Medium", - "subcategory": "Geo Redundancy", - "text": "Plan for Geo Redudancy of the service", + "subcategory": "Networking", + "text": "Need to control/restrict Internet outbound traffic for AVD hosts?", + "waf": "Security" + }, + { + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. 
Forced Tunneling to on-premises is not recommended.", + "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", + "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", + "services": [ + "AVD" + ], + "severity": "High", + "subcategory": "Networking", + "text": "Ensure AVD control plane endpoints are accessible", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Stream Analytics Review Checklist", - "guid": "b9d37dac-43bc-46cd-8d7a-a9b24604489a", - "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy", - "services": [], + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation, see the Security section for more details.", + "guid": "73676ae4-6691-4e88-95ad-a42223e13810", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", + "services": [ + "AVD", + "Defender" + ], "severity": "Medium", - "subcategory": "Geo Redundancy", - "text": "Depending on your availablity requirement, configure Active/Active configuration or Active/Passive configuration ", - "waf": "Reliability" + "subcategory": "Networking", + "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? ", + "waf": "Security" }, { - "category": "Governance", - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. 
In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.", + "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "services": [ - "AKV", - "Backup" + "NVA", + "AVD", + "Firewall", + "VNet" + ], + "severity": "Low", + "subcategory": "Networking", + "text": "Review custom UDR and NSG for AVD Host Pool subnets", + "waf": "Security" + }, + { + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Network traffic from AVD Session Host VMs to AVD control plane should be as direct as possible. Redirecting this traffic through a Proxy or Firewall with deep packet inspection and/or SSL termination could cause serious issues and bad customer experience. It is recommended to bypass Proxy and Firewall just for the AVD control plane. User generated traffic surfing the web instead, should be filtered by Firewall and/or redirected to a Proxy. 
For details and guidelines, please see the companion article in the 'More Info' column.", + "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af", + "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support", + "services": [ + "AVD", + "VM" ], "severity": "High", - "subcategory": "Deployment best practices", - "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "subcategory": "Networking", + "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. ", + "guid": "516785c6-fa96-4c96-ad88-408f372734c8", + "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth", "services": [ - "ACR", - "AKV" + "AVD", + "VM" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. 
Familiarize yourself with the Key Vault's availability and redundancy.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Networking", + "text": "Check the network bandwidth required for each user and in total for the VM SKU", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Azure Key Vault", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "If Azure Files SMB share will be used to store user profiles via FSLogix, the usage of Private Endpoint (PE) for private access to the storage is recommended. AVD Session Hosts will access the storage using a private IP in the same VNet, a separate subnet is recommended. This feature has an additional cost that must be evaluated. If PE will not be used, at least Service Endpoint is recommended (no cost associated).", + "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", + "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", "services": [ - "AKV" + "Cost", + "AVD", + "Storage", + "PrivateLink", + "VNet" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", - "waf": "Reliability" + "subcategory": "Networking", + "text": "Evaluate usage Private Endpoint for Azure Files share", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Connections to Azure Virtual Desktop can use TCP or UDP. RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.", + "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4", + "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath", "services": [ - "AKV", - "AzurePolicy" + "AVD", + "VPN" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", - "waf": "Reliability" + "subcategory": "Networking", + "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Security mechanisms provided by GPO should be used, if available. For example, it is possible to impose desktop screen lock and idle session disconnection time. Existing GPOs applied to on-premises environment should be reviewed and eventually applied also to secure also AVD Hosts when joined to the domain.", + "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies", "services": [ - "Backup", - "Storage", - "AKV", - "Subscriptions", - "ASR" + "AVD" ], "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "subcategory": "Active Directory", + "text": "Review Active Directory GPO to secure RDP sessions", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Microsoft Defender for Endpoint supports Azure Virtual Desktop for Windows 10/11 Enterprise multi-session. Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", + "guid": "b1172576-9ef6-4691-a483-5ac932223ece", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus", "services": [ - "AKV", - "ASR" + "AVD", + "Defender" ], "severity": "High", - "subcategory": "Business continuity and disaster recovery", - "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", - "waf": "Reliability" + "subcategory": "Host Configuration", + "text": "Ensure anti-virus and anti-malware solutions are used", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys. 
Host VM OS disk encryption is possible and supported using Azure Disk Encryption (ADE - BitLocker) and Disk Encryption Set (DES - Server Side Encryption), the latter is recommended. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage. For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
+ "guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview",
 "services": [
 "AKV",
- "ASR"
+ "AVD",
+ "Storage",
+ "VM"
 ],
 "severity": "Low",
- "subcategory": "Business continuity and disaster recovery",
- "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.",
- "waf": "Reliability"
+ "subcategory": "Host Configuration",
+ "text": "Assess disk encryption requirements for AVD Session Hosts",
+ "waf": "Security"
 },
 {
- "category": "Management",
- "checklist": "Azure Key Vault",
- "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
- "service": "Key Vault",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against “bottom of the stack” threats through attack vectors such as rootkits, boot kits, and kernel-level malware. 
Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.",
+ "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch",
 "services": [
- "AKV",
- "Backup",
- "ASR"
+ "AVD",
+ "VM",
+ "Monitor"
 ],
- "severity": "Low",
- "subcategory": "Business continuity and disaster recovery",
- "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Host Configuration",
+ "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts",
+ "waf": "Security"
 },
 {
- "category": "Management",
- "checklist": "Azure Key Vault",
- "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04",
- "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
- "service": "Key Vault",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Trusted Launch and Gen2 VM are not only security and performance enhancing features but also system requirements for Windows 11. When building an AVD environment based on Windows 11, it is essential to enable these features.",
+ "guid": "135d3899-4b31-44d3-bc8f-028871a359d8",
+ "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements",
 "services": [
- "AKV",
- "Backup",
- "ASR"
+ "AVD",
+ "VM"
 ],
- "severity": "Low",
- "subcategory": "Business continuity and disaster recovery",
- "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. 
Familiarize yourself with the Key Vault's backup and restore guidance.",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Host Configuration",
+ "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11",
+ "waf": "Security"
 },
 {
- "category": "Management",
- "checklist": "Azure Key Vault",
- "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3",
- "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection",
- "service": "Key Vault",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Displayed content will be automatically blocked or hidden in screenshots. Keep in mind screen sharing will also be blocked when using Teams or other collaboration software which use screen sharing.",
+ "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection",
 "services": [
- "AKV",
- "ASR",
- "EventHubs"
+ "AVD"
 ],
- "severity": "Medium",
- "subcategory": "Business continuity and disaster recovery",
- "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. 
It can be turned on via CLI, PowerShell or Portal.",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Host Configuration",
+ "text": "Consider enabling screen capture protection to prevent sensitive information from being captured",
+ "waf": "Security"
 },
 {
 "category": "Security",
- "checklist": "Azure Key Vault",
- "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant",
- "guid": "d0642c1c-312b-4116-94ab-439e1c836819",
- "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli",
- "service": "Key Vault",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If not absolutely required, redirecting drives, printers, and USB devices to a user's local device in a remote desktop session should be disabled or highly restricted. Restrict Windows Explorer access by hiding local and remote drive mappings is also a secure measure to adopt preventing users from discovering unwanted information about system configuration and users.",
+ "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts",
 "services": [
- "AKV",
- "RBAC",
- "Entra"
+ "AVD"
 ],
 "severity": "Medium",
- "subcategory": "Identity and Access Management",
- "text": "RBAC is recommended to control access to your key vault. 
Familiarize yourself with the Key Vault's access control guidance.",
+ "subcategory": "Host Configuration",
+ "text": "Restrict device redirection and drive mapping",
 "waf": "Security"
 },
 {
- "category": "BC and DR",
- "checklist": "Azure Data Explorer Review Checklist",
- "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage",
- "guid": "ba7da7be-9951-4914-a384-5d997cb39132",
- "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export",
- "service": "Azure Data Explorer",
+ "category": "Security",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.",
+ "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview",
 "services": [
- "Cost",
- "Storage"
+ "AVD"
 ],
- "subcategory": "Replication",
- "text": "Leverage External Tables and Continuous data export overview to reduce costs",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Management",
+ "text": "When possible, prefer Remote Apps over Full Desktops (DAG)",
+ "waf": "Security"
 },
 {
- "category": "BC and DR",
- "checklist": "Azure Data Explorer Review Checklist",
- "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. 
While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Web content filtering feature provided by Web Protection capability in Microsoft Defender for Endpoint, can be used to to control user web navigation. If this tool is used, configuration of web filtering for user Internet browsing is recommended. Access by the Guest OS system to required AVD control plane URLs must be guaranteed.", + "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "services": [ - "Storage" + "AVD", + "Defender" ], - "subcategory": "Replication", - "text": "To share data, explore Leader-follower cluster configuration", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Management", + "text": "Need to control/restrict user Internet navigation from AVD session hosts?", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "We recommend you don't grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available through configuration management utilities.", + "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed", + "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide", "services": [ - "ASR" + "AVD" ], - "subcategory": "Replication", - "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", - "waf": "Reliability" + "severity": "High", + "subcategory": "Management", + "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key vaults, and storage accounts used by AVD. 
With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.", + "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud", "services": [ + "VM", + "Defender", + "AVD", "Storage", - "RBAC" + "AKV", + "Subscriptions" ], - "subcategory": "Replication", - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Management", + "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Azure Data Explorer", - "services": [], - "subcategory": "Replication", - "text": "Ingest data into each cluster in parallel", - "waf": "Reliability" + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop and store in a central repository like Log Analytics workspace. 
", + "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", + "services": [ + "AVD", + "Monitor", + "Entra" + ], + "severity": "Medium", + "subcategory": "Management", + "text": "Enable diagnostic and audit logging", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). 
Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.", + "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b", + "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac", "services": [ - "ACR" + "AVD", + "RBAC", + "Entra" ], - "subcategory": "DR Configuration", - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Management", + "text": "Assess the requirement to use custom RBAC roles for AVD management", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD users should not have permission to install application. If required, Windows Defender Application Control (WDAC) can be used to control which drivers and applications are allowed to run on their Windows clients. 
", + "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control", "services": [ - "ACR" + "AVD", + "Defender" ], - "subcategory": "DR Configuration", - "text": "For critical applications, create Active-Active configuration in two paired regions", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Management", + "text": "Restrict users from installing un-authorized applications", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Azure Data Explorer", - "services": [], - "subcategory": "DR Configuration", - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", - "waf": "Reliability" + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Enabling MFA and CA lets you manage risks before you grant users access to your AVD environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. Additional details and configuration procedures are provided in the companion article. 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).", + "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9", + "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa", + "services": [ + "AVD", + "Entra" + ], + "severity": "Medium", + "subcategory": "Microsoft Entra ID", + "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Azure Data Explorer", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "If Zero Trust is a requirement, review the companion article in the 'More Info' column. 
It provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment.", + "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43", + "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd", "services": [ - "Cost", - "Storage", - "AzurePolicy", - "ASR" + "AVD" ], - "subcategory": "DR Configuration", - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Zero Trust", + "text": "Review and Apply Zero Trust principles and guidance", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Data Explorer Review Checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "If used, make sure to check the list of best practices and recommendations described in the referenced article.", + "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6", + "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop", "services": [ - "AzurePolicy" + "AVD", + "Storage" ], - "subcategory": "IaC", - "text": "Wrap DevOps and source control around all your code", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Azure Files", + "text": "Check best-practices for Azure Files", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Azure Data Explorer Review Checklist", - "guid": 
"1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "services": [], - "subcategory": "IaC", - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Reliability" + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "SMB Multichannel enables clients to use multiple network connections that provide increased performance while lowering the cost of ownership. Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.", + "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369", + "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance", + "services": [ + "AVD", + "Storage", + "Cost", + "ACR" + ], + "severity": "Low", + "subcategory": "Azure Files", + "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers.", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "services": [], - "subcategory": "IaC", - "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "If a second region is required for DR purposes verify NetApp availability in there as well.", + "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3", + "link": "https://azure.microsoft.com/global-infrastructure/services/", + "services": [ + "AVD", + "Storage" + ], + "severity": "Medium", + "subcategory": "Azure NetApp Files", + "text": "If NetApp Files storage is required, check storage service availability in your specific region.", "waf": "Reliability" }, { - "category": "Automation", - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "CA option is a recommended setting in the FSLogix scenario, as it enables a more resilient SMB session between the Session Host and NetApp Files.", + "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024", + "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container", "services": [ - "SAP" + "AVD", + "Storage" ], "severity": "Medium", - "subcategory": "ACSS", - "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. 
You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "Operations" + "subcategory": "Azure NetApp Files", + "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency", + "waf": "Reliability" }, { - "category": "Automation", - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "An Active Directory Site should be created for the Azure virtual network environment where Azure NetApp Files (ANF) subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.", + "guid": "6647e977-db49-48a8-bc35-743f17499d42", + "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections", "services": [ - "SAP" + "AVD", + "Storage", + "VNet" ], - "severity": "Medium", - "subcategory": "SDAF", - "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", - "training": "https://github.com/Azure/sap-automation", - "waf": "Operations" + "severity": "High", + "subcategory": "Azure NetApp Files", + "text": "If Azure NetApp Files storage is used, check Active Directory Site name setting in the Active Directory Connection configuration", + "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Possible options: Standard HDD, Standard SSD, or Premium SSD. Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if Cloud Cache will be used. 
", + "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c", + "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types", "services": [ - "Backup", - "ASR", - "SAP" + "AVD", + "Storage" ], "severity": "Medium", - "subcategory": "Backup and restore", - "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", - "waf": "Reliability" + "subcategory": "Capacity Planning", + "text": "Determine which type of managed disk will be used for the Session Hosts", + "waf": "Performance" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Possible options are: Azure NetApp Files, Azure Files, VM based File Server. File-server it is not recommended. Azure Files Premium typically a good starting point. NetApp usually required for large scale / high-performant environment. 
For a detailed comparison see the article in the 'More Info' column.", + "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339", + "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "services": [ - "Backup", - "SAP", - "ASR" + "VM", + "AVD", + "Storage" ], - "severity": "Medium", - "subcategory": "Disaster recovery", - "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Capacity Planning", + "text": "Determine which storage backend solution will be used for FSLogix Profiles", + "waf": "Performance" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Every Host Pool should use a separate set of storage accounts/volumes (at least one) and shares. Users should have a different profile for each Host Pool since settings and configurations are specific to each Host Pool. Additionally, accessing different Host Pools at the same time can cause errors on the shared user profile VHD/X. Usage of different storage accounts/volumes for multiple shares is also recommended to scale independently.", + "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4", + "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "services": [ - "Storage", - "SQL", - "Backup", - "SAP", - "ASR" + "AVD", + "Storage" ], "severity": "High", - "subcategory": "Disaster recovery", - "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. 
For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Reliability" + "subcategory": "Capacity Planning", + "text": "Do not share storage and profiles between different Host Pools", + "waf": "Performance" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "As a starting point for estimating profile container storage performance requirements we recommend to assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out. Space requirements is simply obtained based on the maximum profiles size in FSLogix per the total number of users for each Host Pool. Multiple storage accounts can be used for the same Host Pool if required.", + "guid": "680e7828-9c93-4665-9d02-bff4564b0d93", + "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-", "services": [ - "ASR", - "SAP" + "AVD", + "Storage" ], - "severity": "Medium", - "subcategory": "Disaster recovery", - "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "severity": "High", + "subcategory": "Capacity Planning", + "text": "Verify storage scalability limits and Host Pool requirements", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.", + "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files", "services": [ - "ExpressRoute", - "VPN", - "ASR", - "SAP" + "AVD", + "Storage", + "Cost" ], "severity": "High", - "subcategory": "Disaster recovery", - "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "Reliability" + "subcategory": "Capacity Planning", + "text": "For optimal performance, the storage solution and the FSLogix profile container should be in the same Azure region.", + "waf": "Performance" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "The recommendation in Azure Virtual Desktop is to use Profile Container without Office Container (ODFC) split unless you are planning for specific Business Continuity and Disaster Recovery (BCDR) scenarios as described in the Disaster Recovery section below. 
https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", + "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39", + "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers", "services": [ - "ACR", - "AKV", - "ASR", - "SAP" + "AVD", + "Storage", + "ASR" ], - "severity": "Low", - "subcategory": "Disaster recovery", - "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", + "severity": "High", + "subcategory": "FSLogix", + "text": "Do not use Office Containers (ODFC) if not strictly required and justified", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article in the 'More Info' column.", + "guid": "83f63047-22ee-479d-9b5c-3632054b69ba", + "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions", "services": [ - "ASR", - "SAP", - "VNet" + "AVD", + "Storage" ], "severity": "Medium", - "subcategory": "Disaster recovery", - "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", - "waf": "Reliability" + "subcategory": "FSLogix", + "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect).", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Profile containers have a default max size of 30GB. If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.", + "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5", + "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference", "services": [ - "Storage", - "ASR", - "SAP" + "AVD", + "Storage" ], - "severity": "Low", - "subcategory": "Disaster recovery", - "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "Reliability" + "severity": "High", + "subcategory": "FSLogix", + "text": "Review and confirm configured maximum profile size in FSLogix", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual 
Desktop Review", + "description": "Defaults and recommended settings are reported in the companion article in the 'More Info' column. If not recommended keys and/or values must be used, be sure to review with a Microsoft AVD expert and clearly document your choices.", + "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c", + "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples", "services": [ - "ASR", - "SAP" + "AKV", + "AVD", + "Storage", + "ACR" ], "severity": "High", - "subcategory": "Disaster recovery", - "text": "Native database replication technology should be used to synchronize the database in a HA pair.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "subcategory": "FSLogix", + "text": "Review FSLogix registry keys and determine which ones to apply", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Concurrent or multiple connections are not recommended in Azure Virtual Desktop. Concurrent connections are also not supported by Session Hosts running in an Azure Virtual Desktop Host Pool. 
OneDrive, if used, doesn't support concurrent or multiple connections using the same container, under any circumstance. For multiple connections, usage of the same profile disk is not recommended.", + "guid": "5e985b85-9c77-43e7-b261-623b775a917e", + "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections", "services": [ - "ASR", - "SAP", - "VNet" + "AVD", + "Storage" ], "severity": "High", - "subcategory": "Disaster recovery", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "subcategory": "FSLogix", + "text": "Avoid usage of concurrent or multiple connections", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. ", + "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", + "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", "services": [ + "AVD", "VM", - "Entra", - "ASR", - "SAP" + "Storage" ], - "severity": "High", - "subcategory": "Disaster recovery", - "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Reliability" + "severity": "Low", + "subcategory": "FSLogix", + "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive.", + "waf": "Performance" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the 'C:' drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. Configuring exclusions may impact functionality, stability and performance.", + "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de", + "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml", "services": [ - "ASR", - "SAP" + "AVD", + "Storage" ], - "severity": "High", - "subcategory": "High availability", - "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "FSLogix", + "text": "Review the usage of FSLogix redirection.", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "7bc1c396-2461-4698-b57f-30ca69525252", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", + "service": "VNet", "services": [ - "ASR", - "SAP" + "ASR" ], - "severity": "High", - "subcategory": "High availability", - "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "severity": "Medium", + "subcategory": "Hub and spoke", + "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "services": [ - "Storage", - "VM", - "SAP", - "ASR" + "Entra" ], - "severity": "High", - "subcategory": "High availability", - "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Microsoft Entra ID Tenants", + "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", + "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", "services": [ - "Storage", - "ASR", - "SAP" + "Entra" ], - "severity": "High", - "subcategory": "High availability", - "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Microsoft Entra ID Tenants", + "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.", + "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", "services": [ - "ASR", - "SAP" + "Entra" ], "severity": "High", - "subcategory": "High availability", - "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "Microsoft Entra ID Tenants", + "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by 
backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "services": [ - "LoadBalancer", - "ASR", - "SAP" + "Entra" ], "severity": "High", - "subcategory": "High availability", - "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "subcategory": "Cloud Solution Provider", + "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.", + "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "a24d0de3-d4b9-4dfb-8ddd-bbfaf123fa01", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-cloud-solution-provider#design-recommendations", "services": [ - "LoadBalancer", - "ASR", - "SAP" + "Entra" ], - "severity": "High", - "subcategory": "High availability", - "text": "Make sure the Floating IP is enabled on the Load balancer", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Cloud Solution Provider", + "text": "If you have a CSP partner, define and document your support request and escalation process.", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": 
"32952499-58c8-4e6f-ada5-972e67893d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "ASR", - "SAP" + "Cost", + "Entra" ], - "severity": "High", - "subcategory": "High availability", - "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Cloud Solution Provider", + "text": "Setup Cost Reporting and Views with Azure Cost Management.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "685cb4f2-ac9c-4b19-9167-993ed0b32415", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", "services": [ - "Entra", - "VM", - "SAP", - "ASR" + "LoadBalancer", + "Entra" ], - "severity": "High", - "subcategory": "High availability", - "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Enterprise 
Agreement", + "text": "Configure Notification Contacts to a group mailbox.", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "12cd499f-96e2-4e41-a243-231fb3245a1c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "VM", - "RBAC", - "Entra", - "ASR", - "SAP" + "TrafficManager", + "Entra" ], - "severity": "High", - "subcategory": "High availability", - "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Enterprise Agreement", + "text": "Use departments and accounts to map your organization's structure to your enrollment hierarchy which can help with separating billing.", + "training": "https://learn.microsoft.com/azure/cost-management-billing/manage/understand-ea-roles", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "ca0fe401-12ad-46fc-8a7e-86293866a9f6", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-recommendations", "services": [ - "ASR", - "SAP" + "Cost", + "Entra" ], "severity": "Medium", - "subcategory": "High availability", - "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "Reliability" + "subcategory": "Enterprise Agreement", + "text": "Enable both DA View Charges and AO View Charges on your EA Enrollments to allow users with the correct perms review Cost and Billing Data.", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/assign-access-acm-data#enable-access-to-costs-in-the-azure-portal", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "5cf9f485-2784-49b3-9824-75d9b8bdb57b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "VM", - "SAP", - "ASR" + "Subscriptions", + "Cost", + "Entra" ], - "severity": "High", - "subcategory": "High availability", - "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Enterprise Agreement", + "text": "Use of Enterprise Dev/Test Subscriptions to reduce costs for non-production workloads.", + "training": "https://learn.microsoft.com/azure/devtest/offer/how-to-manage-monitor-devtest", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "6ad5c3dd-e5ea-4ff1-81a4-7886ff87845c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "Entra", - "ASR", - "SAP" + "Entra" ], - "severity": "High", - "subcategory": "High availability", - "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Microsoft Customer Agreement", + "text": "Configure Agreement billing account notification contact email.", + "training": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-setup-account", + "waf": "Cost" + }, + { + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "90e87802-602f-4dfb-acea-67c60689f1d7", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice", + "services": [ + 
"Storage", + "Cost", + "Entra" + ], + "severity": "Low", + "subcategory": "Microsoft Customer Agreement", + "text": "Use Billing Profiles and Invoice sections to structure your agreements billing for effective cost management.", + "training": "https://learn.microsoft.com/azure/cost-management-billing/understand/mca-overview#billing-profiles", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "e81a73f0-84c4-4641-b406-14db3b4d1f50", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "ACR", - "ASR", - "SAP" + "Cost", + "Entra" ], - "severity": "High", - "subcategory": "High availability", - "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Microsoft Customer Agreement", + "text": "Make use of Microsoft Azure plan for dev/test offer to reduce costs for non-production workloads.", + "training": "https://learn.microsoft.com/azure/devtest/offer/overview-what-is-devtest-offer-visual-studio", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "category": "Azure Billing and Microsoft Entra ID Tenants", + "checklist": "Azure Landing Zone Review", + "guid": "ae757485-92a4-482a-8bc9-eefe6f5b5ec3", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "Entra", - "ASR", - "SAP" + "RBAC", + "Entra" ], - "severity": "High", - "subcategory": "High availability", - "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Microsoft Customer Agreement", + "text": "Define and document a process to periodically audit the agreement billing RBAC role assignments to review who has access to your MCA billing account.", + "training": "https://learn.microsoft.com/azure/cost-management-billing/manage/understand-mca-roles", + "waf": "Cost" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", "services": [ "Entra", - "VM", - "SAP", - "ASR" + "RBAC", + "Subscriptions", + "ACR" ], - "severity": "Medium", - "subcategory": "High availability", - "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity", + "text": "Enforce a RBAC model that aligns to your cloud operating model. 
Scope and Assign across Management Groups and Subscriptions.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "4348bf81-7573-4512-8f46-9061cc198fea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator", "services": [ - "Storage", - "VM", - "SAP", - "ASR" + "Entra" ], - "severity": "Medium", - "subcategory": "High availability", - "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. These VMs should be the same size and have the same storage configuration.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Microsoft Entra ID and Hybrid Identity", + "text": "Use managed identities instead of service principals for authentication to Azure services. 
You can check for existing service principals via Entra ID > Sign in Logs > Service principal logins.", + "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "services": [ - "ASR", - "SAP" + "Entra" ], "severity": "Medium", - "subcategory": "High availability", - "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Only use the authentication type Work or school account for all account types. 
Avoid using the Microsoft account", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "services": [ - "Storage", - "ASR", - "SAP" + "Entra" ], - "severity": "High", - "subcategory": "Storage", - "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "Only use groups to assign permissions. 
Add on-premises groups to the Entra ID only group if a group management system is already in place.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "services": [ - "Storage", - "ASR", - "SAP" + "AzurePolicy", + "Entra" ], "severity": "High", - "subcategory": "Storage", - "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "services": [ - "Storage", - "ASR", - "SAP" + "Entra" ], "severity": "High", - "subcategory": "Storage", - "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.", + "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "e6a83de5-de32-4c19-a248-1607d5d1e4e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", "services": [ - "Storage", - "ASR", - "SAP" + "RBAC", + "Entra" ], "severity": "High", - "subcategory": "Storage", - "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone, based on role and security requirements.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "services": [ - "Cost", - "SAP" + "Entra" ], "severity": "Medium", - "subcategory": " ", - "text": "Automate SAP System Start-Stop to manage costs.", - "waf": "Cost" + "subcategory": "Identity", + "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations", "services": [ - 
"Cost", - "Storage", + "Entra", "VM", - "SAP" + "ACR" ], - "severity": "Low", - "subcategory": " ", - "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", - "waf": "Cost" + "severity": "High", + "subcategory": "Identity", + "text": "When deploying Active Directory Domain Controllers, use a location with Availability Zones and deploy at least two VMs across these zones. If not available, deploy in an Availability Set.", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "e8aa1e41-870d-4968-94c6-77be14f510ac", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions#identity", "services": [ - "Cost", - "Storage", - "VM", - "SAP" + "Entra" ], - "severity": "Low", - "subcategory": " ", - "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Identity", + "text": "Deploy your Azure landing zone identity resources in multiple regions. 
If using domain controllers, associate each region with an Active Directory site so that resources can resolve to their local domain controllers.", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "f5664b5e-984a-4859-a773-e7d261623a76", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", "services": [ "Entra", "RBAC", "Subscriptions", - "SAP" + "ACR" ], - "severity": "High", + "severity": "Medium", "subcategory": "Identity", - "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "text": "Use Azure custom RBAC roles for the following key roles to provide fine-grain access across your ALZ: Azure platform owner, network management, security operations, subscription owner, application owner. 
Align these roles to teams and responsibilities within your business.", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "services": [ - "Entra", - "SAP" + "Entra" ], "severity": "Medium", "subcategory": "Identity", - "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": 
"0dd4e625-9c4b-4a56-b54a-4357bac12761", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "services": [ - "Entra", - "SAP" + "Entra" ], "severity": "Medium", "subcategory": "Identity", - "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", - "waf": "Security" + "text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. ", + "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "services": [ - "Entra", - "SAP" + "Monitor", + "Entra" ], "severity": "Medium", "subcategory": "Identity", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. 
Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", + "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", + "ammp": true, + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "services": [ - "Entra", - "SAP" + "Entra" ], - "severity": "Medium", + "severity": "High", "subcategory": "Identity", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout. MFA will be turned on by default for all users in Oct 2024. We recommend updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. 
", + "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "cd163e39-84a5-4b39-97b7-6973abd70d94", + "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server", "services": [ - "Entra", - "SAP" + "ASR", + "Entra" ], "severity": "Medium", - "subcategory": "Identity", - "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "subcategory": "Microsoft Entra ID", + "text": "When deploying Microsoft Entra Connect, use a staging sever for high availability/disaster recovery.", + "training": "https://learn.microsoft.com/entra/identity/hybrid/connect/plan-connect-topologies", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "services": [ - "AKV", - "Entra", - "SAP" + "RBAC", + "Entra" ], "severity": "Medium", "subcategory": "Identity", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of 
configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "services": [ - "AKV", - "Entra", - "SAP" + "Entra" ], "severity": "Medium", "subcategory": "Identity", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "9cf5418b-1520-4b7b-add7-88eb28f833e8", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator", + "services": [ + "VNet", + "Entra" + ], + "severity": "High", + "subcategory": "Landing zones", + "text": "Configure Identity network segmentation through the use of a virtual Network and peer back to the hub. 
Providing authentication inside application landing zone (legacy).", + "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", + "waf": "Security" + }, + { + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "d4d1ad54-1abc-4919-b267-3f342d3b49e4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations", "services": [ "Entra", - "SAP" + "ACR", + "Storage", + "AKV", + "RBAC" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", + "subcategory": "Landing zones", + "text": "Use Azure RBAC to manage data plane access to resources, if possible. E.g. Data Operations across Key Vault, Storage Account and Database Services.", + "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", + "category": "Identity and Access Management", + "checklist": "Azure Landing Zone Review", + "guid": "d505ebcb-79b1-4274-9c0d-a27c8bea489c", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review", "services": [ - "Entra", - "SAP" + "Entra" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP HANA", + "subcategory": "Landing zones", + "text": "Use Microsoft Entra ID PIM access reviews to periodically validate resource entitlements.", + "training": "https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review", 
"waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "description": "Consider using the Azure naming tool available at https://aka.ms/azurenamingtool", + "guid": "cacf55bc-e4e4-46be-96bc-57a5f23a269a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming", + "services": [], + "severity": "High", + "subcategory": "Naming and tagging", + "text": "Use a well defined naming scheme for resources, such as Microsoft Best Practice Naming Standards.", + "waf": "Security" + }, + { + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", + "guid": "2df27ee4-12e7-4f98-9f63-04722dd69c5b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", "services": [ - "Entra", - "SAP" + "Subscriptions" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. 
For more information, see Integrating the Service with Azure AD.", + "subcategory": "Subscriptions", + "text": "Enforce reasonably flat management group hierarchy with no more than four levels.", + "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", + "waf": "Security" + }, + { + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "667313b4-f566-44b5-b984-a859c773e7d2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", + "services": [ + "Subscriptions" + ], + "severity": "Medium", + "subcategory": "Subscriptions", + "text": "Enforce a sandbox management group to allow users to immediately experiment with Azure.", + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "61623a76-5a91-47e1-b348-ef254c27d42e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", "services": [ - "Entra", - "SAP" + "AzurePolicy", + "RBAC", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Identity", - "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", + "subcategory": "Subscriptions", + "text": "Enforce a platform management group under the root management group to support common platform policy and Azure role assignment.", + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", "waf": "Security" }, { - 
"category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "8bbac757-1559-4ab9-853e-8908ae28c84c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", "services": [ - "Entra", - "SAP" + "VWAN", + "DNS", + "ExpressRoute", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Identity", - "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", + "subcategory": "Subscriptions", + "text": "Enforce a dedicated connectivity subscription in the Connectivity management group to host an Azure Virtual WAN hub, private non-AD Domain Name System (DNS), ExpressRoute circuit, and other networking resources.", + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "graph": "resourcecontainers| where type == 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend 
compliant = (array_length(mgmtChain) > 1)", + "guid": "33b6b780-8b9f-4e5c-9104-9d403a923c34", + "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group", "services": [ - "Entra", - "SAP" + "Subscriptions" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP BTP", + "subcategory": "Subscriptions", + "text": "Enforce no subscriptions are placed under the root management group.", + "training": "https://learn.microsoft.com/azure/governance/management-groups/overview", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "74d00018-ac6a-49e0-8e6a-83de5de32c19", + "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization", "services": [ - "Entra", - "SAP" + "RBAC", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Identity", - "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.", + "subcategory": "Subscriptions", + "text": "Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings.", + "training": "https://learn.microsoft.com/training/modules/configure-role-based-access-control/", "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "description": "Keep your management group hierarchy reasonably flat, no more than four.", - "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "92481607-d5d1-4e4e-9146-58d3558fd772", + "link": "https://learn.microsoft.com/azure/governance/management-groups/overview", "services": [ - "Subscriptions", - "AzurePolicy", - "SAP" + "Subscriptions" ], "severity": "Medium", "subcategory": "Subscriptions", - "text": "enforce existing Management Group policies to SAP Subscriptions", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "Operations" + "text": "Enforce management groups under the root-level management group to represent the types of workloads, based on their security, compliance, connectivity, and feature needs.", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "graph": "Resources | summarize count()", - "guid": 
"366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "49b82111-2df2-47ee-912e-7f983f630472", + "link": "https://learn.microsoft.com/entra/id-governance/access-reviews-overview", "services": [ + "AzurePolicy", + "RBAC", "Subscriptions", - "SAP" + "Cost" ], "severity": "High", "subcategory": "Subscriptions", - "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "Operations" + "text": "Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review, policy compliance and remediate when necessary.", + "training": "https://learn.microsoft.com/training/modules/plan-implement-manage-access-review/", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "2dd69c5b-5c26-422f-94b6-9bad33aad5e8", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "services": [ - "Subscriptions", - "SAP" + "Subscriptions" ], - "severity": "High", + "severity": "Medium", "subcategory": "Subscriptions", - "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "Operations" + "text": "Ensure that all subscription owners and IT core team are aware of subscription quotas and the impact they have on provision resources for a given subscription.", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "c68e1d76-6673-413b-9f56-64b5e984a859", + "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations", "services": [ - "VM", "Subscriptions", - "SAP" + "Cost" ], "severity": "High", "subcategory": "Subscriptions", - "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "Operations" + "text": "Use Reserved Instances where appropriate to optimize cost and ensure available capacity in target regions.", + "training": "https://learn.microsoft.com/learn/paths/improve-reliability-modern-operations/", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", + "ammp": true, + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "c773e7d2-6162-43a7-95a9-17e1f348ef25", + "link": "https://learn.microsoft.com/azure/azure-portal/azure-portal-dashboards", "services": [ + "Storage", "Subscriptions", - "SAP" + "Monitor" ], - "severity": "Low", + "severity": "Medium", "subcategory": "Subscriptions", - "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.", - "waf": "Operations" + "text": "Establish dashboards and/or visualizations to monitor compute and storage capacity metrics. (i.e. 
CPU, memory, disk space)", + "training": "https://learn.microsoft.com/training/modules/visualize-data-workbooks/", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/get-started/manage-costs", "services": [ - "VM", "Subscriptions", - "SAP" + "Cost" ], "severity": "High", "subcategory": "Subscriptions", - "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", - "waf": "Operations" + "text": "As part of your cloud adoption, implement a detailed cost management plan using the 'Managed cloud costs' process.", + "training": "https://learn.microsoft.com/learn/paths/control-spending-manage-bills/", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de", + "link": "https://learn.microsoft.com/azure/governance/management-groups/overview", "services": [ "Subscriptions", - "SAP" + "Entra" ], - "severity": "High", + "severity": "Medium", "subcategory": "Subscriptions", - "text": "Ensure required services and features are available within the chosen deployment regions eg. 
ANF , Zone etc.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "Operations" + "text": "If servers will be used for Identity services, like domain controllers, establish a dedicated identity subscription in the identity management group, to host these services. Make sure that resources are set to use the domain controllers available in their region.", + "training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/", + "waf": "Security" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "guid": "5de32c19-9248-4160-9d5d-1e4e614658d3", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs", "services": [ - "Cost", - "TrafficManager", "Subscriptions", - "SAP" + "Cost" ], "severity": "Medium", "subcategory": "Subscriptions", - "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Operations" - }, - { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "services": [ - "Monitor", - "Backup", - "SAP" - ], - 
"severity": "High", - "subcategory": "BCDR", - "text": "Help protect your HANA database by using the Azure Backup service.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Reliability" + "text": "Ensure tags are used for billing and cost management.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "6cc0ea22-42bb-441e-a345-804ab0a09666", + "link": "https://github.com/Azure/sovereign-landing-zone/blob/main/docs/02-Architecture.md", "services": [ - "Storage", - "VM", - "Monitor", - "Entra", - "SAP" + "Subscriptions" ], "severity": "Medium", - "subcategory": "BCDR", - "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. 
Consider using AzAcSnap on a central VM rather than on individual VMs.", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "For Sovereign Landing Zone, have a 'confidential corp' and 'confidential online' management group directly under the 'landing zones' MG.", + "training": "https://learn.microsoft.com/industry/sovereignty/slz-overview", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "250d81ce-8bbe-4f85-9051-6a18a8221e50", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/regions", "services": [ - "Monitor", - "SAP" + "Cost" ], "severity": "High", - "subcategory": "Management", - "text": "Ensure time-zone matches between the operating system and the SAP system.", - "waf": "Operations" + "subcategory": "Regions", + "text": "Select the right Azure region/s for your deployment. Azure is a global-scale cloud platform that provide global coverage through many regions and geographies. 
Different Azure regions have different characteristics, access and availability models, costs, capacity, and services offered, then it is important to consider all criteria and requirements.", + "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", + "waf": "Reliability" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "19ca3f89-397d-44b1-b5b6-5e18661372ac", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/regions#operate-in-multiple-geographic-regions", "services": [ - "Monitor", - "Entra", - "SAP" + "ASR" ], "severity": "Medium", - "subcategory": "Management", - "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "subcategory": "Regions", + "text": "Deploy your Azure landing zone in a multi-region deployment. Depending on customer size, locations, and users presence, operating in multiple regions can be a common choice to deliver services and run applications closer to them. 
Using a multi-region deployment is also important to provide geo disaster recovery capabilities, to eliminate the dependency from a single region capacity and diminish the risk of a temporary and localized resource capacity constraint.", + "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", "waf": "Reliability" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", - "services": [ - "Cost", - "Monitor", - "SAP" - ], - "severity": "Low", - "subcategory": "Management", - "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", - "waf": "Cost" - }, - { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", - "services": [ - "Monitor", - "Entra", - "SAP" - ], + "category": "Resource Organization", + "checklist": "Azure Landing Zone Review", + "guid": "4c27d42e-8bba-4c75-9155-9ab9153e8908", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "services": [], "severity": "Medium", - "subcategory": "Management", - "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", - "waf": "Operations" + "subcategory": "Regions", + "text": "Ensure required services and features are available within the chosen deployment regions.", + "training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/", + "waf": "Reliability" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "373f482f-3e39-4d39-8aa4-7e566f6082b6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-app-delivery", "services": [ - "Monitor", - "VM", - "SAP" + "AppGW", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Management", - "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "Operations" - }, - { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", - "services": [ - "Monitor", - "SAP" - ], - "severity": "Low", - "subcategory": "Management", - "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "subcategory": "App delivery", + "text": "Document a standard for securing the delivery application content from your Workload spokes using Application Gateway and Azure Front Door. You can use the Application Delivery checklist to for recommendations.", "waf": "Operations" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "services": [ - "SQL", - "Monitor", - "SAP" + "VNet" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Operations" + "subcategory": "Hub and spoke", + "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", "services": [ - "VM", - "Monitor", + "VPN", "Entra", - "SAP" + "DNS", + "NVA", + "Firewall", + "ExpressRoute", + "VNet" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "Operations" - }, - { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", - "services": [ - "Monitor", - "AzurePolicy", - "SAP" - ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" - }, - { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", - "services": [ - "Monitor", - "NetworkWatcher", - "SAP" - ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", - "waf": "Operations" - }, - { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", - "services": [ - "Monitor", - "VM", - "SAP" - ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.", - "waf": "Operations" + "subcategory": "Hub and spoke", + "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. 
If necessary, also deploy DNS services.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Cost" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", "services": [ - "Monitor", - "Subscriptions", - "SAP" + "DDoS" ], "severity": "High", - "subcategory": "Monitoring", - "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "Performance" - }, - { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", + "subcategory": "App delivery", + "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "services": [ - "Monitor", - "Storage", - "ASR", - "SAP" + "NVA" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Run the Resiliency Report to 
ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "subcategory": "Hub and spoke", + "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.", "waf": "Reliability" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", "services": [ - "Sentinel", - "Monitor", - "SAP" + "ARS", + "ExpressRoute", + "VPN" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "severity": "Low", + "subcategory": "Hub and spoke", + "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", "services": [ - "Cost", - "Monitor", - "SAP" + "ARS", + "VNet" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", - "training": 
"https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "Operations" + "severity": "Low", + "subcategory": "Hub and spoke", + "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "services": [ - "Monitor", - "VM", - "SAP" + "VNet", + "ACR" ], - "severity": "Low", - "subcategory": "Performance", - "text": "Use inter-VM latency monitoring for latency-sensitive applications.", + "severity": "Medium", + "subcategory": "Hub and spoke", + "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", "waf": "Performance" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", "services": [ - "Monitor", - "ASR", - "SAP" + "Monitor" ], "severity": "Medium", - "subcategory": "Performance", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" + "subcategory": "Hub and spoke", + "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Operations" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "services": [ - "Monitor", - "Storage", - "SAP" + "ExpressRoute", + "VNet" ], "severity": "Medium", - "subcategory": "Performance", - "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. 
For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", - "waf": "Performance" + "subcategory": "Hub and spoke", + "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Reliability" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "services": [ - "Monitor", - "SAP" + "Storage" ], - "severity": "Low", - "subcategory": "Performance", - "text": "Consider collecting full database statistics for non-HANA databases after migration. 
For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
- "waf": "Performance"
+ "severity": "Medium",
+ "subcategory": "Hub and spoke",
+ "text": "Limit the number of routes per route table to 400.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "waf": "Reliability"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
+ "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
+ "service": "VNet",
 "services": [
- "Monitor",
- "Storage",
- "SAP"
+ "VNet"
 ],
- "severity": "Medium",
- "subcategory": "Performance",
- "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
- "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
- "waf": "Performance"
+ "severity": "High",
+ "subcategory": "Hub and spoke",
+ "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "waf": "Reliability"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
- "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
+ "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancers",
 "services": [
- "SQL",
- "Monitor",
- "SAP"
+ "LoadBalancer"
 ],
- "severity": "Medium",
- "subcategory": "Performance",
- "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance 
problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
- "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
- "waf": "Performance"
+ "severity": "High",
+ "subcategory": "Hub and spoke",
+ "text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.",
+ "waf": "Reliability"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "SAP Checklist",
- "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId 
= properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
+ "guid": "48682fb1-1e86-4458-a686-518ebd47393d",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancers",
 "services": [
- "Monitor",
- "ASR",
- "SAP"
+ "LoadBalancer"
 ],
 "severity": "High",
- "subcategory": "Reliability",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "waf": "Operations"
+ "subcategory": "Hub and spoke",
+ "text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.",
+ "waf": "Reliability"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
+ "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
+ "service": "ExpressRoute",
 "services": [
- "WAF",
- "AppGW",
- "AzurePolicy",
- "SAP"
+ "ExpressRoute"
 ],
 "severity": "Medium",
- "subcategory": "App delivery",
- "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
+ "subcategory": "Encryption",
+ "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
 "waf": "Security"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
+ "service": "ExpressRoute",
 "services": [
- "DNS",
- "VM",
- "SAP"
+ "ExpressRoute",
+ "VPN"
 ],
 "severity": "Medium",
- "subcategory": "DNS",
- "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. 
Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
- "waf": "Operations"
+ "subcategory": "Encryption",
+ "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "Security"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "ExpressRoute",
 "services": [
- "DNS",
- "SAP",
- "VNet"
+ "VNet",
+ "ACR"
 ],
- "severity": "Medium",
- "subcategory": "DNS",
- "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "IP plan",
+ "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Security"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "description": "When configuring VNet peering, use the Allow traffic to remote virtual networks setting.",
- "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)",
- "guid": "a3592829-e6e2-4061-9368-6af46791f893",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
+ "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
 "services": [
- "ACR",
- "SAP",
 "VNet"
 ],
 "severity": "Medium",
- "subcategory": "Hybrid",
- "text": "Local and global VNet 
peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
- "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
- "waf": "Reliability"
+ "subcategory": "IP plan",
+ "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Security"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
+ "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
 "services": [
- "NVA",
- "SAP"
+ "VNet"
 ],
 "severity": "High",
- "subcategory": "Hybrid",
- "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
- "training": "https://me.sap.com/notes/2731110",
+ "subcategory": "IP plan",
+ "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "waf": "Performance"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": 
"SAP Checklist",
- "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant",
- "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
- "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
+ "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
+ "service": "VNet",
 "services": [
- "ACR",
- "VWAN",
- "SAP"
+ "ASR",
+ "VNet"
 ],
- "severity": "Medium",
- "subcategory": "Hybrid",
- "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
- "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "IP plan",
+ "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Reliability"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, 
','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone",
+ "service": "Public IP Addresses",
 "services": [
- "NVA",
- "SAP",
- "VNet"
+ "VNet",
+ "ACR"
 ],
- "severity": "Medium",
- "subcategory": "Hybrid",
- "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
- "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "IP plan",
+ "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. 
",
+ "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing",
+ "waf": "Reliability"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
- "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal",
+ "service": "DNS",
 "services": [
- "VWAN",
- "NVA",
- "SAP",
+ "DNS",
 "VNet"
 ],
 "severity": "Medium",
- "subcategory": "Hybrid",
- "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
+ "subcategory": "IP plan",
+ "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "waf": "Operations"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = 
strcat('availabilityZone: ', az)",
- "guid": "82734c88-6ba2-4802-8459-11475e39e530",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
+ "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
+ "service": "DNS",
 "services": [
- "VM",
- "SAP",
- "VNet"
+ "DNS",
+ "VNet",
+ "ACR"
 ],
- "severity": "High",
+ "severity": "Medium",
 "subcategory": "IP plan",
- "text": "Public IP assignment to VM running SAP Workload is not recommended.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
 "waf": "Security"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
- "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
- "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
 "services": [
- "ASR",
- "SAP",
+ "DNS",
 "VNet"
 ],
- "severity": "High",
+ "severity": "Low",
 "subcategory": "IP plan",
- "text": "Consider reserving IP address on DR side when 
configuring ASR",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00",
 "waf": "Operations"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "614658d3-558f-4d77-849b-821112df27ee",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
+ "service": "DNS",
 "services": [
- "SAP",
+ "VM",
+ "DNS",
 "VNet"
 ],
 "severity": "High",
 "subcategory": "IP plan",
- "text": "Avoid using overlapping IP address ranges for production and DR sites.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "waf": "Operations"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b",
+ "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures",
+ "service": "DNS",
 "services": [
- 
"Storage",
- "SAP",
+ "DNS",
 "VNet"
 ],
 "severity": "Medium",
 "subcategory": "IP plan",
- "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.",
- "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
- "waf": "Operations"
+ "text": "Implement a plan for managing DNS resolution between multiple Azure regions and when services fail over to another region",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Reliability"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
- "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "service": "Bastion",
 "services": [
- "SAP",
- "Firewall"
+ "Bastion"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
- "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
- "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
+ "text": "Use Azure Bastion to securely connect to your network.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
 "waf": "Security"
 },
 {
 "category": 
"Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
- "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
+ "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
+ "service": "Bastion",
 "services": [
- "WAF",
- "AppGW",
- "SAP"
+ "Bastion",
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
- "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.",
- "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
+ "text": "Use Azure Bastion in a subnet /26 or larger.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
 "waf": "Security"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "WAF",
 "services": [
- "ACR",
- "FrontDoor",
 "AzurePolicy",
 "WAF",
- "SAP"
+ "FrontDoor",
+ "ACR"
 ],
 "severity": 
"Medium",
 "subcategory": "Internet",
 "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
- "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Security"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
 "services": [
- "FrontDoor",
+ "AppGW",
 "AzurePolicy",
 "WAF",
- "AppGW",
- "SAP"
+ "FrontDoor"
 ],
- "severity": "Medium",
+ "severity": "Low",
 "subcategory": "Internet",
- "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
+ "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. 
Lock down Azure Application Gateway to receive traffic only from Azure Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Security"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "5ada4332-4e13-4811-9231-81aa41742694",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
+ "service": "WAF",
 "services": [
- "LoadBalancer",
- "WAF",
- "AppGW",
- "SAP"
+ "VNet",
+ "WAF"
 ],
- "severity": "Medium",
+ "severity": "High",
 "subcategory": "Internet",
- "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
+ "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "waf": "Security"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
 "services": [
- "ACR",
- "VWAN",
- "SAP"
+ "DDoS",
+ "VNet"
 ],
- "severity": "Medium",
+ "severity": "High",
 "subcategory": 
"Internet",
- "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door",
- "waf": "Performance"
+ "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
 },
 {
 "category": "Network Topology and Connectivity",
- "checklist": "SAP Checklist",
- "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
- "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
+ "service": "VNet",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Internet",
+ "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. 
On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", + "waf": "Reliability" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "services": [ - "ACR", - "Storage", - "PrivateLink", - "Backup", - "SAP", - "VNet" + "DDoS" ], - "severity": "Medium", + "severity": "High", "subcategory": "Internet", - "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", "services": [ - "VM", - "SAP" + "AzurePolicy", + "VM" ], "severity": "High", - "subcategory": "Segmentation", - "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "subcategory": "Internet", + "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. 
Use exclusions if public IPs are needed on specific VMs.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + "services": [ + "ExpressRoute", + "VPN", + "Backup" + ], + "severity": "Medium", + "subcategory": "Hybrid", + "text": "Use ExpressRoute as the primary connection to Azure. Use VPNs as a source of backup connectivity.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Performance" }, { "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "services": [ - "LoadBalancer", - "SAP" + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Security" + "subcategory": "Hybrid", + "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", "services": [ - "VM", - "SAP", - "VNet" + "ExpressRoute", + "VPN" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "Security" + "subcategory": "Hybrid", + "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", "services": [ - "SAP", - "VNet" + "ExpressRoute", + "Cost" ], "severity": "High", - "subcategory": "Segmentation", - "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "subcategory": "Hybrid", + "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Cost" }, { "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "checklist": "Azure 
Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", "services": [ - "SAP" + "ExpressRoute", + "Cost" + ], + "severity": "High", + "subcategory": "Hybrid", + "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Cost" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", + "services": [ + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", - "training": 
"https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Performance" + "subcategory": "Hybrid", + "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "services": [ - "SAP" + "ExpressRoute" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "severity": "Medium", + "subcategory": "Hybrid", + "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Performance" }, { "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", "services": [ - "Cost", - "SAP", - "VNet" + "ExpressRoute" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Hybrid", + "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", "services": [ - "LoadBalancer", - "SAP" + "VPN" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Hybrid", + "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" }, { "category": "Network Topology and 
Connectivity", - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "services": [ - "SAP", - "VNet" + "VPN" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", - "waf": "Security" + "subcategory": "Hybrid", + "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "services": [ - "VM", - "Backup", - "SAP" + "ExpressRoute", + "Cost" ], "severity": "High", - "subcategory": " ", - "text": "Review SAP HANA database backups for Azure VMs.", + "subcategory": "Hybrid", + "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Cost" }, { - 
"category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", "services": [ - "Monitor", - "ASR", - "SAP" + "ExpressRoute" ], "severity": "Medium", - "subcategory": " ", - "text": "Review Site Recovery built-in monitoring, where used for SAP.", - "waf": "Cost" + "subcategory": "Hybrid", + "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Security" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", "services": [ - "Monitor", - "SAP" + "ExpressRoute", + "Monitor" ], - "severity": "High", - "subcategory": " ", - "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "severity": "Medium", + "subcategory": "Hybrid", + "text": "Monitor ExpressRoute availability and utilization using 
built-in Express Route Insights.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Operations" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "services": [ - "VM", - "Backup", - "SAP" + "NetworkWatcher", + "Monitor", + "ACR" ], "severity": "Medium", - "subcategory": " ", - "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "subcategory": "Hybrid", + "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Operations" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, 
circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", "services": [ - "SQL", - "Storage", - "SAP" + "ExpressRoute" ], "severity": "Medium", - "subcategory": " ", - "text": "Review the use of Azure Blob Storage with SQL Server 2016.", - "waf": "Operations" + "subcategory": "Hybrid", + "text": "Use ExpressRoute circuits from different peering locations for redundancy.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "services": [ - "VM", - "Backup", - "SAP" + "ExpressRoute", + "VPN" ], "severity": "Medium", - "subcategory": " ", - "text": "Review the use of Automated Backup v2 for Azure VMs.", - "waf": "Operations" + "subcategory": "Hybrid", + "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "category": "Network Topology and Connectivity", + 
"checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "services": [ - "SAP" + "Storage", + "VNet" ], "severity": "High", - "subcategory": " ", - "text": "Enabling Write accelerator for M series when using premium disks(V1)", - "waf": "Operations" + "subcategory": "Hybrid", + "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", + "waf": "Reliability" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "services": [ - "SAP" + "ExpressRoute", + "ACR" ], - "severity": "Medium", - "subcategory": " ", - "text": "Test availability zone latency.", - "waf": "Performance" + "severity": "High", + "subcategory": "Hybrid", + "text": "If using ExpressRoute, 
your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. Load should be shared across both connections ideally as active/active, although active/passive is supported too.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", "services": [ - "SAP" + "ExpressRoute" ], "severity": "Medium", - "subcategory": " ", - "text": "Activate SAP EarlyWatch Alert for all SAP components.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Performance" + "subcategory": "Hybrid", + "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", - "services": [ - "SAP" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", + "services": 
[], "severity": "Medium", - "subcategory": " ", - "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "Performance" + "subcategory": "Hybrid", + "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", "services": [ - "SQL", - "Monitor", - "SAP" + "ExpressRoute" ], - "severity": "Medium", - "subcategory": " ", - "text": "Review SQL Server performance monitoring using CCMS.", - "waf": "Performance" + "severity": "High", + "subcategory": "Hybrid", + "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "services": [ - "VM", - "SAP" + "ExpressRoute", + "Monitor", + "VNet" ], "severity": 
"Medium", - "subcategory": " ", - "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Performance" + "subcategory": "Hybrid", + "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "services": [ - "Monitor", - "SAP" + "ExpressRoute", + "VNet" ], "severity": "Medium", - "subcategory": " ", - "text": "Review SAP HANA studio alerts.", + "subcategory": "Hybrid", + "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Performance" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", "services": [ - "SAP" + "ACR" ], - "severity": "Medium", - "subcategory": " ", - "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", + "severity": "Low", + "subcategory": "Hybrid", + "text": "Do not send Azure traffic to hybrid 
locations for inspection. Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.", "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", "services": [ - "VM", - "SAP" + "Firewall" ], - "severity": "Medium", - "subcategory": "Governance", - "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "severity": "High", + "subcategory": "Firewall", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", 
"services": [ - "SAP" + "AzurePolicy", + "RBAC", + "Firewall", + "ACR" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "subcategory": "Firewall", + "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", "services": [ - "SQL", - "SAP" + "Firewall" ], "severity": "Low", - "subcategory": "Governance", - "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. 
Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "subcategory": "Firewall", + "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", "services": [ - "SQL", - "SAP" + "DNS", + "Firewall" ], "severity": "High", - "subcategory": "Governance", - "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", - "training": "https://me.sap.com/notes/3019299/E", + "subcategory": "Firewall", + "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. 
Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", "services": [ - "Storage", - "SQL", - "AKV", - "Backup", - "SAP" + "Firewall" ], "severity": "High", - "subcategory": "Secrets", - "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "subcategory": "Firewall", + "text": "Use Azure Firewall Premium to enable additional security features.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", "services": [ - "AKV", - "Storage", - "SAP" + "Firewall" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "severity": "High", + "subcategory": "Firewall", + "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", "services": [ - "AKV", - "SAP" + "Firewall" ], "severity": "High", - "subcategory": "Secrets", - "text": "Use Azure Key Vault to store your secrets and credentials", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "subcategory": "Firewall", + "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", "services": [ - "AzurePolicy", - "RBAC", - "AKV", - "Subscriptions", - "SAP" + "VWAN", + "NVA", + "Storage", + "Firewall", + "VNet" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. 
You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "severity": "High", + "subcategory": "Firewall", + "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", "services": [ - "AKV", - "AzurePolicy", - "SAP" + "Storage", + "Firewall" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "subcategory": "Firewall", + "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure 
Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", "services": [ - "AKV", - "RBAC", "AzurePolicy", - "SAP" - ], - "severity": "High", - "subcategory": "Secrets", - "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "Security" - }, - { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "services": [ - "AKV", - "Storage", - "SAP", - "Defender" + "Firewall" ], "severity": "High", - "subcategory": "Secrets", - "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "Security" + "subcategory": "Firewall", + "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", "services": [ - "AKV", - "RBAC", - "SAP", - "Defender" + "Firewall", + "VNet" ], "severity": "High", - "subcategory": "Secrets", - "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "subcategory": "Segmentation", + "text": "Use a /26 prefix for your Azure Firewall subnets.", + "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-firewall/", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "services": [ - "AKV", - "SAP" + "AzurePolicy" ], - "severity": "Low", - "subcategory": "Secrets", - "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "Security" + "severity": "Medium", + "subcategory": "Firewall", + "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", "services": [ - "AKV", - "SAP" + "Storage" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Default to Microsoft-managed keys 
for principal encryption functionality and use customer-managed keys when required.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "subcategory": "Firewall", + "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "services": [ - "AKV", - "SAP" - ], - "severity": "High", - "subcategory": "Secrets", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", + "services": [], + "severity": "Medium", + "subcategory": "Firewall", + "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", + 
"category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", "services": [ - "AKV", - "SAP" + "Monitor" ], - "severity": "High", - "subcategory": "Secrets", - "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Security" + "severity": "Medium", + "subcategory": "Firewall", + "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "services": [ - "RBAC", - "Subscriptions", - "SAP" + "Firewall" ], "severity": "High", - "subcategory": "Security", - "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", - "training": 
"https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "Security" + "subcategory": "Firewall", + "text": "If you are using Azure Firewall Premium, enable TLS Inspection.", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", "services": [ - "PrivateLink", - "NVA", - "SAP" + "ServiceBus" ], - "severity": "High", - "subcategory": "Security", - "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Security" + "severity": "Low", + "subcategory": "Firewall", + "text": "Use web categories to allow or deny outbound access to specific topics.", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "services": [ - "Storage", - "VM", - "SAP" - ], - "severity": "Low", - "subcategory": "Security", - "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Security" + 
"category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", + "services": [], + "severity": "Medium", + "subcategory": "Firewall", + "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", + "waf": "Performance" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", "services": [ - "SAP", - "Defender" + "DNS", + "Firewall" ], - "severity": "Low", - "subcategory": "Security", - "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "severity": "Medium", + "subcategory": "Firewall", + "text": "Enable Azure Firewall DNS proxy configuration.", + "training": "https://learn.microsoft.com/training/courses/az-700t00/", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": 
"87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", "services": [ - "SAP", - "VNet" + "Firewall", + "Monitor" ], "severity": "High", - "subcategory": "Security", - "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "Security" + "subcategory": "Firewall", + "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.", + "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", "services": [ - "WAF", - "SAP" + "Backup" ], "severity": "Low", - "subcategory": "Security", - "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application 
requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "Security" + "subcategory": "Firewall", + "text": "Implement backups for your firewall rules", + "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "waf": "Operations" }, { - "category": "Security, Governance and Compliance", - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", + "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", + "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", + "service": "Firewall", "services": [ - "AKV", - "Monitor", - "SAP" + "Firewall", + "ACR" ], - "severity": "Medium", - "subcategory": "Security", - "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Security" - }, - { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "services": [], "severity": "High", - "subcategory": "High Availablity", - "text": "Enable 2 replicas to have 99.9% availability for read operations", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "services": [], - "severity": "Medium", - "subcategory": "High Availablity", - "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "subcategory": "Firewall", + "text": "Deploy Azure Firewall across multiple availability zones. 
Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.", + "training": "https://learn.microsoft.com/training/courses/az-104t00/", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", - "services": [], + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", + "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", + "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", + "service": "Firewall", + "services": [ + "DDoS", + "Firewall", + "VNet" + ], "severity": "High", - "subcategory": "High Availablity", - "text": "Leverage Availability Zones by enabling read and/or write replicas", + "subcategory": "Firewall", + "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against 
DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. ", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", "services": [ - "ACR" + "VNet" ], - "severity": "Medium", - "subcategory": "Georeplication", - "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", - "waf": "Reliability" + "severity": "High", + "subcategory": "PaaS", + "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "e43a58a9-c229-49c4-b7b5-7d0c655562f2", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", "services": [ - "ACR" + "PrivateLink" ], "severity": "Medium", - "subcategory": "Georeplication", 
- "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", - "waf": "Reliability" + "subcategory": "PaaS", + "text": "Use Private Link, where available, for shared Azure PaaS services.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "service": "ExpressRoute", "services": [ - "TrafficManager" + "PrivateLink", + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Georeplication", - "text": "Use Azure Traffic Manager to coordinate requests", - "waf": "Reliability" + "subcategory": "PaaS", + "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. 
This method avoids transiting over the public internet.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", "services": [ - "Storage", - "Backup", - "ASR" + "VNet" ], "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Backup and Restore an Azure Cognitive Search Index. 
Use this sample code to back up index definition and snapshot to a series of Json files", - "waf": "Reliability" + "subcategory": "PaaS", + "text": "Don't enable virtual network service endpoints by default on all subnets.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Security" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", "services": [ - "Cost", - "Monitor" + "NVA", + "DNS", + "Firewall", + "PrivateLink" ], "severity": "Medium", - "subcategory": "Azure Monitor - enforce data collection rules", - "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "subcategory": "PaaS", + "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. 
If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Security" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", "services": [ - "Cost", - "Backup" + "ExpressRoute", + "VPN", + "VNet" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "check backup instances with the underlying datasource not found", - "waf": "Cost" + "severity": "High", + "subcategory": "Segmentation", + "text": "Use at least a /27 prefix for your Gateway subnets.", + "waf": "Security" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand 
properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", "services": [ - "Cost" + "VNet" ], - "severity": "Medium", - "subcategory": "Delete/archive", - "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", - "waf": "Cost" + "severity": "High", + "subcategory": "Segmentation", + "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", + "waf": "Security" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "659d3958-fd77-4289-a835-556df2bfe456", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "c2447ec6-6138-4a72-80f1-ce16ed301d6e", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", "services": [ - "Cost" + "VNet" ], "severity": "Medium", - "subcategory": "Delete/archive", - "text": "Consider snooze and stop technique (snooze a service after x days, stop after 2x, delete/deallocate after 3x)", - "waf": "Cost" + "subcategory": "Segmentation", + "text": "Delegate subnet creation to the landing zone owner.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "3b0d834a-3487-426d-b69c-6b5c2a26494b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", "services": [ - "Cost", - "Storage", - "Backup" + "VNet", + "ACR" ], "severity": "Medium", - "subcategory": "Delete/archive", - "text": "Delete or archive unused resources (old backups, logs, storage accounts, etc...)", - "waf": "Cost" + "subcategory": "Segmentation", + "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform 
(traffic between landing zones).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "services": [ - "Cost", - "Storage", - "Backup", - "ASR" + "NVA", + "VNet", + "Entra" ], "severity": "Medium", - "subcategory": "Delete/archive", - "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", - "waf": "Cost" + "subcategory": "Segmentation", + "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where 
properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", "services": [ - "Cost", - "Monitor" + "NetworkWatcher", + "VNet" ], "severity": "Medium", - "subcategory": "Log Analytics retention for workspaces", - "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Cost" + "subcategory": "Segmentation", + "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Security" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "services": [ - "Cost", - "Storage", - "AzurePolicy" + "VNet" ], "severity": "Medium", - "subcategory": "Policy", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Cost" + "subcategory": "Segmentation", + "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "Reliability" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": 
"59bb91a3-ed90-4cae-8cc8-4c37b6b780cb", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", "services": [ - "Cost" + "VWAN" ], "severity": "Medium", - "subcategory": "Run orphaned resources workbook - delete or snooze ghost items", - "text": "https://github.com/dolevshor/azure-orphan-resources", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets", - "waf": "Cost" + "subcategory": "Virtual WAN", + "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "Operations" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "9fe5c464-89d4-457a-a27c-3874d0102cac", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", "services": [ - "Cost" + "VWAN", + "ACR" ], "severity": "Medium", - "subcategory": "Shutdown/deallocate", - "text": "Shutdown underutilized instances", - "training": "https://learn.microsoft.com/azure/cost-management-billing/understand/analyze-unexpected-charges", - "waf": "Cost" + "subcategory": "Virtual WAN", + "text": "Use a Virtual WAN 
hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Performance" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", "services": [ - "Cost", - "Storage", - "Backup", - "VM" + "VWAN", + "Firewall" ], "severity": "Medium", - "subcategory": "stopped/deallocated VMs: check disks", - "text": "Check that the disks are really needed, if not: delete. 
If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Cost" + "subcategory": "Virtual WAN", + "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", "services": [ - "Cost", - "Storage", - "AzurePolicy" + "VWAN" ], "severity": "Medium", - "subcategory": "storage accounts lifecycle policy", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" + "subcategory": "Virtual WAN", + "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "f2bfe456-3b0d-4834-a348-726de69c6b5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "category": 
"Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", "services": [ - "Cost" + "VWAN", + "Monitor" ], "severity": "Medium", - "subcategory": "Tagging", - "text": "Use specific tags for temporary items with 'delete by DATE' format - and automate monthly cleanup", - "waf": "Cost" + "subcategory": "Virtual WAN", + "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Operations" }, { - "category": "DB/App tuning", - "checklist": "Cost Optimization Checklist", - "guid": "2a26494b-69ba-4d37-aad5-3cc78e1d7666", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", "services": [ - "Cost" + "VWAN" ], "severity": "Medium", - "subcategory": "DB optimization", - "text": "Plan for db optimization with the intent of downsizing the related services (and improve performance)", - "waf": "Cost" + "subcategory": "Virtual WAN", + "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "category": "DB/APP tuning", - "checklist": "Cost Optimization 
Checklist", - "guid": "7357c449-674b-45ed-a5a8-59c7733be2a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", "services": [ - "Cost" + "VWAN", + "ExpressRoute", + "VPN" ], "severity": "Medium", - "subcategory": "App modernization", - "text": "Modernizing the app towards a microservices architecture will have the effect of letting the app scale according to the single service and not the entire stack", - "waf": "Cost" + "subcategory": "Virtual WAN", + "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "category": "DB/APP tuning", - "checklist": "Cost Optimization Checklist", - "guid": "a27b765a-91be-41f3-a8ef-394c2bd463cb", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", "services": [ - "Cost", - "Storage", - "VM" + "VWAN" ], "severity": "Medium", - "subcategory": "DB optimization", - "text": "optimizing the DB queries will increase performance and allow better right-sizing of storage and 
VMs", - "waf": "Cost" + "subcategory": "Virtual WAN", + "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "category": "DB/APP tuning", - "checklist": "Cost Optimization Checklist", - "guid": "bac75819-59bb-491a-9ed9-0cae2cc84c37", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "category": "Network Topology and Connectivity", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "services": [ - "Cost" + "VWAN" ], - "severity": "Medium", - "subcategory": "Demand shaping", - "text": "Using demand shaping on PaaS services will optimize costs and performances", - "waf": "Cost" + "severity": "High", + "subcategory": "Virtual WAN", + "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "b6b780cb-9fe5-4c46-989d-457a927c3874", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", 
"services": [ - "Cost", - "Entra" + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Advisor", - "text": "Start from the Azure Advisor page suggestions.", - "waf": "Cost" + "severity": "High", + "subcategory": "Governance", + "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", + "service": "Policy", "services": [ - "Cost", - "VM" + "AzurePolicy", + "RBAC" ], "severity": "Medium", - "subcategory": "Advisor", - "text": "Make sure advisor is configured for VM right sizing ", - "waf": "Cost" + "subcategory": "Governance", + "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", + "training": "https://learn.microsoft.com/training/modules/governance-security/", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "881a1bd5-d1e4-44a1-a659-d3958fd77289", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "Cost" + "AzurePolicy", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Automation", - "text": "Consider implementing IaC scripts or devops pipelines to match the cost governance process", - "waf": "Cost" + "subcategory": "Governance", + "text": "Establish Azure Policy definitions at the intermediate root management 
group so that they can be assigned at inherited scopes.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "b835556d-f2bf-4e45-93b0-d834a348726d", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "Cost", - "Monitor" + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Automation", - "text": "Set up cost alerts for applications that have variable costs (ideally for all of them)", - "waf": "Cost" + "severity": "High", + "subcategory": "Governance", + "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "e69c6b5c-2a26-4494-a69b-ad37aad53cc7", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", "services": [ - "Cost" + "AzurePolicy", + "Subscriptions" ], - "severity": "Medium", - "subcategory": "Automation", - "text": "Use Azure Automation: Automate repetitive tasks can help you save time and resources, reducing costs in the process. 
", - "waf": "Cost" + "severity": "Low", + "subcategory": "Governance", + "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "8e1d7666-7357-4c44-a674-b5ed85a859c7", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "Cost" + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Automation", - "text": "Run orphaned resources workbook", - "waf": "Cost" + "severity": "High", + "subcategory": "Governance", + "text": "Use built-in policies where possible to minimize operational overhead.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "733be2a1-a27b-4765-a91b-e1f388ef394c", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. 
For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "services": [ - "Cost", - "Storage" + "AzurePolicy", + "RBAC", + "Subscriptions", + "Entra" ], "severity": "Medium", - "subcategory": "Baseline", - "text": "Try and establish a baseline of monthly spending and an acceptable saving target against the baseline (new services will not be optimized at this stage)", - "waf": "Cost" + "subcategory": "Governance", + "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "2bd463cb-bac7-4581-a59b-b91a3ed90cae", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "services": [ - "Cost", - "AzurePolicy" + "AzurePolicy", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Baseline", - "text": "Establish a cost optimization baseline by using a policy that tags every new resource as #NEW", - "waf": "Cost" + "subcategory": "Governance", + "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - 
"guid": "2cc84c37-b6b7-480c-a9fe-5c46489d457a", - "link": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management-config", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "services": [ - "Cost" + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Baseline", - "text": "Organize resources to maximize cost insights and accountability", - "waf": "Cost" + "subcategory": "Governance", + "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "927c3874-d010-42ca-a6aa-e01e6a84de5d", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "services": [ - "Cost" + "AzurePolicy", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Budgets", - "text": "Create budgets", - "waf": "Cost" + "subcategory": "Governance", + "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "e36d1d92-881a-41bd-9d1e-44a19659d395", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "services": [ - "Cost" + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Cost Analysis", - "text": "In cost analysis - use daily granularity, grouped by service name to analyze the spending of the past 3 months and identify the top 3 spenders", - "waf": "Cost" + "subcategory": "Governance", + "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "8fd77289-b835-4556-bf2b-fe4563b0d834", - "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server", + "category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", "services": [ - "Cost" + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Cost Analysis", - "text": "Check daily for cost spikes and anomalies (ideally with automatic billing exports)", - "waf": "Cost" + "subcategory": "Governance", + "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.", + "waf": "Security" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "a348726d-e69c-46b5-a2a2-6494b69bad37", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + 
"category": "Governance", + "checklist": "Azure Landing Zone Review", + "guid": "29fd366b-a180-452b-9bd7-954b7700c667", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", "services": [ + "TrafficManager", + "Monitor", "Cost" ], "severity": "Medium", - "subcategory": "Cost Analysis", - "text": "Automate cost retrieval for deep analysis or integration", + "subcategory": "Optimize your cloud investment", + "text": "Configure 'Actual' and 'Forecasted' Budget Alerts.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/", "waf": "Cost" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "aad53cc7-8e1d-4766-9735-7c449674b5ed", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", + "service": "Monitor", "services": [ - "Cost", - "ACR" + "AzurePolicy", + "RBAC", + "Monitor", + "Entra" ], "severity": "Medium", - "subcategory": "Free services", - "text": "Take advantage of Azure free services: Azure offers a number of free services, such as DevOps, Azure Container Registry, and Azure Logic Apps, that can help you save costs on development and operations. 
", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operations" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "96c96ad8-844c-4f3b-8b38-c886ba2c0214", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "services": [ - "Cost" + "Monitor" ], "severity": "Medium", - "subcategory": "Tagging", - "text": "Tag shared resources", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Decide whether to use a single Azure Monitor Logs workspace for all regions or to create multiple workspaces to cover various geographical regions. 
Each approach has advantages and disadvantages, including potential cross-region networking charges", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Reliability" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "99014a5d-3ce5-474d-acbd-9792a6bcca2b", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "services": [ - "Cost" + "AzurePolicy", + "Storage", + "Monitor", + "ARS" ], - "severity": "Medium", - "subcategory": "Tagging", - "text": "Consider using tags to all services for cost allocation", - "waf": "Cost" + "severity": "High", + "subcategory": "Monitoring", + "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. 
Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "category": "reservations", - "checklist": "Cost Optimization Checklist", - "guid": "4fea1dbf-3dd9-45d4-ac7c-891dcb1f7d57", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", "services": [ - "Cost" + "AzurePolicy", + "VM", + "Monitor" ], "severity": "Medium", - "subcategory": "automation", - "text": "Consider Reservation automation to track and promptly react to changes", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "description": "check by searching the Meter Category Licenses in the Cost analysys", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", "service": "VM", "services": [ - "Cost", - "SQL", - "AzurePolicy", "VM" ], "severity": "Medium", - "subcategory": "check AHUB is applied to all Windows VMs, RHEL and SQL", - "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", - "waf": "Cost" + "subcategory": "Operational compliance", + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operations" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": 
"c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", "service": "VM", "services": [ - "Cost", - "LoadBalancer" + "VM" ], "severity": "Medium", - "subcategory": "Check Red Hat Licences if applicable", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Cost" + "subcategory": "Operational compliance", + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operations" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "a76af4a6-91e8-4839-ada4-6667e13c1056", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "services": [ - "Cost", - "AppSvc" + "NetworkWatcher", + "Monitor" ], "severity": "Medium", - "subcategory": "Functions", - "text": "Saving plans will provide 17% on select app service plans", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Use Network Watcher to proactively monitor traffic flows.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Operations" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - 
"link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "541acdce-9793-477b-adb3-751ab2ab13ad", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", "services": [ - "Cost", - "VM" + "Monitor" ], "severity": "Medium", - "subcategory": "Planning", - "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Use resource locks to prevent accidental deletion of critical shared services.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "a6e55d7d-8a2a-4db1-87d6-326af625ca44", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/effect-deny", "services": [ - "Cost", - "ARS", - "VM" + "AzurePolicy", + "RBAC", + "Monitor" + ], + "severity": "Low", + "subcategory": "Monitoring", + "text": "Use deny policies to supplement Azure role assignments. 
The combination of deny policies and Azure role assignments ensures the appropriate guardrails are in place to enforce who can deploy and configure resources and what resources they can deploy and configure.",
+ "training": "https://learn.microsoft.com/azure/role-based-access-control/deny-assignments?tabs=azure-portal",
+ "waf": "Operations"
+ },
+ {
+ "category": "Management",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e5695f22-23ac-4e8c-a123-08ca5017f154",
+ "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+ "services": [
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Reservations/savings plans",
- "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
- "waf": "Cost"
+ "subcategory": "Monitoring",
+ "text": "Include service and resource health events as part of the overall platform monitoring solution. 
Tracking service and resource health from the platform perspective is an important component of resource management in Azure.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-service-health/",
+ "waf": "Operations"
 },
 {
- "category": "Reservations",
- "checklist": "Cost Optimization Checklist",
- "guid": "a785c6fe-96c9-46ad-a844-cf3b2b38c886",
- "link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/",
+ "category": "Management",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d5f345bf-97ab-41a7-819c-6104baa7d48c",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
 "services": [
- "Cost"
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Reservations/savings plans",
- "text": "Plan for Azure Savings Plans for all the workloads that are dynamic and need maximum flexibility",
- "waf": "Cost"
+ "subcategory": "Monitoring",
+ "text": "Include alerts and action groups as part of the Azure Service Health platform to ensure that alerts or issues can be actioned.",
+ "training": "https://learn.microsoft.com/en-gb/training/modules/incident-response-with-alerting-on-azure/7-actions-and-alert-processing-rules",
+ "waf": "Operations"
 },
 {
- "category": "Reservations",
- "checklist": "Cost Optimization Checklist",
- "guid": "ba2c0214-9901-44a5-b3ce-574dccbd9792",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "category": "Management",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e3ab3693-829e-47e3-8618-3687a0477a20",
+ "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard",
 "services": [
- "Cost"
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Reservations/savings plans",
- "text": "Plan for Azure Reservations for all the workloads that are less dynamic and won't change much",
- "waf": "Cost"
+ "subcategory": "Monitoring",
+ "text": "Don't send raw log entries back to on-premises 
monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. If on-premises SIEM integration is required, then send critical alerts instead of logs.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/",
+ "waf": "Operations"
 },
 {
- "category": "Reservations",
- "checklist": "Cost Optimization Checklist",
- "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
- "service": "VM",
+ "category": "Management",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
+ "service": "Monitor",
 "services": [
- "Cost",
- "Storage"
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Reserve storage",
- "text": "Only larger disks can be reserved => 1 TiB -",
- "waf": "Cost"
+ "subcategory": "Monitoring",
+ "text": "Use Azure Monitor Logs for insights and reporting.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/",
+ "waf": "Operations"
 },
 {
- "category": "Reservations",
- "checklist": "Cost Optimization Checklist",
- "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
- "service": "VM",
+ "category": "Management",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "619e8a13-f988-4795-85d6-26886d70ba6c",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview",
 "services": [
- "Cost",
- "VM"
+ "Storage",
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Reserve VMs with normalized and rationalized sizes",
- "text": "After the right-sizing optimization",
- "waf": "Cost"
+ "subcategory": "Monitoring",
+ "text": "When necessary, use shared storage 
accounts within the landing zone for Azure diagnostic extension log storage.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-extensions/", + "waf": "Operations" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", "services": [ - "Cost", - "SQL", - "AzurePolicy" + "Monitor" ], "severity": "Medium", - "subcategory": "SQL Database AHUB", - "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Use Azure Monitor alerts for the generation of operational alerts.", + "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", + "waf": "Operations" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "859c3900-4514-41eb-b010-475d695abd74", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", "services": [ - "Cost", - "SQL", - "VM" + "Monitor" ], "severity": "Medium", - "subcategory": "SQL Database Reservations", - "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", - "waf": "Cost" 
+ "subcategory": "Monitoring", + "text": "Ensure that monitoring requirements have been assessed and that appropriate data collection and alerting configurations are applied.", + "training": "https://learn.microsoft.com/training/paths/az-104-monitor-backup-resources/", + "waf": "Operations" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "e13c1056-75c1-4e94-9b45-9837ff7ae7c6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "services": [ - "Cost" + "Monitor" ], "severity": "Medium", - "subcategory": "Tracking", - "text": "Make sure you Azure Reservations and Savings plans are close to 100% utilization or make the necessary changes to reach it.", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "waf": "Operations" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "d3b475a5-c7ac-4be4-abbe-64dd89f2e877", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "aa45be6a-8f2d-4896-b0e3-775e6e94e610", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-monitor", "services": [ - "Cost", - "AzurePolicy" + "AzurePolicy", + "Monitor" 
], "severity": "Medium", - "subcategory": "Tracking", - "text": "Make sure that your reservations usage is close to 100%. If not, either enforce an allowed SKU policy or exchange the reservation", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Deploy AMBA to establish monitoring for platform components of your landing zone - AMBA is a framework solution that is available and provides an easy way to scale alerting by using Azure Policy.", + "training": "https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/", + "waf": "Operations" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "78468d55-a785-4c6f-b96c-96ad8844cf3b", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "aa45be6a-8f2d-4896-b0e3-885e6e94e770", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview", "services": [ - "Cost", - "AzurePolicy" + "Monitor" ], "severity": "Medium", - "subcategory": "Automation", - "text": "Plan and enforce a On/Off policy for production services, where possible", - "waf": "Cost" + "subcategory": "Monitoring", + "text": "Use Azure Monitoring Agent (AMA). 
The Log Analytics agent is deprecated since August 31,2024", + "training": "https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview#installation", + "waf": "Operations" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "2b38c886-ba2c-4021-9990-14a5d3ce574d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", + "guid": "0d83fd81-952c-4d47-a6cb-3a930925ef2e", + "link": "https://learn.microsoft.com/en-gb/azure/storage/common/redundancy-migration?tabs=portal", "services": [ - "Cost", - "AzurePolicy" + "Storage", + "Cost" ], + "severity": "High", + "subcategory": "Data Protection", + "text": "Ensure that storage accounts are zone or region redundant, Redundancy ensures storage accounts meet availability and durability targets amidst failures, weighing lower costs against higher availability. 
Locally redundant storage offers the least durability at the lowest cost.", + "training": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "waf": "Reliability" + }, + { + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "7ea02e1c-7166-45a3-bdf5-098891367fcb", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "services": [], "severity": "Medium", - "subcategory": "Automation", - "text": "Plan and enforce a On-Demand policy with auto-shutdown for non-production services, where possible", - "waf": "Cost" + "subcategory": "Data Protection", + "text": "Enable cross-region replication in Azure for BCDR with paired regions.", + "training": "https://learn.microsoft.com/training/modules/provide-disaster-recovery-replicate-storage-data/", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", "services": [ - "Cost", - "VM" + "Backup" ], - "severity": "Medium", - "subcategory": "Autoscale", - "text": "Consider using a VMSS to match demand rather than flat sizing", - "waf": "Cost" + "severity": "Low", + "subcategory": "Data Protection", + "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "Reliability" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": 
"c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "services": [ - "Cost", - "AKS" + "AzurePolicy", + "VM" ], "severity": "Medium", - "subcategory": "Autoscale", - "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", - "waf": "Cost" + "subcategory": "Operational compliance", + "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "93665720-2bff-4456-9b0d-934a359c363e", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", "services": [ - "Cost" + "AzurePolicy", + "VM", + "Monitor" ], "severity": "Medium", - "subcategory": "Autoscale", - "text": "Right-size PaaS service according to average use and accomodate spikes with auto or manual scaling", - "waf": "Cost" + "subcategory": "Operational compliance", + "text": "Monitor VM security configuration drift via Azure Policy.", + 
"training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "7dd61623-a364-4a90-9eba-e38ead53cc7d", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "services": [ - "Cost" + "VM", + "ASR", + "ACR" ], "severity": "Medium", - "subcategory": "Autoscale", - "text": "Plan for demand shaping where applicable", - "waf": "Cost" + "subcategory": "Protect and Recover", + "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.", + "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", + "waf": "Operations" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "e2e8aaab-3571-4549-ab91-53d89f89dc7b", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "b2ab13ad-a6e5-45d7-b8a2-adb117d6326a", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", "services": [ - "Cost" + "ASR" ], "severity": "Medium", - "subcategory": "Autoscale", - "text": "Consider implementing a service re-scaling logic within the application", - "training": "https://learn.microsoft.com/azure/cost-management-billing/savings-plan/", - "waf": "Cost" + "subcategory": "Protect and Recover", + "text": "Use native PaaS service disaster recovery capabilities. 
Perform failover testing with these capabilities.", + "training": "https://learn.microsoft.com/en-us/training/modules/explore-iaas-paas-platform-tools-for-high-availability-disaster-recovery/", + "waf": "Operations" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", "services": [ - "Cost", "Backup" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "subcategory": "Protect and Recover", + "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "Operations" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "services": [ - "Cost", - "VM", - "LoadBalancer" + "AppGW", + "WAF", + "FrontDoor" ], - "severity": "Medium", - "subcategory": "Databricks", - "text": "Consider 
using Spot VMs with fallback where possible. Consider autotermination of clusters.", - "waf": "Cost" + "severity": "High", + "subcategory": "App delivery", + "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. Regularly review the logs to check for attacks and for false positive detections.", + "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", + "waf": "Operations" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", + "category": "Management", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "services": [ - "Cost" + "AppGW", + "Sentinel", + "WAF", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Functions", - "text": "Functions - Reuse connections", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Cost" + "subcategory": "App delivery", + "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. 
Detect attacks and integrate WAF telemetry into your overall Azure environment.", + "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", + "waf": "Operations" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "services": [ - "Cost" - ], + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "b86ad884-08e3-4727-94b8-75ba18f20459", + "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response", + "services": [], "severity": "Medium", - "subcategory": "Functions", - "text": "Functions - Cache data locally", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Cost" + "subcategory": "Access control", + "text": "Determine the incident response plan for Azure services before allowing it into production.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-incident-readiness/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "services": [ - "Cost", - "Storage" - ], + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "01365d38-e43f-49cc-ad86-8266abca264f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/security-zero-trust", + "services": [], "severity": "Medium", - "subcategory": "Functions", - "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Cost" + "subcategory": "Access control", + "text": "Apply a zero-trust approach for access to the Azure platform.", + "training": "https://learn.microsoft.com/training/modules/introduction-zero-trust-best-practice-frameworks/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "services": [ - "Cost" + "AKV" ], - "severity": "Medium", - "subcategory": "Functions", - "text": "Functions - Keep your functions warm", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Cost" + "severity": "High", + "subcategory": "Encryption and keys", + "text": "Use Azure Key Vault to store your secrets and credentials.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project 
subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "services": [ - "Cost" + "AKV" ], "severity": "Medium", - "subcategory": "Functions", - "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Cost" + "AKV", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Functions", - "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", - "waf": "Cost" + "subcategory": 
"Encryption and keys", + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Cost" + "AKV", + "RBAC", + "Entra" ], "severity": "Medium", - "subcategory": "Functions", - "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) 
https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "df03a822-cd46-43cb-abc8-ac299ebc91a4", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Cost" + "AKV" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Evaluate your network topology against networking costs and where applicable reduce the egress and peering data", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", + "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Cost", - "FrontDoor", - "EventHubs" + "AKV" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Frontdoor - Turn off the default 
homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "Establish an automated process for key and certificate rotation.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Cost", - "AppSvc", - "FrontDoor" + "AKV", + "PrivateLink", + "VNet" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. 
The advantage of this is you will be able to log out when it is called.", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "f843e52f-4722-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "services": [ - "Cost" + "AKV", + "Monitor", + "Entra" ], "severity": "Medium", - "subcategory": "PaaS", - "text": "Consider using free tiers where applicable for all non-production environments", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "b9de39ac-0e7c-428d-a936-657202bff456", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Cost" + "AKV", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Serverless", - "text": "Using serverless patterns for spikes can help 
keeping costs down", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "16183687-a047-47a2-8994-5bda43334f24", + "link": "https://learn.microsoft.com/azure/security/fundamentals/encryption-atrest", "services": [ - "Cost", - "Storage" + "AKV" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Consider archiving tiers for less used data", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Cost", - "Storage" + "AKV" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Cost", - "Storage" + "AKV", + "ASR", + "ACR" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Consider using standard SSD rather than Premium or Ultra where possible", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. 
Choose appropriate region pairs and disaster recovery regions that minimize latency.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "services": [ - "Cost", - "Storage" + "AKV" ], "severity": "Medium", - "subcategory": "Storage", - "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", - "waf": "Cost" + "subcategory": "Encryption and keys", + "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "services": [ - "Cost", - "Storage", - "ASR" + "Entra" ], "severity": "Medium", - "subcategory": "Storage", - "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", - 
"waf": "Cost" + "subcategory": "Operations", + "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", + "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "4e3ab369-3829-4e7e-9161-83687a0477a2", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal", "services": [ - "Cost", - "Storage" + "Storage", + "Monitor", + "ARS" ], "severity": "Medium", - "subcategory": "storage", - "text": "Storage accounts: check hot tier and/or GRS necessary", - "waf": "Cost" + "subcategory": "Operations", + "text": "Export Azure activity logs to Azure Monitor Logs for long-term data retention. 
Export to Azure Storage for long-term storage beyond two years, if necessary.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "services": [ - "Cost", - "Storage" + "Subscriptions", + "Defender" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", - "waf": "Cost" + "severity": "High", + "subcategory": "Operations", + "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "services": [ - "Cost", - "Monitor", - "EventHubs" + "Subscriptions", + "Defender" ], - "severity": "Medium", - "subcategory": "Synapse", - "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and 
overspending risks.", - "waf": "Cost" + "severity": "High", + "subcategory": "Operations", + "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", "services": [ - "Cost", - "Storage" + "Subscriptions", + "Defender" ], - "severity": "Medium", - "subcategory": "Synapse", - "text": "Export cost data to a storage account for additional data analysis.", - "waf": "Cost" + "severity": "High", + "subcategory": "Operations", + "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", + "services": [], + "severity": "High", + "subcategory": "Operations", + "text": "Enable Endpoint Protection on IaaS Servers.", + "training": 
"https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "services": [ - "Cost", - "SQL" + "Monitor", + "Defender" ], "severity": "Medium", - "subcategory": "Synapse", - "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", - "waf": "Cost" + "subcategory": "Operations", + "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "services": [ - "Cost" + "Monitor", + "Entra" ], "severity": "Medium", - "subcategory": "Synapse", - "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", - "waf": "Cost" + "subcategory": "Operations", + "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", + "guid": "a56888b2-7e83-4404-bd31-b886528502d1", + "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", + "service": "Entra", "services": [ - "Cost" + "ACR", + "Entra" ], - "severity": "Medium", - "subcategory": "Synapse", - "text": "Create multiple Apache Spark pool definitions of various sizes.", - "waf": "Cost" + "severity": "High", + "subcategory": "Operations", + "text": "Centralized threat detection with correlated logs - consolidate security data in a central location where it can be correlated across various services via SIEM (security information and event management)", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": 
"https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "services": [ - "Cost" + "Entra" ], "severity": "Medium", - "subcategory": "Synapse", - "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "subcategory": "Operations", + "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "services": [ - "Cost", - "VM" + "Entra" ], "severity": "Medium", - "subcategory": "VM", - "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "subcategory": "Operations", + "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "874a748b-662d-46d1-9051-2a66498f6dfe", + "link": "https://learn.microsoft.com/azure/event-grid/set-alerts", "services": [ - "Cost", - "VM" + 
"Monitor" ], - "severity": "Medium", - "subcategory": "VM", - "text": "Right-sizing all VMs", - "waf": "Cost" + "severity": "Low", + "subcategory": "Operations", + "text": "Use an Azure Event Grid-based solution for log-oriented, real-time alerts.", + "training": "https://learn.microsoft.com/training/modules/azure-event-grid/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", "services": [ - "Cost", - "VM" + "Storage" ], - "severity": "Medium", - "subcategory": "VM", - "text": "Swap VM sized with normalized and most recent sizes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "severity": "High", + "subcategory": "Overview", + "text": "Enable secure transfer to storage accounts.", + "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", "services": [ - "Cost", - "Monitor", - "VM" + "Storage" ], - "severity": "Medium", - "subcategory": "VM", - "text": "right-sizing VMs - start with monitoring 
usage below 5% and then work up to 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "severity": "High", + "subcategory": "Overview", + "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", + "waf": "Security" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "6f704104-85c1-441f-96d3-c9819911645e", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning", "services": [ - "Cost", - "VM" + "Entra" ], + "severity": "High", + "subcategory": "Secure privileged access", + "text": "Separate privileged admin accounts for Azure administrative tasks.", + "training": "https://learn.microsoft.com/training/modules/design-solutions-secure-privileged-access/", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "9a19bf39-c95d-444c-9c89-19ca1f6d5215", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework", + "services": [], "severity": "Medium", - "subcategory": "VM", - "text": "Containerizing an application can improve VM density and save money on scaling it", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Cost" + "subcategory": "Service enablement framework", + "text": "Plan how new azure services will be implemented.", + "waf": "Security" }, { - "category": "Responsible AI", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", + "category": "Security", + "checklist": "Azure Landing Zone Review", + "guid": "ae514b93-3d45-485e-8112-9bd7ba012f7b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/service-enablement-framework", "services": [], - "severity": "High", - "subcategory": "Metaprompting", - "text": "Follow Metaprompting guardrails for resonsible AI", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "Service enablement framework", + "text": "Plan how service request will be fulfilled for Azure services.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", - "services": [ - "Entra", - "APIM" - ], + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "e85f4226-bf06-4e35-8a8b-7aee4d2d633a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops", + "services": [], "severity": "High", - "subcategory": "Load Balancing", - "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", - "waf": "Operational Excellence" + "subcategory": "DevOps Team Topologies", + "text": "Ensure you have a cross functional DevOps Platform Team to build, manage and maintain your Azure Landing Zone architecture.", + "training": "https://learn.microsoft.com/training/modules/choose-an-agile-approach/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": 
"https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", - "services": [ - "Monitor" - ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Enable monitoring for your AOAI instances", - "waf": "Operational Excellence" + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "634146bf-7085-4419-a7b5-f96d2726f6da", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations", + "services": [], + "severity": "Low", + "subcategory": "DevOps Team Topologies", + "text": "Aim to define functions for Azure Landing Zone Platform team.", + "training": "https://learn.microsoft.com/training/paths/az-400-work-git-for-enterprise-devops/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "a9e65070-c59e-4112-8bf6-c11364d4a2a5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/devops-teams-topologies#design-recommendations", "services": [ - "AKV", - "Monitor", - "Subscriptions" + "RBAC" ], - "severity": "High", - "subcategory": "Alerts", - "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", - "waf": "Operational Excellence" + "severity": "Low", + "subcategory": "DevOps Team Topologies", + "text": "Aim to define functions for application workload teams to be self-sufficient and not 
require DevOps Platform Team support. Achieve this through the use of custom RBAC role.", + "training": "https://learn.microsoft.com/training/paths/az-400-work-git-for-enterprise-devops/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "services": [ - "Monitor" - ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Monitor token usage to prevent service disruptions due to capacity", - "waf": "Operational Excellence" + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "165eb5e9-b434-448a-9e24-178632186212", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code", + "services": [], + "severity": "Medium", + "subcategory": "DevOps Team Topologies", + "text": "Use a CI/CD pipeline to deploy IaC artifacts and ensure the quality of your deployment and Azure environments.", + "training": "https://learn.microsoft.com/training/modules/manage-multiple-environments-using-bicep-azure-pipelines/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "0cadb8c7-8fa5-4fbf-8f39-d1fadb3b0460", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "services": [], + "severity": "Medium", + "subcategory": "DevOps Team Topologies", + "text": "Include unit tests for IaC and application code as part of your build process.", + "training": 
"https://learn.microsoft.com/training/modules/run-quality-tests-build-pipeline/", + "waf": "Operations" + }, + { + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", "services": [ - "Monitor" + "AKV", + "VM" ], - "severity": "Medium", - "subcategory": "Observability", - "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", - "waf": "Operational Excellence" + "severity": "High", + "subcategory": "DevOps Team Topologies", + "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", + "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "a52e0c98-76b9-4a09-a1c9-6b2babf22ac4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending", "services": [ - "APIM" + "Subscriptions" ], "severity": "Low", - "subcategory": "Observability", - "text": "Enable and configure Diagnostics for the Azure OpenAI Service. 
If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", - "waf": "Operational Excellence" + "subcategory": "DevOps Team Topologies", + "text": "Implement automation for new landing zone for applications and workloads through subscription vending.", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "cfe363b5-f579-4284-bc56-a42153e4c10b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code", "services": [], "severity": "High", - "subcategory": "Infrastructure Deployment", - "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", - "waf": "Operational Excellence" + "subcategory": "Development Lifecycle", + "text": "Ensure a version control system is used for source code of applications and IaC developed. 
Microsoft recommends Git.", + "training": "https://learn.microsoft.com/training/paths/intro-to-vc-git/", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "services": [ - "Entra" - ], - "severity": "High", - "subcategory": "Authentication", - "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", - "waf": "Security" + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "c7245dd4-af8a-403a-8bb7-890c1a7cfa9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle", + "services": [], + "severity": "Low", + "subcategory": "Development Lifecycle", + "text": "Follow a branching strategy to allow teams to collaborate better and efficiently manage version control of IaC and application Code. Review options such as Github Flow.", + "training": "https://learn.microsoft.com/training/modules/manage-git-branches-workflows/", + "waf": "Operations" }, { - "category": "Responsible AI", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "12aeea20-9165-4b3e-bdf2-6795fcd3cdbe", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle", "services": [], - "severity": "High", - "subcategory": "Evaluation", - "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "Development Lifecycle", + "text": "Adopt a pull request strategy to help keep control of code changes merged into branches.", + "training": "https://learn.microsoft.com/training/modules/review-azure-infrastructure-changes-using-bicep-pull-requests/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "2676ae46-65ca-444e-8695-fdddeace4cb1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-platform", "services": [], - "severity": "High", - "subcategory": "Hosting model", - "text": "Evaluate usage of Provisioned throughput model ", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Development Lifecycle", + "text": "Establish a process for using code to implement quick fixes. 
Always register quick fixes in your team's backlog so each fix can be reworked at a later point, and you can limit technical debt.", + "training": "https://learn.microsoft.com/training/modules/branch-merge-git/", + "waf": "Operations" }, { - "category": "Responsible AI", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "2cdc9d99-dbcc-4ad4-97f5-e7d358bdfa73", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code", "services": [], "severity": "High", - "subcategory": "Content Safety", - "text": "Review and implement Azure AI content safety", - "waf": "Operational Excellence" + "subcategory": "Development Strategy", + "text": "Leverage Declarative Infrastructure as Code Tools such as Azure Bicep, ARM Templates or Terraform to build and maintain your Azure Landing Zone architecture. 
Both from a Platform and Application workload perspective.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-infrastructure-as-code-using-bicep/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", + "category": "Platform Automation and DevOps", + "checklist": "Azure Landing Zone Review", + "guid": "cc87a3bc-c572-4ad2-92ed-8cabab66160f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/landing-zone-security#secure", "services": [], "severity": "High", - "subcategory": "Throughput definition", - "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", - "waf": "Performance" + "subcategory": "Security", + "text": "Integrate security into the already combined process of development and operations in DevOps to mitigate risks in the innovation process.", + "training": "https://learn.microsoft.com/training/paths/az-400-implement-security-validate-code-bases-compliance/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", - "services": [], + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore", + "guid": "976f32a7-30d1-6caa-c2a0-207fdc26571b", + "link": "https://learn.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "services": [ + "Storage", + "AVS", + "Backup" + ], "severity": "Medium", - "subcategory": "Latency improvement", - "text": "Improve latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner", - "waf": "Performance" + "subcategory": "Backup", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Microsoft backup service", + "guid": "fc8af7a1-c724-e255-c18d-4ca22a6f27f0", + "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "ServiceBus", - "Storage" + "AVS", + "Backup" ], "severity": "Medium", - "subcategory": "Elasticity segregation", - "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. 
For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", - "waf": "Performance" - }, - { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Benchmarking", - "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", - "waf": "Performance" + "subcategory": "Business Continuity", + "text": "Use MABS as your backup solution", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "services": [], + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Best practice - this is Backup, not disaster recovery", + "guid": "be28860f-3d29-a79a-1a0e-36f1b23b36ae", + "link": "Best practice to deploy backup in the same region as your AVS deployment", + "services": [ + "AVS", + "ASR", + "Backup" + ], "severity": "Medium", - "subcategory": "Elasticity ", - "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. 
Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", - "waf": "Performance" - }, - { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Model choice", - "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", - "waf": "Performance" + "subcategory": "Business Continuity", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", - "services": [], + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Best practice - in case AVS is unavailable", + "guid": "4d2f79a5-4ccf-0dfc-557c-49619b99a540", + "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "services": [ + "AVS" + ], "severity": "Medium", - "subcategory": "Fine tuning", - "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", - "waf": "Performance" + "subcategory": "Business Continuity", + "text": "Preferably deploy MABS outside of the SDDC as native Azure IaaS", + "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "category": "BCDR", + 
"checklist": "Azure VMware Solution Implementation Checklist", + "description": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "guid": "ff431c40-962c-5182-d536-0c2f0c4ce9e0", + "link": "Will Disaster Recovery Site Recovery, HCX Disaster Recovery, SRM or back tools be used?", "services": [ - "ACR" + "AVS" ], - "severity": "Low", - "subcategory": "Multi-region architecture", - "text": "Deploy multiple OAI instances across regions", + "severity": "Medium", + "subcategory": "Business Continuity", + "text": "Escalation process with Microsoft in the event of a regional DR", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Compare SRM with HCX", + "guid": "f379436d-3051-daa0-01fb-dc4e0e04d677", + "link": "https://docs.microsoft.com/azure/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager", "services": [ - "Entra", - "APIM" + "AVS", + "ASR" ], - "severity": "High", - "subcategory": "Load balancing", - "text": "Implement retry & healthchecks with Gateway pattern like APIM", + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", - "services": [], + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Recovery into Azure instead of 
Vmware solution", + "guid": "367f71d8-3cf6-51a0-91a5-3db3d570cc19", + "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", + "services": [ + "AVS", + "ASR" + ], "severity": "Medium", - "subcategory": "Quotas", - "text": "Ensure having adequate quotas of TPM & RPM for the workload", + "subcategory": "Disaster Recovery", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", "waf": "Reliability" }, { - "category": "Responsible AI", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", - "services": [], + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Avoid manual tasks as much as possible", + "guid": "ee02ada0-1887-bb3a-b84c-423f45a09ef9", + "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", + "services": [ + "AVS", + "ASR" + ], "severity": "Medium", - "subcategory": "UX best practice", - "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", - "waf": "Operational Excellence" + "subcategory": "Disaster Recovery", + "text": "Use Automated recovery plans with either of the Disaster solutions,", + "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Any other datacenter in the same region", + "guid": "0c2b74e5-9c28-780d-1df3-12d3de4aaa76", + "link": "https://docs.microsoft.com/azure/azure-vmware/connect-multiple-private-clouds-same-region", "services": [ - "ACR" + "AVS", 
+ "ASR" ], "severity": "Medium", - "subcategory": "Load balancing", - "text": "Deploy separate fine tuned models across regions if finetuning is employed", + "subcategory": "Disaster Recovery", + "text": "Configure a secondary disaster recovery environment", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "guid": "c2a34ec4-2933-4e6c-dc36-e20e67abbe3f", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", "services": [ - "Backup", + "AVS", "ASR" ], "severity": "Medium", - "subcategory": "Data Backup and Disaster Recovery", - "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. 
Leverage Azure's backup and disaster recovery services to protect your data.", + "subcategory": "Disaster Recovery", + "text": "Assign IP ranges unique to each region", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "SLA considerations", - "text": "Azure AI search service tiers should be choosen to have a SLA ", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "ExpressRoute Global Reach can be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or routing must be done through network virtual appliances?", + "guid": "b44fb6ec-bfc1-3a8e-dba2-ca97f0991d2c", + "link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. 
If they are in separate regions then use ExpressRoute Global Reach.", + "services": [ + "NVA", + "AVS", + "ExpressRoute", + "ASR" + ], + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Use Global Reach between DR regions", "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", - "services": [], - "severity": "Low", - "subcategory": "Data Sensitivity", - "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification", - "waf": "Security" + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "An ExR Global Reach connection will be established to the ExR circuit, no other connections", + "guid": "a2c12df2-07fa-3edd-2cec-fda0b55fb952", + "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", + "services": [ + "VWAN", + "AVS" + ], + "severity": "Medium", + "subcategory": "Direct (no vWAN, no H&S)", + "text": "Global Reach to ExR circuit - no Azure resources", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Encryption at Rest", - "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", - "waf": "Security" + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use ExR to connect on-premises (other) location to Azure", + "guid": 
"f62ce162-ba5a-429d-674e-fafa1af5f706", + "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", + "services": [ + "AVS", + "ExpressRoute" + ], + "severity": "Medium", + "subcategory": "ExpressRoute", + "text": "Connect to Azure using ExR", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use the migration assesment tool and timeline to determine bandwidth required", + "guid": "cf01c73b-1247-0a7a-740c-e1ea29bda340", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-introduction", "services": [ - "ACR" + "AVS", + "ExpressRoute" ], - "severity": "High", - "subcategory": "Transit Encryption", - "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", - "waf": "Security" + "severity": "Medium", + "subcategory": "ExpressRoute", + "text": "Bandwidth sizing", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "What traffic is routed through a firewall, what goes directly into Azure", + "guid": "aab216ee-8941-315e-eada-c7e1f2243bd1", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", "services": [ - "RBAC" + "AVS", + "ExpressRoute" ], - "severity": "High", - 
"subcategory": "Access Control", - "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities", - "waf": "Security" + "severity": "Medium", + "subcategory": "ExpressRoute", + "text": "Traffic routing ", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", - "services": [], + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "AVS to ExR circuit, no traffic inspection", + "guid": "1f956e45-f62d-5c95-3a95-3bab718907f8", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", + "services": [ + "AVS", + "ExpressRoute" + ], "severity": "Medium", - "subcategory": "Data Masking and Redaction", - "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", - "waf": "Security" + "subcategory": "ExpressRoute", + "text": "Global Reach ", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Name of the vNet and a unique address space /24 minimum", + "guid": "91f7a87b-21ac-d712-959c-8df2ba034253", + "link": "https://learn.microsoft.com/azure/virtual-network/quick-create-portal", "services": [ - "Monitor", - "Sentinel", - 
"Defender" + "AVS", + "VNet" ], - "severity": "High", - "subcategory": "Threat Detection and Monitoring", - "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response", - "waf": "Security" + "severity": "Medium", + "subcategory": "Hub & Spoke", + "text": "VNet name & address space", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Subnet must be called GatewaySubnet", + "guid": "58a027e2-f37f-b540-45d5-e44843aba26b", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", "services": [ - "AzurePolicy" + "AVS", + "ExpressRoute", + "VPN", + "VNet" ], "severity": "Medium", - "subcategory": "Data Retention and Disposal", - "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
- "waf": "Security"
+ "subcategory": "Hub & Spoke",
+ "text": "Gateway subnet",
+ "waf": "Performance"
 },
 {
- "category": "Responsible AI",
- "checklist": "Azure OpenAI Review",
- "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
- "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "High",
- "subcategory": "Jail break Safety",
- "text": "Implement Prompt shields and groundedness detection using Content Safety ",
- "waf": "Operational Excellence"
+ "category": "Connectivity",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Create a VPN gateway on the hub Gateway subnet",
+ "guid": "d4806549-0913-3e79-b580-ac2d3706e65a",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings",
+ "services": [
+ "AVS",
+ "ExpressRoute",
+ "VPN",
+ "VNet"
+ ],
+ "severity": "Medium",
+ "subcategory": "Hub & Spoke",
+ "text": "VPN Gateway",
+ "waf": "Performance"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
- "link": "https://learn.microsoft.com/azure/compliance/",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "High",
- "subcategory": "Data Privacy and Compliance",
- "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
- "waf": "Security"
+ "category": "Connectivity",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Create an ExR Gateway in the hub Gateway subnet.",
+ "guid": "864d7a8b-7016-c769-a717-61af6bfb73d2",
+ "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", + "services": [ + "AVS", + "ExpressRoute", + "VPN", + "VNet" + ], + "severity": "Medium", + "subcategory": "Hub & Spoke", + "text": "ExR Gateway", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", - "services": [], + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "How will Internet traffic be routes, Az Firewall, NVA, Secure Hub, On-Premises firewall?", + "guid": "cc2e11b9-7911-7da1-458c-d7fcef794aad", + "link": "https://learn.microsoft.com/azure/azure-vmware/enable-public-internet-access", + "services": [ + "NVA", + "AVS" + ], "severity": "Medium", - "subcategory": "Employee Awareness and Training", - "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.", - "waf": "Security" + "subcategory": "Internet", + "text": "Egress point", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Environment segregation", - "text": "Keep production data separate from development and testing data. 
Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
- "waf": "Security"
+ "category": "Connectivity",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Allow remote connectivity to AVS via the portal, specifically to vCenter, NSX-T and HCX",
+ "guid": "71e68ce3-982e-5e56-0191-01100ad0e66f",
+ "link": "https://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html",
+ "services": [
+ "Bastion",
+ "AVS"
+ ],
+ "severity": "Medium",
+ "subcategory": "Jumpbox & Bastion",
+ "text": "Remote connectivity to AVS",
+ "waf": "Performance"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
- "service": "Azure OpenAI",
- "services": [],
+ "category": "Connectivity",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Name the jumpbox and identify the subnet where it will be hosted",
+ "guid": "6f8e93a2-44b1-bb1d-28a1-4d5b3c2ea857",
+ "link": "https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal",
+ "services": [
+ "Bastion",
+ "AVS",
+ "VNet"
+ ],
 "severity": "Medium",
- "subcategory": "Index Segregation",
- "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. 
For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
- "waf": "Security"
+ "subcategory": "Jumpbox & Bastion",
+ "text": "Configure a jumbox and Azure Bastion",
+ "waf": "Performance"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
- "service": "Azure OpenAI",
+ "category": "Connectivity",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Provides secure / seamless RDP/SSH connectivity to your vm's directly through the portal.",
+ "guid": "ba430d58-4541-085c-3641-068c00be9bc5",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview",
 "services": [
- "RBAC",
- "AzurePolicy"
+ "Bastion",
+ "AVS",
+ "VM"
 ],
 "severity": "Medium",
- "subcategory": "Sensitive Data in Separate Instances",
- "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
- "waf": "Security"
+ "subcategory": "Jumpbox & Bastion",
+ "text": "Security measure allowing RDP access via the portal",
+ "waf": "Performance"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "High",
- "subcategory": "Embedding and Vector handling",
- "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material",
- "waf": "Security"
+ "category": "Connectivity",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Using a VPN to connect to Azure to enable VMware communications (HCX) (not recommended)",
+ "guid": "9988598f-2a9f-6b12-9b46-488415ceb325",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/configure-site-to-site-vpn-gateway",
+ "services": [
+ "AVS",
+ "VPN"
+ ],
+ "severity": "Medium",
+ "subcategory": "VPN",
+ "text": "Connect to Azure using a VPN",
+ "waf": "Performance"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
- "service": "Azure OpenAI",
+ "category": "Connectivity",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Use the migration assesment tool and timeline to determine bandwidth required (eg 3rd party tool in link)",
+ "guid": "956ce5e9-a862-fe2b-a50d-a22923569357",
+ "link": "https://www.omnicalculator.com/other/data-transfer#:~:text=To%20calculate%20the%20data%20transfer%20speed%3A%201%20Download,measured%20time%20to%20find%20the%20data%20transfer%20speed.",
 "services": [
- "RBAC"
+ "AVS",
+ "VPN"
 ],
- "severity": "High",
- "subcategory": "Access control",
- "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "VPN",
+ "text": "Bandwidth sizing",
+ "waf": "Performance"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
- "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
- "service": "Azure OpenAI",
+ 
"category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "What traffic is routed through a firewall, what goes directly into Azure", + "guid": "e095116f-0bdc-4b51-4d71-b9e469d56f59", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", "services": [ - "PrivateLink" + "AVS", + "VPN" ], - "severity": "High", - "subcategory": "Network security", - "text": "Configure private endpoint for AI services to restrict service access within your network", - "waf": "Security" + "severity": "Medium", + "subcategory": "VPN", + "text": "Traffic routing ", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Name and unique address space for the vWAN, name for the vWAN hub", + "guid": "4dc480ac-cecd-39c4-fdc6-680b300716ab", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-site-to-site-portal#openvwan", "services": [ - "Firewall", - "VNet" + "VWAN", + "AVS" ], - "severity": "High", - "subcategory": "Network security", - "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", - "waf": "Security" + "severity": "Medium", + "subcategory": "vWAN hub", + "text": "vWAN name, hub name and address space", + "waf": "Performance" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Control Network Access", - "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral 
movement", - "waf": "Security" + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Select either boh or the appropriate connection type.", + "guid": "51d6affd-8e02-6aea-d3d4-0baf618b3076", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-point-to-site-portal", + "services": [ + "VWAN", + "AVS", + "VPN" + ], + "severity": "Medium", + "subcategory": "vWAN hub", + "text": "ExR and/or VPN gateway provisioned", + "waf": "Performance" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Add Azure firewall to vWAN (recommended)", + "guid": "e32a4c67-3dc0-c134-1c12-52d46dcbab5b", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-expressroute-portal", "services": [ - "Cost" + "VWAN", + "AVS", + "Firewall" ], "severity": "Medium", - "subcategory": "Token Optimization", - "text": "Use prompt compression tools like LLMLingua or gprtrim", - "waf": "Cost Optimization" + "subcategory": "vWAN hub", + "text": "Secure vWAN", + "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Active directory or other identity provider servers", + "guid": "fbc47fbf-bc96-fa93-ed5d-8c9be63cd5c3", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", "services": [ - "AKV", + "AVS", "Entra" ], - "severity": "High", - 
"subcategory": "Secure APIs and Endpoints", - "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", + "severity": "Medium", + "subcategory": "Access", + "text": "External Identity (user accounts)", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", - "services": [], + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Not required for LDAPS, required for Kerberos", + "guid": "b5db7975-f6bb-8ba3-ee5f-e3e805887997", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", + "services": [ + "AVS", + "Entra" + ], "severity": "Medium", - "subcategory": "Implement Strong Authentication", - "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", + "subcategory": "Access", + "text": "If using AD domain, ensure Sites & Services has been configured", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Authentication for users, must be secure.", + "guid": "c30749c4-e2af-558c-2eb9-0b6ae84881d1", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", "services": [ - "Monitor" + "AVS", + "Entra" ], "severity": "Medium", - 
"subcategory": "Use Network Monitoring", - "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents", + "subcategory": "Access", + "text": "Use LDAPS not ldap ( vCenter)", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", - "services": [], + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Authentication for users, must be secure.", + "guid": "64cb9b5c-9edd-787e-1dd8-2b2338e51635", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-external-identity-source-nsx-t", + "services": [ + "AVS", + "Entra" + ], "severity": "Medium", - "subcategory": "Security Audits and Penetration Testing", - "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", + "subcategory": "Access", + "text": "Use LDAPS not ldap (NSX-T)", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", - "services": [], - "severity": "Low", - "subcategory": "Infrastructure Deployment", - "text": "Azure AI Services are properly tagged for better management", - "waf": "Operational Excellence" + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "CN or SAN names, no wildcards, contains private key - CER or PFX", + "guid": "bec285ab-037e-d629-81d1-f61dac23cd4c", + "link": "https://youtu.be/4jvfbsrhnEs", + "services": [ + "AVS", + 
"Entra" + ], + "severity": "Medium", + "subcategory": "Security", + "text": "Security certificate installed on LDAPS servers ", + "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", - "services": [], - "severity": "Low", - "subcategory": "Infrastructure Deployment", - "text": "Azure AI Service accounts follows organizational naming conventions", - "waf": "Operational Excellence" + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Standard Azure Roles Based Access Controls", + "guid": "4ba394a2-3c33-104c-8e34-2dadaba9cc73", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity", + "services": [ + "RBAC", + "AVS", + "Entra" + ], + "severity": "Medium", + "subcategory": "Security", + "text": "RBAC applied to Azure roles", + "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Diagnostics Logging", - "text": "Diagnostic logs in Azure AI services resources should be enabled", - "waf": "Operational Excellence" + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Create roles in vCenter required to meet minimum viable access guidelines", + "guid": "b04ca129-83a9-3494-7512-347dd2d766db", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges", + "services": [ + "RBAC", + "AVS", + "Entra" + ], + "severity": "Medium", + "subcategory": "Security", + "text": "RBAC model in vCenter", + 
"waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "guid": "8e477d2f-8004-3dd0-93d6-0aece9e1b2fb", + "link": "Best practice", "services": [ + "RBAC", + "AVS", "Entra" ], - "severity": "High", - "subcategory": "Entra ID based access", - "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", + "severity": "Medium", + "subcategory": "Security", + "text": "CloudAdmin role usage", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "guid": "00e0b729-f9be-f600-8c32-5ec0e8f2ed63", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "services": [ - "AKV", + "RBAC", + "AVS", "Entra" ], - "severity": "High", - "subcategory": "Secure Key Management", - "text": "Store and manage keys securely using Azure Key Vault. 
Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
+ "severity": "Medium",
+ "subcategory": "Security ",
+ "text": "Is Privileged Identity Management implemented",
 "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Azure OpenAI",
+ "category": "Identity",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "For the Azure VMware Solution PIM roles",
+ "guid": "0842d45f-41a8-8274-1155-2f6ed554d315",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
 "services": [
- "AKV"
+ "RBAC",
+ "AVS",
+ "Entra"
 ],
- "severity": "High",
- "subcategory": "Key Rotation and Expiration",
- "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
+ "severity": "Medium",
+ "subcategory": "Security ",
+ "text": "Is Privileged Identity Management audit reporting implemented",
 "waf": "Security"
 },
 {
- "category": "Cost Optimization",
- "checklist": "Azure OpenAI Review",
- "guid": "adfe27be-e297-401a-a352-baaab79b088d",
- "link": "https://github.com/openai/tiktoken",
- "service": "Azure OpenAI",
+ "category": "Identity",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Best practice, also see Monitoring/Alerts",
+ "guid": "915cbcd7-0640-eb7c-4162-9f33775de559",
+ "link": "Best practice",
 "services": [
- "Cost"
+ "AVS",
+ "Monitor",
+ "Entra"
 ],
- "severity": "High",
- "subcategory": "Token Optimization",
- "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
- "waf": "Cost Optimization"
+ "severity": "Medium",
+ "subcategory": "Security ",
+ "text": "Limit use of CloudAdmin 
account to emergency access only",
+ "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
- "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "High",
- "subcategory": "Secure coding practice",
- "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
+ "category": "Identity",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Operational procedure",
+ "guid": "7effa0c0-9172-e8e4-726a-67dbea8be40a",
+ "link": "https://learn.microsoft.com/azure/azure-vmware/rotate-cloudadmin-credentials?tabs=azure-portal",
+ "services": [
+ "AVS",
+ "Entra"
+ ],
+ "severity": "Medium",
+ "subcategory": "Security ",
+ "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
 "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
- "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "High",
- "subcategory": "Patching and updates",
- "text": "Setup a process to regularly update and patch the LLM libraries and other system components",
- "waf": "Security"
+ "category": "Management",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
+ "guid": "8f426fd0-d73b-d398-1f6f-df0cbe262a82",
+ "link": "https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview",
+ "services": [
+ 
"VM", + "AVS", + "Arc" + ], + "severity": "Medium", + "subcategory": "Operations", + "text": "AVS VM Management (Azure Arc)", + "waf": "Operations" }, { - "category": "Responsible AI", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "guid": "11dbe773-e380-9191-1418-e886fa7a6fd0", + "link": "https://docs.microsoft.com/azure/governance/policy/overview", "services": [ - "AzurePolicy" + "AzurePolicy", + "AVS", + "Monitor" ], - "severity": "High", - "subcategory": "Governance", - "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "Operations", + "text": "Azure policy", + "waf": "Operations" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "guid": "1e59c639-9b7e-a60b-5e93-3798c1aff5db", + "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json#configure-locks", "services": [ - "Cost" + "AVS" ], "severity": "Medium", - "subcategory": "Cost familiarization", - "text": "Understand difference in cost of base models and fine tuned models 
and token step sizes",
- "waf": "Cost Optimization"
+ "subcategory": "Operations",
+ "text": "Resource locks",
+ "waf": "Operations"
 },
 {
- "category": "Cost Optimization",
- "checklist": "Azure OpenAI Review",
- "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
- "service": "Azure OpenAI",
+ "category": "Management",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "For manual deployments, all configuration and deployments must be documented",
+ "guid": "8f2c46aa-ca1b-cad3-3ac9-213dfc0a265e",
+ "link": "Make sure to create your own runbook on the deployment of AVS.",
 "services": [
- "Cost"
+ "AVS"
 ],
- "severity": "High",
- "subcategory": "Batch processing",
- "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size",
- "waf": "Cost Optimization"
+ "severity": "Medium",
+ "subcategory": "Operations",
+ "text": "Run books",
+ "waf": "Operations"
 },
 {
- "category": "Cost Optimization",
- "checklist": "Azure OpenAI Review",
- "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
- "service": "Azure OpenAI",
+ "category": "Management",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
+ "guid": "86b314f9-1f1e-317a-4dfb-cf510ad4a030",
+ "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
 "services": [
- "Cost",
+ "AKV",
+ "AVS"
+ ],
+ "severity": "Medium",
+ "subcategory": "Operations",
+ "text": "Naming conventions for auth keys",
+ "waf": "Operations"
+ },
+ {
+ "category": "Monitoring",
+ "checklist": "Azure VMware Solution Implementation Checklist",
+ "description": 
"For automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "guid": "e22a2d99-eb71-7d7c-07af-6d4cdb1d4443", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + "services": [ + "AVS", "Monitor" ], "severity": "Medium", - "subcategory": "Cost monitoring", - "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", - "waf": "Cost Optimization" + "subcategory": "Alerts", + "text": "Create warning alerts for critical thresholds ", + "waf": "Operations" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "guid": "6d02f159-627d-79bf-a931-fab6d947eda2", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", "services": [ - "Cost" + "AVS", + "Monitor" ], "severity": "Medium", - "subcategory": "Token limit", - "text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). 
Optimize the size to ensure it is large enough for a valid response", - "waf": "Cost Optimization" + "subcategory": "Alerts", + "text": "Create critical alert vSAN consumption", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "Azure OpenAI", - "services": [], + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Provides platform alerts (generated by Microsoft)", + "guid": "1cc97b39-2c7e-246f-6d73-789cfebfe951", + "link": "https://www.virtualworkloads.com/2021/04/azure-vmware-solution-azure-service-health/", + "services": [ + "AVS", + "Monitor" + ], "severity": "Medium", - "subcategory": "AI Search Reliability", - "text": "Review the guidance provided on setting up AI search for Reliability", - "waf": "Operational Excellence" + "subcategory": "Alerts", + "text": "Configured for Azure Service Health alerts and notifications", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "guid": "0962606c-e3b4-62a9-5661-e4ffd62a4509", + "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "Storage" + "AVS", + "VM", + "Backup", + "AzurePolicy", + "Monitor" ], "severity": "Medium", - "subcategory": "AI Search Vector Limits", - "text": "Plan and manage AI Search Vector storage", - "waf": "Operational Excellence" + 
"subcategory": "Backup", + "text": "Backup policy", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Keep in mind the lead time for requesting new nodes", + "guid": "4ec7ccfb-795e-897e-4a84-fd31c04eadc6", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", "services": [ - "ACR" + "AzurePolicy", + "AVS", + "Monitor" ], "severity": "Medium", - "subcategory": "DevOps", - "text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning & experimentation. Apply LLMOps practices to automate the lifecycle management of your GenAI applications", - "waf": "Operational Excellence" + "subcategory": "Capacity", + "text": "Policy around ESXi host density and efficiency", + "waf": "Operations" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Azure Cost Management can be used - one option, put AVS in it's own Subscription. 
", + "guid": "7f8f175d-13f4-5298-9e61-0bc7e9fcc279", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/govern", "services": [ - "Cost", - "Storage" + "AVS", + "Subscriptions", + "Monitor", + "Cost" ], - "severity": "High", - "subcategory": "Costing Model", - "text": "Evaluate usage of billing models - PAYG vs PTU. Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version", - "waf": "Cost Optimization" + "severity": "Medium", + "subcategory": "Costs", + "text": "Ensure a good cost management process is in place for Azure VMware Solution - ", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", - "services": [], + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "guid": "01e689e0-7c6c-b58f-37bd-4d6b9b1b9c74", + "link": "https://docs.microsoft.com/azure/azure-portal/azure-portal-dashboards", + "services": [ + "NetworkWatcher", + "AVS", + "Monitor" + ], "severity": "Medium", - "subcategory": "DevOps", - "text": "Evaluate the quality of prompts and applications when switching between model versions", - "waf": "Operational Excellence" + "subcategory": "Dashboard", + "text": "Connection monitor dashboard", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": 
"https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Send to an Azure Storage account or Azure EventHub for processing (direct to Log Analytics is pending)", + "guid": "f9afdcc9-649d-d840-9fb5-a3c0edcc697d", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ + "Storage", + "AVS", "Monitor" ], "severity": "Medium", - "subcategory": "Development", - "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence and fluency", - "waf": "Operational Excellence" + "subcategory": "Logs & Metrics", + "text": "Configure Azure VMware Solution logging ", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", - "services": [], + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Must be on-premises, implement if available", + "guid": "7cbac8c3-4eda-d5d9-9bda-c6b5abba9fb6", + "link": "Is vROPS or vRealize Network Insight going to be used? 
", + "services": [ + "AVS", + "Monitor" + ], "severity": "Medium", - "subcategory": "Development", - "text": "Evaluate your Azure AI Search results based on different search parameters", - "waf": "Operational Excellence" + "subcategory": "Logs & Metrics", + "text": "vRealize Operations", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", - "services": [], + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "guid": "b243521a-644d-f865-7fb6-21f9019c0dd2", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", + "services": [ + "VM", + "AVS", + "Monitor" + ], "severity": "Medium", - "subcategory": "Development", - "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", - "waf": "Operational Excellence" + "subcategory": "Logs & Metrics", + "text": "AVS VM logging", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", - "services": [], + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Between on-premises to Azure are monitored using 'connection monitor'", + "guid": "2ca97d91-dd36-7229-b668-01036ccc3cd3", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + 
"services": [ + "AVS", + "VPN", + "NetworkWatcher", + "ExpressRoute", + "Monitor" + ], "severity": "Medium", - "subcategory": "Development", - "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", - "waf": "Operational Excellence" + "subcategory": "Network", + "text": "Monitor ExpressRoute and/or VPN connections ", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", - "services": [], + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To monitor the Azure VMware Solution back-end ExpressRoute connection (Azure native to AVS)", + "guid": "99209143-60fe-19f0-5633-8b5671277ba5", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + "services": [ + "AVS", + "ExpressRoute", + "Monitor" + ], "severity": "Medium", - "subcategory": "Security Audits and Penetration Testing", - "text": "Red team your GenAI applications", - "waf": "Security" + "subcategory": "Network", + "text": "Monitor from an Azure native resource to an Azure VMware Solution VM", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", - "services": [], + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To monitor end-to-end, on-premises to AVS workloads", + "guid": "b9e5867c-57d3-036f-fb1b-3f0a71664efe", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + "services": [ + "AVS", + "Monitor" + ], "severity": "Medium", - 
"subcategory": "End user feedback", - "text": "Provide end users with scoring options for LLM responses and track these scores. ", - "waf": "Operational Excellence" + "subcategory": "Network", + "text": "Monitor from an on-premises resource to an Azure VMware Solution VM", + "waf": "Operations" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Track requests to Azure VMware Solution and Azure VMware Solution based workloads", + "guid": "4af7c5f7-e5e9-bedf-a8cf-314b81735962", + "link": "Firewall logging and alerting rules are configured (Azure Firewall or 3rd party)", "services": [ - "Cost" + "AVS", + "Monitor" ], - "severity": "High", - "subcategory": "Quota Management", - "text": "Consider Quota management practices. 
Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called", - "waf": "Cost Optimization" + "severity": "Medium", + "subcategory": "Security", + "text": "Auditing and logging is implemented for inbound internet ", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", + "guid": "74be60a3-cfac-f057-eda6-3ee087e805d5", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", + "services": [ + "AVS", + "Monitor" + ], + "severity": "Medium", + "subcategory": "Security", + "text": "Session monitoring ", + "waf": "Operations" + }, + { + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Enable Diagnostic and metric logging on Azure VMware Solution", + "guid": "a434b3b5-f258-0845-cd76-d7df6ef5890e", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ - "LoadBalancer", - "ACR", - "Entra", - "APIM" + "AVS", + "Monitor" ], "severity": "Medium", - "subcategory": "Load Balancing", - "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions", - "waf": "Operational Excellence" + "subcategory": "VMWare", + "text": "Logging and diagnostics", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": 
"9de0d5d7-31d4-41e3-911c-817bfafbc411", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-studio#import-training-data-from-azure-blob-store", - "service": "Azure OpenAI", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Monitor AVS workloads (each VM in AVS)", + "guid": "fb00b69a-83ec-ce72-446e-6c23a0cab09a", + "link": "https://docs.microsoft.com/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard", "services": [ - "Storage" + "VM", + "AVS", + "Monitor" ], "severity": "Medium", - "subcategory": "Fine tuning", - "text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed", - "waf": "Reliability" + "subcategory": "VMware", + "text": "Log Analytics Agents deployed on Azure VMware Solution guest VM workloads", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision on traffic flow", + "guid": "a1354b87-e18e-bf5c-c50b-8ddf0540e971", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", "services": [ - "Monitor" + "AVS" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments", - "waf": "Reliability" + "subcategory": "Hub & Spoke", + "text": "North/South routing through Az Firewall or 3rd party ", + 
"waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", + "guid": "29a8a499-ec31-f336-3266-0895f035e379", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", "services": [ - "Monitor" + "AVS" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor provision-managed utilization if you're using the provisioned throughput payment model", - "waf": "Reliability" + "subcategory": "Hub & Spoke", + "text": "East West (Internal to Azure)", + "waf": "Security" }, { - "category": "Responsible AI", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc414", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/content-filters", - "service": "Azure OpenAI", - "services": [], + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Requires a 3rd party NVA with Azure Route server - Scenario 2 (see link)", + "guid": "ebd3cc3c-ac3d-4293-950d-cecd8445a523", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", + "services": [ + "NVA", + "AVS", + "ARS" + ], "severity": "Medium", - "subcategory": "Content Safety", - "text": "Tune content filters to minimize false positives from overly aggressive filters", - "waf": "Reliability" + "subcategory": "Hub & Spoke", + "text": "ExR without Global Reach", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": 
"9de0d5d7-31d4-41e3-911c-817bfafbc415", - "link": "https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", + "guid": "ffb5c5ca-bd89-ff1b-8b73-8a54d503d506", + "link": "https://learn.microsoft.com/azure/route-server/route-server-faq", "services": [ - "AKV" + "AVS", + "ARS" ], "severity": "Medium", - "subcategory": "Key Management", - "text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI", - "waf": "Security" + "subcategory": "Hub & Spoke", + "text": "Route server ", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Via on-premises, Az Firewall, 3rd Party, NSX-T pubic IP", + "guid": "a4070dad-3def-818d-e9f7-be440d10e7de", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-design-public-internet-access", "services": [ - "LoadBalancer" + "AVS" ], "severity": "Medium", - "subcategory": "Jailbreak protection", - "text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks", + "subcategory": "Internet", + "text": "Egress point(s)", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", - "service": "Azure 
OpenAI", - "services": [], + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Az Firewall, 3rd party NVA, Application Gateway, Azure Frontdoor ", + "guid": "e942c03d-beaa-3d9f-0526-9b26cd5e9937", + "link": "Research and choose optimal solution for each application", + "services": [ + "AppGW", + "NVA", + "AVS", + "FrontDoor" + ], "severity": "Medium", - "subcategory": "Quota exhaustion", - "text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas", + "subcategory": "Internet", + "text": "Internet facing applications", "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a9", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", + "guid": "e778a2ec-b4d7-1d27-574c-14476b167d37", + "link": "https://docs.microsoft.com/azure/route-server/route-server-faq#route-server-limits", "services": [ - "Cost" + "AVS", + "ARS" ], "severity": "Medium", - "subcategory": "Cost estimation", - "text": "Develop your cost model, considering prompt sizes. Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model", - "waf": "Cost Optimization" + "subcategory": "Routing", + "text": "When route server Route limit understood? 
", + "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a1", - "link": "https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "(VPN Gateway, AppGW, FrontDoor, Load balancer, VMs (etc) (Remove: enabled on ExR/VPN Gateway subnet in Azure)", + "guid": "66c97b30-81b9-139a-cc76-dd1d94aef42a", + "link": "https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection", "services": [ - "Cost" + "AppGW", + "AVS", + "VM", + "VPN", + "DDoS", + "ExpressRoute", + "LoadBalancer", + "VNet", + "FrontDoor" ], "severity": "Medium", - "subcategory": "Model selection", - "text": "Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. Optimize costs while still achieving the desired application performance", - "waf": "Cost Optimization" + "subcategory": "Security", + "text": "Is DDoS standard protection of public facing IP addresses? 
", + "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To manage Azure VMware Solution, vCenter, NSX manager and HCX manager", + "guid": "d43da920-4ecc-a4e9-dd45-a2986ce81d32", + "link": "Best practice: Bastion or 3rd party tool", "services": [ - "Cost" + "AVS" ], "severity": "Medium", - "subcategory": "Usage Optimization", - "text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. The cost for generating 100 images is the same as the cost for 1 image", - "waf": "Cost Optimization" + "subcategory": "Security", + "text": "Use a dedicated privileged access workstation (PAW)", + "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a3", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use NSX-T for inter-vmware-traffic inspection", + "guid": "a2dac74f-5380-6e39-25e6-f13b99ece51f", + "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-F6685367-7AA1-4771-927E-ED77727CFDA3.html", "services": [ - "Cost" + "AVS" ], "severity": "Medium", - "subcategory": "Usage Optimization", - "text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee", - "waf": "Cost Optimization" + "subcategory": "Traffic 
Inspection", + "text": "East West (Internal to AVS)", + "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision on whether or not to use Secure hub for E/W and Internet traffic - requires Global Reach", + "guid": "3f621543-dfac-c471-54a6-7b2849b6909a", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", "services": [ - "Cost" + "VWAN", + "AVS", + "Firewall" ], "severity": "Medium", - "subcategory": "Token Optimization", - "text": "Create concise prompts that provide enough context for the model to generate a useful response. Also ensure that you optimize the limit of the response length.", - "waf": "Cost Optimization" + "subcategory": "Virtual WAN", + "text": "Use Secure Hub (Azure Firewall or 3rd party)", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219", - "link": "https://learn.microsoft.com/azure/ai-services/create-account-bicep", - "service": "Azure OpenAI", - "services": [], + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", + "guid": "d7af5670-1b39-d95d-6da2-8d660dfbe16b", + "link": "https://learn.microsoft.com/azure/firewall-manager/secure-cloud-network", + "services": [ + "VWAN", + "AVS" + ], "severity": "Medium", - "subcategory": "IaC", - "text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models", - "waf": "Operational Excellence" + 
"subcategory": "Virtual WAN", + "text": "East West (Internal to Azure)", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5855", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/openai", - "service": "Azure OpenAI", - "services": [], + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "guid": "7d049005-eb35-4a93-50a5-3b31a9f61161", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-nsx-network-components-azure-portal", + "services": [ + "AVS", + "Subscriptions" + ], "severity": "Medium", - "subcategory": "Development", - "text": "Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups", - "waf": "Operational Excellence" + "subcategory": "Automated Scale", + "text": "Scale out operations planning", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "guid": "7242c1de-da37-27f3-1ddd-565ccccb8ece", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", "services": [ - "APIM", - "AzurePolicy" + "AzurePolicy", + "Storage", + 
"AVS" ], "severity": "Medium", - "subcategory": "Development best practices", - "text": "Implement an error handling policy at the global level", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "Scale in operations planning", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "guid": "3233e49e-62ce-97f3-8737-8230e771b694", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", "services": [ - "APIM", - "AzurePolicy" + "AVS" ], "severity": "Medium", - "subcategory": "Development best practices", - "text": "Ensure all APIs policies include a element.", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "Scale serialized operations planning", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "guid": "68161d66-5707-319b-e77d-9217da892593", + "link": "Best practice (testing)", "services": [ - "ACR", - "APIM", - "AzurePolicy" + "AVS" ], "severity": "Medium", - 
"subcategory": "Development best practices", - "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "Scale rd operations planning", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Define and enforce scale in/out maximum limits for your environment in the automations", + "guid": "c32cb953-e860-f204-957a-c79d61202669", + "link": "Operational planning - understand workload requirements", "services": [ - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "Monetization", - "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "Scale maximum operations planning", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "guid": "7bd65a5e-7b5d-652d-dbea-fc6f73a42857", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring", "services": [ - "Monitor", - "APIM" + "AVS", + "Monitor" ], - "severity": "High", - "subcategory": "Monitoring", - 
"text": "Enable Diagnostics Settings to export logs to Azure Monitor", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Automated Scale", + "text": "Monitor scaling operations ", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Consider the use of Azure Private-Link when using other Azure Native Services", + "guid": "95e374af-8a2a-2672-7ab7-b4a1be43ada7", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", "services": [ - "Monitor", - "APIM" + "AVS", + "PrivateLink" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Enable Application Insights for more detailed telemetry", - "waf": "Operations" + "subcategory": "Networking", + "text": "Private link", + "waf": "Performance" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "guid": "71eff90d-5ad7-ac60-6244-2a6f7d3c51f2", + "link": "Best practice", "services": [ - "Monitor", - "APIM" + "AVS" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Configure alerts on the most critical metrics", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Networking", + "text": "Provisioning Vmware VLANs", + "waf": "Performance" }, { - "category": 
"Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "In which region will AVS be deployed", + "guid": "04e3a2f9-83b7-968a-1044-2811811a924b", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", "services": [ - "AKV", - "APIM", - "Entra" + "AVS" ], - "severity": "High", - "subcategory": "Data protection", - "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Region selected", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Are there regulatory or compliance policies in play", + "guid": "e52d1615-9cc6-565c-deb6-743ed7e90f4b", + "link": "Internal policy or regulatory compliance", "services": [ - "Entra", - "APIM" + "AzurePolicy", + "AVS" ], - "severity": "High", - "subcategory": "Identity", - "text": "Protect incoming requests to APIs (data plane) with Azure AD", - "waf": "Security" + "severity": "Medium", + 
"subcategory": "Pre-deployment", + "text": "Data residency compliant with selected regions", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Request through the support blade", + "guid": "92bd5ad6-441f-a983-7aa9-05dd669d760b", + "link": "https://learn.microsoft.com/azure/migrate/concepts-azure-vmware-solution-assessment-calculation", "services": [ - "Entra", - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Request for number of AVS hosts submitted ", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", - "services": [ - "Entra", - "APIM" + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "PG approval for deployment", + "guid": "28370f63-1cb8-2e35-907f-c5516b6954fa", + "link": "Support request through portal or get help from Account Team", + "services": [ + "AVS" ], "severity": "Medium", - "subcategory": "Privileged access", - "text": "Create appropriate groups to control the visibility of the products", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Region and number of AVS nodes approved", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": 
"https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Portal/subscription/resource providers/ Microsoft.AVS", + "guid": "96c76997-30a6-bb92-024d-f4f93f5f57fa", + "link": "Done through the subscription/resource providers/ AVS register in the portal", "services": [ - "APIM" + "AVS", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Use Backends feature to eliminate redundant API backend configurations", - "waf": "Operations" + "subcategory": "Pre-deployment", + "text": "Resource provider for AVS registered", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Connectivity, subscription & governanace model", + "guid": "5898e3ff-5e6b-bee1-6f85-22fee261ce63", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/enterprise-scale-landing-zone", "services": [ - "APIM", - "AzurePolicy" + "AVS", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Use Named Values to store common values that can be used in policies", - "waf": "Operations" + "subcategory": "Pre-deployment", + "text": "Landing zone architecture", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "The 
name of the RG where AVS will exist", + "guid": "d0181fb8-9cb8-bf4b-f5e5-b5f9bf7ae4ea", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal", "services": [ - "ACR", - "APIM", - "ASR" + "AVS" ], "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", + "subcategory": "Pre-deployment", + "text": "Resource group name selected", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Each resource created as part of the deployment will also utilize this prefix in the name", + "guid": "0f0d20c2-5a19-726c-de20-0984e070d9d6", + "link": "Best practice - naming standards", "services": [ - "APIM", - "ASR" + "AVS" ], "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", + "subcategory": "Pre-deployment", + "text": "Deployment prefix selected", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "/22 unique non-overlapping IPv4 address space", + "guid": "7fbf2ab7-a36c-5957-c27a-67038557af2a", + "link": 
"https://learn.microsoft.com/azure/azure-vmware/tutorial-network-checklist#routing-and-subnet-considerations", "services": [ - "APIM", - "Backup", - "ASR" + "AVS" ], - "severity": "High", - "subcategory": "Business continuity and disaster recovery", - "text": "Ensure there is an automated backup routine", + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Network space for AVS management layer", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "vNets used by workloads running in AVS (non-stretched)", + "guid": "0c87f999-e517-21ef-f355-f210ad4134d2", + "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4B3860B8-1883-48CA-B2F3-7C2205D91D6D.html", "services": [ - "APIM", - "AzurePolicy" + "AVS", + "VNet" ], "severity": "Medium", - "subcategory": "Failover and Caching", - "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", + "subcategory": "Pre-deployment", + "text": "Network space for AVS NSX-T segments", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "f96ddac5-77ec-4fa9-8833-4327f052059e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-cache-external", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Choose AV36, AV36P, AV52, AV36T (AV36T = Trial)", + "guid": "946c8966-f902-6f53-4f37-00847e8895c2", + "link": "https://azure.microsoft.com/pricing/details/azure-vmware/", "services": [ - "APIM", - "AzurePolicy" + "AVS" ], "severity": "Medium", - "subcategory": "Performance and scalability", - "text": "Consider using a external 
cache policy for APIs that can benefit from caching", - "training": "https://learn.microsoft.com/training/modules/improve-api-performance-with-apim-caching-policy/" + "subcategory": "Pre-deployment", + "text": "AVS SKU (region dependent)", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use the Azure migration assessment tool to determine the minimum number of nodes required (consider BCDR as well)", + "guid": "31833808-26ba-9c31-416f-d54a89a17f5d", + "link": "https://learn.microsoft.com/azure/migrate/how-to-assess", "services": [ - "APIM", - "AzurePolicy", - "EventHubs" + "AVS" ], - "severity": "Low", - "subcategory": "Performance and scalability", - "text": "If you need to log at high performance levels, consider Event Hubs policy", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Number of hosts to be deployed", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Understand how and if you should be using reserved instances (cost control)", + "guid": "f2b73c4f-3d46-32c9-5df1-5b8dfcd3947f", + "link": "https://azure.microsoft.com/en-ca/pricing/details/azure-vmware/#:~:text=Azure%20VMware%20Solution%20%20%20%20Instance%20size,TB%20%28all%20NVMe%29%20%20%20N%2FA%20%2Fhour%20", "services": [ - "APIM", - "AzurePolicy" + "AVS", + "Cost" ], "severity": "Medium", - 
"subcategory": "Performance and scalability", - "text": "Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Performance" + "subcategory": "Pre-deployment", + "text": "Reserverd Instances", + "waf": "Cost" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "guid": "94ac48ab-ade5-3fa7-f800-263feeb97070", + "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", "services": [ - "APIM" + "AVS", + "ASR" ], "severity": "Medium", - "subcategory": "Performance and scalability", - "text": "Configure autoscaling to scale out the number of instances when the load increases", + "subcategory": "Pre-deployment", + "text": "Capacity ", "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Identify which of the networking scenarios make ", + "guid": "1f9d4bd5-14b8-928c-b4cb-eb211f9b8de5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", "services": [ - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "Performance and scalability", - "text": "Deploy self-hosted gateways 
where Azure doesn't have a region close to the backend APIs.", - "waf": "Performance" + "subcategory": "Pre-deployment", + "text": "Networking & Connectivity See docs describing scenrario 1 through 5", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "guid": "070db19b-8a2a-fd6a-c39b-4488d8780da9", + "link": "Please Check Partner Ecosystem", "services": [ - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "Premium Tier", - "text": "Use the premium tier for production workloads.", + "subcategory": "Pre-deployment", + "text": "3rd party application compatibility ", "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "guid": "70cfbddc-d3d4-9188-77c8-1cabaefef646", + "link": "General recommendation for storing encryption keys.", "services": [ - "APIM", - "AzurePolicy" + "AKV", + "AVS" ], "severity": "Medium", - "subcategory": "Request Routing", - "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", - "waf": "Reliability" + "subcategory": "Encryption", + "text": "Use Azure Key Vault with 
in-guest encryption ", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", + "guid": "c1a81638-18df-0ce9-a73a-4b9a8a8dd392", + "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#data-at-rest-encryption", "services": [ - "Entra", - "APIM" + "AVS", + "SQL" ], - "severity": "High", - "subcategory": "Resource Limits", - "text": "Be aware of APIM's limits", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Encryption", + "text": "Use in-guest encryption", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "guid": "8d0a8f51-8d35-19cd-c2fe-4e3512fb467e", + "link": "https://docs.microsoft.com/azure/key-vault/general/authentication", "services": [ - "APIM" + "AKV", + "AVS", + "ExpressRoute" ], - "severity": "High", - "subcategory": "Self-Hosted", - "text": "Ensure that the self-hosted gateway deployments are resilient.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Encryption", + "text": "Keyvault use for secrets", + "waf": 
"Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Older OS security patching configured for workloads running on Azure VMware Solution are eligible for ESU", + "guid": "4f8b20e9-a2a1-f80f-af9b-8aa3b26dca08", + "link": "https://docs.microsoft.com/windows-server/get-started/extended-security-updates-deploy", "services": [ - "Entra", - "APIM", - "FrontDoor" + "AVS" ], "severity": "Medium", - "subcategory": "Connectivity", - "text": "Use Azure Front Door in front of APIM for multi-region deployment", - "waf": "Performance" + "subcategory": "Extended support", + "text": "Ensure extended security update support ", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use a SIEM/SOAR", + "guid": "9bb22fec-4d00-3b95-7136-e225d0f5c63a", + "link": "https://learn.microsoft.com/azure/sentinel/overview", "services": [ - "APIM", - "VNet" + "Sentinel", + "AVS" ], "severity": "Medium", - "subcategory": "Security", - "text": "Deploy the service within a Virtual Network (VNet)", + "subcategory": "Investigation", + "text": "Enable Azure Sentinel or 3rd party SIEM ", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": 
"02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "MS Defender For Cloud, for workloads running on Azure VMware Solution", + "guid": "f42b0b09-c591-238a-1580-2de3c485ebd2", + "link": "https://learn.microsoft.com/azure/azure-vmware/azure-security-integration#prerequisites", "services": [ - "Monitor", - "APIM", - "Entra", - "VNet" + "AVS", + "Defender" ], "severity": "Medium", "subcategory": "Security", - "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", + "text": "Enable Advanced Threat Detection ", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Are the applicable policies enabled (compliance baselines added to MDfC)", + "guid": "bcdd2348-3d0e-c6bb-1092-aa4cd1a66d6b", + "link": "https://docs.microsoft.com/azure/azure-vmware/azure-security-integration", "services": [ - "Entra", - "APIM", - "PrivateLink", - "VNet" + "AzurePolicy", + "AVS" ], "severity": "Medium", "subcategory": "Security", - "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", + "text": "Policy & Regulatory Compliance", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - 
"checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Azure to Azure (E/W), Azure to On-premises), AVS to Internet, AVS to Azure", + "guid": "607c1ca9-da92-ae19-5a4c-eb1e876acbe7", + "link": "https://techcommunity.microsoft.com/t5/azure-migration-and/firewall-integration-in-azure-vmware-solution/ba-p/2254961#:~:text=Azure%20VMware%20Solution%20customers%20have%20multiple%20security%20options,the%20box%20to%20provide%20East-West%20and%20North-South%20firewalling.", "services": [ - "APIM" + "AVS" ], - "severity": "High", - "subcategory": "Security", - "text": "Disable Public Network Access", + "severity": "Medium", + "subcategory": "Firewalls", + "text": "Azure / 3rd party firewall", "waf": "Security" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To allow HCX appliance to connect/sync", + "guid": "1d87925c-c02b-7fde-a425-7e95ad846a27", + "link": "https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-2CFE1654-9CC9-4EDB-A625-21317299E559.html", "services": [ - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "Automation", - "text": "Simplify management with PowerShell automation scripts", - "waf": "Operations" + "subcategory": "Firewalls", + "text": "Firewalls allow for East/West traffic inside AVS", + "waf": 
"Security" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision on which tool to use (SRM requires additional license - enables automation & other features)", + "guid": "468b3495-2f6e-b65a-38ef-3ba631bcaa46", + "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-B842696B-89EF-4183-9C73-B77157F56055.html", "services": [ - "Entra", - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operations" + "subcategory": "Networking", + "text": "HCX and/or SRM", + "waf": "Reliability" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Read up on requirements for Service Mesh requirements and how HCX ", + "guid": "be2ced52-da08-d366-cf7c-044c19e29509", + "link": "https://docs.vmware.com/en/VMware-HCX/4.6/hcx-user-guide/GUID-76BCD059-A31A-4041-9105-ACFB56213E7C.html", "services": [ - "Entra", - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Promote usage of Visual Studio Code APIM extension for faster API development", - "waf": "Operations" + "subcategory": "Networking", + "text": "Configuring and Managing the HCX Interconnect", + "waf": 
"Reliability" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "If you are planning on using stretch networks ensure that your on-premises environment requirements", + "guid": "7dcac579-fc5c-5c9c-f1f7-9b1149ff2c37", + "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-DBDB4D1B-60B6-4D16-936B-4AC632606909.html", "services": [ - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "DevOps", - "text": "Implement DevOps and CI/CD in your workflow", + "subcategory": "Networking", + "text": "Restrictions and limitations for network extensions", + "waf": "Performance" + }, + { + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Do workloads require MoN?", + "guid": "cf45c0b9-6c4b-3bfb-86c5-62fe54061c73", + "link": "https://learn.microsoft.com/azure/azure-vmware/vmware-hcx-mon-guidance", + "services": [ + "AVS" + ], + "severity": "Medium", + "subcategory": "Networking", + "text": "Mobility optimized networking", + "waf": "Performance" + }, + { + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Operating system level of Vmware environment", + "guid": "b7cf11f3-b12e-5189-991a-06df5250d2ca", + "link": "https://learn.microsoft.com/azure/site-recovery/vmware-physical-azure-support-matrix", + "services": [ + "AVS" + ], + "severity": "Medium", + "subcategory": "On-premises pre-requisites", + "text": "Support matrix (OS versions etc).", "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Required that all switches are dynamic", + "guid": "45fe9252-aa1b-4e30-45c6-bc02f3b76acf", + "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/vsan-network-design-guide/GUID-91E1CD6F-33A6-4AC6-BC22-3E4807296F86.html#:~:text=Migrate%20Management%20Network%201%20Add%20hosts%20to%20the,each%20host.%20...%204%20Finish%20the%20configuration.%20", "services": [ - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "APIs", - "text": "Secure APIs using client certificate authentication", - "waf": "Security" + "subcategory": "On-premises pre-requisites", + "text": "Standard switches converted to dynamic switches", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "See sections on sizing and capacity in the link.", + "guid": "e9f6d736-ee44-e2ac-e7f9-e361f8c857f3", + "link": "https://learn.microsoft.com/azure/azure-vmware/plan-private-cloud-deployment", "services": [ - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "APIs", - "text": "Secure backend services using client certificate authentication", - "waf": "Security" + "subcategory": "On-premises pre-requisites", + "text": "Capacity for HCX appliance", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "category": "VMware", + "checklist": "Azure 
VMware Solution Implementation Checklist", + "description": "Check hardware restrictions to ensure compatibility with AVS/OS ", + "guid": "1be2cdd6-15a7-9a33-aea7-113859035ce9", + "link": "https://kb.vmware.com/s/article/2007240#:~:text=ESXi%2FESX%20hosts%20and%20compatible%20virtual%20machine%20hardware%20versions,%20Not%20Supported%20%204%20more%20rows", "services": [ - "APIM" + "AVS" ], "severity": "Medium", - "subcategory": "APIs", - "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", - "waf": "Security" + "subcategory": "On-premises pre-requisites", + "text": "Hardware compatibility", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Need to be converted", + "guid": "16ab821a-27c6-b6d3-6042-10dc4d6dfcb7", + "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-01D3CF47-A84A-4988-8103-A0487D6441AA.html", "services": [ - "APIM" + "Storage", + "AVS" ], "severity": "Medium", - "subcategory": "APIs", - "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", - "waf": "Security" + "subcategory": "Storage", + "text": "VSAN RDM disks are converted - not supported.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Need to be converted", + "guid": 
"eb2f9313-afb2-ab35-aa24-6d97a3cb0611", + "link": "3rd-Party tools", "services": [ - "APIM" + "VM", + "Storage", + "AVS" ], - "severity": "High", - "subcategory": "Ciphers", - "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "VM with SCSI shared bus are not supported", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Remove Direct IO before migration", + "guid": "3f2a5cff-c8a6-634a-1f1b-53ef9d321381", + "link": "Contact VMware", "services": [ - "AKV", - "APIM" + "VM", + "Storage", + "AVS" ], - "severity": "High", - "subcategory": "Data protection", - "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "VM with Direct IO require removing DirectPath device", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Cannot migrate clusters ", + 
"guid": "efc8a311-74f8-0252-c6a0-4bac7610e266", + "link": "Contact VMware", "services": [ - "Entra", - "APIM" + "Storage", + "AVS" ], "severity": "Medium", - "subcategory": "Identities", - "text": "Use managed identities to authenticate to other Azure resources whenever possible", - "waf": "Security" + "subcategory": "Storage", + "text": "Shared VMDK files are not supported", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Convert to a different format", + "guid": "ab6c89cd-a26f-b894-fe59-61863975458e", + "link": "Contact VMware", "services": [ - "WAF", - "Entra", - "APIM", - "AppGW" + "Storage", + "AVS" ], - "severity": "High", - "subcategory": "Network", - "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "RDM with 'physical compatibility mode' are not supported.", + "waf": "Operations" }, { - "category": "BCDR", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Ensure that your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can also choose to encrypt the backup using a customer-managed key. 
In this case, ensure this customer-managed key in the key vault is also in the backup scope.", - "guid": "676f6951-0368-49e9-808d-c33a692c9a64", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning 'RAID-1 FTT-1' is default with Thin Provisioning", + "guid": "7628d446-6b10-9678-9cec-f407d990de43", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", "services": [ - "SQL", - "AKV", - "Backup" + "AzurePolicy", + "Storage", + "AVS", + "VM" ], "severity": "Medium", - "subcategory": "Azure Key Vault", - "text": "Protect your backup data with encryption and store keys safely in Azure Key Vault", - "waf": "Security" + "subcategory": "Storage", + "text": "Default storage policy", + "waf": "Operations" }, { - "category": "BCDR", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure SQL Database uses SQL Server technology to create full backups every week, differential backup every 12-24 hours, and transaction log backup every 5 to 10 minutes. 
By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region.", - "guid": "e2518261-b3bc-4bd1-b331-637fb2df833f", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "The default storage policy is set to RAID-1 (Mirroring) FTT-1, with Object Space Reservation set to Thin provisioning.", + "guid": "37fef358-7ab9-43a9-542c-22673955200e", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-storage-policy", "services": [ - "SQL", + "AzurePolicy", "Storage", - "Backup" + "AVS", + "VM" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Configure Azure SQL Database automated backups", - "waf": "Security" + "subcategory": "Storage", + "text": "Ensure that the appropriate VM template storage policy is used", + "waf": "Operations" }, { - "category": "BCDR", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region. 
For SQL Database, the backup storage redundancy can be configured at the time of database creation or can be updated for an existing database; the changes made to an existing database apply to future backups only.", - "guid": "f8c7cda2-3ed7-43fb-a100-85dcd12a0ee4", - "link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "guid": "ebebd109-9f9d-d85e-1b2f-d302012843b7", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", "services": [ - "SQL", + "AzurePolicy", "Storage", - "Backup" + "AVS" ], - "severity": "Low", - "subcategory": "Backup", - "text": "Enable geo-redundant backup storage to protect against single region failure and data loss", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "Failure to tolerate policy", + "waf": "Operations" }, { - "category": "Code", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Malicious code can potentially circumvent security controls. Before deploying custom code to production, it is essential to review what's being deployed. Use a database tool like Azure Data Studio that supports source control. 
Implement tools and logic for code analysis, vulnerability and credential scanning.", - "guid": "7ca9f006-d2a9-4652-951c-de8e4ac5e76e", - "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "ANF can be used to extend storage for Azure VMware Solution,", + "guid": "1be821bd-4f37-216a-3e3d-2a5ac6996863", + "link": "https://learn.microsoft.com/azure/azure-vmware/netapp-files-with-azure-vmware-solution", "services": [ - "SQL" + "Storage", + "AVS" ], "severity": "Medium", - "subcategory": "Source Control and Code Review", - "text": "Use Source Control systems to store, maintain and review application code deployed inside Azure SQLDB Database", - "waf": "Security" + "subcategory": "Storage", + "text": "Use ANF for external storage", + "waf": "Operations" }, { - "category": "Data Discovery and Classification", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "In case of classification requirements Purview is the preferred option. Only use SQL Data Discovery & Classification in case Purview is not an option. Discover columns that potentially contain sensitive data. What is considered sensitive data heavily depends on the customer, compliance regulation, etc., and needs to be evaluated by the users in charge of that data. Classify the columns to use advanced sensitivity-based auditing and protection scenarios. 
Review results of automated discovery and finalize the classification if necessary.", - "guid": "d401509b-2629-4484-9a7f-af0d29a7778f", - "link": "https://learn.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview?view=azuresql#faq---advanced-classification-capabilities", - "services": [ - "SQL" - ], - "severity": "Low", - "subcategory": "Data Discovery and Classification", - "text": "Plan and configure Data Discovery & Classification to protect the sensitive data", - "waf": "Security" + "category": "BC and DR", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Select the right Function hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "category": "Data Masking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Usage of this feature is recommended only if column encryption is not an option and there is a specific requirement to preserve data types and formats. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. 
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer.", - "guid": "9391fd50-135e-453e-90a7-c1a23f88cc13", - "link": "https://learn.microsoft.com/azure/azure-sql/database/dynamic-data-masking-overview", - "services": [ - "SQL" - ], - "severity": "Low", - "subcategory": "Data Masking", - "text": "Use Data Masking to prevent unauthorized non-admin users data access if no encryption is possible", - "waf": "Security" + "category": "BC and DR", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' and tolower(kind) !contains 'workflow' | extend aspResourceId = tostring(properties.serverFarmId), managedEnvId = tostring(properties.managedEnvironmentId), sku = tostring(properties.sku) | extend sku = iif(isnotempty(sku), sku, iif(isnotempty(managedEnvId), 'ContainerApps', '')) | where sku !in ('Dynamic', 'FlexConsumption', '') | extend aspName = tostring(split(aspResourceId, '/').[-1]), managedEnvName = tostring(split(managedEnvId, '/').[-1]) | extend HostingPlan = tostring(iif(isnotempty(aspName), aspName, managedEnvName)) | project functionAppName = name, functionAppId = id, HostingPlan, sku | join kind=inner ( resources | where type =~ 'Microsoft.Web/serverfarms' or type =~ 'Microsoft.App/managedEnvironments' | extend HostingPlan = tostring(name), zoneRedundant = tostring(properties.zoneRedundant), compliant = tobool(properties.zoneRedundant) | project HostingPlan, resourceId = id, zoneRedundant, compliant ) on HostingPlan | project functionAppName, functionAppId, sku, HostingPlan, resourceId, zoneRedundant, compliant", + "service": "Azure Functions", + "services": [], + "severity": "High", + "subcategory": 
"High Availability", + "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", + "waf": "Reliability" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "SQL Advanced Threat Detection (ATP) provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Microsoft Defender for Cloud, which includes clear investigation and remediation steps for the specific threat.", - "guid": "4e52d73f-5d37-428f-b3a2-e6997e835979", - "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", + "category": "BC and DR", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", + "services": [], + "severity": "Medium", + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "services": [ - "SQL", - "EventHubs", - "Defender" + "AppSvc" ], "severity": "High", - "subcategory": "Advanced Threat Protection", - "text": "Review and complete Advanced Threat Protection (ATP) configuration", - "waf": "Security" + "subcategory": "High Availability", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Defender", - "checklist": "Azure 
SQLDB Security Checklist (Preview)", - "description": "Enable Microsoft Defender for Azure SQL at the subscription level to automatically onboard and protect all existing and future servers and databases. When you enable on the subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected. You can then disable them individually if you choose. If you want to manually manage which databases are protected, disable at the subscription level and enable each database that you want protected.", - "guid": "dff87489-9edb-4cef-bdda-86e8212b2aa1", - "link": "https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql#enable-microsoft-defender-for-sql ", + "category": "BC and DR", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' | where tolower(kind) !contains 'workflow' | where isnotempty(properties.serverFarmId) | extend sku = tostring(properties.sku) | where isnotempty(sku) | where sku !in ('Dynamic', 'FlexConsumption', 'ElasticPremium') | extend alwaysOn = properties.siteConfig.alwaysOn | project functionAppName = name, functionAppId = id, serverFarmId = tostring(properties.serverFarmId), sku, alwaysOn, compliant = tobool(alwaysOn)", + "service": "Azure Functions", "services": [ - "SQL", - "Subscriptions", - "Defender" + "AppSvc" ], "severity": "High", - "subcategory": "Defender for Azure SQL", - "text": "Enable Microsoft Defender for Azure SQL", - "waf": "Security" + "subcategory": "High Availability", + "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", + "waf": "Reliability" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Microsoft Defender for Azure SQL ATP detects anomalous activities 
indicating unusual and potentially harmful attempts to access or exploit databases. Alerts can be configured and generated and will be reported in the Defender for console.", - "guid": "ca342fdf-d25a-4427-b105-fcd50ff8a0ea", - "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", + "category": "BC and DR", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "services": [ - "SQL", - "Monitor", - "Defender" + "Storage" ], - "severity": "High", - "subcategory": "Defender for Azure SQL", - "text": "Prepare a security response plan to promptly react to Microsoft Defender for Azure SQL alerts", - "waf": "Security" + "severity": "Medium", + "subcategory": "High Availability", + "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled", + "waf": "Reliability" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure SQLDB vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. 
It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.", - "guid": "a6101ae7-534c-45ab-86fd-b34c55ea21ca", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview", + "category": "Application Deployment", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", + "services": [], + "severity": "Medium", + "subcategory": "CI/CD", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", + "waf": "Operations" + }, + { + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "services": [ - "SQL", - "Monitor", - "Defender" + "AzurePolicy", + "APIM" ], - "severity": "High", - "subcategory": "Vulnerability Assessment", - "text": "Configure Vulnerability Assessment (VA) findings and review recommendations", - "waf": "Security" + "severity": "Medium", + "subcategory": "Development best practices", + "text": "Implement an error handling policy at the global level", + "waf": "Operations" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL Databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. 
You can use the findings to remediate software vulnerabilities and disable findings.", - "guid": "c8c5f112-1e50-4f77-9264-8195b4cd61ac", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-find?view=azuresql", + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "services": [ - "SQL", - "Defender" + "AzurePolicy", + "APIM" ], - "severity": "High", - "subcategory": "Vulnerability Assessment", - "text": "Regularly review of Vulnerability Assessment (VA) findings and recommendations and prepare a plan to fix", - "waf": "Security" + "severity": "Medium", + "subcategory": "Development best practices", + "text": "Ensure all APIs policies include a element.", + "waf": "Operations" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Always Encrypted with Secure Enclaves expands confidential computing capabilities of Always Encrypted by enabling in-place encryption and richer confidential queries. Always Encrypted with Secure Enclaves addresses these limitations by allowing some computations on plaintext data inside a secure enclave on the server side. 
Usage of this feature is recommended for the cases where you need to limit administrator access and need your queries to support more than equality matching of encrypted columns.", - "guid": "65d7e54a-10a6-4094-b673-9ff3809c9277", - "link": "https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves", + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "services": [ - "SQL" + "AzurePolicy", + "ACR", + "APIM" ], "severity": "Medium", - "subcategory": "Always Encrypted", - "text": "If protecting sensitive PII data from admin users is a key requirement, but Column Encryption limitations cannot be tolerated, consider the adoption of Always Encrypted with Secure Enclaves", - "waf": "Security" + "subcategory": "Development best practices", + "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", + "waf": "Operations" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This approach is called column encryption, because you can use it to encrypt specific columns with different encryption keys. Doing so gives you more granular encryption capability than TDE, which encrypts data in pages. Using Always Encrypted to ensure sensitive data isn't exposed in plaintext in Azure SQL Database or SQL Managed Instance, even in memory/in use. 
Always Encrypted protects the data from Database Administrators (DBAs) and cloud admins (or bad actors who can impersonate high-privileged but unauthorized users) and gives you more control over who can access your data.", - "guid": "c03ce136-e3d5-4e17-bf25-ed955ee480d3", - "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption", + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", "services": [ - "SQL", - "AKV", - "Storage" + "APIM" ], - "severity": "Low", - "subcategory": "Column Encryption", - "text": "To protect sensitive PII data from non-admin users in specific table columns, consider using Column Encryption", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monetization", + "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", + "waf": "Operations" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Enabled by default, Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application.", - "guid": "c614ac47-bebf-4061-b0a1-43e0c6b5e00d", - "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "services": [ - "SQL", - "Storage", - 
"Backup" + "Monitor", + "APIM" ], "severity": "High", - "subcategory": "Transparent Data Encryption", - "text": "Ensure Transparent Data Encryption (TDE) is kept enabled", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "waf": "Operations" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "If separation of duties in the management of keys and data within the organization is required, leverage Customer Managed Keys (CMK) for Transparent Data Encryption (TDE) for your Azure SQLDB and use Azure Key Vault to store (refer to its checklist). Leverage this feature when you have strict security requirements which cannot be met by the managed service keys.", - "guid": "2edb4165-4f54-47cc-a891-5c82c2f21e25", - "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview", + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "services": [ - "SQL", - "AKV" + "Monitor", + "APIM" ], "severity": "Medium", - "subcategory": "Transparent Data Encryption", - "text": "Use customer-managed keys (CMK) in Azure Key Vault (AKV) if you need increased transparency and granular control over the TDE protection", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Enable Application Insights for more detailed telemetry", + "waf": "Operations" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The minimal Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses. 
It's possible to change the minimum TLS version by using the Azure portal, Azure PowerShell, and the Azure CLI.", - "guid": "7754b605-57fd-4bcb-8213-52c39d8e8225", - "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?source=recommendations&view=azuresql&tabs=azure-portal#minimal-tls-version", + "category": "Governance", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "services": [ - "SQL" + "Monitor", + "APIM" ], "severity": "High", - "subcategory": "Transport Layer Security", - "text": "Enforce minimum TLS version to the latest available", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Configure alerts on the most critical metrics", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Use Azure Active Directory (Azure AD) authentication for centralized identity management. 
Use SQL Authentication only if really necessary and document as exceptions.", - "guid": "c9b8b6bf-2c6b-453d-b400-de9a43a549d7", - "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview", + "category": "Identity and Access Management", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "services": [ - "SQL", - "Entra" + "AKV", + "Entra", + "APIM" ], - "severity": "Medium", - "subcategory": "Azure Active Directory", - "text": "Leverage Azure AD authentication for connections to Azure SQL Databases", + "severity": "High", + "subcategory": "Data protection", + "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Using Azure AD groups simplifies permission management and both the group owner, and the resource owner can add/remove members to/from the group. Create a separate group for Azure AD administrators for each logical server. 
Monitor Azure AD group membership changes using Azure AD audit activity reports.", - "guid": "29820254-1d14-4778-ae90-ff4aeba504a3", - "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities", + "category": "Identity and Access Management", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "services": [ - "SQL", - "Monitor", - "Entra" + "Entra", + "APIM" ], - "severity": "Medium", - "subcategory": "Azure Active Directory", - "text": "Create a separate Azure AD group with two admin accounts for each Azure SQL Database logical server", + "severity": "High", + "subcategory": "Identity", + "text": "Protect incoming requests to APIs (data plane) with Azure AD", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Ensure that distinct system and user assigned managed identities, that are dedicated to the function, with least permissions assigned, are used for communication from Azure services and applications to the Azure SQLDB databases.", - "guid": "df3a09ee-03bb-4198-8637-d141acf5f289", - "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#minimize-the-use-of-password-based-authentication-for-applications", + "category": "Identity and Access Management", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "services": [ - "SQL", - "Entra" + "Entra", + "APIM" ], "severity": "Medium", - "subcategory": "Azure Active 
Directory", - "text": "Minimize the use of password-based authentication for applications", + "subcategory": "Identity", + "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "System or User assigned managed identities enable Azure SQLDB to authenticate to other cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based-access-control to the specific Azure SQLDB instance. Do not share user assigned managed identities across multiple services if not strictly required.", - "guid": "69891194-5074-4e30-8f69-4efc3c580900", - "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", + "category": "Identity and Access Management", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", "services": [ - "ACR", - "RBAC", "Entra", - "SQL", - "AKV" + "APIM" ], - "severity": "Low", - "subcategory": "Managed Identities", - "text": "Assign Azure SQL Database a managed identity for outbound resource access", + "severity": "Medium", + "subcategory": "Privileged access", + "text": "Create appropriate groups to control the visibility of the products", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Use an Azure AD integrated authentication that eliminates the use of passwords. Password-based authentication methods are a weaker form of authentication. Credentials can be compromised or mistakenly given away. Use single sign-on authentication using Windows credentials. 
Federate the on-premises AD domain with Azure AD and use integrated Windows authentication (for domain-joined machines with Azure AD).",
- "guid": "88287d4a-8bb8-4640-ad78-03f51354d003",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#active-directory-integrated-authentication",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "06862505-2d9a-4874-9491-2837b00a3475",
+ "link": "https://learn.microsoft.com/azure/api-management/backends",
+ "service": "APIM",
 "services": [
- "SQL",
- "Entra"
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Passwords",
- "text": "Minimize the use of password-based authentication for users",
- "waf": "Security"
+ "subcategory": "Best practices",
+ "text": "Use Backends feature to eliminate redundant API backend configurations",
+ "waf": "Operations"
 },
 {
- "category": "Ledger",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Confidential Ledger is one of the supported store, it can be used and supports automatic generation and storage of database digests. Azure Ledger provides advanced security features like Blockchain Ledger Proof and Confidential Hardware Enclaves. 
Use it only if advanced security features are required, otherwise revert to Azure storage.",
- "guid": "0e853380-50ba-4bce-b2fd-5c7391c85ecc",
- "link": "https://learn.microsoft.com/azure/architecture/guide/technology-choices/multiparty-computing-service#confidential-ledger-and-azure-blob-storage",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
+ "service": "APIM",
 "services": [
- "SQL",
- "Storage"
+ "AzurePolicy",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Database Digest",
- "text": "Use Azure Confidential Ledger to store database digests only if advanced security features are required",
- "waf": "Security"
+ "subcategory": "Best practices",
+ "text": "Use Named Values to store common values that can be used in policies",
+ "waf": "Operations"
 },
 {
- "category": "Ledger",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Blob Storage with Immutable Storage feature can be used and supports automatic generation and storage of database digests. 
To prevent tampering of your digest files, configure and lock a retention policy for your container.",
- "guid": "afefb2d3-95da-4ac9-acf5-33d18b32ef9a",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-digest-management",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
+ "service": "APIM",
 "services": [
- "SQL",
- "Storage",
- "AzurePolicy"
+ "ASR",
+ "ACR",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Database Digest",
- "text": "If Azure storage account is used to store database digests, ensure security is properly configured",
- "waf": "Security"
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA",
+ "waf": "Reliability"
 },
 {
- "category": "Ledger",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Ledger provides a form of data integrity called forward integrity, which provides evidence of data tampering on data in your ledger tables. The database verification process takes as input one or more previously generated database digests. It then recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails. The failure indicates that the data has been tampered with. 
The verification process reports all inconsistencies that it detects.",
- "guid": "f8d4ffda-8aac-4cc6-b72b-c81cb8625420",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-database-verification",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
+ "link": "https://learn.microsoft.com/azure/api-management/high-availability",
+ "service": "APIM",
 "services": [
- "SQL",
- "Storage"
+ "ASR",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Integrity",
- "text": "Schedule the Ledger verification process regularly to verify data integrity",
- "waf": "Security"
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%",
+ "waf": "Reliability"
 },
 {
- "category": "Ledger",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "The Ledger feature provides tamper-evidence capabilities in your database. You can cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with. 
Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators.",
- "guid": "2563f498-e2d3-42ea-9e7b-5517881a06a2",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-overview",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
+ "service": "APIM",
 "services": [
- "SQL"
+ "ASR",
+ "Backup",
+ "APIM"
 ],
- "severity": "Medium",
- "subcategory": "Ledger",
- "text": "If cryptographic proof of data integrity is a critical requirement, Ledger feature should be considered",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "Ensure there is an automated backup routine",
+ "waf": "Reliability"
 },
 {
- "category": "Ledger",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Depending on the type of tampering, there are cases where you can repair the ledger without losing data. 
In the article contained in the --More Info-- column, different scenarios and recovery techniques are described.",
- "guid": "804fc554-6554-4842-91c1-713b32f99902",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-how-to-recover-after-tampering",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
+ "link": "https://learn.microsoft.com/azure/api-management/retry-policy",
+ "service": "APIM",
 "services": [
- "SQL"
+ "AzurePolicy",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Recovery",
- "text": "Prepare a response plan to investigate and repair a database after a tampering event",
- "waf": "Security"
+ "subcategory": "Failover and Caching",
+ "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.",
+ "waf": "Reliability"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. By default auditing policy includes all actions (queries, stored procedures and successful and failed logins) against the databases, which may result in high volume of audit logs. 
It's recommended for customers to configure auditing for different types of actions and action groups using PowerShell.",
- "guid": "4082e31d-35f4-4a49-8507-d3172cc930a6",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "f96ddac5-77ec-4fa9-8833-4327f052059e",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-cache-external",
 "services": [
- "SQL",
- "Storage",
- "AzurePolicy"
+ "AzurePolicy",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Auditing",
- "text": "Ensure that Azure SQL Database Auditing is enabled at the server level",
- "waf": "Security"
+ "subcategory": "Performance and scalability",
+ "text": "Consider using a external cache policy for APIs that can benefit from caching",
+ "training": "https://learn.microsoft.com/training/modules/improve-api-performance-with-apim-caching-policy/"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Azure SQL Database Auditing logs can be written to external storage accounts, Log Analytics workspace or Event Hub. Be sure to protect the target repository using backups and secured configuration. Use Azure SQL Database Managed Identity to access the storage and set an explicit retention period. Do not grant permissions to administrators to the audit log repository. Use a different target storage for --Enabling Auditing of Microsoft support operations--. 
",
- "guid": "9b64bc50-b60f-4035-bf7a-28c4806dfb46",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
+ "service": "APIM",
 "services": [
- "Storage",
+ "AzurePolicy",
 "EventHubs",
- "Monitor",
- "SQL",
- "Entra",
- "Backup"
+ "APIM"
 ],
 "severity": "Low",
- "subcategory": "Auditing",
- "text": "Ensure that Azure SQL Database Auditing logs are backed up and secured in the selected repository type",
- "waf": "Security"
+ "subcategory": "Performance and scalability",
+ "text": "If you need to log at high performance levels, consider Event Hubs policy",
+ "waf": "Operations"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified. 
It is recommended to send this activity log to the same external storage repository as the Azure SQL Database Audit Log (storage account, Log Analytics workspace, Event Hub).",
- "guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
+ "service": "APIM",
 "services": [
- "Storage",
- "EventHubs",
- "Monitor",
- "SQL",
- "Subscriptions"
+ "AzurePolicy",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Auditing",
- "text": "Ensure that Azure SQL Database Activity Log is collected and integrated with Auditing logs",
- "waf": "Security"
+ "subcategory": "Performance and scalability",
+ "text": "Apply throttling policies to control the number of requests per second",
+ "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
+ "waf": "Performance"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR). Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.",
- "guid": "f96e127e-9572-453a-b325-ff89ae9f6b44",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
+ "service": "APIM",
 "services": [
- "SQL",
- "Monitor"
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "SIEM/SOAR",
- "text": "Ensure that Azure SQL Database Auditing logs are being presented in to your organizations SIEM/SOAR",
- "waf": "Security"
+ "subcategory": "Performance and scalability",
+ "text": "Configure autoscaling to scale out the number of instances when the load increases",
+ "waf": "Performance"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR), which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.",
- "guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
+ "service": "APIM",
 "services": [
- "SQL",
- "Monitor"
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "SIEM/SOAR",
- "text": "Ensure that Azure SQL Database Activity Log data is presented in to your SIEM/SOAR",
- "waf": "Security"
+ "subcategory": "Performance and scalability",
+ "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.",
+ "waf": "Performance"
 },
 {
- "category": "Logging",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Security Operation Center (SOC) team should create an incident response plan (playbooks or manual responses) to investigate and mitigate tampering, malicious activities, and other anomalous behaviors.",
- "guid": "19ec7c97-c563-4e1d-82f0-54d6ec12e754",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
+ "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
+ "service": "APIM",
 "services": [
- "SQL",
- "EventHubs"
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "SIEM/SOAR",
- "text": "Ensure that you have response plans for malicious or aberrant audit logging events",
- "waf": "Security"
+ "subcategory": "Premium Tier",
+ "text": "Use the premium tier for production workloads.",
+ "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "When you create a logical 
server from the Azure portal for Azure SQL Database, the result is a public endpoint that is visible and reachable over the public network (Public Access). You can then limit connectivity based on firewall rules and Service Endpoint. You can also configure private connectivity only limiting connections to internal networks using Private Endpoint (Private Access). Private Access using Private Endpoint should be the default unless a business case or performance/technical reason applies that cannot support it. Usage of Private Endpoints has performance implications that need to be considered and assessed.",
- "guid": "2c6d356a-1784-475b-a42c-ec187dc8c925",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
+ "service": "APIM",
 "services": [
- "SQL",
- "PrivateLink"
+ "AzurePolicy",
+ "APIM"
+ ],
+ "severity": "Medium",
+ "subcategory": "Request Routing",
+ "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
+ "service": "APIM",
+ "services": [
+ "Entra",
+ "APIM"
 ],
 "severity": "High",
- "subcategory": "Connectivity",
- "text": "Review Public vs. 
Private Access connectivity methods and select the appropriate one for the workload",
- "waf": "Security"
+ "subcategory": "Resource Limits",
+ "text": "Be aware of APIM's limits",
+ "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "IMPORTANT: Connections to private endpoint only support Proxy as the connection policy. When using private endpoints connections are proxied via the Azure SQL Database gateway to the database nodes. Clients will not have a direct connection.",
- "guid": "557b3ce5-bada-4296-8d52-a2d447bc1718",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-architecture",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "graph": "resources | where type =~ 'microsoft.apimanagement/service' | extend compliant = (properties.platformVersion != 'stv1') | project id, compliant",
+ "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8ce",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/migrate-stv1-to-stv2",
+ "service": "APIM",
 "services": [
- "SQL",
- "PrivateLink",
- "AzurePolicy"
+ "APIM"
 ],
- "severity": "Low",
- "subcategory": "Connectivity",
- "text": "Keep default Azure SQL Database Connection Policy if not differently required and justified",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Platform Version",
+ "text": "Upgrade the platform version and follow lifecyle. stv1 is retirng on 31 August 2024",
+ "waf": "Reliability"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. If you select this option, make sure that your login and user permissions limit access to authorized users only. 
If not strictly required, keep this setting to OFF.",
- "guid": "f48efacf-4405-4e8d-9dd0-16c5302ed082",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
+ "service": "APIM",
 "services": [
- "SQL",
- "Subscriptions"
+ "APIM"
 ],
 "severity": "High",
+ "subcategory": "Self-Hosted",
+ "text": "Ensure that the self-hosted gateway deployments are resilient.",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure API Management Review",
+ "guid": "7519e385-a88b-4d34-966b-6269d686e890",
+ "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
+ "service": "APIM",
+ "services": [
+ "Entra",
+ "FrontDoor",
+ "APIM"
+ ],
+ "severity": "Medium",
 "subcategory": "Connectivity",
- "text": "Ensure Allow Azure Services and Resources to Access this Server setting is disabled in Azure SQL Database firewall",
- "waf": "Security"
+ "text": "Use Azure Front Door in front of APIM for multi-region deployment",
+ "waf": "Performance"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Azure SQL Database has a new built-in feature that allows native integration with external REST endpoints. This means that integration of Azure SQL Database with Azure Functions, Azure Logic Apps, Cognitive Services, Event Hubs, Event Grid, Azure Containers, API Management and in general any REST or even GraphQL endpoint. If not properly restricted, code inside an Azure SQL Database database could leverage this mechanism to exfiltrate data. 
If not strictly required, it is recommended to block or restrict this feature using Outbound Firewall Rules.",
- "guid": "cb3274a7-e36d-46f6-8de5-46d30c8dde8e",
- "link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure API Management Review",
+ "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
+ "service": "APIM",
 "services": [
- "SQL",
- "APIM",
- "EventHubs"
+ "VNet",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Outbound Control",
- "text": "Block or restrict outbound REST API calls to external endpoints",
+ "subcategory": "Security",
+ "text": "Deploy the service within a Virtual Network (VNet)",
 "waf": "Security"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Outbound firewall rules limit network traffic from the Azure SQL Database logical server to a customer defined list of Azure Storage accounts and Azure SQL Database logical servers. 
Any attempt to access storage accounts or databases not in this list is denied.",
- "guid": "a566dd3d-314e-4a94-9378-102c42d82b38",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/outbound-firewall-rule-overview",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure API Management Review",
+ "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
+ "service": "APIM",
 "services": [
- "SQL",
- "Storage"
+ "Entra",
+ "VNet",
+ "Monitor",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Outbound Control",
- "text": "If outbound network access is required, it is recommended to configure outbound networking restrictions using built-in Azure SQL Database control feature",
+ "subcategory": "Security",
+ "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.",
 "waf": "Security"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Private Endpoint is created inside a subnet in an Azure Virtual Network. 
Proper security configuration must be applied also to the containing network environment, including NSG/ASG, UDR, firewall, monitoring and auditing.",
- "guid": "246cd832-f550-4af0-9c74-ca9baeeb8860",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure API Management Review",
+ "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
+ "service": "APIM",
 "services": [
- "Firewall",
+ "Entra",
 "PrivateLink",
- "Monitor",
- "SQL",
- "VNet"
+ "VNet",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Private Access",
- "text": "If Private Access connectivity is used, ensure that you are using the Private Endpoint, Azure Virtual Network, Azure Firewall, and Azure Network Security Group checklists",
+ "subcategory": "Security",
+ "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.",
 "waf": "Security"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "When adding a Private Endpoint connection, public routing to your logical server isn't blocked by default. In the --Firewall and virtual networks-- pane, the setting --Deny public network access-- is not selected by default. 
To disable public network access, ensure that you select --Deny public network access--.",
- "guid": "3a0808ee-ea7a-47ab-bdce-920a6a2b3881",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure API Management Review",
+ "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
+ "service": "APIM",
 "services": [
- "SQL",
- "PrivateLink",
- "VNet"
+ "APIM"
 ],
 "severity": "High",
- "subcategory": "Private Access",
- "text": "If Private Endpoint (Private Access) is used, consider disabling Public Access connectivity",
+ "subcategory": "Security",
+ "text": "Disable Public Network Access",
 "waf": "Security"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Network Security Group (NSG) and Application Security Group (ASG) can be now applied to subnet containing Private Endpoints to restrict connections to Azure SQLDB based on internal source IP ranges.",
- "guid": "8600527e-e8c4-4424-90ef-1f0dca0224f2",
- "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints",
+ "category": "Platform automation and DevOps",
+ "checklist": "Azure API Management Review",
+ "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd",
+ "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management",
+ "service": "APIM",
+ "services": [
+ "APIM"
+ ],
+ "severity": "Medium",
+ "subcategory": "Automation",
+ "text": "Simplify management with PowerShell automation scripts",
+ "waf": "Operations"
+ },
+ {
+ "category": "Platform automation and DevOps",
+ "checklist": "Azure API 
Management Review",
+ "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations",
+ "service": "APIM",
+ "services": [
+ "Entra",
+ "APIM"
+ ],
+ "severity": "Medium",
+ "subcategory": "Best practices",
+ "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator",
+ "waf": "Operations"
+ },
+ {
+ "category": "Platform automation and DevOps",
+ "checklist": "Azure API Management Review",
+ "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6",
+ "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial",
+ "service": "APIM",
 "services": [
- "SQL",
- "PrivateLink",
- "VNet"
+ "Entra",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Private Access",
- "text": "If Private Endpoint (Private Access) is used, apply NSG and eventually ASG to limit incoming source IP address ranges",
- "waf": "Security"
+ "subcategory": "Best practices",
+ "text": "Promote usage of Visual Studio Code APIM extension for faster API development",
+ "waf": "Operations"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. Applications and tools that are in the same or peered virtual network in the same region could access it directly. Applications and tools that are in different region could use virtual-network-to-virtual-network connection or ExpressRoute circuit peering to establish connection. 
Customer should use Network Security Groups (NSG), and eventually internal firewalls, to restrict access over port 1433 only to resources that require access to a managed instance.",
- "guid": "18123ef4-a0a6-45e3-87fe-7f454f65d975",
- "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview",
+ "category": "Platform automation and DevOps",
+ "checklist": "Azure API Management Review",
+ "guid": "354f1c03-8112-4965-85ad-c0074bddf231",
+ "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates",
+ "service": "APIM",
 "services": [
- "SQL",
- "ExpressRoute",
- "VNet"
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Private Access",
- "text": "Apply Network Security Groups (NSG) and firewall rules to restrict access to Azure SQL Managed Instance internal subnet",
- "waf": "Security"
+ "subcategory": "DevOps",
+ "text": "Implement DevOps and CI/CD in your workflow",
+ "waf": "Operations"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "Azure Virtual Network Service Endpoint is preferred solution if you want to establish a direct connection to the Azure SQL Database backend nodes using Redirect policy. 
This will allow access in high performance mode and is the recommended approach from a performance perspective.",
- "guid": "55187443-6852-4fbd-99c6-ce303597ca7f",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview?view=azuresql#ip-vs-virtual-network-firewall-rules",
+ "category": "Security",
+ "checklist": "Azure API Management Review",
+ "guid": "b6439493-426a-45f3-9697-cf65baee208d",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients",
+ "service": "APIM",
 "services": [
- "SQL",
- "AzurePolicy",
- "VNet"
+ "APIM"
 ],
- "severity": "High",
- "subcategory": "Public Access",
- "text": "If Public Access connectivity is used, leverage Service Endpoint to restrict access from selected Azure Virtual Networks",
+ "severity": "Medium",
+ "subcategory": "APIs",
+ "text": "Secure APIs using client certificate authentication",
 "waf": "Security"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted. 
This approach is fine for stable IP addresses that are outside the Azure private network.",
- "guid": "a73e32da-b3f4-4960-b5ec-2f42a557bf31",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview",
+ "category": "Security",
+ "checklist": "Azure API Management Review",
+ "guid": "2a67d143-1033-4c0a-8732-680896478f08",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates",
+ "service": "APIM",
 "services": [
- "SQL",
- "Storage"
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Public Access",
- "text": "If Public Access connectivity is used, ensure that only specific known IPs are added to the firewall",
+ "subcategory": "APIs",
+ "text": "Secure backend services using client certificate authentication",
 "waf": "Security"
 },
 {
- "category": "Networking",
- "checklist": "Azure SQLDB Security Checklist (Preview)",
- "description": "We recommend that you use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. 
Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.", - "guid": "e0f31ac9-35c8-4bfd-9865-edb60ffc6768", - "link": "https://learn.microsoft.com/azure/azure-sql/database/firewall-configure", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "services": [ - "SQL", - "Storage" + "APIM" ], - "severity": "Low", - "subcategory": "Public Access", - "text": "If Public Access connectivity is used and controlled by Azure SQL Database firewall rules, use database-level over server-level IP rules", + "severity": "Medium", + "subcategory": "APIs", + "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. The Managed Instance public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. 
If company policy disallows the use of public endpoints, use Azure Policy to prevent enabling public endpoints in the first place.", - "guid": "b8435656-143e-41a8-9922-61d34edb751a", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "services": [ - "SQL", - "AzurePolicy", - "VNet" + "APIM" ], - "severity": "High", - "subcategory": "Public Access", - "text": "Do not enable Azure SQL Managed Instance public endpoint", + "severity": "Medium", + "subcategory": "APIs", + "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "A Managed Instance (SQL MI) public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. In this case, it is recommended to apply a Network Security Groups (NSG) to restrict access to port 3342 only to trusted source IP addresses.", - "guid": "057dd298-8726-4aa6-b590-1f81d2e30421", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "services": [ - "SQL", - "VNet" + "APIM" ], "severity": "High", - "subcategory": "Public Access", - "text": "Restrict access if Azure SQL Managed Instance public endpoint is required", + "subcategory": "Ciphers", + "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", "waf": "Security" }, { - "category": "Privileged Access", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Most operations, support, and troubleshooting performed by Microsoft personnel and sub-processors do not require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. In support scenarios where Microsoft needs to access customer data, Azure SQL Database supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.", - "guid": "37b6eb0f-553d-488f-8a8a-cb9bf97388ff", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", "services": [ - "SQL" + "AKV", + "APIM" ], - "severity": "Low", - "subcategory": "Lockbox", - "text": "Review and enable Customer Lockbox for Azure SQL Database access by Microsoft personnel", + "severity": "High", + "subcategory": "Data protection", + "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Security" }, { - "category": "Privileged Access", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The principle of least privilege states that users shouldn't have more privileges than needed to complete their tasks. 
High-privileged database and server users can perform many configuration and maintenance activities on the database and can also drop databases in Azure SQL instance. Tracking database owners and privileged accounts is important to avoid having excessive permission.", - "guid": "5fe5281f-f0f9-4842-a682-8baf18bd8316", - "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#implement-principle-of-least-privilege", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "services": [ - "SQL" + "Entra", + "APIM" ], "severity": "Medium", - "subcategory": "Permissions", - "text": "Ensure that users are assigned the minimum level of access necessarily to complete their job functions", + "subcategory": "Identities", + "text": "Use managed identities to authenticate to other Azure resources whenever possible", "waf": "Security" }, { - "category": "Privileged Access", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Identities (both Users and SPNs) should be scoped to the least amount of access needed to perform the function. A higher number of tightly scoped SPNs should be used, instead of having one SPN with multiple sets of unrelated permissions. For example, if there are three external web applications hosted on-prem that make queries to the Azure SQL Database, they should not all use the same SPN for these activities. 
Instead, they should each have their own tightly scoped SPN.", - "guid": "7b5b55e5-4750-4920-be97-eb726c256a5c", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#im-3-use-azure-ad-single-sign-on-sso-for-application-access", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "services": [ - "SQL", - "Entra" + "AppGW", + "Entra", + "WAF", + "APIM" ], - "severity": "Low", - "subcategory": "Permissions", - "text": "Ensure that distinct applications will be assigned different credentials with minimal permissions to access Azure SQL Database", + "severity": "High", + "subcategory": "Network", + "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": 
"https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", "services": [ - "AKV", - "FrontDoor" + "CosmosDB" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal.", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "FTA Resiliency Playbook", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", 
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "services": [ - "WAF", - "FrontDoor", - "AzurePolicy" + "CosmosDB" ], - "severity": "Medium", - "subcategory": "Front Door", - "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "High", + "subcategory": "High Availability", + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", - "service": "Front Door", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", "services": [ - "WAF", - "AppGW", - "AzurePolicy", - "FrontDoor" + "CosmosDB" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "subcategory": "High Availability", + "text": "Run multiple replicas of the database (>1 ) in Prod", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", + "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", + "service": "CosmosDB", "services": [ - "WAF", - "FrontDoor", - "AzurePolicy" + "CosmosDB", + "ACR" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", - "waf": "Security" + "severity": "Medium", + "subcategory": "High Availability", + "text": "Leverage 
Multi-Region Writes", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Span Cosmos account across two or more regions with multi-region writes", + "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "services": [ - "TrafficManager", - "FrontDoor", - "EventHubs" + "CosmosDB", + "ACR" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Avoid placing Traffic Manager behind Front Door.", - "waf": "Security" + "severity": "Medium", + "subcategory": "High Availability", + "text": "Distribute your data globally", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", + "category": "Operations 
Management", + "checklist": "CosmosDB Review Checklist", + "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", + "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", + "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", + "service": "CosmosDB", "services": [ - "FrontDoor" + "CosmosDB" ], "severity": "High", - "subcategory": "Front Door", - "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Choose from several well-defined consistency models", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. 
During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", + "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", + "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", + "service": "CosmosDB", "services": [ - "FrontDoor" + "CosmosDB" ], - "severity": "Low", - "subcategory": "Front Door", - "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "High Availability", + "text": "Enable Service managed failover", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.", + "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", + "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", + "service": "CosmosDB", "services": [ - "FrontDoor" + "Storage", + "Backup", + "CosmosDB" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Select good health probe endpoints for Azure Front Door. 
Consider building health endpoints that check all of your application's dependencies.", + "subcategory": "Backup Strategy", + "text": "Enable Automatic Backups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", + "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", + "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", + "service": "CosmosDB", "services": [ - "FrontDoor" + "Backup", + "CosmosDB" ], - "severity": "Low", - "subcategory": "Front Door", - "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Backup Strategy", + "text": "Perform Periodic Backups", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", + "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", + "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", + "service": "CosmosDB", "services": [ - "Cost", - "AKV", - "FrontDoor" + "Backup", + "CosmosDB" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Backup Strategy", + "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "category": "Operations Management", + "checklist": "PostgreSQL Review Checklist", + "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", + "service": "PostgreSQL", "services": [ - "WAF", - "FrontDoor" + "SQL" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Define your Azure Front Door WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "Leverage Flexible Server", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + "category": "Operations Management", + "checklist": "PostgreSQL Review Checklist", + "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", + "service": "PostgreSQL", "services": [ - "FrontDoor" + "SQL" ], "severity": "High", - "subcategory": "Front Door", - "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "category": "Operations Management", + "checklist": "PostgreSQL Review Checklist", + "guid": "31b67c67-be59-4519-8083-845d587cb391", + "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", + "service": "PostgreSQL", "services": [ - "FrontDoor" + "SQL" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage cross-region read replicas for BCDR", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", - "services": [ - "WAF", - "FrontDoor" - ], + "category": "BC and DR", + "checklist": "Device Update Review", + "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", + "services": [], "severity": "High", - "subcategory": "Front Door", - "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", - "services": [ - "WAF", - "FrontDoor" - ], + "category": "BC and DR", + "checklist": "Device Update Review", + "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", + "services": [], "severity": "High", - "subcategory": "Front Door", - "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.", - "waf": "Security" + "subcategory": "High 
Availability", + "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "services": [ - "WAF", - "FrontDoor", - "AzurePolicy" - ], + "category": "BC and DR", + "checklist": "Device Update Review", + "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Device Update for IoT Hub", + "services": [], "severity": "High", - "subcategory": "Front Door", - "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", - "waf": "Security" + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", + "category": "BC and DR", + "checklist": "Device Update Review", + "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Device Update for IoT Hub", "services": [ - "WAF", - "FrontDoor" + "AppSvc" ], "severity": "High", - "subcategory": "Front Door", - "text": "Enable the 
Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", - "waf": "Security" + "subcategory": "High Availability", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", - "services": [ - "WAF", - "FrontDoor" - ], + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "65285269-440c-44be-9d3e-0844276d4bdc", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foudations-playbooks-ADB_v1.docx", + "services": [], "severity": "High", - "subcategory": "Front Door", - "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Reference Databricks HA/DR playbook", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "89d558b9-37d3-4974-b111-2dbd7aaf12e6", + "link": "https://learn.microsoft.com/azure/databricks/security/secrets/secret-scopes", "services": [ - "WAF", - "FrontDoor" + "Backup" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Use the latest Azure Front Door WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", - "waf": "Security" + "subcategory": "Backup", + "text": "Backup Your Workspace Configuration including ARM templates and Secret Scopes", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "b94ee5ef-47d2-4d92-a81b-1cd6d1f54b29", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/sharing-metadata-across-different-databricks-workspaces-using/ba-p/3679757", "services": [ - "WAF", - "FrontDoor" + "Backup", + "ACR" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", - "waf": "Security" + "subcategory": "Backup", + "text": "Share MetaData Across different Databricks Workspaces using Hive External Metastore", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "769e3969-0e78-428a-a936-657d03b0f466", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/disaster-recovery-strategy-in-azure-databricks-using-the-hive/ba-p/3684581", "services": [ - "WAF", - "FrontDoor" + "ASR", + "Backup" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Use a high threshold for Azure Front Door WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure.", - "waf": "Security" + "subcategory": "Backup", + "text": "Plan Disaster Recovery Strategy in Databricks using the Hive External Metastore", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "4b1d944a-3598-437e-b79d-6c6d3a364a5b", + "link": "https://www.databricks.com/blog/2021/04/20/attack-of-the-delta-clones-against-disaster-recovery-availability-complexity.html", "services": [ - "FrontDoor" + "Backup" ], - "severity": "Low", - "subcategory": "Front Door", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Backup", + "text": "Backup your data with deep and shallow clones", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "description": "Download the blob using Secondary Endpoint in RAGRS Storage Account", + "guid": "7abae48a-bd54-4cd7-ae2e-86768357c559", + "link": 
"https://techcommunity.microsoft.com/t5/azure-paas-blog/download-the-blob-using-secondary-endpoint-in-ragrs-storage/ba-p/2403750", "services": [ - "WAF", - "FrontDoor" + "Storage", + "Backup" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", - "waf": "Security" + "subcategory": "Backup", + "text": "Backup your data to Azure Storage RA-GRS", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "675c5ee8-5b85-49c7-944c-e3b1a28b875a", + "link": "https://learn.microsoft.com/azure/databricks/dev-tools/index-ci-cd", "services": [ - "WAF", - "Monitor", - "FrontDoor" + "Backup" ], - "severity": "Medium", - "subcategory": "Front Door", - "text": "Capture logs and metrics by turning on Diagnostic Settings. Include resource activity logs, access logs, health probe logs, and WAF logs. 
Set up alerts.", - "waf": "Operations" + "severity": "High", + "subcategory": "Backup", + "text": "Backup your code with DevOps", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "a1bf1038-9f03-4a4d-8ce4-63dbbbc8682a", + "link": "https://learn.microsoft.com/azure/databricks/administration-guide/disaster-recovery", "services": [ - "WAF", - "Sentinel", - "FrontDoor" + "ASR" ], - "severity": "Medium", - "subcategory": "Front Door", - "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Plan for Disaster recovery using Active/Active or Active/Passive Configuration", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", - "service": "Front Door", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "description": "Migration package to log all Databricks resources for backup and/or migrating to another Databricks workspace", + "guid": "5abc92a4-eda1-4dae-8cc8-5c47c6b781cc", + "link": "https://github.com/databrickslabs/migrate", "services": [ - "FrontDoor", "Backup" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. 
A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.", + "subcategory": "Migration", + "text": "Use Databricks Migration tools", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", - "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", - "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", - "service": "Front Door", - "services": [ - "FrontDoor" - ], - "severity": "High", - "subcategory": "Front Door", - "text": "Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. 
You can place those origins in one or more back-end pools.", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "a0e6c465-89d5-458b-a37d-3974d1112dbd", + "link": "https://github.com/databrickslabs/databricks-sync", + "services": [], + "severity": "Low", + "subcategory": "Migration", + "text": "Use Databricks Sync", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "999852be-2137-4179-8fc3-30d1df6fed1d", - "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps", - "service": "Front Door", - "services": [ - "FrontDoor" - ], - "severity": "Medium", - "subcategory": "Front Door", - "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout.", + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "cb7da8cf-aa62-4a15-a495-6da97dc3a242", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-plan-capacity-vmware", + "services": [], + "severity": "High", + "subcategory": "Replication", + "text": "Capacity planning is required to make sure you have sufficient bandwidth for replication and an estimated number of CPU cores & disk types that will be needed in Azure for failover", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": 
"67b23587-05a1-4652-aded-fa8a488cdec4", + "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-policy", "services": [ - "FrontDoor" + "AzurePolicy", + "VM", + "ASR" ], - "severity": "Medium", - "subcategory": "Front Door", - "text": "Decide if your application requires session affinity. If you have high reliability requirements, we recommend that you disable session affinity.", + "severity": "High", + "subcategory": "Replication", + "text": "Use Azure Policy to ensure that all critical Azure VMs are protected with ASR", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7", - "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "862bc3bc-14be-4b7f-96e8-d9b3bec228e7", + "link": "https://learn.microsoft.com/azure/site-recovery/recovery-plan-overview", "services": [ - "FrontDoor" + "VM" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Send the host header to the back end. The back-end services should be aware of the host name so that they can create rules to accept traffic only from that host.", - "waf": "Security" + "subcategory": "Replication", + "text": "Define recovery plans to automate the failover sequence for VMs. 
You can also include automation scripts to reduce manual steps and improve recovery time", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", - "services": [ - "FrontDoor" - ], + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "437b1736-db55-4f67-a613-334bd09dc234", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=recovery-services-vault", + "services": [], "severity": "Medium", - "subcategory": "Front Door", - "text": "Use caching for endpoints that support it.", - "waf": "Cost" + "subcategory": "Data Protection", + "text": "Enable and LOCK immutability for vaults. This ensures recovery points cannot be deleted before their intended expiry", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant", - "guid": "34069d73-e4de-46c5-a36f-625f87575a56", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "services": [ - "FrontDoor" - ], - "severity": "Low", - "subcategory": "Front Door", - "text": "Disable health checks in single back-end pools. If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary. This is only recommended if you can't have multiple origins in your endpoint.", - "waf": "Cost" + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "19db6128-1265-404b-a47a-493a08042729", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "services": [], + "severity": "Medium", + "subcategory": "Data Protection", + "text": "Enable 'Always-on soft delete' for vaults protecting critical workloads", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "c92d6786-cdd1-444d-9cad-934a192a276a", - "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Recovery Services Vault Checklist", + "guid": "4798b158-8b31-4aa5-9ceb-54445135a227", + "link": "https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-storage-redundancy", "services": [ - "Storage", - "FrontDoor" + "Storage" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "We recommend using the Premium Tier for leveraging the Security reports while the Standard Azure Front Door Profile provides only traffic reports under built-in analytics/reports.", - "waf": "Operations" + "subcategory": "Redudancy", + "text": "When creating Recovery Service Vaults choose the best storage redundancy option for your requirements. 
Vaults support local, geo and zone redundancy but this setting cannot be changed once the vault is protecting one or more resources", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "services": [ - "AKV", - "FrontDoor" + "Entra" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Use wildcard TLS certificates when possible.", - "waf": "Operations" + "subcategory": "Entra ID", + "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "services": [ - "FrontDoor" + "Entra" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Optimize your application query string for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. 
Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.", - "waf": "Performance" + "subcategory": "AAD B2C", + "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece", - "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "services": [ - "Storage", - "FrontDoor" + "Entra" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Use file compression when you're accessing downloadable content.", + "subcategory": "AAD B2C", + "text": "Custom brand assets should be hosted on a CDN", "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", - "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", - "link": "https://learn.microsoft.com/azure/cdn/tier-migration", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", "services": [ - "FrontDoor" + 
"Entra" ], - "severity": "High", - "subcategory": "Front Door", - "text": "Consider migrating to Standard or Premium SKU if you are using Classic Azure Front Door currently as Classic Azure Front Door will be deprecated by March 2027.", - "waf": "Operations" + "severity": "Low", + "subcategory": "AAD B2C", + "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", - "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "TrafficManager", - "Storage", - "FrontDoor" + "VM", + "Entra" ], "severity": "Medium", - "subcategory": "Front Door", - "text": "Consider using Traffic Manager load balancing Azure Front Door and a third party CDN provider CDN profile for mission critical high availability scenario. 
", + "subcategory": "Windows Server AD", + "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", - "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", - "service": "Front Door", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "AppSvc", - "FrontDoor" + "Entra" ], - "severity": "High", - "subcategory": "Front Door", - "text": "When using Front Door with origin as App services, consider locking down the traffic to app services only through Azure Front Door using access restrictions. ", - "waf": "Security" + "severity": "Medium", + "subcategory": "Windows Server AD", + "text": "Don't replicate! 
Replication can create issues with directory synchronization", + "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "SQL" + "Entra" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage Flexible Server", + "subcategory": "Windows Server AD", + "text": "Have active-active for multi-regions", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "services": [ - "SQL" + "Entra" ], - "severity": "High", - "subcategory": "Best Practices", - "text": "Leverage Availability Zones where regionally applicable", + "severity": "Medium", + "subcategory": "Entra Domain Services", + "text": "Add Azure AD Domain service stamps to additional regions and locations", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "checklist": "Identity Review 
Checklist",
+ "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
 "services": [
- "SQL"
+ "Entra"
 ],
 "severity": "Medium",
- "subcategory": "Best Practices",
- "text": "Leverage Data-in replication for cross-region DR scenarios",
+ "subcategory": "Entra Domain Services",
+ "text": "Use Replica Sets for DR",
 "waf": "Reliability"
 }
 ],
 "metadata": {
 "name": "Master checklist",
- "timestamp": "October 02, 2024"
+ "timestamp": "October 21, 2024"
 },
 "severities": [
 {
diff --git a/checklists/datasecurity_checklist.en.json b/checklists/datasecurity_checklist.en.json
index 7d821e5ef..55b269c66 100644
--- a/checklists/datasecurity_checklist.en.json
+++ b/checklists/datasecurity_checklist.en.json
@@ -1,811 +1,809 @@ -{ - "items": [ - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Restrict use of local users on sql workloads on Synapse", - "description": "Restrict the use of local authentication methods for data plane access. Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "32d41e36-11c8-417b-8afb-c410d4391898", - "id": "A01.01", - "severity": "High" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Use managed identity to authenticate to the services", - "description": "Use Microsoft Entra ID as the default authentication method to control your data plane access.", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", - "id": "A01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies", - "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", - "id": "A01.03", - "severity": "High" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Use Azure RBAC to control access on storage and Synapse RBAC to control access on workspace level depending on the personas of the team to fine grain the access on data and compute", - "description": "Azure Synapse also includes Synapse role-based access control (RBAC) roles to manage different aspects of Synapse Studio. 
Leverage these built-in roles to assign permissions to users, groups, or other security principals to manage who can Publish code artifacts and list or access published code artifacts,Execute code on Apache Spark pools and integration runtimes,Access linked (data) services that are protected by credentials,Monitor or cancel job executions, review job output and execution logs.", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", - "id": "A01.04", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Implement RLS, CLS and data masking on sql workloads in dedicated sql pool to add additional layer of security", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", - "id": "A01.05", - "severity": "Medium", - "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext" - }, - { - "category": "Network Security", - "subcategory": "", - "text": "Use managed vnet workspace to restrict the access over public internet", - "description": "When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network. 
This can be selected when deploying a workspace", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", - "id": "B01.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16" - }, - { - "category": "Network Security", - "subcategory": "", - "text": "Configure private endpoints to connect to the external services and disable public access", - "description": "To protect any sensitive data, it's recommended to disable public access to the workspace endpoints entirely. By doing so, it ensures all workspace endpoints can only be accessed using�private endpoints.", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", - "id": "B01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16" - }, - { - "category": "Network Security", - "subcategory": "", - "text": "If enabling public access highly recommended to configure IP firewall rules", - "description": "If public access needs to be enabled, it's highly recommended to configure the IP firewall rules to allow inbound connections only from the specified list of public IP addresses.", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "294798b1-178a-42c5-a46c-eb544350d092", - "id": "B01.03", - "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall" - }, - { - "category": "Network Security", - "subcategory": "", - "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn�t leave your corporate network", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", - "id": "B01.04", - "severity": "Medium", - "link": 
"https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory" - }, - { - "category": "Network Security", - "subcategory": "", - "text": "Enable Data Exfiltration Protection (DEP)", - "description": "This can be done only when deploying the workspace, but Python libraries installed from public repositories like PyPI are not supported. (Think about the limitation before enabling it)", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", - "id": "B01.05", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Data Encryption at rest using Customer managed Keys for workspace", - "description": "First layer of encryption is done by Microsoft managed keys, you can add a second layer of encryption using Customer managed Keys", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "e337897e-31b6-47d6-9be5-962a1193846d", - "id": "C01.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Data Encryption in transit ", - "description": "Azure Synapse leverages TLS to ensure data is encrypted in motion. SQL dedicated pools support TLS 1.0, TLS 1.1, and TLS 1.2 versions for encryption wherein Microsoft-provided drivers use TLS 1.2 by default. 
Serverless SQL pool and Apache Spark pool use TLS 1.2 for all outbound connections.", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", - "id": "C01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Store passwords, secerts and keys in Azure key vault", - "description": "Use Keyvaults to store your secrets and credentials", - "waf": "Security", - "service": "Azure Synapse Analytics", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", - "id": "C01.03", - "severity": "High" - }, - { - "category": "", - "subcategory": "", - "text": "Use Azure Key Vault secrets in pipeline activities", - "description": "You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.", - "guid": "a3aec2c4-e243-46b0-936d-b55e17960eee", - "id": "D01.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Restrict use of local users whereever necessary", - "description": "Restrict the use of local authentication methods for data plane access. Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.", - "waf": "Security", - "service": "Azure Data Factory", - "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", - "id": "E01.01", - "severity": "High" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Use managed identity to authenticate to the services", - "description": "Managed identities eliminate the need to manage credentials. 
Managed identities provide an identity for the service instance when connecting to resources that support Microsoft Entra authentication.", - "waf": "Security", - "service": "Azure Data Factory", - "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", - "id": "E01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies", - "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.", - "waf": "Security", - "service": "Azure Data Factory", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "id": "E01.03", - "severity": "High" - }, - { - "category": "Network Security", - "subcategory": "", - "text": "Disable access over public internet and configure either firewall rules or trusted services rules", - "service": "Azure Data Factory", - "guid": "4e4f1854-287d-45cd-a126-cc032af5b1fc", - "id": "F01.01", - "severity": "Medium" - }, - { - "category": "Network Security", - "subcategory": "", - "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn�t leave your corporate network", - "waf": "Security", - "service": "Azure Data Factory", - "guid": "6898a535-e337-4897-b31b-67d67be5962a", - "id": "F01.02", - "severity": "Medium" - }, - { - "category": "Network Security", - "subcategory": "", - "text": "Use managed vnet IR to restrict the access over public internet for Azure Integration Runtime", - "description": "When you create an Azure integration runtime within a Data Factory managed virtual network, the integration runtime is provisioned with the managed virtual network. 
It uses private endpoints to securely connect to supported data stores.", - "waf": "Security", - "service": "Azure Data Factory", - "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", - "id": "F01.03", - "severity": "Medium" - }, - { - "category": "Network Security", - "subcategory": "", - "text": "Configure managed private endpoints to connect to resources using managed azure IR", - "description": "Managed private endpoints are private endpoints created in the Data Factory managed virtual network that establishes a private link to Azure resources. Data Factory manages these private endpoints on your behalf.", - "waf": "Security", - "service": "Azure Data Factory", - "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", - "id": "F01.04", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints" - }, - { - "category": "", - "subcategory": "", - "text": "Configure Private Links to connect to sources in customer Vnet and data factory", - "description": "By using Azure Private Link, you can connect to various platform as a service (PaaS) deployments in Azure via a private endpoint. 
A private endpoint is a private IP address within a specific virtual network and subnet", - "guid": "b47a393a-0804-4272-a479-8b1578b219a4", - "id": "G01.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/data-factory/data-factory-private-link" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Data Encryption at rest by Microsoft managed keys", - "description": "This is a default setting", - "waf": "Security", - "service": "Azure Data Factory", - "guid": "6ceb5443-5135-4922-9442-93bb628637a5", - "id": "H01.01", - "severity": "Medium" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Data Encryption in transit by Microsoft managed keys", - "description": "This is a default setting", - "waf": "Security", - "service": "Azure Data Factory", - "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", - "id": "H01.02", - "severity": "Medium" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Data Encryption in transit by BYOK (Customer managed keys)", - "description": "When you specify a customer-managed key, Data Factory uses�both�the factory system key and the CMK to encrypt customer data. 
Missing either would result in Deny of Access to data and factory.", - "waf": "Security", - "service": "Azure Data Factory", - "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", - "id": "H01.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Store passwords, secrets in Azure Key Vault", - "waf": "Security", - "service": "Azure Data Factory", - "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", - "id": "H01.04", - "severity": "High", - "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Use Azure Key Vault secrets in pipeline activities", - "description": "You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.", - "service": "Azure Data Factory", - "guid": "6f4a1652-bddd-4ea8-a487-cdec4861bc3b", - "id": "H01.05", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Encrypt credentials for on-premises using SHIR data stores in Azure Data Factory", - "description": "You can encrypt and store credentials for any of your on-premises data stores (linked services with sensitive information) on a machine with self-hosted integration runtime.", - "service": "Azure Data Factory", - "guid": "c14aeb7e-66e8-4d9a-9bec-218e6436b173", - "id": "H01.06", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/data-factory/encrypt-credentials-self-hosted-integration-runtime" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Define roles and responsibilities to 
manage Microsoft Purview in control plane and data plane", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "6db55f57-9603-4334-adf9-cc23418db612", - "id": "I01.01", - "severity": "Medium" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Define roles and tasks required to deploy and manage Microsoft Purview inside an Azure subscription (control plane)", - "description": "Use Azure RBACs for this", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "8126504b-b47a-4393-a080-427294798b15", - "id": "I01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Define roles and task needed to perform data management and governance using Microsoft Purview. (Data plane for Data Map and Data Catalog.)", - "description": "Use Microsoft Purview roles for this.", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "78b219a4-6ceb-4544-9513-5922744293bb", - "id": "I01.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Assign roles to Microsoft Entra groups instead of assigning roles to individual users.", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", - "id": "I01.04", - "severity": "Medium" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Use Azure�Active Directory Entitlement Management�to map user access to Microsoft Entra groups using Access Packages.", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", - "id": "I01.05", - "severity": "Medium", - "link": 
"https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Enforce multifactor authentication for Microsoft Purview users, especially, for users with privileged roles such as collection admins, data source admins or data curators.", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", - "id": "I01.06", - "severity": "High" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Use Microsoft Entra ID to provide authentication and authorization to all users, security groups registered in Entra, service principal and managed identities inside collections in Microsoft Purview", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", - "id": "I01.07", - "severity": "High" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Define Least Privilege model and Lower exposure of privileged accounts", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", - "id": "I01.08", - "severity": "High" - }, - { - "category": "Network security", - "subcategory": "", - "text": "Enable�end-to-end network isolation�using Private Link Service. (Microsoft Purview Data Map)", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", - "id": "J01.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end" - }, - { - "category": "Network security", - "subcategory": "", - "text": "Use�Microsoft Purview Firewall�to disable Public access. 
(Microsoft Purview Data Map)", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "418db612-8126-4504-ab47-a393a0804272", - "id": "J01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access" - }, - { - "category": "Network security", - "subcategory": "", - "text": "Deploy�Network Security Group (NSG) rules�for subnets where Azure data sources private endpoints, Microsoft Purview private endpoints and self-hosted runtime VMs are deployed. (Microsoft Purview Data Map)", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "94798b15-78b2-419a-96ce-b54435135922", - "id": "J01.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups" - }, - { - "category": "Network security", - "subcategory": "", - "text": "Implement Microsoft Purview with private endpoints managed by a Network Virtual Appliance, such as�Azure Firewall�for network inspection and network filtering. (Microsoft Purview Data Map)", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "744293bb-6286-437a-9511-9b08e8f58543", - "id": "J01.04", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/firewall/overview" - }, - { - "category": "Network security", - "subcategory": "", - "text": "Deploy private endpoints for Microsoft Purview accounts to add another layer of security, so only client calls that are originated from within the virtual network are allowed to access the Microsoft Purview account", - "description": "This private endpoint is also a prerequisite for the portal private endpoint. The Microsoft Purview�portal�private endpoint is required to enable connectivity to Microsoft Purview governance portal using a private network. Microsoft Purview can scan data sources in Azure or an on-premises environment by using ingestion private endpoints. 
Limitations on using private endpoints https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", - "id": "J01.05", - "severity": "Medium", - "link": "https://learn.microsoft.com/purview/concept-best-practices-network" - }, - { - "category": "Network security", - "subcategory": "", - "text": "Block public access using Microsoft Purview firewall", - "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. Limitation to be reviewed: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", - "id": "J01.06", - "severity": "Medium" - }, - { - "category": "Network security", - "subcategory": "", - "text": "Use Network Security Groups to filter network traffic to and from Azure resources in an Azure virtual network", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", - "id": "J01.07", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "If you have sensitive data that cannot leave the boundary of your on-prem vnet it is highly recommended to use SHIR VMs inside your corporate vnet to extract your metadata ", - "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", - "id": "K01.01", - "severity": "High" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Use Azure RBACs to 
restrict the access of your storage account (not managed by MS) only to intended users.", - "description": "Metadata is extracted and stored in Microsoft Purview Data Map, if you are not using managed storage account for your Purview account they are open to be accessed by all so implement proper RBACs and retrict the access of Data to only intended users. Applicable to Accounts deployed after December 15, 2023 (or deployed using API version 2023-05-01-preview onwards", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", - "id": "K01.02", - "severity": "Medium" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Data in rest is encrypted by microsoft managed keys", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", - "id": "K01.03", - "severity": "Medium" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Data in transit is encrypted by TLS 1.3", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", - "id": "K01.04", - "severity": "Medium" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Always use Azure key vaults to store all credentials if not using managed identities or without password need methods", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", - "id": "K01.05", - "severity": "High" - }, - { - "category": "Protection against accidential deletion", - "subcategory": "", - "text": "Prevent accidental deletion of Microsoft Purview accounts by applying resource Locks", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", - "id": "L01.01", - "severity": "Medium" - }, - { - "category": "", - "subcategory": "", - "text": "Plan for a break glass strategy for your Microsoft Entra tenant, Azure subscription and Microsoft Purview accounts 
to prevent tenant-wide account lockout.", - "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", - "id": "M01.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access" - }, - { - "category": "Additional security recommendation", - "subcategory": "", - "text": "Integrate with Microsoft 365 and Microsoft Defender for Cloud", - "waf": "Security", - "service": "Microsoft Purview", - "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", - "id": "N01.01", - "severity": "Medium" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Define Least Privilege model and Lower exposure of privileged accounts", - "description": "Separate admin accounts from normal user accounts.", - "waf": "Security", - "service": "Azure Databricks", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "id": "O01.01", - "severity": "High" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Configure single sign-on and unified login. Enable multi-factor authentication.", - "description": "Azure Databricks supports Microsoft Entra ID conditional access, which allows administrators to control where and when users are permitted to sign in to Azure Databricks. 
Conditional access policies can restrict sign-in to your corporate network or can require multi-factor authentication (MFA).", - "waf": "Security", - "service": "Azure Databricks", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "id": "O01.02", - "severity": "High", - "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Use token management.", - "description": "Customers can use the Token Management API or UI controls to enable or disable personal access tokens (PATs) for REST API authentication, limit the users who are allowed to use PATs, set the maximum lifetime for new tokens, and manage existing tokens. Highly-secure customers typically provision a maximum token lifetime for new tokens for a workspace. This feature requires the Premium pricing tier.", - "waf": "Security", - "service": "Azure Databricks", - "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", - "id": "O01.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Separate admin accounts from normal user accounts", - "description": "If you have Databricks administrators who are also normal users of the Databricks platform (for example, there�s a lead data engineer who administers the platform and also does data engineering work), Databricks recommends creating a separate account for administrative tasks. It�s important to note that as part of the Azure RBAC model, users that are given Contributor or above permissions to the Resource Group for a deployed Azure Databricks workspace automatically become administrators when they login to that workspace. 
Therefore, the same considerations outlined above should be applied to Azure portal users too.", - "waf": "Security", - "service": "Azure Databricks", - "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", - "id": "O01.04", - "severity": "High" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "SCIM synchronization of users and groups.", - "description": "SCIM (System for Cross-domain Identity Management) allows you to sync users and groups from Microsoft Entra ID to Azure Databricks. There are three major benefits of this approach: 1. When you remove a user, the user is automatically removed from Databricks. 2. Users can also be disabled temporarily via SCIM. Customers have used this capability for scenarios where customers believe that an account may be compromised and need to investigate 3. Groups are automatically synchronized Please refer to the documentation for detailed instructions on how to configure SCIM for Azure Databricks. This feature requires the Premium pricing tier", - "waf": "Security", - "service": "Azure Databricks", - "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", - "id": "O01.05", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Limit cluster creation rights.", - "description": "Using either cluster policies or the older cluster ACLs, admins can define what users or groups within the organization are able to create clusters. Cluster ACLs allow you to specify which users can attach a notebook to a given cluster. Note that if a user shares a notebook already attached to a standard mode cluster, the recipient will also be able to execute code on that cluster. This does not apply to clusters that enforce user isolation: SQL Warehouses, high concurrency with table ACLs clusters, and high concurrency with credential passthrough clusters. 
Customers who use Unity Catalog can also enable single-user clusters to enforce isolation clusters.", - "waf": "Security", - "service": "Azure Databricks", - "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", - "id": "O01.06", - "severity": "Medium" - }, - { - "category": "", - "subcategory": "", - "text": "Restrict workspace admins", - "description": "Account admins can configure a workspace setting called RestrictWorkspaceAdmins to restrict workspace admins to only change a job owner to themselves and the job run as setting to a service principal that they have the Service Principal User role on.", - "guid": "6b57dfc6-5546-41e1-a3e3-453a3c863964", - "id": "P01.01", - "severity": "High", - "link": "https://learn.microsoft.com/azure/databricks/admin/workspace-settings/restrict-workspace-admins" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Store passwords, secrets in Azure Key Vault", - "description": "It�s important to note that even if customers use Azure Key Vault to store their secrets, access controls still need to be defined within Azure Databricks. This is because the same service identity is used to retrieve the secret for all users of an Azure Databricks workspace.", - "waf": "Security", - "service": "Azure Databricks", - "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", - "id": "Q01.01", - "severity": "High" - }, - { - "category": "", - "subcategory": "", - "text": "Regenerate/rotate keys if using them periodically", - "guid": "42b16c21-d799-49a6-96f4-389a8f42c78e", - "id": "R01.01", - "severity": "High" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Use clusters that support user isolation.", - "description": "Clusters with user isolation include enforcement such that each user runs as a different non-privileged user account on the cluster host. 
Languages are also limited to those that can be implemented in an isolated manner (SQL and Python), and Spark APIs must be on an allowlist of those we believe to be isolation-safe.", - "waf": "Security", - "service": "Azure Databricks", - "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3", - "id": "S01.01", - "severity": "Medium" - }, - { - "category": "Identity and Access Management", - "subcategory": "", - "text": "Use service principals to run production jobs. Use proper access control for workspace level (ACLs), account level (RBACs) and data level (Unity catalog) security controls", - "description": "It is against security best practices to tie production workloads to individual user accounts, and so we recommend configuring Service Principals within Databricks. Service Principles separate administrator and user actions from the workload and prevent workloads from being impacted if a user leaves an organization. With Databricks, you can configure jobs to run as service principals and generate Personal Access Tokens for Service Principals.", - "waf": "Security", - "service": "Azure Databricks", - "guid": "e29711b1-352b-4eee-879b-588defc5972c", - "id": "S01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Avoid storing production data in DBFS.", - "description": "By default, DBFS is a filesystem that is accessible to all users of the given workspace and can be accessed via API. This is not necessarily a major data exfiltration concern as you can limit access to accessing data via the DBFS API or Databricks cli using IP access lists or private network access. However, as use of Azure Databricks grows and more users join a workspace, those users would have access to any data stored in DBFS, creating the potential for undesired information sharing. 
Databricks recommends that our customers do not store production data in DBFS.", - "waf": "Security", - "service": "Azure Databricks", - "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c", - "id": "T01.01", - "severity": "High" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Encrypt storage and restrict access.", - "description": "For the storage accounts that you manage, it is your responsibility to ensure that the storage accounts are protected according to your requirements. Examples might include: Encryption with your customer-managed key, Restrict access to trusted networks with a storage firewall, Anonymous public access is not allowed", - "waf": "Security", - "service": "Azure Databricks", - "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8", - "id": "T01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys" - }, - { - "category": "Data Protection", - "subcategory": "", - "text": "Add a customer-managed key for managed services and workspace storage", - "description": "Add a customer-managed key for select data stored within the Azure Databricks control plane, such as notebooks, secrets, Databricks SQL queries, and Databricks SQL query history and for the root storage account used for DBFS. Azure Databricks requires access to this key for ongoing operations. You can revoke access to the key to prevent Azure Databricks from accessing encrypted data within the control plane (or in our backups). This is like a �nuclear option� where the workspace ceases to function, but it provides an emergency control for extreme situations. 
This feature requires the Premium pricing tier.", - "waf": "Security", - "service": "Azure Databricks", - "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9", - "id": "T01.03", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys" - }, - { - "category": "Networking", - "subcategory": "", - "text": "Enable IP access lists to restrict access to certain IP addresses.", - "description": "Configure IP access lists that restrict the IP addresses that can authenticate to Databricks at account console and workspace level by checking if the user or API client is coming from a known good IP address range such as a VPN or office network. Established user sessions do not work if the user moves to a bad IP address, such as when disconnecting from the VPN. ", - "waf": "Security", - "service": "Azure Databricks", - "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", - "id": "U01.01", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list" - }, - { - "category": "Networking", - "subcategory": "", - "text": "Configure and use Azure Private Link to access Azure resources.", - "description": "Azure Private Link provides a private network route from one Azure environment to another. Private Link can be configured both between Azure Databricks users and the control plane, and also between the control plane and the data plane. Between Databricks users and the control plane, Private Link provides strong controls that limit the source for inbound requests. If a company already routes traffic through an Azure environment, they can use Private Link so that the communication between users and the Azure Databricks control plane does not traverse public IP addresses. This feature requires the Premium pricing tier. Use Azure Private Link to connect from Azure Databricks to your Azure resources. 
Not only does Private Link ensure", - "waf": "Security", - "service": "Azure Databricks", - "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3", - "id": "U01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link" - } - ], - "categories": [ - ], - "waf": [ - { - "name": "Reliability" - }, - { - "name": "Security" - }, - { - "name": "Cost" - }, - { - "name": "Operations" - }, - { - "name": "Performance" - } - ], - "yesno": [ - { - "name": "Yes" - }, - { - "name": "No" - } - ], - "status": [ - { - "name": "Not verified", - "description": "This check has not been looked at yet" - }, - { - "name": "Open", - "description": "There is an action item associated to this check" - }, - { - "name": "Fulfilled", - "description": "This check has been verified, and there are no further action items associated to it" - }, - { - "name": "Not required", - "description": "Recommendation understood, but not needed by current requirements" - }, - { - "name": "N/A", - "description": "Not applicable for current design" - } - ], - "severities": [ - { - "name": "High" - }, - { - "name": "Medium" - }, - { - "name": "Low" - } - ], - "metadata": { - "name": "Use the 'Import latest checklist' button to get the latest version of a review checklist", - "state": "Preview", - "waf": "Security", - "timestamp": "10/17/2024 09:16:59" - } -} - +{ + "items": [ + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Restrict use of local users on sql workloads on Synapse", + "description": "Restrict the use of local authentication methods for data plane access. 
Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "32d41e36-11c8-417b-8afb-c410d4391898", + "id": "A01.01", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use managed identity to authenticate to the services", + "description": "Use Microsoft Entra ID as the default authentication method to control your data plane access.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", + "id": "A01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies", + "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", + "id": "A01.03", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use Azure RBAC to control access on storage and Synapse RBAC to control access on workspace level depending on the personas of the team to fine grain the access on data and compute", + "description": "Azure Synapse also includes Synapse role-based access control (RBAC) roles to manage different aspects of Synapse Studio. 
Leverage these built-in roles to assign permissions to users, groups, or other security principals to manage who can Publish code artifacts and list or access published code artifacts,Execute code on Apache Spark pools and integration runtimes,Access linked (data) services that are protected by credentials,Monitor or cancel job executions, review job output and execution logs.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "id": "A01.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Implement RLS, CLS and data masking on sql workloads in dedicated sql pool to add additional layer of security", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "id": "A01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext" + }, + { + "category": "Network Security", + "subcategory": "", + "text": "Use managed vnet workspace to restrict the access over public internet", + "description": "When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network. 
This can be selected when deploying a workspace", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "id": "B01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16" + }, + { + "category": "Network Security", + "subcategory": "", + "text": "Configure private endpoints to connect to the external services and disable public access", + "description": "To protect any sensitive data, it's recommended to disable public access to the workspace endpoints entirely. By doing so, it ensures all workspace endpoints can only be accessed using\ufffdprivate endpoints.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "id": "B01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16" + }, + { + "category": "Network Security", + "subcategory": "", + "text": "If enabling public access highly recommended to configure IP firewall rules", + "description": "If public access needs to be enabled, it's highly recommended to configure the IP firewall rules to allow inbound connections only from the specified list of public IP addresses.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall" + }, + { + "category": "Network Security", + "subcategory": "", + "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn\ufffdt leave your corporate network", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "id": "B01.04", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory" + }, + { + "category": "Network Security", + "subcategory": "", + "text": "Enable Data Exfiltration Protection (DEP)", + "description": "This can be done only when deploying the workspace, but Python libraries installed from public repositories like PyPI are not supported. (Think about the limitation before enabling it)", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "id": "B01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Data Encryption at rest using Customer managed Keys for workspace", + "description": "First layer of encryption is done by Microsoft managed keys, you can add a second layer of encryption using Customer managed Keys", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "id": "C01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Data Encryption in transit ", + "description": "Azure Synapse leverages TLS to ensure data is encrypted in motion. SQL dedicated pools support TLS 1.0, TLS 1.1, and TLS 1.2 versions for encryption wherein Microsoft-provided drivers use TLS 1.2 by default. 
Serverless SQL pool and Apache Spark pool use TLS 1.2 for all outbound connections.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "id": "C01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Store passwords, secerts and keys in Azure key vault", + "description": "Use Keyvaults to store your secrets and credentials", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "id": "C01.03", + "severity": "High" + }, + { + "category": "", + "subcategory": "", + "text": "Use Azure Key Vault secrets in pipeline activities", + "description": "You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.", + "guid": "a3aec2c4-e243-46b0-936d-b55e17960eee", + "id": "D01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Restrict use of local users whereever necessary", + "description": "Restrict the use of local authentication methods for data plane access. Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "id": "E01.01", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use managed identity to authenticate to the services", + "description": "Managed identities eliminate the need to manage credentials. 
Managed identities provide an identity for the service instance when connecting to resources that support Microsoft Entra authentication.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "id": "E01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies", + "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "id": "E01.03", + "severity": "High" + }, + { + "category": "Network Security", + "subcategory": "", + "text": "Disable access over public internet and configure either firewall rules or trusted services rules", + "service": "Azure Data Factory", + "guid": "4e4f1854-287d-45cd-a126-cc032af5b1fc", + "id": "F01.01", + "severity": "Medium" + }, + { + "category": "Network Security", + "subcategory": "", + "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn\ufffdt leave your corporate network", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "id": "F01.02", + "severity": "Medium" + }, + { + "category": "Network Security", + "subcategory": "", + "text": "Use managed vnet IR to restrict the access over public internet for Azure Integration Runtime", + "description": "When you create an Azure integration runtime within a Data Factory managed virtual network, the integration runtime is provisioned with the managed virtual network. 
It uses private endpoints to securely connect to supported data stores.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "id": "F01.03", + "severity": "Medium" + }, + { + "category": "Network Security", + "subcategory": "", + "text": "Configure managed private endpoints to connect to resources using managed azure IR", + "description": "Managed private endpoints are private endpoints created in the Data Factory managed virtual network that establishes a private link to Azure resources. Data Factory manages these private endpoints on your behalf.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "id": "F01.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints" + }, + { + "category": "", + "subcategory": "", + "text": "Configure Private Links to connect to sources in customer Vnet and data factory", + "description": "By using Azure Private Link, you can connect to various platform as a service (PaaS) deployments in Azure via a private endpoint. 
A private endpoint is a private IP address within a specific virtual network and subnet", + "guid": "b47a393a-0804-4272-a479-8b1578b219a4", + "id": "G01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-private-link" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Data Encryption at rest by Microsoft managed keys", + "description": "This is a default setting", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "id": "H01.01", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Data Encryption in transit by Microsoft managed keys", + "description": "This is a default setting", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "id": "H01.02", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Data Encryption in transit by BYOK (Customer managed keys)", + "description": "When you specify a customer-managed key, Data Factory uses\ufffdboth\ufffdthe factory system key and the CMK to encrypt customer data. 
Missing either would result in Deny of Access to data and factory.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "id": "H01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Store passwords, secrets in Azure Key Vault", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "id": "H01.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Use Azure Key Vault secrets in pipeline activities", + "description": "You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.", + "service": "Azure Data Factory", + "guid": "6f4a1652-bddd-4ea8-a487-cdec4861bc3b", + "id": "H01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Encrypt credentials for on-premises using SHIR data stores in Azure Data Factory", + "description": "You can encrypt and store credentials for any of your on-premises data stores (linked services with sensitive information) on a machine with self-hosted integration runtime.", + "service": "Azure Data Factory", + "guid": "c14aeb7e-66e8-4d9a-9bec-218e6436b173", + "id": "H01.06", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/encrypt-credentials-self-hosted-integration-runtime" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Define roles and responsibilities to 
manage Microsoft Purview in control plane and data plane", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "id": "I01.01", + "severity": "Medium" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Define roles and tasks required to deploy and manage Microsoft Purview inside an Azure subscription (control plane)", + "description": "Use Azure RBACs for this", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "id": "I01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Define roles and task needed to perform data management and governance using Microsoft Purview. (Data plane for Data Map and Data Catalog.)", + "description": "Use Microsoft Purview roles for this.", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "id": "I01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Assign roles to Microsoft Entra groups instead of assigning roles to individual users.", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "id": "I01.04", + "severity": "Medium" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use Azure\ufffdActive Directory Entitlement Management\ufffdto map user access to Microsoft Entra groups using Access Packages.", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "id": "I01.05", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Enforce multifactor authentication for Microsoft Purview users, especially, for users with privileged roles such as collection admins, data source admins or data curators.", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "id": "I01.06", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use Microsoft Entra ID to provide authentication and authorization to all users, security groups registered in Entra, service principal and managed identities inside collections in Microsoft Purview", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "id": "I01.07", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Define Least Privilege model and Lower exposure of privileged accounts", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "id": "I01.08", + "severity": "High" + }, + { + "category": "Network security", + "subcategory": "", + "text": "Enable\ufffdend-to-end network isolation\ufffdusing Private Link Service. (Microsoft Purview Data Map)", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "id": "J01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end" + }, + { + "category": "Network security", + "subcategory": "", + "text": "Use\ufffdMicrosoft Purview Firewall\ufffdto disable Public access. 
(Microsoft Purview Data Map)", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "id": "J01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access" + }, + { + "category": "Network security", + "subcategory": "", + "text": "Deploy\ufffdNetwork Security Group (NSG) rules\ufffdfor subnets where Azure data sources private endpoints, Microsoft Purview private endpoints and self-hosted runtime VMs are deployed. (Microsoft Purview Data Map)", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "id": "J01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups" + }, + { + "category": "Network security", + "subcategory": "", + "text": "Implement Microsoft Purview with private endpoints managed by a Network Virtual Appliance, such as\ufffdAzure Firewall\ufffdfor network inspection and network filtering. (Microsoft Purview Data Map)", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "id": "J01.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/firewall/overview" + }, + { + "category": "Network security", + "subcategory": "", + "text": "Deploy private endpoints for Microsoft Purview accounts to add another layer of security, so only client calls that are originated from within the virtual network are allowed to access the Microsoft Purview account", + "description": "This private endpoint is also a prerequisite for the portal private endpoint. The Microsoft Purview\ufffdportal\ufffdprivate endpoint is required to enable connectivity to Microsoft Purview governance portal using a private network. Microsoft Purview can scan data sources in Azure or an on-premises environment by using ingestion private endpoints. 
Limitations on using private endpoints https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "id": "J01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network" + }, + { + "category": "Network security", + "subcategory": "", + "text": "Block public access using Microsoft Purview firewall", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. Limitation to be reviewed: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "id": "J01.06", + "severity": "Medium" + }, + { + "category": "Network security", + "subcategory": "", + "text": "Use Network Security Groups to filter network traffic to and from Azure resources in an Azure virtual network", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "id": "J01.07", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "If you have sensitive data that cannot leave the boundary of your on-prem vnet it is highly recommended to use SHIR VMs inside your corporate vnet to extract your metadata ", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "id": "K01.01", + "severity": "High" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Use Azure RBACs to 
restrict the access of your storage account (not managed by MS) only to intended users.", + "description": "Metadata is extracted and stored in Microsoft Purview Data Map, if you are not using managed storage account for your Purview account they are open to be accessed by all so implement proper RBACs and retrict the access of Data to only intended users. Applicable to Accounts deployed after December 15, 2023 (or deployed using API version 2023-05-01-preview onwards", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "id": "K01.02", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Data in rest is encrypted by microsoft managed keys", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "id": "K01.03", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Data in transit is encrypted by TLS 1.3", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "id": "K01.04", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Always use Azure key vaults to store all credentials if not using managed identities or without password need methods", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "id": "K01.05", + "severity": "High" + }, + { + "category": "Protection against accidential deletion", + "subcategory": "", + "text": "Prevent accidental deletion of Microsoft Purview accounts by applying resource Locks", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "id": "L01.01", + "severity": "Medium" + }, + { + "category": "", + "subcategory": "", + "text": "Plan for a break glass strategy for your Microsoft Entra tenant, Azure subscription and Microsoft Purview accounts 
to prevent tenant-wide account lockout.", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "id": "M01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access" + }, + { + "category": "Additional security recommendation", + "subcategory": "", + "text": "Integrate with Microsoft 365 and Microsoft Defender for Cloud", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "id": "N01.01", + "severity": "Medium" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Define Least Privilege model and Lower exposure of privileged accounts", + "description": "Separate admin accounts from normal user accounts.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "id": "O01.01", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Configure single sign-on and unified login. Enable multi-factor authentication.", + "description": "Azure Databricks supports Microsoft Entra ID conditional access, which allows administrators to control where and when users are permitted to sign in to Azure Databricks. 
Conditional access policies can restrict sign-in to your corporate network or can require multi-factor authentication (MFA).", + "waf": "Security", + "service": "Azure Databricks", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "id": "O01.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use token management.", + "description": "Customers can use the Token Management API or UI controls to enable or disable personal access tokens (PATs) for REST API authentication, limit the users who are allowed to use PATs, set the maximum lifetime for new tokens, and manage existing tokens. Highly-secure customers typically provision a maximum token lifetime for new tokens for a workspace. This feature requires the Premium pricing tier.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "id": "O01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Separate admin accounts from normal user accounts", + "description": "If you have Databricks administrators who are also normal users of the Databricks platform (for example, there\ufffds a lead data engineer who administers the platform and also does data engineering work), Databricks recommends creating a separate account for administrative tasks. It\ufffds important to note that as part of the Azure RBAC model, users that are given Contributor or above permissions to the Resource Group for a deployed Azure Databricks workspace automatically become administrators when they login to that workspace. 
Therefore, the same considerations outlined above should be applied to Azure portal users too.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "id": "O01.04", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "SCIM synchronization of users and groups.", + "description": "SCIM (System for Cross-domain Identity Management) allows you to sync users and groups from Microsoft Entra ID to Azure Databricks. There are three major benefits of this approach: 1. When you remove a user, the user is automatically removed from Databricks. 2. Users can also be disabled temporarily via SCIM. Customers have used this capability for scenarios where customers believe that an account may be compromised and need to investigate 3. Groups are automatically synchronized Please refer to the documentation for detailed instructions on how to configure SCIM for Azure Databricks. This feature requires the Premium pricing tier", + "waf": "Security", + "service": "Azure Databricks", + "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", + "id": "O01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Limit cluster creation rights.", + "description": "Using either cluster policies or the older cluster ACLs, admins can define what users or groups within the organization are able to create clusters. Cluster ACLs allow you to specify which users can attach a notebook to a given cluster. Note that if a user shares a notebook already attached to a standard mode cluster, the recipient will also be able to execute code on that cluster. This does not apply to clusters that enforce user isolation: SQL Warehouses, high concurrency with table ACLs clusters, and high concurrency with credential passthrough clusters. 
Customers who use Unity Catalog can also enable single-user clusters to enforce isolation clusters.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", + "id": "O01.06", + "severity": "Medium" + }, + { + "category": "", + "subcategory": "", + "text": "Restrict workspace admins", + "description": "Account admins can configure a workspace setting called RestrictWorkspaceAdmins to restrict workspace admins to only change a job owner to themselves and the job run as setting to a service principal that they have the Service Principal User role on.", + "guid": "6b57dfc6-5546-41e1-a3e3-453a3c863964", + "id": "P01.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/databricks/admin/workspace-settings/restrict-workspace-admins" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Store passwords, secrets in Azure Key Vault", + "description": "It\ufffds important to note that even if customers use Azure Key Vault to store their secrets, access controls still need to be defined within Azure Databricks. This is because the same service identity is used to retrieve the secret for all users of an Azure Databricks workspace.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", + "id": "Q01.01", + "severity": "High" + }, + { + "category": "", + "subcategory": "", + "text": "Regenerate/rotate keys if using them periodically", + "guid": "42b16c21-d799-49a6-96f4-389a8f42c78e", + "id": "R01.01", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use clusters that support user isolation.", + "description": "Clusters with user isolation include enforcement such that each user runs as a different non-privileged user account on the cluster host. 
Languages are also limited to those that can be implemented in an isolated manner (SQL and Python), and Spark APIs must be on an allowlist of those we believe to be isolation-safe.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3", + "id": "S01.01", + "severity": "Medium" + }, + { + "category": "Identity and Access Management", + "subcategory": "", + "text": "Use service principals to run production jobs. Use proper access control for workspace level (ACLs), account level (RBACs) and data level (Unity catalog) security controls", + "description": "It is against security best practices to tie production workloads to individual user accounts, and so we recommend configuring Service Principals within Databricks. Service Principles separate administrator and user actions from the workload and prevent workloads from being impacted if a user leaves an organization. With Databricks, you can configure jobs to run as service principals and generate Personal Access Tokens for Service Principals.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "e29711b1-352b-4eee-879b-588defc5972c", + "id": "S01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Avoid storing production data in DBFS.", + "description": "By default, DBFS is a filesystem that is accessible to all users of the given workspace and can be accessed via API. This is not necessarily a major data exfiltration concern as you can limit access to accessing data via the DBFS API or Databricks cli using IP access lists or private network access. However, as use of Azure Databricks grows and more users join a workspace, those users would have access to any data stored in DBFS, creating the potential for undesired information sharing. 
Databricks recommends that our customers do not store production data in DBFS.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c", + "id": "T01.01", + "severity": "High" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Encrypt storage and restrict access.", + "description": "For the storage accounts that you manage, it is your responsibility to ensure that the storage accounts are protected according to your requirements. Examples might include: Encryption with your customer-managed key, Restrict access to trusted networks with a storage firewall, Anonymous public access is not allowed", + "waf": "Security", + "service": "Azure Databricks", + "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8", + "id": "T01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys" + }, + { + "category": "Data Protection", + "subcategory": "", + "text": "Add a customer-managed key for managed services and workspace storage", + "description": "Add a customer-managed key for select data stored within the Azure Databricks control plane, such as notebooks, secrets, Databricks SQL queries, and Databricks SQL query history and for the root storage account used for DBFS. Azure Databricks requires access to this key for ongoing operations. You can revoke access to the key to prevent Azure Databricks from accessing encrypted data within the control plane (or in our backups). This is like a \ufffdnuclear option\ufffd where the workspace ceases to function, but it provides an emergency control for extreme situations. 
This feature requires the Premium pricing tier.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9", + "id": "T01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Enable IP access lists to restrict access to certain IP addresses.", + "description": "Configure IP access lists that restrict the IP addresses that can authenticate to Databricks at account console and workspace level by checking if the user or API client is coming from a known good IP address range such as a VPN or office network. Established user sessions do not work if the user moves to a bad IP address, such as when disconnecting from the VPN. ", + "waf": "Security", + "service": "Azure Databricks", + "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", + "id": "U01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list" + }, + { + "category": "Networking", + "subcategory": "", + "text": "Configure and use Azure Private Link to access Azure resources.", + "description": "Azure Private Link provides a private network route from one Azure environment to another. Private Link can be configured both between Azure Databricks users and the control plane, and also between the control plane and the data plane. Between Databricks users and the control plane, Private Link provides strong controls that limit the source for inbound requests. If a company already routes traffic through an Azure environment, they can use Private Link so that the communication between users and the Azure Databricks control plane does not traverse public IP addresses. This feature requires the Premium pricing tier. Use Azure Private Link to connect from Azure Databricks to your Azure resources. 
Not only does Private Link ensure",
+ "waf": "Security",
+ "service": "Azure Databricks",
+ "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3",
+ "id": "U01.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link"
+ }
+ ],
+ "categories": [],
+ "waf": [
+ {
+ "name": "Reliability"
+ },
+ {
+ "name": "Security"
+ },
+ {
+ "name": "Cost"
+ },
+ {
+ "name": "Operations"
+ },
+ {
+ "name": "Performance"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Yes"
+ },
+ {
+ "name": "No"
+ }
+ ],
+ "status": [
+ {
+ "name": "Not verified",
+ "description": "This check has not been looked at yet"
+ },
+ {
+ "name": "Open",
+ "description": "There is an action item associated to this check"
+ },
+ {
+ "name": "Fulfilled",
+ "description": "This check has been verified, and there are no further action items associated to it"
+ },
+ {
+ "name": "Not required",
+ "description": "Recommendation understood, but not needed by current requirements"
+ },
+ {
+ "name": "N/A",
+ "description": "Not applicable for current design"
+ }
+ ],
+ "severities": [
+ {
+ "name": "High"
+ },
+ {
+ "name": "Medium"
+ },
+ {
+ "name": "Low"
+ }
+ ],
+ "metadata": {
+ "name": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "state": "Preview",
+ "waf": "Security",
+ "timestamp": "October 21, 2024"
+ }
+}
\ No newline at end of file
diff --git a/checklists/datasecurity_checklist.es.json b/checklists/datasecurity_checklist.es.json
new file mode 100644
index 000000000..eb1812e84
--- /dev/null
+++ b/checklists/datasecurity_checklist.es.json
@@ -0,0 +1,809 @@
+{
+ "categories": [],
+ "items": [
+ {
+ "category": "Gestión de identidades y accesos",
+ "description": "Restrinja el uso de métodos de autenticación locales para el acceso al plano de datos. En su lugar, use Microsoft Entra ID como método de autenticación predeterminado para controlar el acceso al plano de datos.",
+ "guid": "32d41e36-11c8-417b-8afb-c410d4391898",
+ "id": "A01.01",
+ "service": "Azure Synapse Analytics",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Restringir el uso de usuarios locales en cargas de trabajo de SQL en Synapse",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gestión de identidades y accesos",
+ "description": "Use el identificador de Microsoft Entra como método de autenticación predeterminado para controlar el acceso al plano de datos.",
+ "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a",
+ "id": "A01.02",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext",
+ "service": "Azure Synapse Analytics",
+ "severity": "Medio",
+ "subcategory": "",
+ "text": "Uso de la identidad administrada para autenticarse en los servicios",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gestión de identidades y accesos",
+ "description": "Si no es necesario para las operaciones administrativas rutinarias, deshabilite o restrinja las cuentas de administrador local solo para uso de emergencia.",
+ "guid": "ec823923-7a15-42d6-ac5e-402925388e5d",
+ "id": "A01.03",
+ "service": "Azure Synapse Analytics",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Separe y limite los usuarios administrativos o con muchos privilegios y habilite las directivas condicionales y de MFA",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gestión de identidades y accesos",
+ "description": "Azure Synapse también incluye roles de control de acceso basado en roles (RBAC) de Synapse para administrar diferentes aspectos de Synapse Studio. 
Aproveche estos roles integrados para asignar permisos a usuarios, grupos u otras entidades de seguridad para administrar quién puede publicar artefactos de código y enumerar o acceder a artefactos de código publicados,Ejecutar código en grupos de Apache Spark y entornos de ejecución de integración,Acceder a servicios vinculados (datos) protegidos por credenciales,Supervisar o cancelar ejecuciones de trabajos, revisar la salida de trabajos y los registros de ejecución.", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "id": "A01.04", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "subcategory": "", + "text": "Use Azure RBAC para controlar el acceso en el almacenamiento y Synapse RBAC para controlar el acceso en el nivel de área de trabajo en función de los roles del equipo para precisar el acceso a los datos y el proceso", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "id": "A01.05", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "subcategory": "", + "text": "Implemente RLS, CLS y enmascaramiento de datos en cargas de trabajo de SQL en un grupo de SQL dedicado para agregar una capa adicional de seguridad", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "description": "Al crear el área de trabajo de Azure Synapse, puede optar por asociarla a una red virtual de Microsoft Azure. Azure Synapse administra la red virtual asociada al área de trabajo. Esta red virtual se denomina red virtual de área de trabajo administrada. 
Esto se puede seleccionar al implementar un área de trabajo", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "id": "B01.01", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "subcategory": "", + "text": "Uso del área de trabajo de red virtual administrada para restringir el acceso a través de la red pública de Internet", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "description": "Para proteger los datos confidenciales, se recomienda deshabilitar por completo el acceso público a los puntos de conexión del área de trabajo. Al hacerlo, garantiza que solo se pueda acceder a todos los puntos de conexión del área de trabajo mediante puntos de conexión privados.", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "id": "B01.02", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "subcategory": "", + "text": "Configurar puntos de conexión privados para conectarse a los servicios externos y deshabilitar el acceso público", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "description": "Si es necesario habilitar el acceso público, se recomienda encarecidamente configurar las reglas de firewall de IP para permitir conexiones entrantes solo desde la lista especificada de direcciones IP públicas.", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "subcategory": "", + "text": "Si se habilita el acceso público, se recomienda encarecidamente configurar las reglas de firewall de IP", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "guid": 
"d234292b-7528-4537-a551-c5bf4e4f1854", + "id": "B01.04", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "subcategory": "", + "text": "Implemente máquinas virtuales SHIR en la red virtual si trabaja con datos confidenciales que no deben salir de la red corporativa", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "description": "Esto solo se puede hacer cuando se implementa el área de trabajo, pero las bibliotecas de Python instaladas desde repositorios públicos como PyPI no son compatibles. (Piense en la limitación antes de habilitarlo)", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "id": "B01.05", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "subcategory": "", + "text": "Habilitar la protección de exfiltración de datos (DEP)", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "La primera capa de cifrado la realizan las claves administradas por Microsoft, puede agregar una segunda capa de cifrado mediante claves administradas por el cliente", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "id": "C01.01", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "subcategory": "", + "text": "Cifrado de datos en reposo mediante claves administradas por el cliente para el área de trabajo", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "Azure Synapse aprovecha TLS para garantizar que los datos se cifran en movimiento. 
Los grupos dedicados de SQL admiten las versiones TLS 1.0, TLS 1.1 y TLS 1.2 para el cifrado, en los que los controladores proporcionados por Microsoft usan TLS 1.2 de forma predeterminada. El grupo de SQL sin servidor y el grupo de Apache Spark usan TLS 1.2 para todas las conexiones de salida.", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "id": "C01.02", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "subcategory": "", + "text": "Cifrado de datos en tránsito ", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "Uso de Keyvaults para almacenar sus secretos y credenciales", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "id": "C01.03", + "service": "Azure Synapse Analytics", + "severity": "Alto", + "subcategory": "", + "text": "Almacenamiento de contraseñas, seguridades y claves en Azure Key Vault", + "waf": "Seguridad" + }, + { + "category": "", + "description": "Puede almacenar credenciales o valores secretos en una instancia de Azure Key Vault y usarlos durante la ejecución de la canalización para pasarlos a sus actividades.", + "guid": "a3aec2c4-e243-46b0-936d-b55e17960eee", + "id": "D01.01", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "severity": "Medio", + "subcategory": "", + "text": "Uso de secretos de Azure Key Vault en actividades de canalización" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Restrinja el uso de métodos de autenticación locales para el acceso al plano de datos. 
En su lugar, use Microsoft Entra ID como método de autenticación predeterminado para controlar el acceso al plano de datos.", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "id": "E01.01", + "service": "Azure Data Factory", + "severity": "Alto", + "subcategory": "", + "text": "Restrinja el uso de usuarios locales siempre que sea necesario", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Las identidades administradas eliminan la necesidad de administrar credenciales. Las identidades administradas proporcionan una identidad para la instancia de servicio al conectarse a recursos que admiten la autenticación de Microsoft Entra.", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "id": "E01.02", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", + "severity": "Medio", + "subcategory": "", + "text": "Uso de la identidad administrada para autenticarse en los servicios", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Si no es necesario para las operaciones administrativas rutinarias, deshabilite o restrinja las cuentas de administrador local solo para uso de emergencia.", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "id": "E01.03", + "service": "Azure Data Factory", + "severity": "Alto", + "subcategory": "", + "text": "Separe y limite los usuarios administrativos o con muchos privilegios y habilite las directivas condicionales y de MFA", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "guid": "4e4f1854-287d-45cd-a126-cc032af5b1fc", + "id": "F01.01", + "service": "Azure Data Factory", + "severity": "Medio", + "subcategory": "", + "text": "Deshabilite el acceso a través de Internet público y configure las reglas de firewall o las reglas de servicios de confianza" + }, + { + "category": "Seguridad de la red", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "id": 
"F01.02", + "service": "Azure Data Factory", + "severity": "Medio", + "subcategory": "", + "text": "Implemente máquinas virtuales SHIR en la red virtual si trabaja con datos confidenciales que no deben salir de la red corporativa", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "description": "Al crear un entorno de ejecución de integración de Azure dentro de una red virtual administrada de Data Factory, el entorno de ejecución de integración se aprovisiona con la red virtual administrada. Utiliza puntos de conexión privados para conectarse de forma segura a los almacenes de datos compatibles.", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "id": "F01.03", + "service": "Azure Data Factory", + "severity": "Medio", + "subcategory": "", + "text": "Uso de IR de red virtual administrada para restringir el acceso a través de la red pública de Internet para Azure Integration Runtime", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "description": "Los puntos de conexión privados administrados son puntos de conexión privados creados en la red virtual administrada de Data Factory que establece un vínculo privado a los recursos de Azure. Data Factory administra estos puntos de conexión privados en su nombre.", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "id": "F01.04", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", + "severity": "Medio", + "subcategory": "", + "text": "Configuración de puntos de conexión privados administrados para conectarse a recursos mediante Azure IR administrado", + "waf": "Seguridad" + }, + { + "category": "", + "description": "Con Azure Private Link, puede conectarse a varias implementaciones de plataforma como servicio (PaaS) en Azure a través de un punto de conexión privado. 
Un punto de conexión privado es una dirección IP privada dentro de una red virtual y una subred específicas", + "guid": "b47a393a-0804-4272-a479-8b1578b219a4", + "id": "G01.01", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-private-link", + "severity": "Medio", + "subcategory": "", + "text": "Configuración de vínculos privados para conectarse a orígenes en la red virtual del cliente y la factoría de datos" + }, + { + "category": "Protección de datos", + "description": "Esta es una configuración predeterminada", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "id": "H01.01", + "service": "Azure Data Factory", + "severity": "Medio", + "subcategory": "", + "text": "Cifrado de datos en reposo mediante claves administradas de Microsoft", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "Esta es una configuración predeterminada", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "id": "H01.02", + "service": "Azure Data Factory", + "severity": "Medio", + "subcategory": "", + "text": "Cifrado de datos en tránsito por claves administradas de Microsoft", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "Cuando se especifica una clave administrada por el cliente, Data Factory usa tanto la clave del sistema de fábrica como la CMK para cifrar los datos del cliente. 
Si no se produce ninguno de ellos, se denegaría el acceso a los datos y a la fábrica.", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "id": "H01.03", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", + "severity": "Medio", + "subcategory": "", + "text": "Cifrado de datos en tránsito por BYOK (claves administradas por el cliente)", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "id": "H01.04", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "Alto", + "subcategory": "", + "text": "Almacenamiento de contraseñas y secretos en Azure Key Vault", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "Puede almacenar credenciales o valores secretos en una instancia de Azure Key Vault y usarlos durante la ejecución de la canalización para pasarlos a sus actividades.", + "guid": "6f4a1652-bddd-4ea8-a487-cdec4861bc3b", + "id": "H01.05", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "Medio", + "subcategory": "", + "text": "Uso de secretos de Azure Key Vault en actividades de canalización" + }, + { + "category": "Protección de datos", + "description": "Puede cifrar y almacenar credenciales para cualquiera de los almacenes de datos locales (servicios vinculados con información confidencial) en un equipo con tiempo de ejecución de integración autohospedado.", + "guid": "c14aeb7e-66e8-4d9a-9bec-218e6436b173", + "id": "H01.06", + "link": "https://learn.microsoft.com/azure/data-factory/encrypt-credentials-self-hosted-integration-runtime", + "service": "Azure Data Factory", + "severity": "Medio", + 
"subcategory": "", + "text": "Cifrado de credenciales para el entorno local mediante almacenes de datos SHIR en Azure Data Factory" + }, + { + "category": "Gestión de identidades y accesos", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "id": "I01.01", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Definir roles y responsabilidades para administrar Microsoft Purview en el plano de control y el plano de datos", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Use RBAC de Azure para esto", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "id": "I01.02", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Definición de roles y tareas necesarios para implementar y administrar Microsoft Purview dentro de una suscripción de Azure (plano de control)", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Use los roles de Microsoft Purview para esto.", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "id": "I01.03", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Defina los roles y las tareas necesarias para realizar la administración y la gobernanza de datos mediante Microsoft Purview. 
(Plano de datos para el mapa de datos y el catálogo de datos).", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "id": "I01.04", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Asigne roles a grupos de Microsoft Entra en lugar de asignar roles a usuarios individuales.", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "id": "I01.05", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Use Azure Active Directory Entitlement Management para asignar el acceso de los usuarios a los grupos de Microsoft Entra mediante paquetes de acceso.", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "id": "I01.06", + "service": "Microsoft Purview", + "severity": "Alto", + "subcategory": "", + "text": "Aplique la autenticación multifactor para los usuarios de Microsoft Purview, especialmente para los usuarios con roles con privilegios, como administradores de colecciones, administradores de orígenes de datos o conservadores de datos.", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "id": "I01.07", + "service": "Microsoft Purview", + "severity": "Alto", + "subcategory": "", + "text": "Use el identificador de Microsoft Entra para proporcionar autenticación y autorización a todos los usuarios, grupos de seguridad registrados en Entra, entidad de servicio e identidades administradas dentro de colecciones en Microsoft Purview", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "id": "I01.08", + 
"service": "Microsoft Purview", + "severity": "Alto", + "subcategory": "", + "text": "Definir el modelo de privilegios mínimos y la menor exposición de cuentas con privilegios", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "id": "J01.01", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Habilite el aislamiento de red de extremo a extremo mediante el servicio Private Link. (Mapa de datos de Microsoft Purview)", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "id": "J01.02", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Use el firewall de Microsoft Purview para deshabilitar el acceso público. (Mapa de datos de Microsoft Purview)", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "id": "J01.03", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Implemente reglas de grupo de seguridad de red (NSG) para subredes en las que se implementan puntos de conexión privados de orígenes de datos de Azure, puntos de conexión privados de Microsoft Purview y máquinas virtuales en tiempo de ejecución autohospedadas. 
(Mapa de datos de Microsoft Purview)", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "id": "J01.04", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Implemente Microsoft Purview con puntos de conexión privados administrados por una aplicación virtual de red, como Azure Firewall, para la inspección y el filtrado de red. (Mapa de datos de Microsoft Purview)", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "description": "Este punto de conexión privado también es un requisito previo para el punto de conexión privado del portal. El punto de conexión privado del portal de Microsoft Purview es necesario para habilitar la conectividad con el portal de gobernanza de Microsoft Purview mediante una red privada. Microsoft Purview puede examinar orígenes de datos en Azure o en un entorno local mediante puntos de conexión privados de ingesta. Limitaciones en el uso de puntos de conexión privados https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "id": "J01.05", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Implemente puntos de conexión privados para cuentas de Microsoft Purview para agregar otra capa de seguridad, de modo que solo las llamadas de cliente que se originan desde la red virtual puedan acceder a la cuenta de Microsoft Purview", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. 
Limitación a revisar: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "id": "J01.06", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Bloquear el acceso público mediante el firewall de Microsoft Purview", + "waf": "Seguridad" + }, + { + "category": "Seguridad de la red", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "id": "J01.07", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Uso de grupos de seguridad de red para filtrar el tráfico de red hacia y desde los recursos de Azure en una red virtual de Azure", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "id": "K01.01", + "service": "Microsoft Purview", + "severity": "Alto", + "subcategory": "", + "text": "Si tiene datos confidenciales que no pueden salir del límite de la red virtual local, se recomienda encarecidamente usar máquinas virtuales SHIR dentro de la red virtual corporativa para extraer los metadatos ", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "Los metadatos se extraen y almacenan en el mapa de datos de Microsoft Purview, si no usa una cuenta de almacenamiento administrado para su cuenta de Purview, están abiertos para que todos puedan acceder a ellos, por lo que debe implementar los RBAC adecuados y restringir el acceso de los datos solo a los usuarios previstos. 
Aplicable a las cuentas implementadas después del 15 de diciembre de 2023 (o implementadas con la versión de API 2023-05-01-preview en adelante", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "id": "K01.02", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Use RBAC de Azure para restringir el acceso de la cuenta de almacenamiento (no administrada por MS) solo a los usuarios previstos.", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "id": "K01.03", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Los datos en reposo se cifran mediante claves administradas de Microsoft", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "id": "K01.04", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Los datos en tránsito se cifran mediante TLS 1.3", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "id": "K01.05", + "service": "Microsoft Purview", + "severity": "Alto", + "subcategory": "", + "text": "Use siempre Azure Key Vaults para almacenar todas las credenciales si no usa identidades administradas o sin métodos de necesidad de contraseña", + "waf": "Seguridad" + }, + { + "category": "Protección contra la eliminación accidental", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "id": "L01.01", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Evitar la eliminación accidental de cuentas de Microsoft Purview mediante la aplicación de bloqueos de recursos", + "waf": "Seguridad" + }, + { + "category": "", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "id": "M01.01", + "link": 
"https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Planee una estrategia de emergencia para el inquilino de Microsoft Entra, la suscripción de Azure y las cuentas de Microsoft Purview para evitar el bloqueo de cuentas en todo el inquilino.", + "waf": "Seguridad" + }, + { + "category": "Recomendación de seguridad adicional", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "id": "N01.01", + "service": "Microsoft Purview", + "severity": "Medio", + "subcategory": "", + "text": "Integración con Microsoft 365 y Microsoft Defender for Cloud", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Separe las cuentas de administrador de las cuentas de usuario normales.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "id": "O01.01", + "service": "Azure Databricks", + "severity": "Alto", + "subcategory": "", + "text": "Definir el modelo de privilegios mínimos y la menor exposición de cuentas con privilegios", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Azure Databricks admite el acceso condicional de identificador de Microsoft Entra, que permite a los administradores controlar dónde y cuándo se permite a los usuarios iniciar sesión en Azure Databricks. Las directivas de acceso condicional pueden restringir el inicio de sesión en la red corporativa o pueden requerir autenticación multifactor (MFA).", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "id": "O01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", + "severity": "Alto", + "subcategory": "", + "text": "Configure el inicio de sesión único y el inicio de sesión unificado. 
Habilite la autenticación multifactor.", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Los clientes pueden usar la API de administración de tokens o los controles de la interfaz de usuario para habilitar o deshabilitar los tokens de acceso personal (PAT) para la autenticación de la API de REST, limitar los usuarios que pueden usar PAT, establecer la duración máxima de los nuevos tokens y administrar los tokens existentes. Los clientes de alta seguridad suelen aprovisionar una duración máxima del token para los nuevos tokens de un área de trabajo. Esta característica requiere el plan de tarifa Premium.", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "id": "O01.03", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens", + "service": "Azure Databricks", + "severity": "Medio", + "subcategory": "", + "text": "Utilice la administración de tokens.", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Si tiene administradores de Databricks que también son usuarios normales de la plataforma Databricks (por ejemplo, hay un ingeniero de datos principal que administra la plataforma y también realiza trabajos de ingeniería de datos), Databricks recomienda crear una cuenta independiente para las tareas administrativas. Es importante tener en cuenta que, como parte del modelo RBAC de Azure, los usuarios a los que se les conceden permisos de colaborador o superior para el grupo de recursos de un área de trabajo de Azure Databricks implementada se convierten automáticamente en administradores cuando inician sesión en esa área de trabajo. 
Por lo tanto, las mismas consideraciones descritas anteriormente también deben aplicarse a los usuarios de Azure Portal.", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "id": "O01.04", + "service": "Azure Databricks", + "severity": "Alto", + "subcategory": "", + "text": "Separe las cuentas de administrador de las cuentas de usuario normales", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "SCIM (System for Cross-domain Identity Management) permite sincronizar usuarios y grupos de Microsoft Entra ID con Azure Databricks. Hay tres ventajas principales de este enfoque: 1. Al quitar un usuario, el usuario se quita automáticamente de Databricks. 2. Los usuarios también pueden ser deshabilitados temporalmente a través de SCIM. Los clientes han usado esta funcionalidad para escenarios en los que creen que una cuenta puede estar en peligro y necesitan investigar 3. Los grupos se sincronizan automáticamente Consulte la documentación para obtener instrucciones detalladas sobre cómo configurar SCIM para Azure Databricks. Esta característica requiere el plan de tarifa Premium", + "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", + "id": "O01.05", + "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/", + "service": "Azure Databricks", + "severity": "Medio", + "subcategory": "", + "text": "Sincronización SCIM de usuarios y grupos.", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Mediante el uso de políticas de clúster o las ACL de clúster más antiguas, los administradores pueden definir qué usuarios o grupos dentro de la organización pueden crear clústeres. Las ACL de clúster permiten especificar qué usuarios pueden adjuntar un bloc de notas a un clúster determinado. Tenga en cuenta que si un usuario comparte un bloc de notas que ya está conectado a un clúster de modo estándar, el destinatario también podrá ejecutar código en ese clúster. 
Esto no se aplica a los clústeres que aplican el aislamiento de usuarios: Almacenes SQL, alta simultaneidad con clústeres de ACL de tabla y alta simultaneidad con clústeres de paso a través de credenciales. Los clientes que usan Unity Catalog también pueden habilitar clústeres de un solo usuario para aplicar clústeres de aislamiento.", + "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", + "id": "O01.06", + "service": "Azure Databricks", + "severity": "Medio", + "subcategory": "", + "text": "Limite los derechos de creación de clústeres.", + "waf": "Seguridad" + }, + { + "category": "", + "description": "Los administradores de cuentas pueden configurar una configuración del área de trabajo denominada RestrictWorkspaceAdmins para restringir a los administradores del área de trabajo para que solo cambien el propietario de un trabajo a sí mismos y la configuración de ejecución del trabajo como a una entidad de servicio en la que tengan el rol de usuario de entidad de servicio.", + "guid": "6b57dfc6-5546-41e1-a3e3-453a3c863964", + "id": "P01.01", + "link": "https://learn.microsoft.com/azure/databricks/admin/workspace-settings/restrict-workspace-admins", + "severity": "Alto", + "subcategory": "", + "text": "Restringir a los administradores del espacio de trabajo" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Es importante tener en cuenta que, aunque los clientes usen Azure Key Vault para almacenar sus secretos, los controles de acceso deben definirse en Azure Databricks. 
Esto se debe a que se usa la misma identidad de servicio para recuperar el secreto de todos los usuarios de un área de trabajo de Azure Databricks.", + "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", + "id": "Q01.01", + "service": "Azure Databricks", + "severity": "Alto", + "subcategory": "", + "text": "Almacenamiento de contraseñas y secretos en Azure Key Vault", + "waf": "Seguridad" + }, + { + "category": "", + "guid": "42b16c21-d799-49a6-96f4-389a8f42c78e", + "id": "R01.01", + "severity": "Alto", + "subcategory": "", + "text": "Regenere/gire las teclas si las usa periódicamente" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Los clústeres con aislamiento de usuario incluyen la aplicación de modo que cada usuario se ejecute como una cuenta de usuario sin privilegios diferente en el host del clúster. Los lenguajes también se limitan a aquellos que se pueden implementar de forma aislada (SQL y Python), y las API de Spark deben estar en una lista de permitidos de aquellos que creemos que son seguros para el aislamiento.", + "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3", + "id": "S01.01", + "service": "Azure Databricks", + "severity": "Medio", + "subcategory": "", + "text": "Utilice clústeres que admitan el aislamiento de usuarios.", + "waf": "Seguridad" + }, + { + "category": "Gestión de identidades y accesos", + "description": "Va en contra de los procedimientos recomendados de seguridad vincular las cargas de trabajo de producción a cuentas de usuario individuales, por lo que se recomienda configurar entidades de servicio dentro de Databricks. Los principios de servicio separan las acciones del administrador y del usuario de la carga de trabajo y evitan que las cargas de trabajo se vean afectadas si un usuario abandona una organización. 
Con Databricks, puede configurar trabajos para que se ejecuten como entidades de servicio y generar tokens de acceso personal para entidades de servicio.", + "guid": "e29711b1-352b-4eee-879b-588defc5972c", + "id": "S01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/", + "service": "Azure Databricks", + "severity": "Medio", + "subcategory": "", + "text": "Use entidades de servicio para ejecutar trabajos de producción. Utilice el control de acceso adecuado para los controles de seguridad de nivel de área de trabajo (ACL), nivel de cuenta (RBAC) y nivel de datos (catálogo de Unity)", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "De forma predeterminada, DBFS es un sistema de archivos al que pueden acceder todos los usuarios del espacio de trabajo determinado y al que se puede acceder a través de la API. Esto no es necesariamente un problema importante de exfiltración de datos, ya que puede limitar el acceso al acceso a los datos a través de la API de DBFS o la CLI de Databricks mediante listas de acceso IP o acceso a redes privadas. Sin embargo, a medida que crezca el uso de Azure Databricks y más usuarios se unan a un área de trabajo, esos usuarios tendrían acceso a los datos almacenados en DBFS, lo que crearía la posibilidad de que se compartiera información no deseada. Databricks recomienda a nuestros clientes que no almacenen datos de producción en DBFS.", + "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c", + "id": "T01.01", + "service": "Azure Databricks", + "severity": "Alto", + "subcategory": "", + "text": "Evite almacenar datos de producción en DBFS.", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "En el caso de las cuentas de almacenamiento que administra, es su responsabilidad asegurarse de que las cuentas de almacenamiento estén protegidas según sus requisitos. 
Algunos ejemplos pueden ser: Cifrado con la clave administrada por el cliente, Restricción del acceso a redes de confianza con un firewall de almacenamiento, No se permite el acceso público anónimo", + "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8", + "id": "T01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "severity": "Medio", + "subcategory": "", + "text": "Cifre el almacenamiento y restrinja el acceso.", + "waf": "Seguridad" + }, + { + "category": "Protección de datos", + "description": "Agregue una clave administrada por el cliente para los datos seleccionados almacenados en el plano de control de Azure Databricks, como cuadernos, secretos, consultas SQL de Databricks y el historial de consultas SQL de Databricks, así como para la cuenta de almacenamiento raíz usada para DBFS. Azure Databricks requiere acceso a esta clave para las operaciones en curso. Puede revocar el acceso a la clave para impedir que Azure Databricks acceda a los datos cifrados en el plano de control (o en nuestras copias de seguridad). Esto es como una opción nuclear donde el espacio de trabajo deja de funcionar, pero proporciona un control de emergencia para situaciones extremas. 
Esta característica requiere el plan de tarifa Premium.", + "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9", + "id": "T01.03", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "severity": "Medio", + "subcategory": "", + "text": "Adición de una clave administrada por el cliente para los servicios administrados y el almacenamiento del área de trabajo", + "waf": "Seguridad" + }, + { + "category": "Gestión de redes", + "description": "Configure listas de acceso IP que restrinjan las direcciones IP que se pueden autenticar en Databricks en el nivel de la consola de cuenta y el área de trabajo comprobando si el usuario o el cliente de API procede de un intervalo de direcciones IP correcto conocido, como una VPN o una red de oficina. Las sesiones de usuario establecidas no funcionan si el usuario se mueve a una dirección IP incorrecta, como cuando se desconecta de la VPN. ", + "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", + "id": "U01.01", + "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list", + "service": "Azure Databricks", + "severity": "Medio", + "subcategory": "", + "text": "Habilite las listas de acceso IP para restringir el acceso a determinadas direcciones IP.", + "waf": "Seguridad" + }, + { + "category": "Gestión de redes", + "description": "Azure Private Link proporciona una ruta de red privada de un entorno de Azure a otro. Private Link se puede configurar tanto entre los usuarios de Azure Databricks y el plano de control, como entre el plano de control y el plano de datos. Entre los usuarios de Databricks y el plano de control, Private Link proporciona controles seguros que limitan el origen de las solicitudes entrantes. Si una empresa ya enruta el tráfico a través de un entorno de Azure, puede usar Private Link para que la comunicación entre los usuarios y el plano de control de Azure Databricks no atraviese direcciones IP públicas. 
Esta característica requiere el plan de tarifa Premium. Use Azure Private Link para conectarse desde Azure Databricks a los recursos de Azure. Private Link no solo garantiza", + "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3", + "id": "U01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link", + "service": "Azure Databricks", + "severity": "Medio", + "subcategory": "", + "text": "Configure y use Azure Private Link para acceder a los recursos de Azure.", + "waf": "Seguridad" + } + ], + "metadata": { + "name": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "state": "Preview", + "timestamp": "October 21, 2024", + "waf": "Security" + }, + "severities": [ + { + "name": "Alto" + }, + { + "name": "Medio" + }, + { + "name": "Bajo" + } + ], + "status": [ + { + "description": "Esta comprobación aún no se ha examinado", + "name": "No verificado" + }, + { + "description": "Hay un elemento de acción asociado a esta comprobación", + "name": "Abrir" + }, + { + "description": "Esta comprobación se ha verificado y no hay más elementos de acción asociados a ella", + "name": "Cumplido" + }, + { + "description": "Recomendación comprendida, pero no necesaria por los requisitos actuales", + "name": "No es necesario" + }, + { + "description": "No aplicable para el diseño actual", + "name": "N/A" + } + ], + "waf": [ + { + "name": "Fiabilidad" + }, + { + "name": "Seguridad" + }, + { + "name": "Costar" + }, + { + "name": "Operaciones" + }, + { + "name": "Rendimiento" + } + ], + "yesno": [ + { + "name": "Sí" + }, + { + "name": "No" + } + ] +} \ No newline at end of file diff --git a/checklists/datasecurity_checklist.ja.json b/checklists/datasecurity_checklist.ja.json new file mode 100644 index 000000000..a8c87ff8b --- /dev/null +++ b/checklists/datasecurity_checklist.ja.json 
@@ -0,0 +1,809 @@ +{ + "categories": [], + "items": [ + { + "category": "ID およびアクセス管理", + "description": "データ プレーン アクセスのローカル認証方法の使用を制限します。代わりに、データ プレーン アクセスを制御するための既定の認証方法として Microsoft Entra ID を使用します。", + "guid": "32d41e36-11c8-417b-8afb-c410d4391898", + "id": "A01.01", + "service": "Azure Synapse Analytics", + "severity": "高い", + "subcategory": "", + "text": "Synapse 上の sql ワークロードでのローカル ユーザーの使用を制限する", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "Microsoft Entra ID を既定の認証方法として使用して、データ プレーン アクセスを制御します。", + "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", + "id": "A01.02", + "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "subcategory": "", + "text": "マネージド ID を使用してサービスに対して認証する", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "日常的な管理操作に必要ない場合は、緊急時のみの使用のためにローカル管理者アカウントを無効または制限します。", + "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", + "id": "A01.03", + "service": "Azure Synapse Analytics", + "severity": "高い", + "subcategory": "", + "text": "高い権限を持つユーザーや管理ユーザーを分離して制限し、MFAと条件付きポリシーを有効にする", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "Azure Synapse には、Synapse Studio のさまざまな側面を管理するための Synapse ロールベースのアクセス制御 (RBAC) ロールも含まれています。これらの組み込みロールを活用して、ユーザー、グループ、またはその他のセキュリティ プリンシパルにアクセス許可を割り当て、コード成果物の発行、公開されたコード成果物の一覧表示またはアクセス、Apache Spark プールと統合ランタイムでのコードの実行、資格情報で保護されているリンクされた (データ) サービスへのアクセス、ジョブ実行の監視またはキャンセル、ジョブ出力と実行ログの確認を行うことができます。", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "id": "A01.04", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "subcategory": "", + "text": "Azure RBAC を使用してストレージへのアクセスを制御し、Synapse RBAC を使用してチームのペルソナに応じてワークスペース レベルでアクセスを制御して、データとコンピューティングへのアクセスをきめ細かくします", + "waf": "安全" + }, + { + 
"category": "ID およびアクセス管理", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "id": "A01.05", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "subcategory": "", + "text": "RLS、CLS、データ マスキングを専用の SQL プール内の SQL ワークロードに実装して、セキュリティのレイヤーを追加する", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "description": "Azure Synapse ワークスペースを作成するときに、Microsoft Azure Virtual Network に関連付けることを選択できます。ワークスペースに関連付けられている仮想ネットワークは、Azure Synapse によって管理されます。この仮想ネットワークは、マネージド ワークスペース仮想ネットワークと呼ばれます。これは、ワークスペースをデプロイするときに選択できます", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "id": "B01.01", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "subcategory": "", + "text": "マネージド vnet ワークスペースを使用して、パブリック インターネット経由のアクセスを制限する", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "description": "機密データを保護するために、ワークスペース エンドポイントへのパブリック アクセスを完全に無効にすることをお勧めします。これにより、すべてのワークスペース エンドポイントにプライベート エンドポイントを使用してのみアクセスできるようになります。", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "id": "B01.02", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "subcategory": "", + "text": "外部サービスに接続し、パブリックアクセスを無効にするようにプライベートエンドポイントを設定します", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "description": "パブリック アクセスを有効にする必要がある場合は、指定したパブリック IP アドレスの一覧からの受信接続のみを許可するように IP ファイアウォール規則を構成することを強くお勧めします。", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "subcategory": "", + "text": 
"パブリック アクセスを有効にする場合は、IP ファイアウォール ルールを構成することを強くお勧めします", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "id": "B01.04", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "subcategory": "", + "text": "企業ネットワークから離れるべきではない機密データを扱っている場合は、vnet に SHIR VM をデプロイします", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "description": "これはワークスペースをデプロイするときにのみ実行できますが、PyPI などのパブリック リポジトリからインストールされた Python ライブラリはサポートされていません。(有効にする前に制限について考えてください)", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "id": "B01.05", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "subcategory": "", + "text": "データ流出防止 (DEP) を有効にする", + "waf": "安全" + }, + { + "category": "データ保護", + "description": "暗号化の最初のレイヤーは Microsoft マネージド キーによって行われますが、カスタマー マネージド キーを使用して 2 番目の暗号化レイヤーを追加できます", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "id": "C01.01", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "subcategory": "", + "text": "ワークスペースのカスタマー マネージド キーを使用した保存時のデータ暗号化", + "waf": "安全" + }, + { + "category": "データ保護", + "description": "Azure Synapse は TLS を利用して、移動中のデータが暗号化されるようにします。SQL 専用プールでは、暗号化のために TLS 1.0、TLS 1.1、TLS 1.2 バージョンがサポートされています。このバージョンでは、Microsoft が提供するドライバーでは既定で TLS 1.2 が使用されます。サーバーレス SQL プールと Apache Spark プールでは、すべての送信接続に TLS 1.2 が使用されます。", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "id": "C01.02", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "subcategory": "", + "text": "転送中のデータ暗号化", + "waf": "安全" + }, 
+ { + "category": "データ保護", + "description": "Keyvaults を使用してシークレットと資格情報を格納する", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "id": "C01.03", + "service": "Azure Synapse Analytics", + "severity": "高い", + "subcategory": "", + "text": "パスワード、セキュリティ、キーを Azure Key Vault に格納する", + "waf": "安全" + }, + { + "category": "", + "description": "資格情報またはシークレット値を Azure Key Vault に格納し、パイプラインの実行中にそれらを使用してアクティビティに渡すことができます。", + "guid": "a3aec2c4-e243-46b0-936d-b55e17960eee", + "id": "D01.01", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "severity": "中程度", + "subcategory": "", + "text": "パイプライン アクティビティで Azure Key Vault シークレットを使用する" + }, + { + "category": "ID およびアクセス管理", + "description": "データ プレーン アクセスのローカル認証方法の使用を制限します。代わりに、データ プレーン アクセスを制御するための既定の認証方法として Microsoft Entra ID を使用します。", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "id": "E01.01", + "service": "Azure Data Factory", + "severity": "高い", + "subcategory": "", + "text": "必要に応じてローカルユーザーの使用を制限する", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "マネージド ID を使用すると、資格情報を管理する必要がなくなります。マネージド ID は、Microsoft Entra 認証をサポートするリソースに接続するときに、サービス インスタンスの ID を提供します。", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "id": "E01.02", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", + "severity": "中程度", + "subcategory": "", + "text": "マネージド ID を使用してサービスに対して認証する", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "日常的な管理操作に必要ない場合は、緊急時のみの使用のためにローカル管理者アカウントを無効または制限します。", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "id": "E01.03", + "service": "Azure Data Factory", + "severity": "高い", + "subcategory": "", + "text": "高い権限を持つユーザーや管理ユーザーを分離して制限し、MFAと条件付きポリシーを有効にする", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "guid": "4e4f1854-287d-45cd-a126-cc032af5b1fc", + "id": "F01.01", + "service": "Azure Data Factory", + "severity": "中程度", + 
"subcategory": "", + "text": "パブリックインターネット経由のアクセスを無効にし、ファイアウォールルールまたは信頼できるサービスルールのいずれかを設定します" + }, + { + "category": "ネットワークセキュリティ", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "id": "F01.02", + "service": "Azure Data Factory", + "severity": "中程度", + "subcategory": "", + "text": "企業ネットワークから離れるべきではない機密データを扱っている場合は、vnet に SHIR VM をデプロイします", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "description": "Data Factory マネージド仮想ネットワーク内に Azure 統合ランタイムを作成すると、統合ランタイムはマネージド仮想ネットワークと共にプロビジョニングされます。プライベート エンドポイントを使用して、サポートされているデータ ストアに安全に接続します。", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "id": "F01.03", + "service": "Azure Data Factory", + "severity": "中程度", + "subcategory": "", + "text": "マネージド vnet IR を使用して、Azure Integration Runtime のパブリック インターネット経由のアクセスを制限する", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "description": "マネージド プライベート エンドポイントは、Azure リソースへのプライベート リンクを確立する Data Factory マネージド仮想ネットワークで作成されたプライベート エンドポイントです。Data Factory は、ユーザーに代わってこれらのプライベート エンドポイントを管理します。", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "id": "F01.04", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", + "severity": "中程度", + "subcategory": "", + "text": "マネージド プライベート エンドポイントを構成して、マネージド Azure IR を使用してリソースに接続する", + "waf": "安全" + }, + { + "category": "", + "description": "Azure Private Link を使用すると、プライベート エンドポイントを介して Azure のさまざまなサービスとしてのプラットフォーム (PaaS) デプロイに接続できます。プライベート エンドポイントは、特定の仮想ネットワークとサブネット内のプライベート IP アドレスです", + "guid": "b47a393a-0804-4272-a479-8b1578b219a4", + "id": "G01.01", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-private-link", + "severity": "中程度", + "subcategory": "", + "text": "顧客の Vnet とデータ ファクトリのソースに接続するように Private Link を構成する" + }, + { + "category": "データ保護", + "description": "これはデフォルト設定です", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "id": "H01.01", + "service": "Azure Data Factory", + "severity": 
"中程度", + "subcategory": "", + "text": "Microsoft マネージド キーによる保存時のデータ暗号化", + "waf": "安全" + }, + { + "category": "データ保護", + "description": "これはデフォルト設定です", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "id": "H01.02", + "service": "Azure Data Factory", + "severity": "中程度", + "subcategory": "", + "text": "Microsoft マネージド キーによる転送中のデータ暗号化", + "waf": "安全" + }, + { + "category": "データ保護", + "description": "カスタマー マネージド キーを指定すると、Data Factory はファクトリ システム キーと CMK の両方を使用して顧客データを暗号化します。どちらかが欠落していると、データとファクトリへのアクセスが拒否されます。", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "id": "H01.03", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", + "severity": "中程度", + "subcategory": "", + "text": "BYOK (カスタマー マネージド キー) による転送中のデータ暗号化", + "waf": "安全" + }, + { + "category": "データ保護", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "id": "H01.04", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "高い", + "subcategory": "", + "text": "パスワードとシークレットを Azure Key Vault に格納する", + "waf": "安全" + }, + { + "category": "データ保護", + "description": "資格情報またはシークレット値を Azure Key Vault に格納し、パイプラインの実行中にそれらを使用してアクティビティに渡すことができます。", + "guid": "6f4a1652-bddd-4ea8-a487-cdec4861bc3b", + "id": "H01.05", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "中程度", + "subcategory": "", + "text": "パイプライン アクティビティで Azure Key Vault シークレットを使用する" + }, + { + "category": "データ保護", + "description": "オンプレミスのデータ ストア (機密情報を含むリンクされたサービス) の資格情報を暗号化して、セルフホステッド統合ランタイムを備えたマシンに格納できます。", + "guid": "c14aeb7e-66e8-4d9a-9bec-218e6436b173", + "id": "H01.06", + "link": 
"https://learn.microsoft.com/azure/data-factory/encrypt-credentials-self-hosted-integration-runtime", + "service": "Azure Data Factory", + "severity": "中程度", + "subcategory": "", + "text": "Azure Data Factory の SHIR データ ストアを使用してオンプレミスの資格情報を暗号化する" + }, + { + "category": "ID およびアクセス管理", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "id": "I01.01", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "コントロール プレーンとデータ プレーンで Microsoft Purview を管理するためのロールと責任を定義する", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "これには Azure RBAC を使用します", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "id": "I01.02", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "Azure サブスクリプション (コントロール プレーン) 内で Microsoft Purview をデプロイおよび管理するために必要なロールとタスクを定義する", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "これには、Microsoft Purview ロールを使用します。", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "id": "I01.03", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "Microsoft Purview を使用してデータ管理とガバナンスを実行するために必要なロールとタスクを定義します。(Data Map と Data Catalog のデータ プレーン。", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "id": "I01.04", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "個々のユーザーにロールを割り当てるのではなく、Microsoft Entra グループにロールを割り当てます。", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "id": "I01.05", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", + "severity": 
"中程度", + "subcategory": "", + "text": "Azure Active Directory エンタイトルメント管理を使用して、アクセス パッケージを使用してユーザー アクセスを Microsoft Entra グループにマップします。", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "id": "I01.06", + "service": "Microsoft Purview", + "severity": "高い", + "subcategory": "", + "text": "Microsoft Purview ユーザー (特に、コレクション管理者、データ ソース管理者、データ キュレーターなどの特権ロールを持つユーザー) に対して多要素認証を適用します。", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "id": "I01.07", + "service": "Microsoft Purview", + "severity": "高い", + "subcategory": "", + "text": "Microsoft Entra ID を使用して、すべてのユーザー、Entra に登録されているセキュリティ グループ、Microsoft Purview のコレクション内のサービス プリンシパルとマネージド ID に認証と承認を提供します", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "id": "I01.08", + "service": "Microsoft Purview", + "severity": "高い", + "subcategory": "", + "text": "最小特権モデルを定義し、特権アカウントの露出を減らす", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "id": "J01.01", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "Private Link サービスを使用して、エンドツーエンドのネットワーク分離を有効にします。(Microsoft Purview データ マップ)", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "id": "J01.02", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "Microsoft Purview ファイアウォールを使用して、パブリック アクセスを無効にします。(Microsoft Purview データ マップ)", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "id": "J01.03", + "link": 
"https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "Azure データ ソースのプライベート エンドポイント、Microsoft Purview プライベート エンドポイント、セルフホステッド ランタイム VM がデプロイされるサブネットのネットワーク セキュリティ グループ (NSG) ルールをデプロイします。(Microsoft Purview データ マップ)", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "id": "J01.04", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "ネットワーク検査やネットワーク フィルタリングのための Azure Firewall など、ネットワーク仮想アプライアンスによって管理されるプライベート エンドポイントを使用して Microsoft Purview を実装します。(Microsoft Purview データ マップ)", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "description": "このプライベート エンドポイントは、ポータルのプライベート エンドポイントの前提条件でもあります。プライベート ネットワークを使用して Microsoft Purview ガバナンス ポータルへの接続を有効にするには、Microsoft Purview ポータルのプライベート エンドポイントが必要です。Microsoft Purview では、インジェスト プライベート エンドポイントを使用して、Azure またはオンプレミス環境のデータ ソースをスキャンできます。プライベートエンドポイントの使用に関する制限 https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "id": "J01.05", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "Microsoft Purview アカウントのプライベート エンドポイントをデプロイしてセキュリティの別のレイヤーを追加し、仮想ネットワーク内から発信されたクライアント呼び出しのみが Microsoft Purview アカウントにアクセスできるようにします", + "waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access。確認すべき制限: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "id": "J01.06", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "Microsoft Purview ファイアウォールを使用してパブリック アクセスをブロックする", + 
"waf": "安全" + }, + { + "category": "ネットワークセキュリティ", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "id": "J01.07", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "ネットワーク セキュリティ グループを使用して、Azure 仮想ネットワーク内の Azure リソースとの間のネットワーク トラフィックをフィルター処理します", + "waf": "安全" + }, + { + "category": "データ保護", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "id": "K01.01", + "service": "Microsoft Purview", + "severity": "高い", + "subcategory": "", + "text": "オンプレミスの vnet の境界を離れることができない機密データがある場合は、企業の vnet 内で SHIR VM を使用してメタデータを抽出することを強くお勧めします", + "waf": "安全" + }, + { + "category": "データ保護", + "description": "メタデータは抽出されて Microsoft Purview Data Map に格納されますが、Purview アカウントにマネージド ストレージ アカウントを使用していない場合は、すべてのユーザーがアクセスできるように公開されているため、適切な RBAC を実装し、データへのアクセスを目的のユーザーのみに制限します。2023 年 12 月 15 日以降にデプロイされたアカウント (または API バージョン 2023-05-01-preview 以降を使用してデプロイされたアカウント) に適用されます", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "id": "K01.02", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "Azure RBAC を使用して、ストレージ アカウント (MS によって管理されていない) のアクセスを目的のユーザーのみに制限します。", + "waf": "安全" + }, + { + "category": "データ保護", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "id": "K01.03", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "保存データは、Microsoft マネージド キーによって暗号化されます", + "waf": "安全" + }, + { + "category": "データ保護", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "id": "K01.04", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "転送中のデータは TLS 1.3 によって暗号化されます", + "waf": "安全" + }, + { + "category": "データ保護", + "guid": 
"bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "id": "K01.05", + "service": "Microsoft Purview", + "severity": "高い", + "subcategory": "", + "text": "マネージド ID を使用していない場合、またはパスワードが必要なメソッドを使用しない場合は、常に Azure Key Vault を使用してすべての資格情報を格納します", + "waf": "安全" + }, + { + "category": "誤削除に対する保護", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "id": "L01.01", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "リソース ロックを適用して Microsoft Purview アカウントの誤削除を防ぐ", + "waf": "安全" + }, + { + "category": "", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "id": "M01.01", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "テナント全体のアカウント ロックアウトを防ぐために、Microsoft Entra テナント、Azure サブスクリプション、Microsoft Purview アカウントの非常用戦略を計画します。", + "waf": "安全" + }, + { + "category": "追加のセキュリティに関する推奨事項", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "id": "N01.01", + "service": "Microsoft Purview", + "severity": "中程度", + "subcategory": "", + "text": "Microsoft 365 および Microsoft Defender for Cloud と統合する", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "管理者アカウントを通常のユーザーアカウントから分離します。", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "id": "O01.01", + "service": "Azure Databricks", + "severity": "高い", + "subcategory": "", + "text": "最小特権モデルを定義し、特権アカウントの露出を減らす", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "Azure Databricks では Microsoft Entra ID の条件付きアクセスがサポートされているため、管理者はユーザーが Azure Databricks にサインインできる場所とタイミングを制御できます。条件付きアクセス ポリシーでは、企業ネットワークへのサインインを制限したり、多要素認証 (MFA) を要求したりできます。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "id": "O01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", + 
"severity": "高い", + "subcategory": "", + "text": "シングルサインオンと統合ログインを設定します。多要素認証を有効にします。", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "お客様は、トークン管理 API または UI コントロールを使用して、REST API 認証のパーソナル アクセス トークン (PAT) を有効または無効にしたり、PAT を使用できるユーザーの制限を行ったり、新しいトークンの最大有効期間を設定したり、既存のトークンを管理したりできます。安全性の高いお客様は、通常、ワークスペースの新しいトークンに対してトークンの最大有効期間をプロビジョニングします。この機能には、Premium 価格レベルが必要です。", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "id": "O01.03", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens", + "service": "Azure Databricks", + "severity": "中程度", + "subcategory": "", + "text": "トークン管理を使用します。", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "Databricks プラットフォームの通常のユーザーでもある Databricks 管理者がいる場合 (たとえば、プラットフォームを管理し、データ エンジニアリング作業も行うリード データ エンジニアがいる場合)、Databricks では管理タスク用に別のアカウントを作成することをお勧めします。Azure RBAC モデルの一部として、デプロイされた Azure Databricks ワークスペースのリソース グループに対する共同作成者以上のアクセス許可を付与されたユーザーは、そのワークスペースにログインすると自動的に管理者になることに注意してください。したがって、上記で説明したのと同じ考慮事項を Azure portal ユーザーにも適用する必要があります。", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "id": "O01.04", + "service": "Azure Databricks", + "severity": "高い", + "subcategory": "", + "text": "管理者アカウントを通常のユーザーアカウントから分離する", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "SCIM (System for Cross-domain Identity Management) を使用すると、ユーザーとグループを Microsoft Entra ID から Azure Databricks に同期できます。このアプローチには、主に 3 つの利点があります: 1. ユーザーを削除すると、そのユーザーは Databricks から自動的に削除されます。2. 
ユーザーは、SCIMを介して一時的に無効にすることもできます。お客様は、アカウントが侵害された可能性があり、調査する必要があるとお客様が考えるシナリオで、この機能を使用しています 3.グループは自動的に同期されます Azure Databricks の SCIM を構成する方法の詳細については、ドキュメントを参照してください。この機能には Premium 価格レベルが必要です", + "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", + "id": "O01.05", + "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/", + "service": "Azure Databricks", + "severity": "中程度", + "subcategory": "", + "text": "ユーザーとグループの SCIM 同期。", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "管理者は、クラスターポリシーまたは古いクラスター ACL を使用して、組織内のどのユーザーまたはグループがクラスターを作成できるかを定義できます。クラスター ACL を使用すると、特定のクラスターにノートブックをアタッチできるユーザーを指定できます。ユーザーが標準モードのクラスターに既にアタッチされているノートブックを共有している場合、受信者もそのクラスターでコードを実行できることに注意してください。これは、ユーザーの分離を強制するクラスター (SQL ウェアハウス、テーブル ACL クラスターによる高いコンカレンシー、資格情報パススルー クラスターによる高いコンカレンシー) には適用されません。Unity Catalog を使用しているお客様は、シングルユーザー クラスターを有効にして、分離クラスターを適用することもできます。", + "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", + "id": "O01.06", + "service": "Azure Databricks", + "severity": "中程度", + "subcategory": "", + "text": "クラスターの作成権限を制限します。", + "waf": "安全" + }, + { + "category": "", + "description": "アカウント管理者は、RestrictWorkspaceAdmins というワークスペース設定を構成して、ワークスペース管理者がジョブ所有者を自分自身に変更し、ジョブ実行設定をサービス プリンシパル ユーザー ロールを持つサービス プリンシパルに変更するように制限できます。", + "guid": "6b57dfc6-5546-41e1-a3e3-453a3c863964", + "id": "P01.01", + "link": "https://learn.microsoft.com/azure/databricks/admin/workspace-settings/restrict-workspace-admins", + "severity": "高い", + "subcategory": "", + "text": "ワークスペース管理者を制限する" + }, + { + "category": "ID およびアクセス管理", + "description": "お客様が Azure Key Vault を使用してシークレットを格納する場合でも、アクセス制御は Azure Databricks 内で定義する必要があることに注意することが重要です。これは、同じサービス ID を使用して、Azure Databricks ワークスペースのすべてのユーザーのシークレットが取得されるためです。", + "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", + "id": "Q01.01", + "service": "Azure Databricks", + "severity": "高い", + "subcategory": "", + "text": "パスワードとシークレットを Azure Key Vault に格納する", + "waf": "安全" + }, + { + "category": "", + "guid": 
"42b16c21-d799-49a6-96f4-389a8f42c78e", + "id": "R01.01", + "severity": "高い", + "subcategory": "", + "text": "キーを定期的に使用する場合は、キーを再生成/ローテーションします" + }, + { + "category": "ID およびアクセス管理", + "description": "ユーザー分離が設定されたクラスターには、各ユーザーがクラスター ホスト上で異なる非特権ユーザー アカウントとして実行されるような強制が含まれます。また、言語は分離された方法で実装できる言語 (SQL と Python) に限定されており、Spark API は分離セーフであると思われる言語の許可リストに含まれている必要があります。", + "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3", + "id": "S01.01", + "service": "Azure Databricks", + "severity": "中程度", + "subcategory": "", + "text": "ユーザーの分離をサポートするクラスターを使用します。", + "waf": "安全" + }, + { + "category": "ID およびアクセス管理", + "description": "運用ワークロードを個々のユーザー アカウントに関連付けることはセキュリティのベスト プラクティスに反するため、Databricks 内でサービス プリンシパルを構成することをお勧めします。サービス原則は、管理者とユーザーのアクションをワークロードから分離し、ユーザーが組織を離れた場合にワークロードが影響を受けるのを防ぎます。Databricks を使用すると、ジョブをサービス プリンシパルとして実行するように構成し、サービス プリンシパルの個人用アクセス トークンを生成できます。", + "guid": "e29711b1-352b-4eee-879b-588defc5972c", + "id": "S01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/", + "service": "Azure Databricks", + "severity": "中程度", + "subcategory": "", + "text": "サービス プリンシパルを使用して、運用ジョブを実行します。ワークスペース レベル (ACL)、アカウント レベル (RBAC)、データ レベル (Unity カタログ) のセキュリティ制御に適切なアクセス制御を使用する", + "waf": "安全" + }, + { + "category": "データ保護", + "description": "デフォルトでは、DBFSは、特定のワークスペースのすべてのユーザーがアクセスでき、APIを介してアクセスできるファイルシステムです。IP アクセス リストまたはプライベート ネットワーク アクセスを使用して、DBFS API または Databricks cli を介したデータへのアクセスを制限できるため、これは必ずしもデータ流出の大きな懸念事項ではありません。ただし、Azure Databricks の使用が拡大し、ワークスペースに参加するユーザーが増えると、それらのユーザーは DBFS に格納されている任意のデータにアクセスできるようになり、望ましくない情報共有が発生する可能性があります。Databricks では、お客様が運用データを DBFS に保存しないことをお勧めします。", + "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c", + "id": "T01.01", + "service": "Azure Databricks", + "severity": "高い", + "subcategory": "", + "text": "運用データを DBFS に格納しないでください。", + "waf": "安全" + }, + { + "category": "データ保護", + "description": "管理するストレージ アカウントについては、要件に従ってストレージ アカウントが保護されていることを確認するのは、ユーザーの責任です。例としては、カスタマー マネージド キーによる暗号化、ストレージ 
ファイアウォールによる信頼できるネットワークへのアクセスの制限、匿名のパブリック アクセスは許可されないなどがあります", + "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8", + "id": "T01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "severity": "中程度", + "subcategory": "", + "text": "ストレージを暗号化し、アクセスを制限します。", + "waf": "安全" + }, + { + "category": "データ保護", + "description": "Azure Databricks コントロール プレーン内に格納されている選択データ (ノートブック、シークレット、Databricks SQL クエリ、Databricks SQL クエリ履歴など) と、DBFS に使用されるルート ストレージ アカウントに対して、カスタマー マネージド キーを追加します。Azure Databricks では、継続的な操作のためにこのキーにアクセスする必要があります。キーへのアクセスを取り消すと、Azure Databricks がコントロール プレーン内 (またはバックアップ内) の暗号化データにアクセスできないようにすることができます。これは、ワークスペースが機能しなくなる核オプションのようなものですが、極端な状況に対する緊急制御を提供します。この機能には、Premium 価格レベルが必要です。", + "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9", + "id": "T01.03", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "severity": "中程度", + "subcategory": "", + "text": "マネージド サービスとワークスペース ストレージのカスタマー マネージド キーを追加する", + "waf": "安全" + }, + { + "category": "ネットワーキング", + "description": "アカウント コンソールとワークスペース レベルで Databricks に対して認証できる IP アドレスを制限する IP アクセス リストを構成するには、ユーザーまたは API クライアントが VPN やオフィス ネットワークなどの既知の良好な IP アドレス範囲から来ているかどうかを確認します。確立されたユーザーセッションは、VPNから切断するときなど、ユーザーが不正なIPアドレスに移動した場合、機能しません。", + "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", + "id": "U01.01", + "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list", + "service": "Azure Databricks", + "severity": "中程度", + "subcategory": "", + "text": "IP アクセス リストを有効にして、特定の IP アドレスへのアクセスを制限します。", + "waf": "安全" + }, + { + "category": "ネットワーキング", + "description": "Azure Private Link は、ある Azure 環境から別の Azure 環境へのプライベート ネットワーク ルートを提供します。Private Link は、Azure Databricks ユーザーとコントロール プレーンの間、およびコントロール プレーンとデータ プレーンの間の両方で構成できます。Databricks ユーザーとコントロール プレーンの間では、Private Link は受信要求のソースを制限する強力な制御を提供します。企業が既に Azure 環境経由でトラフィックをルーティングしている場合は、Private Link 
を使用して、ユーザーと Azure Databricks コントロール プレーン間の通信がパブリック IP アドレスを経由しないようにすることができます。この機能には、Premium 価格レベルが必要です。Azure Private Link を使用して、Azure Databricks から Azure リソースに接続します。Private Link は、",
+ "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3",
+ "id": "U01.02",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link",
+ "service": "Azure Databricks",
+ "severity": "中程度",
+ "subcategory": "",
+ "text": "Azure Private Link を構成して使用し、Azure リソースにアクセスします。",
+ "waf": "安全"
+ }
+ ],
+ "metadata": {
+ "name": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "state": "Preview",
+ "timestamp": "October 21, 2024",
+ "waf": "Security"
+ },
+ "severities": [
+ {
+ "name": "高い"
+ },
+ {
+ "name": "中程度"
+ },
+ {
+ "name": "低い"
+ }
+ ],
+ "status": [
+ {
+ "description": "このチェックはまだ見ていません",
+ "name": "未確認"
+ },
+ {
+ "description": "このチェックにはアクションアイテムが関連付けられています",
+ "name": "開ける"
+ },
+ {
+ "description": "このチェックは検証済みであり、これ以上のアクション アイテムは関連付けられていません",
+ "name": "達成"
+ },
+ {
+ "description": "推奨事項は理解されているが、現在の要件では必要ではない",
+ "name": "必須ではありません"
+ },
+ {
+ "description": "現在のデザインには適用されません",
+ "name": "該当なし"
+ }
+ ],
+ "waf": [
+ {
+ "name": "確実"
+ },
+ {
+ "name": "安全"
+ },
+ {
+ "name": "費用"
+ },
+ {
+ "name": "オペレーションズ"
+ },
+ {
+ "name": "パフォーマンス"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "はい"
+ },
+ {
+ "name": "いいえ"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/checklists/datasecurity_checklist.ko.json b/checklists/datasecurity_checklist.ko.json
new file mode 100644
index 000000000..6788bac11
--- /dev/null
+++ b/checklists/datasecurity_checklist.ko.json
@@ -0,0 +1,809 @@
+{
+ "categories": [],
+ "items": [
+ {
+ "category": "ID 및 액세스 관리",
+ "description": "데이터 플레인 액세스에 대한 로컬 인증 방법의 사용을 제한합니다. 대신 Microsoft Entra ID를 기본 인증 방법으로 사용하여 데이터 평면 액세스를 제어합니다.",
+ "guid": "32d41e36-11c8-417b-8afb-c410d4391898",
+ "id": "A01.01",
+ "service": "Azure Synapse Analytics",
+ "severity": "높다",
+ "subcategory": "",
+ "text": "Synapse의 SQL 워크로드에서 로컬 사용자 사용 제한",
+ "waf": "안전"
+ },
+ {
+ "category": "ID 및 액세스 관리",
+ "description": "Microsoft Entra ID를 기본 인증 방법으로 사용하여 데이터 평면 액세스를 제어합니다.",
+ "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a",
+ "id": "A01.02",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext",
+ "service": "Azure Synapse Analytics",
+ "severity": "보통",
+ "subcategory": "",
+ "text": "관리 ID를 사용하여 서비스에 인증",
+ "waf": "안전"
+ },
+ {
+ "category": "ID 및 액세스 관리",
+ "description": "일상적인 관리 작업에 필요하지 않은 경우 긴급 용도로만 로컬 관리자 계정을 사용하지 않도록 설정하거나 제한합니다.",
+ "guid": "ec823923-7a15-42d6-ac5e-402925388e5d",
+ "id": "A01.03",
+ "service": "Azure Synapse Analytics",
+ "severity": "높다",
+ "subcategory": "",
+ "text": "높은 권한이 부여된/관리 사용자를 분리 및 제한하고 MFA 및 조건부 정책을 사용하도록 설정합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "ID 및 액세스 관리",
+ "description": "Azure Synapse에는 Synapse Studio의 다양한 측면을 관리하기 위한 Synapse RBAC(역할 기반 액세스 제어) 역할도 포함되어 있습니다. 
이러한 기본 제공 역할을 활용하여 사용자, 그룹 또는 기타 보안 주체에 권한을 할당하여 코드 아티팩트를 게시하고, 게시된 코드 아티팩트를 나열하거나 액세스할 수 있는 사용자를 관리하고, Apache Spark 풀 및 통합 런타임에서 코드를 실행하고, 자격 증명으로 보호되는 연결된(데이터) 서비스에 액세스하고, 작업 실행을 모니터링 또는 취소하고, 작업 출력 및 실행 로그를 검토합니다.", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "id": "A01.04", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", + "severity": "보통", + "subcategory": "", + "text": "Azure RBAC를 사용하여 스토리지에 대한 액세스를 제어하고 Synapse RBAC를 사용하여 팀의 가상 사용자에 따라 작업 영역 수준에서 액세스를 제어하여 데이터 및 컴퓨팅에 대한 액세스를 세분화합니다.", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "id": "A01.05", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", + "severity": "보통", + "subcategory": "", + "text": "전용 SQL 풀에서 SQL 워크로드에 RLS, CLS 및 데이터 마스킹을 구현하여 보안 계층을 추가합니다.", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "description": "Azure Synapse 작업 영역을 만들 때 Microsoft Azure Virtual Network에 연결하도록 선택할 수 있습니다. 작업 영역과 연결된 Virtual Network는 Azure Synapse에서 관리됩니다. 이 Virtual Network를 관리형 작업 영역 Virtual Network라고 합니다. 작업 영역을 배포할 때 선택할 수 있습니다", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "id": "B01.01", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "보통", + "subcategory": "", + "text": "관리되는 vnet 작업 영역을 사용하여 공용 인터넷을 통한 액세스 제한", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "description": "중요한 데이터를 보호하려면 작업 영역 엔드포인트에 대한 공용 액세스를 완전히 사용하지 않도록 설정하는 것이 좋습니다. 
이렇게 하면 프라이빗 엔드포인트를 통해서만 모든 작업 영역 엔드포인트에 액세스할 수 있습니다.", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "id": "B01.02", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "보통", + "subcategory": "", + "text": "외부 서비스에 연결하고 공용 액세스를 사용하지 않도록 프라이빗 엔드포인트를 구성합니다.", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "description": "공용 액세스를 사용하도록 설정해야 하는 경우 지정된 공용 IP 주소 목록에서만 인바운드 연결을 허용하도록 IP 방화벽 규칙을 구성하는 것이 좋습니다.", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "subcategory": "", + "text": "공용 액세스를 사용하도록 설정하는 경우 IP 방화벽 규칙을 구성하는 것이 좋습니다.", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "id": "B01.04", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", + "severity": "보통", + "subcategory": "", + "text": "회사 네트워크를 벗어나지 않아야 하는 중요한 데이터로 작업하는 경우 VN에 SHIR VM을 배포합니다.", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "description": "이 작업은 작업 영역을 배포할 때만 수행할 수 있지만 PyPI와 같은 공용 리포지토리에서 설치된 Python 라이브러리는 지원되지 않습니다. 
(활성화하기 전에 제한 사항에 대해 생각하십시오)", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "id": "B01.05", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + "service": "Azure Synapse Analytics", + "severity": "보통", + "subcategory": "", + "text": "DEP(데이터 반출 보호) 사용", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "첫 번째 암호화 계층은 Microsoft 관리형 키에 의해 수행되며, 고객 관리형 키를 사용하여 두 번째 암호화 계층을 추가할 수 있습니다", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "id": "C01.01", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure Synapse Analytics", + "severity": "보통", + "subcategory": "", + "text": "작업 영역에 대한 고객 관리형 키를 사용한 미사용 데이터 암호화Data Encryption at rest using Customer managed Keys for workspace", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "Azure Synapse는 TLS를 활용하여 이동 중인 데이터가 암호화되도록 합니다. SQL 전용 풀은 암호화를 위해 TLS 1.0, TLS 1.1 및 TLS 1.2 버전을 지원하며, Microsoft에서 제공하는 드라이버는 기본적으로 TLS 1.2를 사용합니다. 
서버리스 SQL 풀 및 Apache Spark 풀은 모든 아웃바운드 연결에 TLS 1.2를 사용합니다.", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "id": "C01.02", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", + "severity": "보통", + "subcategory": "", + "text": "전송 중 데이터 암호화 ", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "Keyvaults를 사용하여 비밀 및 자격 증명 저장", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "id": "C01.03", + "service": "Azure Synapse Analytics", + "severity": "높다", + "subcategory": "", + "text": "Azure Key Vault에 암호, secerts 및 키 저장Store passwords, secerts and keys in Azure key vault", + "waf": "안전" + }, + { + "category": "", + "description": "Azure Key Vault에 자격 증명 또는 비밀 값을 저장하고 파이프라인 실행 중에 사용하여 활동에 전달할 수 있습니다.", + "guid": "a3aec2c4-e243-46b0-936d-b55e17960eee", + "id": "D01.01", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "severity": "보통", + "subcategory": "", + "text": "파이프라인 활동에서 Azure Key Vault 비밀 사용Use Azure Key Vault secrets in pipeline activities" + }, + { + "category": "ID 및 액세스 관리", + "description": "데이터 플레인 액세스에 대한 로컬 인증 방법의 사용을 제한합니다. 대신 Microsoft Entra ID를 기본 인증 방법으로 사용하여 데이터 평면 액세스를 제어합니다.", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "id": "E01.01", + "service": "Azure Data Factory", + "severity": "높다", + "subcategory": "", + "text": "필요한 경우 로컬 사용자 사용 제한", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "관리 ID를 사용하면 자격 증명을 관리할 필요가 없습니다. 
관리 ID는 Microsoft Entra 인증을 지원하는 리소스에 연결할 때 서비스 인스턴스에 대한 ID를 제공합니다.", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "id": "E01.02", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", + "severity": "보통", + "subcategory": "", + "text": "관리 ID를 사용하여 서비스에 인증", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "일상적인 관리 작업에 필요하지 않은 경우 긴급 용도로만 로컬 관리자 계정을 사용하지 않도록 설정하거나 제한합니다.", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "id": "E01.03", + "service": "Azure Data Factory", + "severity": "높다", + "subcategory": "", + "text": "높은 권한이 부여된/관리 사용자를 분리 및 제한하고 MFA 및 조건부 정책을 사용하도록 설정합니다.", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "guid": "4e4f1854-287d-45cd-a126-cc032af5b1fc", + "id": "F01.01", + "service": "Azure Data Factory", + "severity": "보통", + "subcategory": "", + "text": "공용 인터넷을 통한 액세스를 비활성화하고 방화벽 규칙 또는 신뢰할 수 있는 서비스 규칙을 구성합니다." + }, + { + "category": "네트워크 보안", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "id": "F01.02", + "service": "Azure Data Factory", + "severity": "보통", + "subcategory": "", + "text": "회사 네트워크를 벗어나지 않아야 하는 중요한 데이터로 작업하는 경우 VN에 SHIR VM을 배포합니다.", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "description": "Data Factory 관리 가상 네트워크 내에서 Azure 통합 런타임을 만들 때 통합 런타임은 관리되는 가상 네트워크로 프로비전됩니다. 프라이빗 엔드포인트를 사용하여 지원되는 데이터 저장소에 안전하게 연결합니다.", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "id": "F01.03", + "service": "Azure Data Factory", + "severity": "보통", + "subcategory": "", + "text": "관리형 vnet IR을 사용하여 Azure Integration Runtime에 대한 공용 인터넷을 통한 액세스 제한", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "description": "관리형 프라이빗 엔드포인트는 Azure 리소스에 대한 프라이빗 링크를 설정하는 Data Factory 관리형 가상 네트워크에서 만든 프라이빗 엔드포인트입니다. 
Data Factory는 사용자를 대신하여 이러한 프라이빗 엔드포인트를 관리합니다.", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "id": "F01.04", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", + "severity": "보통", + "subcategory": "", + "text": "관리형 Azure IR을 사용하여 리소스에 연결하도록 관리형 프라이빗 엔드포인트 구성", + "waf": "안전" + }, + { + "category": "", + "description": "Azure Private Link를 사용하면 프라이빗 엔드포인트를 통해 Azure의 다양한 PaaS(Platform as a Service) 배포에 연결할 수 있습니다. 프라이빗 엔드포인트는 특정 가상 네트워크 및 서브넷 내의 개인 IP 주소입니다", + "guid": "b47a393a-0804-4272-a479-8b1578b219a4", + "id": "G01.01", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-private-link", + "severity": "보통", + "subcategory": "", + "text": "고객 Vnet 및 데이터 팩터리의 원본에 연결하도록 Private Links 구성" + }, + { + "category": "데이터 보호", + "description": "이것이 기본 설정입니다", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "id": "H01.01", + "service": "Azure Data Factory", + "severity": "보통", + "subcategory": "", + "text": "Microsoft 관리형 키를 통한 미사용 데이터 암호화", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "이것이 기본 설정입니다", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "id": "H01.02", + "service": "Azure Data Factory", + "severity": "보통", + "subcategory": "", + "text": "Microsoft 관리형 키를 통한 전송 중 데이터 암호화", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "고객 관리형 키를 지정하면 Data Factory는 팩터리 시스템 키와 CMK를 모두 사용하여 고객 데이터를 암호화합니다. 
둘 중 하나라도 누락되면 데이터 및 공장에 대한 액세스가 거부됩니다.", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "id": "H01.03", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", + "severity": "보통", + "subcategory": "", + "text": "BYOK에 의한 전송 중 데이터 암호화(고객 관리형 키)", + "waf": "안전" + }, + { + "category": "데이터 보호", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "id": "H01.04", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "높다", + "subcategory": "", + "text": "Azure Key Vault에 암호, 비밀 저장Store passwords, secrets in Azure Key Vault", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "Azure Key Vault에 자격 증명 또는 비밀 값을 저장하고 파이프라인 실행 중에 사용하여 활동에 전달할 수 있습니다.", + "guid": "6f4a1652-bddd-4ea8-a487-cdec4861bc3b", + "id": "H01.05", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "보통", + "subcategory": "", + "text": "파이프라인 활동에서 Azure Key Vault 비밀 사용Use Azure Key Vault secrets in pipeline activities" + }, + { + "category": "데이터 보호", + "description": "자체 호스팅 통합 런타임이 있는 컴퓨터에서 온-프레미스 데이터 저장소(중요한 정보가 있는 연결된 서비스)에 대한 자격 증명을 암호화하고 저장할 수 있습니다.", + "guid": "c14aeb7e-66e8-4d9a-9bec-218e6436b173", + "id": "H01.06", + "link": "https://learn.microsoft.com/azure/data-factory/encrypt-credentials-self-hosted-integration-runtime", + "service": "Azure Data Factory", + "severity": "보통", + "subcategory": "", + "text": "Azure Data Factory에서 SHIR 데이터 저장소를 사용하여 온-프레미스에 대한 자격 증명 암호화" + }, + { + "category": "ID 및 액세스 관리", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "id": "I01.01", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "컨트롤 플레인 및 데이터 플레인에서 Microsoft Purview를 관리하기 위한 역할 및 책임 정의", + 
"waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "이를 위해 Azure RBAC를 사용합니다.", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "id": "I01.02", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "Azure 구독(컨트롤 플레인) 내에서 Microsoft Purview를 배포하고 관리하는 데 필요한 역할 및 작업 정의", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "이를 위해 Microsoft Purview 역할을 사용합니다.", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "id": "I01.03", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "Microsoft Purview를 사용하여 데이터 관리 및 거버넌스를 수행하는 데 필요한 역할과 작업을 정의합니다. (데이터 맵 및 데이터 카탈로그에 대한 데이터 평면)", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "id": "I01.04", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "개별 사용자에게 역할을 할당하는 대신 Microsoft Entra 그룹에 역할을 할당합니다.", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "id": "I01.05", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "Azure Active Directory 권한 관리를 사용하여 액세스 패키지를 통해 Microsoft Entra 그룹에 대한 사용자 액세스를 매핑합니다.", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "id": "I01.06", + "service": "Microsoft Purview", + "severity": "높다", + "subcategory": "", + "text": "Microsoft Purview 사용자, 특히 컬렉션 관리자, 데이터 원본 관리자 또는 데이터 큐레이터와 같은 권한 있는 역할이 있는 사용자에 대해 다단계 인증을 적용합니다.", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "guid": 
"267b2258-6f4a-4165-8bdd-dea8a487cdec", + "id": "I01.07", + "service": "Microsoft Purview", + "severity": "높다", + "subcategory": "", + "text": "Microsoft Entra ID를 사용하여 모든 사용자, Entra에 등록된 보안 그룹, 서비스 주체 및 Microsoft Purview의 컬렉션 내 관리 ID에 인증 및 권한 부여를 제공합니다.", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "id": "I01.08", + "service": "Microsoft Purview", + "severity": "높다", + "subcategory": "", + "text": "Least Privilege 모델을 정의하고 권한 있는 계정의 노출을 줄입니다.", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "id": "J01.01", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "Private Link 서비스를 사용하여 엔드투엔드 네트워크 격리를 사용하도록 설정합니다. (Microsoft Purview 데이터 맵)", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "id": "J01.02", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "Microsoft Purview 방화벽을 사용하여 공용 액세스를 사용하지 않도록 설정합니다. (Microsoft Purview 데이터 맵)", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "id": "J01.03", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "Azure 데이터 원본 프라이빗 엔드포인트, Microsoft Purview 프라이빗 엔드포인트 및 자체 호스팅 런타임 VM이 배포되는 서브넷에 대한 NSG(네트워크 보안 그룹) 규칙을 배포합니다. 
(Microsoft Purview 데이터 맵)", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "id": "J01.04", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "네트워크 검사 및 네트워크 필터링을 위한 Azure Firewall과 같은 네트워크 가상 어플라이언스에서 관리하는 프라이빗 엔드포인트를 사용하여 Microsoft Purview를 구현합니다. (Microsoft Purview 데이터 맵)", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "description": "이 프라이빗 엔드포인트는 포털 프라이빗 엔드포인트의 필수 구성 요소이기도 합니다. 프라이빗 네트워크를 사용하여 Microsoft Purview 거버넌스 포털에 연결할 수 있도록 하려면 Microsoft Purview 포털 프라이빗 엔드포인트가 필요합니다. Microsoft Purview는 수집 프라이빗 엔드포인트를 사용하여 Azure 또는 온-프레미스 환경에서 데이터 원본을 검사할 수 있습니다. 프라이빗 엔드포인트 사용에 대한 제한 사항 https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "id": "J01.05", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "Microsoft Purview 계정에 대한 프라이빗 엔드포인트를 배포하여 또 다른 보안 계층을 추가하면 가상 네트워크 내에서 시작된 클라이언트 호출만 Microsoft Purview 계정에 액세스할 수 있습니다", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. 
검토해야 할 제한 사항: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "id": "J01.06", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "Microsoft Purview 방화벽을 사용하여 공용 액세스 차단", + "waf": "안전" + }, + { + "category": "네트워크 보안", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "id": "J01.07", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "네트워크 보안 그룹을 사용하여 Azure 가상 네트워크의 Azure 리소스에서 들어오고 나가는 네트워크 트래픽 필터링Use Network Security Groups to filter network traffic into Azure resources in an Azure virtual network", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "id": "K01.01", + "service": "Microsoft Purview", + "severity": "높다", + "subcategory": "", + "text": "온-프레미스 vnet의 경계를 벗어날 수 없는 중요한 데이터가 있는 경우 회사 vnet 내에서 SHIR VM을 사용하여 메타데이터를 추출하는 것이 좋습니다 ", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "메타데이터는 추출되어 Microsoft Purview 데이터 맵에 저장되며, Purview 계정에 관리 스토리지 계정을 사용하지 않는 경우 모든 사용자가 액세스할 수 있도록 열려 있으므로 적절한 RBAC를 구현하고 의도된 사용자에게만 데이터 액세스를 제한합니다. 
2023년 12월 15일 이후에 배포된 계정(또는 API 버전 2023-05-01-preview 이후를 사용하여 배포된 계정)에 적용됩니다.", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "id": "K01.02", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "Azure RBAC를 사용하여 스토리지 계정(MS에서 관리하지 않음)의 액세스를 의도한 사용자로만 제한합니다.", + "waf": "안전" + }, + { + "category": "데이터 보호", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "id": "K01.03", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "미사용 데이터는 Microsoft 관리형 키로 암호화됩니다.", + "waf": "안전" + }, + { + "category": "데이터 보호", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "id": "K01.04", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "전송 중인 데이터는 TLS 1.3으로 암호화됩니다.", + "waf": "안전" + }, + { + "category": "데이터 보호", + "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "id": "K01.05", + "service": "Microsoft Purview", + "severity": "높다", + "subcategory": "", + "text": "관리 ID를 사용하지 않거나 암호 필요 메서드가 없는 경우 항상 Azure Key Vault를 사용하여 모든 자격 증명을 저장합니다.", + "waf": "안전" + }, + { + "category": "우발적인 삭제에 대한 보호", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "id": "L01.01", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "리소스 잠금을 적용하여 Microsoft Purview 계정의 실수로 삭제되는 것을 방지합니다.", + "waf": "안전" + }, + { + "category": "", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "id": "M01.01", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", + "severity": "보통", + "subcategory": "", + "text": "테넌트 전체 계정 잠금을 방지하기 위해 Microsoft Entra 테넌트, Azure 구독 및 Microsoft Purview 계정에 대한 비상 전략을 계획합니다.", + "waf": "안전" + }, + { + "category": "추가 보안 권장 사항", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "id": "N01.01", + "service": "Microsoft Purview", + "severity": "보통", + 
"subcategory": "", + "text": "Microsoft 365 및 클라우드용 Microsoft Defender와 통합", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "관리자 계정을 일반 사용자 계정과 구분합니다.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "id": "O01.01", + "service": "Azure Databricks", + "severity": "높다", + "subcategory": "", + "text": "Least Privilege 모델을 정의하고 권한 있는 계정의 노출을 줄입니다.", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "Azure Databricks는 관리자가 사용자가 Azure Databricks에 로그인할 수 있는 위치와 시기를 제어할 수 있는 Microsoft Entra ID 조건부 액세스를 지원합니다. 조건부 액세스 정책은 회사 네트워크에 대한 로그인을 제한하거나 MFA(다단계 인증)를 요구할 수 있습니다.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "id": "O01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", + "severity": "높다", + "subcategory": "", + "text": "Single Sign-On 및 통합 로그인을 구성합니다. Multi-Factor Authentication을 사용하도록 설정합니다.", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "고객은 토큰 관리 API 또는 UI 컨트롤을 사용하여 REST API 인증을 위해 PAT(개인용 액세스 토큰)를 사용하거나 사용하지 않도록 설정하고, PAT를 사용할 수 있는 사용자를 제한하고, 새 토큰의 최대 수명을 설정하고, 기존 토큰을 관리할 수 있습니다. 보안이 매우 안전한 고객은 일반적으로 작업 영역의 새 토큰에 대한 최대 토큰 수명을 프로비전합니다. 이 기능을 사용하려면 프리미엄 가격 책정 계층이 필요합니다.", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "id": "O01.03", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens", + "service": "Azure Databricks", + "severity": "보통", + "subcategory": "", + "text": "토큰 관리를 사용합니다.", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "Databricks 플랫폼의 일반 사용자이기도 한 Databricks 관리자가 있는 경우(예: 플랫폼을 관리하고 데이터 엔지니어링 작업도 수행하는 수석 데이터 엔지니어가 있는 경우) Databricks는 관리 작업을 위해 별도의 계정을 만드는 것이 좋습니다. Azure RBAC 모델의 일부로, 배포된 Azure Databricks 작업 영역에 대한 리소스 그룹에 대한 기여자 이상의 권한이 부여된 사용자는 해당 작업 영역에 로그인할 때 자동으로 관리자가 된다는 점에 유의해야 합니다. 
따라서 위에서 설명한 것과 동일한 고려 사항을 Azure Portal 사용자에게도 적용해야 합니다.", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "id": "O01.04", + "service": "Azure Databricks", + "severity": "높다", + "subcategory": "", + "text": "일반 사용자 계정과 관리자 계정 분리", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "SCIM(System for Cross-domain Identity Management)을 사용하면 Microsoft Entra ID에서 Azure Databricks로 사용자 및 그룹을 동기화할 수 있습니다. 이 방법에는 세 가지 주요 이점이 있습니다. 1. 사용자를 제거하면 사용자가 Databricks에서 자동으로 제거됩니다. 2. SCIM을 통해 사용자를 일시적으로 비활성화할 수도 있습니다. 고객은 계정이 손상되었을 수 있으며 조사가 필요하다고 생각하는 시나리오에 이 기능을 사용했습니다 3. 그룹이 자동으로 동기화됨 Azure Databricks에 대해 SCIM을 구성하는 방법에 대한 자세한 지침은 설명서를 참조하세요. 이 기능을 사용하려면 프리미엄 가격 책정 계층이 필요합니다", + "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", + "id": "O01.05", + "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/", + "service": "Azure Databricks", + "severity": "보통", + "subcategory": "", + "text": "사용자 및 그룹의 SCIM 동기화.", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "관리자는 클러스터 정책 또는 이전 클러스터 ACL을 사용하여 조직 내에서 클러스터를 생성할 수 있는 사용자 또는 그룹을 정의할 수 있습니다. 클러스터 ACL을 사용하면 지정된 클러스터에 노트북을 연결할 수 있는 사용자를 지정할 수 있습니다. 사용자가 표준 모드 클러스터에 이미 연결된 Notebook을 공유하는 경우 수신자도 해당 클러스터에서 코드를 실행할 수 있습니다. 이는 사용자 격리를 적용하는 클러스터(SQL 웨어하우스, 테이블 ACL 클러스터와의 높은 동시성, 자격 증명 통과 클러스터의 높은 동시성)에는 적용되지 않습니다. 
Unity 카탈로그를 사용하는 고객은 단일 사용자 클러스터를 활성화하여 격리 클러스터를 적용할 수도 있습니다.", + "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", + "id": "O01.06", + "service": "Azure Databricks", + "severity": "보통", + "subcategory": "", + "text": "클러스터 생성 권한을 제한합니다.", + "waf": "안전" + }, + { + "category": "", + "description": "계정 관리자는 RestrictWorkspaceAdmins라는 작업 영역 설정을 구성하여 작업 영역 관리자가 작업 소유자를 자신으로만 변경하고 작업 실행 설정을 서비스 주체 사용자 역할이 있는 서비스 주체로 제한할 수 있습니다.", + "guid": "6b57dfc6-5546-41e1-a3e3-453a3c863964", + "id": "P01.01", + "link": "https://learn.microsoft.com/azure/databricks/admin/workspace-settings/restrict-workspace-admins", + "severity": "높다", + "subcategory": "", + "text": "작업 영역 관리자 제한" + }, + { + "category": "ID 및 액세스 관리", + "description": "고객이 Azure Key Vault를 사용하여 비밀을 저장하더라도 Azure Databricks 내에서 액세스 제어를 정의해야 합니다. 이는 Azure Databricks 작업 영역의 모든 사용자에 대한 비밀을 검색하는 데 동일한 서비스 ID가 사용되기 때문입니다.", + "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", + "id": "Q01.01", + "service": "Azure Databricks", + "severity": "높다", + "subcategory": "", + "text": "Azure Key Vault에 암호, 비밀 저장Store passwords, secrets in Azure Key Vault", + "waf": "안전" + }, + { + "category": "", + "guid": "42b16c21-d799-49a6-96f4-389a8f42c78e", + "id": "R01.01", + "severity": "높다", + "subcategory": "", + "text": "키를 주기적으로 사용하는 경우 키를 재생/회전합니다." + }, + { + "category": "ID 및 액세스 관리", + "description": "사용자 격리가 있는 클러스터에는 각 사용자가 클러스터 호스트에서 권한이 없는 다른 사용자 계정으로 실행되는 적용이 포함됩니다. 또한 언어는 격리된 방식으로 구현할 수 있는 언어(SQL 및 Python)로 제한되며, Spark API는 격리로부터 안전하다고 생각되는 언어의 허용 목록에 있어야 합니다.", + "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3", + "id": "S01.01", + "service": "Azure Databricks", + "severity": "보통", + "subcategory": "", + "text": "사용자 격리를 지원하는 클러스터를 사용합니다.", + "waf": "안전" + }, + { + "category": "ID 및 액세스 관리", + "description": "프로덕션 워크로드를 개별 사용자 계정에 연결하는 것은 보안 모범 사례에 위배되므로 Databricks 내에서 서비스 주체를 구성하는 것이 좋습니다. 서비스 원칙은 관리자와 사용자 작업을 워크로드에서 분리하고 사용자가 조직을 떠날 경우 워크로드가 영향을 받지 않도록 합니다. 
Databricks를 사용하면 서비스 주체로 실행되고 서비스 주체에 대한 개인용 액세스 토큰을 생성하도록 작업을 구성할 수 있습니다.", + "guid": "e29711b1-352b-4eee-879b-588defc5972c", + "id": "S01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/", + "service": "Azure Databricks", + "severity": "보통", + "subcategory": "", + "text": "서비스 주체를 사용하여 프로덕션 작업을 실행합니다. 워크스페이스 레벨(ACL), 계정 레벨(RBAC) 및 데이터 레벨(Unity 카탈로그) 보안 컨트롤에 대한 적절한 액세스 제어 사용", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "기본적으로 DBFS는 지정된 작업 영역의 모든 사용자가 액세스할 수 있고 API를 통해 액세스할 수 있는 파일 시스템입니다. IP 액세스 목록 또는 개인 네트워크 액세스를 사용하여 DBFS API 또는 Databricks CLI를 통해 데이터 액세스에 대한 액세스를 제한할 수 있으므로 반드시 주요 데이터 반출 문제는 아닙니다. 그러나 Azure Databricks의 사용이 증가하고 더 많은 사용자가 작업 영역에 참여함에 따라 해당 사용자는 DBFS에 저장된 모든 데이터에 액세스할 수 있으므로 원치 않는 정보 공유가 발생할 수 있습니다. Databricks는 고객이 프로덕션 데이터를 DBFS에 저장하지 않는 것을 권장합니다.", + "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c", + "id": "T01.01", + "service": "Azure Databricks", + "severity": "높다", + "subcategory": "", + "text": "프로덕션 데이터를 DBFS에 저장하지 마십시오.", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "관리하는 스토리지 계정의 경우 스토리지 계정이 요구 사항에 따라 보호되도록 하는 것은 사용자의 책임입니다. 예를 들어 고객 관리형 키를 사용한 암호화, 스토리지 방화벽을 사용하여 신뢰할 수 있는 네트워크에 대한 액세스 제한, 익명 공용 액세스는 허용되지 않음 등이 있습니다", + "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8", + "id": "T01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "severity": "보통", + "subcategory": "", + "text": "스토리지를 암호화하고 액세스를 제한합니다.", + "waf": "안전" + }, + { + "category": "데이터 보호", + "description": "Notebook, 비밀, Databricks SQL 쿼리 및 Databricks SQL 쿼리 기록과 같은 Azure Databricks 컨트롤 플레인 내에 저장된 선택 데이터 및 DBFS에 사용되는 루트 스토리지 계정에 대한 고객 관리형 키를 추가합니다. Azure Databricks는 진행 중인 작업을 위해 이 키에 액세스해야 합니다. 키에 대한 액세스를 취소하여 Azure Databricks가 컨트롤 플레인(또는 백업) 내에서 암호화된 데이터에 액세스하지 못하도록 할 수 있습니다. 이는 작업 공간이 기능을 멈추는 핵 옵션과 같지만 극한 상황에 대한 비상 제어를 제공합니다. 
이 기능을 사용하려면 프리미엄 가격 책정 계층이 필요합니다.", + "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9", + "id": "T01.03", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "severity": "보통", + "subcategory": "", + "text": "관리 서비스 및 작업 영역 스토리지에 대한 고객 관리형 키 추가Add a customer-managed key for managed services and workspace storage", + "waf": "안전" + }, + { + "category": "네트워킹", + "description": "사용자 또는 API 클라이언트가 VPN 또는 사무실 네트워크와 같은 알려진 양호한 IP 주소 범위에서 오는지 확인하여 계정 콘솔 및 작업 영역 수준에서 Databricks에 인증할 수 있는 IP 주소를 제한하는 IP 액세스 목록을 구성합니다. 사용자가 VPN 연결을 끊을 때와 같이 잘못된 IP 주소로 이동하는 경우 설정된 사용자 세션이 작동하지 않습니다. ", + "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", + "id": "U01.01", + "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list", + "service": "Azure Databricks", + "severity": "보통", + "subcategory": "", + "text": "IP 액세스 목록을 활성화하여 특정 IP 주소에 대한 액세스를 제한합니다.", + "waf": "안전" + }, + { + "category": "네트워킹", + "description": "Azure Private Link는 한 Azure 환경에서 다른 환경으로의 프라이빗 네트워크 경로를 제공합니다. Private Link는 Azure Databricks 사용자와 컨트롤 플레인 간에, 그리고 컨트롤 플레인과 데이터 플레인 사이에도 구성할 수 있습니다. Databricks 사용자와 컨트롤 플레인 간에 Private Link는 인바운드 요청의 원본을 제한하는 강력한 컨트롤을 제공합니다. 회사가 이미 Azure 환경을 통해 트래픽을 라우팅하는 경우 사용자와 Azure Databricks 컨트롤 플레인 간의 통신이 공용 IP 주소를 트래버스하지 않도록 Private Link를 사용할 수 있습니다. 이 기능을 사용하려면 프리미엄 가격 책정 계층이 필요합니다. Azure Private Link를 사용하여 Azure Databricks에서 Azure 리소스로 연결합니다. 
Private Link는 다음을 보장합니다.",
+ "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3",
+ "id": "U01.02",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link",
+ "service": "Azure Databricks",
+ "severity": "보통",
+ "subcategory": "",
+ "text": "Azure Private Link를 구성하고 사용하여 Azure 리소스에 액세스합니다.",
+ "waf": "안전"
+ }
+ ],
+ "metadata": {
+ "name": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "state": "Preview",
+ "timestamp": "October 21, 2024",
+ "waf": "Security"
+ },
+ "severities": [
+ {
+ "name": "높다"
+ },
+ {
+ "name": "보통"
+ },
+ {
+ "name": "낮다"
+ }
+ ],
+ "status": [
+ {
+ "description": "이 검사는 아직 검토되지 않았습니다",
+ "name": "확인되지 않음"
+ },
+ {
+ "description": "이 검사와 연관된 작업 항목이 있습니다",
+ "name": "열다"
+ },
+ {
+ "description": "이 검사는 확인되었으며 이와 관련된 추가 작업 항목이 없습니다",
+ "name": "성취"
+ },
+ {
+ "description": "권장 사항을 이해했지만 현재 요구 사항에 필요하지 않음",
+ "name": "필요 없음"
+ },
+ {
+ "description": "현재 설계에는 적용되지 않습니다.",
+ "name": "해당 없음"
+ }
+ ],
+ "waf": [
+ {
+ "name": "신뢰도"
+ },
+ {
+ "name": "안전"
+ },
+ {
+ "name": "비용"
+ },
+ {
+ "name": "작업"
+ },
+ {
+ "name": "공연"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "예"
+ },
+ {
+ "name": "아니요"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/checklists/datasecurity_checklist.pt.json b/checklists/datasecurity_checklist.pt.json
new file mode 100644
index 000000000..2cf308c63
--- /dev/null
+++ b/checklists/datasecurity_checklist.pt.json
@@ -0,0 +1,809 @@
+{
+ "categories": [],
+ "items": [
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "Restrinja o uso de métodos de autenticação local para acesso ao plano de dados. Em vez disso, use a ID do Microsoft Entra como o método de autenticação padrão para controlar o acesso ao plano de dados.",
+ "guid": "32d41e36-11c8-417b-8afb-c410d4391898",
+ "id": "A01.01",
+ "service": "Azure Synapse Analytics",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Restringir o uso de usuários locais em cargas de trabalho sql no Synapse",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "Use a ID do Microsoft Entra como o método de autenticação padrão para controlar o acesso ao plano de dados.",
+ "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a",
+ "id": "A01.02",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext",
+ "service": "Azure Synapse Analytics",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Usar identidade gerenciada para autenticar nos serviços",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "Se não for necessário para operações administrativas de rotina, desabilite ou restrinja todas as contas de administrador local apenas para uso emergencial.",
+ "guid": "ec823923-7a15-42d6-ac5e-402925388e5d",
+ "id": "A01.03",
+ "service": "Azure Synapse Analytics",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Separe e limite usuários altamente privilegiados/administrativos e habilite políticas condicionais e de MFA",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "O Azure Synapse também inclui funções RBAC (controle de acesso baseado em função) do Synapse para gerenciar diferentes aspectos do Synapse Studio. 
Aproveite essas funções internas para atribuir permissões a usuários, grupos ou outras entidades de segurança para gerenciar quem pode Publicar artefatos de código e listar ou acessar artefatos de código publicados,Executar código em pools do Apache Spark e runtimes de integração,Acessar serviços vinculados (dados) protegidos por credenciais,Monitorar ou cancelar execuções de trabalho, revisar a saída do trabalho e os logs de execução.", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "id": "A01.04", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", + "severity": "Média", + "subcategory": "", + "text": "Use o RBAC do Azure para controlar o acesso no armazenamento e o RBAC do Synapse para controlar o acesso no nível do workspace, dependendo das personas da equipe, para granular o acesso aos dados e à computação", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "id": "A01.05", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", + "severity": "Média", + "subcategory": "", + "text": "Implemente RLS, CLS e mascaramento de dados em cargas de trabalho SQL em pool sql dedicado para adicionar camada adicional de segurança", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "description": "Ao criar seu workspace do Azure Synapse, você pode optar por associá-lo a uma Rede Virtual do Microsoft Azure. A Rede Virtual associada ao seu workspace é gerenciada pelo Azure Synapse. Essa Rede Virtual é chamada de Rede Virtual de workspace gerenciado. 
Isso pode ser selecionado ao implantar um workspace", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "id": "B01.01", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "Média", + "subcategory": "", + "text": "Usar o espaço de trabalho vnet gerenciado para restringir o acesso pela Internet pública", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "description": "Para proteger dados confidenciais, é recomendável desabilitar totalmente o acesso público aos pontos de extremidade do workspace. Ao fazer isso, ele garante que todos os pontos de extremidade do workspace só possam ser acessados usando pontos de extremidade privados.", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "id": "B01.02", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "Média", + "subcategory": "", + "text": "Configure pontos de extremidade privados para se conectar aos serviços externos e desabilitar o acesso público", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "description": "Se o acesso público precisar ser habilitado, é altamente recomendável configurar as regras de firewall IP para permitir conexões de entrada somente da lista especificada de endereços IP públicos.", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "subcategory": "", + "text": "Se habilitar o acesso público, é altamente recomendável configurar regras de firewall IP", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "id": "B01.04", + "link": 
"https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", + "severity": "Média", + "subcategory": "", + "text": "Implante VMs SHIR em sua rede virtual se você estiver trabalhando com dados confidenciais que não devem sair da rede corporativa", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "description": "Isso só pode ser feito ao implantar o workspace, mas não há suporte para bibliotecas Python instaladas de repositórios públicos como o PyPI. (Pense na limitação antes de habilitá-la)", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "id": "B01.05", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + "service": "Azure Synapse Analytics", + "severity": "Média", + "subcategory": "", + "text": "Habilitar DEP (Proteção contra Exfiltração de Dados)", + "waf": "Segurança" + }, + { + "category": "Proteção de dados", + "description": "A primeira camada de criptografia é feita por chaves gerenciadas pela Microsoft, você pode adicionar uma segunda camada de criptografia usando chaves gerenciadas pelo cliente", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "id": "C01.01", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure Synapse Analytics", + "severity": "Média", + "subcategory": "", + "text": "Criptografia de dados em repouso usando chaves gerenciadas pelo cliente para workspace", + "waf": "Segurança" + }, + { + "category": "Proteção de dados", + "description": "O Azure Synapse aproveita o TLS para garantir que os dados sejam criptografados em movimento. Os pools dedicados do SQL dão suporte às versões TLS 1.0, TLS 1.1 e TLS 1.2 para criptografia em que os drivers fornecidos pela Microsoft usam o TLS 1.2 por padrão. 
O pool de SQL sem servidor e o pool do Apache Spark usam o TLS 1.2 para todas as conexões de saída.", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "id": "C01.02", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", + "severity": "Média", + "subcategory": "", + "text": "Criptografia de dados em trânsito ", + "waf": "Segurança" + }, + { + "category": "Proteção de dados", + "description": "Usar Keyvaults para armazenar seus segredos e credenciais", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "id": "C01.03", + "service": "Azure Synapse Analytics", + "severity": "Alto", + "subcategory": "", + "text": "Armazenar senhas, certificados e chaves no cofre de chaves do Azure", + "waf": "Segurança" + }, + { + "category": "", + "description": "Você pode armazenar credenciais ou valores secretos em um Azure Key Vault e usá-los durante a execução do pipeline para passar para suas atividades.", + "guid": "a3aec2c4-e243-46b0-936d-b55e17960eee", + "id": "D01.01", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "severity": "Média", + "subcategory": "", + "text": "Usar segredos do Azure Key Vault em atividades de pipeline" + }, + { + "category": "Gerenciamento de identidade e acesso", + "description": "Restrinja o uso de métodos de autenticação local para acesso ao plano de dados. Em vez disso, use a ID do Microsoft Entra como o método de autenticação padrão para controlar o acesso ao plano de dados.", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "id": "E01.01", + "service": "Azure Data Factory", + "severity": "Alto", + "subcategory": "", + "text": "Restrinja o uso de usuários locais sempre que necessário", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "description": "As identidades gerenciadas eliminam a necessidade de gerenciar credenciais. 
As identidades gerenciadas fornecem uma identidade para a instância de serviço ao se conectar a recursos que dão suporte à autenticação do Microsoft Entra.", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "id": "E01.02", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", + "severity": "Média", + "subcategory": "", + "text": "Usar identidade gerenciada para autenticar nos serviços", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "description": "Se não for necessário para operações administrativas de rotina, desabilite ou restrinja todas as contas de administrador local apenas para uso emergencial.", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "id": "E01.03", + "service": "Azure Data Factory", + "severity": "Alto", + "subcategory": "", + "text": "Separe e limite usuários altamente privilegiados/administrativos e habilite políticas condicionais e de MFA", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "guid": "4e4f1854-287d-45cd-a126-cc032af5b1fc", + "id": "F01.01", + "service": "Azure Data Factory", + "severity": "Média", + "subcategory": "", + "text": "Desabilitar o acesso pela Internet pública e configurar regras de firewall ou regras de serviços confiáveis" + }, + { + "category": "Segurança de rede", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "id": "F01.02", + "service": "Azure Data Factory", + "severity": "Média", + "subcategory": "", + "text": "Implante VMs SHIR em sua rede virtual se você estiver trabalhando com dados confidenciais que não devem sair da rede corporativa", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "description": "Quando você cria um runtime de integração do Azure em uma rede virtual gerenciada do Data Factory, o runtime de integração é provisionado com a rede virtual gerenciada. 
Ele usa pontos de extremidade privados para se conectar com segurança a armazenamentos de dados com suporte.", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "id": "F01.03", + "service": "Azure Data Factory", + "severity": "Média", + "subcategory": "", + "text": "Usar o IR de vnet gerenciado para restringir o acesso pela Internet pública para o Azure Integration Runtime", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "description": "Os pontos de extremidade privados gerenciados são pontos de extremidade privados criados na rede virtual gerenciada do Data Factory que estabelece um link privado para os recursos do Azure. O Data Factory gerencia esses pontos de extremidade privados em seu nome.", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "id": "F01.04", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", + "severity": "Média", + "subcategory": "", + "text": "Configurar pontos de extremidade privados gerenciados para se conectar a recursos usando o Azure IR gerenciado", + "waf": "Segurança" + }, + { + "category": "", + "description": "Usando o Link Privado do Azure, você pode se conectar a várias implantações de PaaS (plataforma como serviço) no Azure por meio de um ponto de extremidade privado. 
Um ponto de extremidade privado é um endereço IP privado em uma rede virtual e sub-rede específicas", + "guid": "b47a393a-0804-4272-a479-8b1578b219a4", + "id": "G01.01", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-private-link", + "severity": "Média", + "subcategory": "", + "text": "Configurar Links Privados para se conectar a fontes na Vnet do cliente e no data factory" + }, + { + "category": "Proteção de dados", + "description": "Esta é uma configuração padrão", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "id": "H01.01", + "service": "Azure Data Factory", + "severity": "Média", + "subcategory": "", + "text": "Criptografia de dados em repouso por chaves gerenciadas da Microsoft", + "waf": "Segurança" + }, + { + "category": "Proteção de dados", + "description": "Esta é uma configuração padrão", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "id": "H01.02", + "service": "Azure Data Factory", + "severity": "Média", + "subcategory": "", + "text": "Criptografia de dados em trânsito por chaves gerenciadas pela Microsoft", + "waf": "Segurança" + }, + { + "category": "Proteção de dados", + "description": "Quando você especifica uma chave gerenciada pelo cliente, o Data Factory usa a chave do sistema de fábrica e a CMK para criptografar os dados do cliente. 
A falta de qualquer um resultaria em Negação de acesso aos dados e à fábrica.", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "id": "H01.03", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", + "severity": "Média", + "subcategory": "", + "text": "Criptografia de dados em trânsito por BYOK (chaves gerenciadas pelo cliente)", + "waf": "Segurança" + }, + { + "category": "Proteção de dados", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "id": "H01.04", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "Alto", + "subcategory": "", + "text": "Armazenar senhas e segredos no Azure Key Vault", + "waf": "Segurança" + }, + { + "category": "Proteção de dados", + "description": "Você pode armazenar credenciais ou valores secretos em um Azure Key Vault e usá-los durante a execução do pipeline para passar para suas atividades.", + "guid": "6f4a1652-bddd-4ea8-a487-cdec4861bc3b", + "id": "H01.05", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "Média", + "subcategory": "", + "text": "Usar segredos do Azure Key Vault em atividades de pipeline" + }, + { + "category": "Proteção de dados", + "description": "Você pode criptografar e armazenar credenciais para qualquer um dos seus armazenamentos de dados locais (serviços vinculados com informações confidenciais) em um computador com runtime de integração auto-hospedada.", + "guid": "c14aeb7e-66e8-4d9a-9bec-218e6436b173", + "id": "H01.06", + "link": "https://learn.microsoft.com/azure/data-factory/encrypt-credentials-self-hosted-integration-runtime", + "service": "Azure Data Factory", + "severity": "Média", + "subcategory": "", + "text": "Criptografar 
credenciais para locais usando armazenamentos de dados SHIR no Azure Data Factory" + }, + { + "category": "Gerenciamento de identidade e acesso", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "id": "I01.01", + "service": "Microsoft Purview", + "severity": "Média", + "subcategory": "", + "text": "Definir funções e responsabilidades para gerenciar o Microsoft Purview no painel de controle e no plano de dados", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "description": "Use RBACs do Azure para isso", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "id": "I01.02", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "Média", + "subcategory": "", + "text": "Definir funções e tarefas necessárias para implantar e gerenciar o Microsoft Purview dentro de uma assinatura do Azure (painel de controle)", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "description": "Use funções do Microsoft Purview para isso.", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "id": "I01.03", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "Média", + "subcategory": "", + "text": "Defina as funções e tarefas necessárias para executar o gerenciamento e a governança de dados usando o Microsoft Purview. 
(Plano de dados para Mapa de Dados e Catálogo de Dados.)", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "id": "I01.04", + "service": "Microsoft Purview", + "severity": "Média", + "subcategory": "", + "text": "Atribua funções a grupos do Microsoft Entra em vez de atribuir funções a usuários individuais.", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "id": "I01.05", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", + "severity": "Média", + "subcategory": "", + "text": "Use o Gerenciamento de Direitos do Azure Active Directory para mapear o acesso do usuário a grupos do Microsoft Entra usando Pacotes de Acesso.", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "id": "I01.06", + "service": "Microsoft Purview", + "severity": "Alto", + "subcategory": "", + "text": "Imponha a autenticação multifator para usuários do Microsoft Purview, especialmente para usuários com funções privilegiadas, como administradores de coleção, administradores de fonte de dados ou curadores de dados.", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "id": "I01.07", + "service": "Microsoft Purview", + "severity": "Alto", + "subcategory": "", + "text": "Use a ID do Microsoft Entra para fornecer autenticação e autorização a todos os usuários, grupos de segurança registrados no Entra, entidade de serviço e identidades gerenciadas dentro de coleções no Microsoft Purview", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "id": "I01.08", + "service": "Microsoft Purview", + 
"severity": "Alto", + "subcategory": "", + "text": "Definir o modelo de privilégios mínimos e menor exposição de contas privilegiadas", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "id": "J01.01", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", + "severity": "Média", + "subcategory": "", + "text": "Habilite o isolamento de rede de ponta a ponta usando o Serviço de Link Privado. (Mapa de Dados do Microsoft Purview)", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "id": "J01.02", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", + "severity": "Média", + "subcategory": "", + "text": "Use o Firewall do Microsoft Purview para desabilitar o acesso público. (Mapa de Dados do Microsoft Purview)", + "waf": "Segurança" + }, + { + "category": "Segurança de rede", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "id": "J01.03", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "Média", + "subcategory": "", + "text": "Implante regras de NSG (Grupo de Segurança de Rede) para sub-redes em que os pontos de extremidade privados das fontes de dados do Azure, os pontos de extremidade privados do Microsoft Purview e as VMs de runtime auto-hospedadas são implantados. 
(Mapa de Dados do Microsoft Purview)",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Segurança de rede",
+ "guid": "744293bb-6286-437a-9511-9b08e8f58543",
+ "id": "J01.04",
+ "link": "https://learn.microsoft.com/azure/firewall/overview",
+ "service": "Microsoft Purview",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Implemente o Microsoft Purview com pontos de extremidade privados gerenciados por uma Solução de Virtualização de Rede, como o Firewall do Azure para inspeção de rede e filtragem de rede. (Mapa de Dados do Microsoft Purview)",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Segurança de rede",
+ "description": "Esse ponto de extremidade privado também é um pré-requisito para o ponto de extremidade privado do portal. O ponto de extremidade privado do portal do Microsoft Purview é necessário para habilitar a conectividade com o portal de governança do Microsoft Purview usando uma rede privada. O Microsoft Purview pode verificar fontes de dados no Azure ou em um ambiente local usando pontos de extremidade privados de ingestão. Limitações no uso de pontos de extremidade privados https://learn.microsoft.com/purview/catalog-private-link-troubleshoot",
+ "guid": "87e9cec1-66cd-4072-af9b-241a998a535e",
+ "id": "J01.05",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-network",
+ "service": "Microsoft Purview",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Implante pontos de extremidade privados para contas do Microsoft Purview para adicionar outra camada de segurança, portanto, somente as chamadas de cliente originadas de dentro da rede virtual têm permissão para acessar a conta do Microsoft Purview",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Segurança de rede",
+ "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. 
Limitação a ser revisada: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot",
+ "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e",
+ "id": "J01.06",
+ "service": "Microsoft Purview",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Bloquear o acesso público usando o firewall do Microsoft Purview",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Segurança de rede",
+ "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec",
+ "id": "J01.07",
+ "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups",
+ "service": "Microsoft Purview",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Usar Grupos de Segurança de Rede para filtrar o tráfego de rede de e para recursos do Azure em uma rede virtual do Azure",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Proteção de dados",
+ "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms",
+ "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de",
+ "id": "K01.01",
+ "service": "Microsoft Purview",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Se você tiver dados confidenciais que não podem sair do limite da sua rede virtual local, é altamente recomendável usar VMs SHIR dentro da rede virtual para extrair seus metadados ",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Proteção de dados",
+ "description": "Os metadados são extraídos e armazenados no Mapa de Dados do Microsoft Purview, se você não estiver usando uma conta de armazenamento gerenciada para sua conta do Purview, eles estarão abertos para serem acessados por todos, portanto, implemente RBACs adequados e restrinja o acesso aos Dados apenas para os usuários pretendidos. 
Aplicável a contas implantadas após 15 de dezembro de 2023 (ou implantadas usando a versão 2023-05-01-preview da API em diante",
+ "guid": "7f3165c3-a87a-405b-9a20-9949bda47778",
+ "id": "K01.02",
+ "service": "Microsoft Purview",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Use RBACs do Azure para restringir o acesso de sua conta de armazenamento (não gerenciada pela MS) apenas aos usuários pretendidos.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Proteção de dados",
+ "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7",
+ "id": "K01.03",
+ "service": "Microsoft Purview",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Os dados em repouso são criptografados por chaves gerenciadas pela Microsoft",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Proteção de dados",
+ "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb",
+ "id": "K01.04",
+ "service": "Microsoft Purview",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Os dados em trânsito são criptografados pelo TLS 1.3",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Proteção de dados",
+ "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370",
+ "id": "K01.05",
+ "service": "Microsoft Purview",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Sempre use os cofres de chaves do Azure para armazenar todas as credenciais se não estiver usando identidades gerenciadas ou sem métodos de necessidade de senha",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Proteção contra exclusão acidental",
+ "guid": "6f7c0cba-fe61-4465-add4-57e927139b82",
+ "id": "L01.01",
+ "service": "Microsoft Purview",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Impedir a exclusão acidental de contas do Microsoft Purview aplicando bloqueios de recursos",
+ "waf": "Segurança"
+ },
+ {
+ "category": "",
+ "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4722d928",
+ "id": "M01.01",
+ "link": 
"https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", + "severity": "Média", + "subcategory": "", + "text": "Planeje uma estratégia de emergência para seu locatário do Microsoft Entra, assinatura do Azure e contas do Microsoft Purview para evitar o bloqueio de conta em todo o locatário.", + "waf": "Segurança" + }, + { + "category": "Recomendação de segurança adicional", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "id": "N01.01", + "service": "Microsoft Purview", + "severity": "Média", + "subcategory": "", + "text": "Integrar-se ao Microsoft 365 e ao Microsoft Defender para Nuvem", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "description": "Separe as contas de administrador das contas de usuário normais.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "id": "O01.01", + "service": "Azure Databricks", + "severity": "Alto", + "subcategory": "", + "text": "Definir o modelo de privilégios mínimos e menor exposição de contas privilegiadas", + "waf": "Segurança" + }, + { + "category": "Gerenciamento de identidade e acesso", + "description": "O Azure Databricks dá suporte ao acesso condicional da ID do Microsoft Entra, que permite que os administradores controlem onde e quando os usuários têm permissão para entrar no Azure Databricks. As políticas de acesso condicional podem restringir a entrada em sua rede corporativa ou podem exigir MFA (autenticação multifator).", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "id": "O01.02", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", + "severity": "Alto", + "subcategory": "", + "text": "Configure o logon único e o login unificado. 
Ative a autenticação multifator.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "Os clientes podem usar a API de Gerenciamento de Token ou controles de interface do usuário para habilitar ou desabilitar tokens de acesso pessoal (PATs) para autenticação da API REST, limitar os usuários que têm permissão para usar PATs, definir o tempo de vida máximo para novos tokens e gerenciar tokens existentes. Os clientes altamente seguros normalmente provisionam um tempo de vida máximo do token para novos tokens para um workspace. Esse recurso requer o tipo de preço Premium.",
+ "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0",
+ "id": "O01.03",
+ "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens",
+ "service": "Azure Databricks",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Use o gerenciamento de tokens.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "Se você tiver administradores do Databricks que também são usuários normais da plataforma Databricks (por exemplo, há um engenheiro de dados líder que administra a plataforma e também faz o trabalho de engenharia de dados), o Databricks recomenda a criação de uma conta separada para tarefas administrativas. É importante observar que, como parte do modelo RBAC do Azure, os usuários que recebem permissões de Colaborador ou superior para o Grupo de Recursos para um workspace do Azure Databricks implantado se tornam automaticamente administradores quando fazem logon nesse workspace. 
Portanto, as mesmas considerações descritas acima também devem ser aplicadas aos usuários do portal do Azure.",
+ "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56",
+ "id": "O01.04",
+ "service": "Azure Databricks",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Separar contas de administrador de contas de usuário normais",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "O SCIM (System for Cross-domain Identity Management) permite sincronizar usuários e grupos da ID do Microsoft Entra com o Azure Databricks. Há três benefícios principais dessa abordagem: 1. Quando você remove um usuário, ele é removido automaticamente do Databricks. 2. Os usuários também podem ser desativados temporariamente via SCIM. Os clientes usaram esse recurso para cenários em que acreditam que uma conta pode estar comprometida e precisam investigar 3. Os grupos são sincronizados automaticamente Consulte a documentação para obter instruções detalhadas sobre como configurar o SCIM para Azure Databricks. Esse recurso requer o tipo de preço Premium",
+ "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36",
+ "id": "O01.05",
+ "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/",
+ "service": "Azure Databricks",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Sincronização SCIM de usuários e grupos.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "Usando políticas de cluster ou ACLs de cluster mais antigas, os administradores podem definir quais usuários ou grupos dentro da organização podem criar clusters. As ACLs de cluster permitem que você especifique quais usuários podem anexar um notebook a um determinado cluster. Observe que, se um usuário compartilhar um notebook já anexado a um cluster de modo padrão, o destinatário também poderá executar código nesse cluster. 
Isso não se aplica a clusters que impõem o isolamento do usuário: SQL Warehouses, alta simultaneidade com clusters de ACLs de tabela e alta simultaneidade com clusters de passagem de credenciais. Os clientes que usam o Catálogo do Unity também podem habilitar clusters de usuário único para impor clusters de isolamento.",
+ "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d",
+ "id": "O01.06",
+ "service": "Azure Databricks",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Limite os direitos de criação de cluster.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "",
+ "description": "Os administradores de conta podem definir uma configuração de workspace chamada RestrictWorkspaceAdmins para restringir os administradores de workspace a alterar apenas um proprietário de trabalho para si mesmos e a configuração de execução de trabalho para uma entidade de serviço na qual eles têm a função de Usuário de Entidade de Serviço.",
+ "guid": "6b57dfc6-5546-41e1-a3e3-453a3c863964",
+ "id": "P01.01",
+ "link": "https://learn.microsoft.com/azure/databricks/admin/workspace-settings/restrict-workspace-admins",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Restringir administradores do workspace"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "É importante observar que, mesmo que os clientes usem o Azure Key Vault para armazenar seus segredos, os controles de acesso ainda precisam ser definidos no Azure Databricks. 
Isso ocorre porque a mesma identidade de serviço é usada para recuperar o segredo de todos os usuários de um workspace do Azure Databricks.",
+ "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1",
+ "id": "Q01.01",
+ "service": "Azure Databricks",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Armazenar senhas e segredos no Azure Key Vault",
+ "waf": "Segurança"
+ },
+ {
+ "category": "",
+ "guid": "42b16c21-d799-49a6-96f4-389a8f42c78e",
+ "id": "R01.01",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Regenerar/girar chaves se usá-las periodicamente"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "Os clusters com isolamento de usuário incluem imposição de modo que cada usuário seja executado como uma conta de usuário sem privilégios diferente no host do cluster. As linguagens também são limitadas àquelas que podem ser implementadas de maneira isolada (SQL e Python), e as APIs do Spark devem estar em uma lista de permissões daquelas que acreditamos serem seguras para isolamento.",
+ "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3",
+ "id": "S01.01",
+ "service": "Azure Databricks",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Use clusters que dão suporte ao isolamento do usuário.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "description": "É contra as práticas recomendadas de segurança vincular cargas de trabalho de produção a contas de usuário individuais e, portanto, recomendamos configurar entidades de serviço no Databricks. Os Princípios de Serviço separam as ações do administrador e do usuário da carga de trabalho e evitam que as cargas de trabalho sejam afetadas se um usuário sair de uma organização. 
Com o Databricks, você pode configurar trabalhos para serem executados como entidades de serviço e gerar tokens de acesso pessoal para entidades de serviço.",
+ "guid": "e29711b1-352b-4eee-879b-588defc5972c",
+ "id": "S01.02",
+ "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/",
+ "service": "Azure Databricks",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Use entidades de serviço para executar trabalhos de produção. Use o controle de acesso adequado para controles de segurança no nível do workspace (ACLs), no nível da conta (RBACs) e no nível dos dados (catálogo do Unity)",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Proteção de dados",
+ "description": "Por padrão, o DBFS é um sistema de arquivos acessível a todos os usuários do espaço de trabalho fornecido e pode ser acessado via API. Isso não é necessariamente uma grande preocupação de exfiltração de dados, pois você pode limitar o acesso ao acesso a dados por meio da API do DBFS ou da CLI do Databricks usando listas de acesso IP ou acesso à rede privada. No entanto, à medida que o uso do Azure Databricks cresce e mais usuários ingressam em um workspace, esses usuários teriam acesso a todos os dados armazenados no DBFS, criando o potencial para o compartilhamento de informações indesejadas. A Databricks recomenda que nossos clientes não armazenem dados de produção no DBFS.",
+ "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c",
+ "id": "T01.01",
+ "service": "Azure Databricks",
+ "severity": "Alto",
+ "subcategory": "",
+ "text": "Evite armazenar dados de produção no DBFS.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Proteção de dados",
+ "description": "Para as contas de armazenamento que você gerencia, é sua responsabilidade garantir que as contas de armazenamento sejam protegidas de acordo com seus requisitos. 
Os exemplos podem incluir: Criptografia com sua chave gerenciada pelo cliente, Restringir o acesso a redes confiáveis com um firewall de armazenamento, Acesso público anônimo não é permitido",
+ "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8",
+ "id": "T01.02",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys",
+ "service": "Azure Databricks",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Criptografe o armazenamento e restrinja o acesso.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Proteção de dados",
+ "description": "Adicione uma chave gerenciada pelo cliente para dados selecionados armazenados no painel de controle do Azure Databricks, como notebooks, segredos, consultas SQL do Databricks e histórico de consultas SQL do Databricks e para a conta de armazenamento raiz usada para DBFS. O Azure Databricks requer acesso a essa chave para operações contínuas. Você pode revogar o acesso à chave para impedir que o Azure Databricks acesse dados criptografados no painel de controle (ou em nossos backups). É como uma opção nuclear em que o espaço de trabalho deixa de funcionar, mas fornece um controle de emergência para situações extremas. Esse recurso requer o tipo de preço Premium.",
+ "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9",
+ "id": "T01.03",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys",
+ "service": "Azure Databricks",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Adicionar uma chave gerenciada pelo cliente para serviços gerenciados e armazenamento de workspace",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Rede",
+ "description": "Configure listas de acesso IP que restringem os endereços IP que podem ser autenticados no Databricks no console da conta e no nível do workspace, verificando se o usuário ou o cliente de API é proveniente de um intervalo de endereços IP válido, como uma VPN ou uma rede de escritório. 
As sessões de usuário estabelecidas não funcionam se o usuário mudar para um endereço IP incorreto, como ao se desconectar da VPN. ",
+ "guid": "277de183-b1ac-4252-a9a9-b64608489a8f",
+ "id": "U01.01",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list",
+ "service": "Azure Databricks",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Ative as listas de acesso IP para restringir o acesso a determinados endereços IP.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Rede",
+ "description": "O Link Privado do Azure fornece uma rota de rede privada de um ambiente do Azure para outro. O Link Privado pode ser configurado entre os usuários do Azure Databricks e o painel de controle e também entre o painel de controle e o plano de dados. Entre os usuários do Databricks e o painel de controle, o Link Privado fornece controles fortes que limitam a origem das solicitações de entrada. Se uma empresa já roteia o tráfego por meio de um ambiente do Azure, ela pode usar o Link Privado para que a comunicação entre os usuários e o painel de controle do Azure Databricks não atravesse endereços IP públicos. Esse recurso requer o tipo de preço Premium. Use o Link Privado do Azure para se conectar do Azure Databricks aos recursos do Azure. 
O Link Privado não apenas garante",
+ "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3",
+ "id": "U01.02",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link",
+ "service": "Azure Databricks",
+ "severity": "Média",
+ "subcategory": "",
+ "text": "Configure e use o Link Privado do Azure para acessar os recursos do Azure.",
+ "waf": "Segurança"
+ }
+ ],
+ "metadata": {
+ "name": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "state": "Preview",
+ "timestamp": "October 21, 2024",
+ "waf": "Security"
+ },
+ "severities": [
+ {
+ "name": "Alto"
+ },
+ {
+ "name": "Média"
+ },
+ {
+ "name": "Baixo"
+ }
+ ],
+ "status": [
+ {
+ "description": "Esta verificação ainda não foi analisada",
+ "name": "Não verificado"
+ },
+ {
+ "description": "Há um item de ação associado a essa verificação",
+ "name": "Abrir"
+ },
+ {
+ "description": "Essa verificação foi verificada e não há mais itens de ação associados a ela",
+ "name": "Cumprido"
+ },
+ {
+ "description": "Recomendação compreendida, mas não necessária pelos requisitos atuais",
+ "name": "Não é necessário"
+ },
+ {
+ "description": "Não aplicável para o projeto atual",
+ "name": "N/A"
+ }
+ ],
+ "waf": [
+ {
+ "name": "Fiabilidade"
+ },
+ {
+ "name": "Segurança"
+ },
+ {
+ "name": "Custar"
+ },
+ {
+ "name": "Operações"
+ },
+ {
+ "name": "Desempenho"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Sim"
+ },
+ {
+ "name": "Não"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/checklists/datasecurity_checklist.zh-Hant.json b/checklists/datasecurity_checklist.zh-Hant.json
new file mode 100644
index 000000000..d4e33ea0d
--- /dev/null
+++ b/checklists/datasecurity_checklist.zh-Hant.json 
@@ -0,0 +1,809 @@
+{
+ "categories": [],
+ "items": [
+ {
+ "category": "身份和訪問管理",
+ "description": "限制使用本地身份驗證方法進行數據平面訪問。相反,請使用 Microsoft Entra ID 作為預設身份驗證方法來控制數據平面訪問。",
+ "guid": "32d41e36-11c8-417b-8afb-c410d4391898",
+ "id": "A01.01",
+ "service": "Azure Synapse Analytics",
+ "severity": "高",
+ "subcategory": "",
+ "text": "限制本地使用者對 Synapse 上的 sql 工作負載使用",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "使用 Microsoft Entra ID 作為預設身份驗證方法來控制數據平面訪問。",
+ "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a",
+ "id": "A01.02",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext",
+ "service": "Azure Synapse Analytics",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用託管標識對服務進行身份驗證",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "如果日常管理操作不需要,請禁用或限制任何本地管理員帳戶,以供緊急使用。",
+ "guid": "ec823923-7a15-42d6-ac5e-402925388e5d",
+ "id": "A01.03",
+ "service": "Azure Synapse Analytics",
+ "severity": "高",
+ "subcategory": "",
+ "text": "分離和限制高許可權/管理使用者,並啟用 MFA 和條件策略",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "Azure Synapse 還包括 Synapse 基於角色的訪問控制 (RBAC) 角色,用於管理 Synapse Studio 的不同方面。利用這些內置角色為使用者、組或其他安全主體分配許可權,以管理誰可以發佈代碼構件並列出或訪問已發佈的代碼構件、在 Apache Spark 池和集成運行時上執行代碼、訪問受憑據保護的連結(數據)服務、監控或取消作業執行、查看作業輸出和執行日誌。",
+ "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a",
+ "id": "A01.04",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need",
+ "service": "Azure Synapse Analytics",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用 Azure RBAC 控制對存儲的訪問,使用 Synapse RBAC 控制工作區級別的訪問,具體取決於團隊的角色,以精細化對數據和計算的訪問",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f",
+ "id": "A01.05",
+ "link": 
"https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", + "severity": "中等", + "subcategory": "", + "text": "在專用 SQL 池中的 SQL 工作負載上實施 RLS、CLS 和數據掩碼,以增加額外的安全層", + "waf": "安全" + }, + { + "category": "網路安全", + "description": "創建 Azure Synapse 工作區時,可以選擇將其關聯到 Microsoft Azure 虛擬網路。與工作區關聯的虛擬網路由 Azure Synapse 管理。此虛擬網路稱為託管工作區虛擬網路。可以在部署工作區時選擇此項", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "id": "B01.01", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "中等", + "subcategory": "", + "text": "使用託管 vnet 工作區限制通過公共 Internet 的訪問", + "waf": "安全" + }, + { + "category": "網路安全", + "description": "為了保護任何敏感數據,建議完全禁用對 Workspace 終端節點的公共訪問。通過這樣做,它可以確保所有工作區端點只能使用私有端點訪問。", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "id": "B01.02", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "中等", + "subcategory": "", + "text": "配置專用終結點以連接到外部服務並禁用公有訪問", + "waf": "安全" + }, + { + "category": "網路安全", + "description": "如果需要啟用公有訪問,強烈建議將IP防火牆規則配置為僅允許來自指定公有IP位址清單的入站連接。", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "subcategory": "", + "text": "如果啟用公網訪問,強烈建議配置 IP 防火牆規則", + "waf": "安全" + }, + { + "category": "網路安全", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "id": "B01.04", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", + "severity": "中等", + "subcategory": "", + "text": "如果正在處理不應離開公司網路的敏感數據,請在 vnet 
中部署 SHIR VM",
+ "waf": "安全"
+ },
+ {
+ "category": "網路安全",
+ "description": "這隻能在部署工作區時完成,但不支援從 PyPI 等公共存儲庫安裝的 Python 庫。( 在啟用之前考慮限制 )",
+ "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535",
+ "id": "B01.05",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection",
+ "service": "Azure Synapse Analytics",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "開啟資料洩露保護 (DEP)",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "description": "第一層加密由 Microsoft 託管金鑰完成,您可以使用客戶託管金鑰添加第二層加密",
+ "guid": "e337897e-31b6-47d6-9be5-962a1193846d",
+ "id": "C01.01",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption",
+ "service": "Azure Synapse Analytics",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用客戶管理的 Workspace 金鑰進行靜態數據加密",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "description": "Azure Synapse 利用 TLS 來確保數據在動態中加密。SQL 專用池支援 TLS 1.0、TLS 1.1 和 TLS 1.2 版本進行加密,其中 Microsoft 提供的驅動程式預設使用 TLS 1.2。無伺服器 SQL 池和 Apache Spark 池對所有出站連接使用 TLS 1.2。",
+ "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6",
+ "id": "C01.02",
+ "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit",
+ "service": "Azure Synapse Analytics",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "傳輸中的數據加密",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "description": "使用 Keyvaults 儲存機密和憑據",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5",
+ "id": "C01.03",
+ "service": "Azure Synapse Analytics",
+ "severity": "高",
+ "subcategory": "",
+ "text": "將密碼、secert 和密鑰存儲在 Azure Key Vault 中",
+ "waf": "安全"
+ },
+ {
+ "category": "",
+ "description": "您可以將憑據或機密值存儲在 Azure Key Vault 中,並在管道執行期間使用它們以傳遞給您的活動。",
+ "guid": "a3aec2c4-e243-46b0-936d-b55e17960eee",
+ "id": "D01.01",
+ "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities",
+ "severity": "中等",
+ "subcategory": "",
+ "text": 
"在管道活動中使用 Azure Key Vault 機密" + }, + { + "category": "身份和訪問管理", + "description": "限制使用本地身份驗證方法進行數據平面訪問。相反,請使用 Microsoft Entra ID 作為預設身份驗證方法來控制數據平面訪問。", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "id": "E01.01", + "service": "Azure Data Factory", + "severity": "高", + "subcategory": "", + "text": "在必要時限制使用本地使用者", + "waf": "安全" + }, + { + "category": "身份和訪問管理", + "description": "託管身份消除了管理憑證的需要。託管標識在連接到支援 Microsoft Entra 身份驗證的資源時為服務實例提供標識。", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "id": "E01.02", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", + "severity": "中等", + "subcategory": "", + "text": "使用託管標識對服務進行身份驗證", + "waf": "安全" + }, + { + "category": "身份和訪問管理", + "description": "如果日常管理操作不需要,請禁用或限制任何本地管理員帳戶,以供緊急使用。", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "id": "E01.03", + "service": "Azure Data Factory", + "severity": "高", + "subcategory": "", + "text": "分離和限制高許可權/管理使用者,並啟用 MFA 和條件策略", + "waf": "安全" + }, + { + "category": "網路安全", + "guid": "4e4f1854-287d-45cd-a126-cc032af5b1fc", + "id": "F01.01", + "service": "Azure Data Factory", + "severity": "中等", + "subcategory": "", + "text": "禁用通過公共 Internet 的訪問,並配置防火牆規則或受信任的服務規則" + }, + { + "category": "網路安全", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "id": "F01.02", + "service": "Azure Data Factory", + "severity": "中等", + "subcategory": "", + "text": "如果正在處理不應離開公司網路的敏感數據,請在 vnet 中部署 SHIR VM", + "waf": "安全" + }, + { + "category": "網路安全", + "description": "在數據工廠託管的虛擬網路中創建 Azure 集成運行時時,集成運行時將預配託管的虛擬網路。它使用私有終端節點安全地連接到支援的數據存儲。", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "id": "F01.03", + "service": "Azure Data Factory", + "severity": "中等", + "subcategory": "", + "text": "使用託管 vnet IR 限制 Azure Integration Runtime 通過公共 Internet 的訪問", + "waf": "安全" + }, + { + "category": "網路安全", + "description": "託管專用終結點是在數據工廠託管虛擬網路中創建的專用終結點,用於建立指向 Azure 資源的專用連結。數據工廠代表你管理這些專用終結點。", + "guid": 
"41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "id": "F01.04", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", + "severity": "中等", + "subcategory": "", + "text": "配置託管專用終結點以使用託管 Azure IR 連接到資源", + "waf": "安全" + }, + { + "category": "", + "description": "通過使用 Azure 專用連結,可以通過專用終結點連接到 Azure 中的各種平臺即服務 (PaaS) 部署。專用終結點是特定虛擬網路和子網中的專用IP位址", + "guid": "b47a393a-0804-4272-a479-8b1578b219a4", + "id": "G01.01", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-private-link", + "severity": "中等", + "subcategory": "", + "text": "配置專用連結以連接到客戶 Vnet 和數據工廠中的源" + }, + { + "category": "數據保護", + "description": "這是預設設置", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "id": "H01.01", + "service": "Azure Data Factory", + "severity": "中等", + "subcategory": "", + "text": "由 Microsoft 託管金鑰進行的靜態數據加密", + "waf": "安全" + }, + { + "category": "數據保護", + "description": "這是預設設置", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "id": "H01.02", + "service": "Azure Data Factory", + "severity": "中等", + "subcategory": "", + "text": "由 Microsoft 託管金鑰進行傳輸中的數據加密", + "waf": "安全" + }, + { + "category": "數據保護", + "description": "指定客戶管理的金鑰時,數據工廠會同時使用工廠系統金鑰和 CMK 來加密客戶數據。缺少其中任何一個都會導致 Deny of Access to data 和 factory。", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "id": "H01.03", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", + "severity": "中等", + "subcategory": "", + "text": "BYOK 傳輸中的數據加密(客戶管理的金鑰 )", + "waf": "安全" + }, + { + "category": "數據保護", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "id": "H01.04", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "高", + "subcategory": "", + "text": "在 Azure Key 
Vault 中存儲密碼和機密",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "description": "您可以將憑據或機密值存儲在 Azure Key Vault 中,並在管道執行期間使用它們以傳遞給您的活動。",
+ "guid": "6f4a1652-bddd-4ea8-a487-cdec4861bc3b",
+ "id": "H01.05",
+ "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities",
+ "service": "Azure Data Factory",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "在管道活動中使用 Azure Key Vault 機密"
+ },
+ {
+ "category": "數據保護",
+ "description": "您可以在具有自承載整合運行時的電腦上加密和儲存任何本地數據存儲(包含敏感資訊的連結服務)的憑據。",
+ "guid": "c14aeb7e-66e8-4d9a-9bec-218e6436b173",
+ "id": "H01.06",
+ "link": "https://learn.microsoft.com/azure/data-factory/encrypt-credentials-self-hosted-integration-runtime",
+ "service": "Azure Data Factory",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用 Azure 數據工廠中的 SHIR 數據儲存加密本地憑據"
+ },
+ {
+ "category": "身份和訪問管理",
+ "guid": "6db55f57-9603-4334-adf9-cc23418db612",
+ "id": "I01.01",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "定義在控制平面和數據平面中管理 Microsoft Purview 的角色和職責",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "為此,請使用 Azure RBAC",
+ "guid": "8126504b-b47a-4393-a080-427294798b15",
+ "id": "I01.02",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "定義在 Azure 訂閱(控制平面)中部署和管理 Microsoft Purview 所需的角色和任務",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "為此,請使用 Microsoft Purview 角色。",
+ "guid": "78b219a4-6ceb-4544-9513-5922744293bb",
+ "id": "I01.03",
+ "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "定義使用 Microsoft Purview 執行數據管理和治理所需的角色和任務。(Data Map 和 Data Catalog 的數據平面。",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "guid": 
"628637a5-5119-4b08-b8f5-854387e9cec1",
+ "id": "I01.04",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "將角色分配給 Microsoft Entra 組,而不是將角色分配給單個使用者。",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "guid": "66cd072a-f9b2-441a-a98a-535e737897e7",
+ "id": "I01.05",
+ "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用 Azure Active Directory 權利管理,通過訪問包將使用者訪問許可權映射到 Microsoft Entra 組。",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23",
+ "id": "I01.06",
+ "service": "Microsoft Purview",
+ "severity": "高",
+ "subcategory": "",
+ "text": "對 Microsoft Purview 使用者強制實施多重身份驗證,尤其是對於具有特權角色的使用者,例如集合管理員、數據源管理員或數據管護者。",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec",
+ "id": "I01.07",
+ "service": "Microsoft Purview",
+ "severity": "高",
+ "subcategory": "",
+ "text": "使用 Microsoft Entra ID 向所有使用者、在 Entra 中註冊的安全組、服務主體和 Microsoft Purview 中集合內的託管標識提供身份驗證和授權",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e",
+ "id": "I01.08",
+ "service": "Microsoft Purview",
+ "severity": "高",
+ "subcategory": "",
+ "text": "定義最低許可權模型和降低特權帳戶的暴露",
+ "waf": "安全"
+ },
+ {
+ "category": "網路安全",
+ "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23",
+ "id": "J01.01",
+ "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用專用連結服務啟用端到端網路隔離。(Microsoft Purview 數據映射)",
+ "waf": "安全"
+ },
+ {
+ "category": "網路安全",
+ "guid": "418db612-8126-4504-ab47-a393a0804272",
+ "id": "J01.02",
+ "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用 
Microsoft Purview Firewall 禁用公共訪問。(Microsoft Purview 數據映射)",
+ "waf": "安全"
+ },
+ {
+ "category": "網路安全",
+ "guid": "94798b15-78b2-419a-96ce-b54435135922",
+ "id": "J01.03",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "為部署了 Azure 數據源專用終結點、Microsoft Purview 專用終結點和自承載運行時 VM 的子網部署網路安全組 (NSG) 規則。(Microsoft Purview 數據映射)",
+ "waf": "安全"
+ },
+ {
+ "category": "網路安全",
+ "guid": "744293bb-6286-437a-9511-9b08e8f58543",
+ "id": "J01.04",
+ "link": "https://learn.microsoft.com/azure/firewall/overview",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用網路虛擬設備管理的專用終結點(例如用於網路檢查和網路篩選的 Azure 防火牆)實現 Microsoft Purview。(Microsoft Purview 數據映射)",
+ "waf": "安全"
+ },
+ {
+ "category": "網路安全",
+ "description": "此專用終結點也是門戶專用終結點的先決條件。需要 Microsoft Purview 門戶專用終結點才能使用專用網路啟用與 Microsoft Purview 治理門戶的連接。Microsoft Purview 可以使用引入專用終結點掃描 Azure 或本地環境中的數據源。使用私有終端節點的限制 https://learn.microsoft.com/purview/catalog-private-link-troubleshoot",
+ "guid": "87e9cec1-66cd-4072-af9b-241a998a535e",
+ "id": "J01.05",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-network",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "為 Microsoft Purview 帳戶部署專用終結點以添加另一層安全性,以便僅允許源自虛擬網路中的用戶端調用訪問 Microsoft Purview 帳戶",
+ "waf": "安全"
+ },
+ {
+ "category": "網路安全",
+ "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access。審查限制:https://learn.microsoft.com/purview/catalog-private-link-troubleshoot",
+ "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e",
+ "id": "J01.06",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用 Microsoft Purview 防火牆阻止公共訪問",
+ "waf": "安全"
+ },
+ {
+ "category": "網路安全",
+ "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec",
+ "id": "J01.07",
+ "link": 
"https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用網路安全組篩選進出 Azure 虛擬網路中 Azure 資源的網路流量",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms",
+ "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de",
+ "id": "K01.01",
+ "service": "Microsoft Purview",
+ "severity": "高",
+ "subcategory": "",
+ "text": "如果您的敏感數據無法離開本地 VNet 的邊界,強烈建議在企業 VNet 中使用 SHIR VM 來提取元數據",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "description": "元數據被提取並存儲在 Microsoft Purview 數據映射中,如果您沒有將託管存儲帳戶用於 Purview 帳戶,則所有人都可以訪問元數據,因此請實施適當的 RBAC 並將數據存取許可權限限為僅預期使用者。適用於 2023 年 12 月 15 日之後部署的帳戶(或使用 API 版本 2023-05-01-preview 及更高版本部署的帳戶)",
+ "guid": "7f3165c3-a87a-405b-9a20-9949bda47778",
+ "id": "K01.02",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用 Azure RBAC 將儲存帳戶(不受 MS 管理)的訪問許可權限限為僅目標使用者。",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7",
+ "id": "K01.03",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "靜態數據由 Microsoft 託管金鑰加密",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb",
+ "id": "K01.04",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "傳輸中的數據由TLS 1.3 加密",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370",
+ "id": "K01.05",
+ "service": "Microsoft Purview",
+ "severity": "高",
+ "subcategory": "",
+ "text": "如果不使用託管標識或沒有需要密碼的方法,請始終使用 Azure Key Vault 來存儲所有憑據",
+ "waf": "安全"
+ },
+ {
+ "category": "防止意外刪除",
+ "guid": "6f7c0cba-fe61-4465-add4-57e927139b82",
+ "id": "L01.01",
+ "service": "Microsoft Purview", 
+ "severity": "中等",
+ "subcategory": "",
+ "text": "通過應用資源鎖來防止意外刪除 Microsoft Purview 帳戶",
+ "waf": "安全"
+ },
+ {
+ "category": "",
+ "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4722d928",
+ "id": "M01.01",
+ "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "為 Microsoft Entra 租戶、Azure 訂閱和 Microsoft Purview 帳戶規劃不受限策略,以防止租戶範圍的帳戶鎖定。",
+ "waf": "安全"
+ },
+ {
+ "category": "其他安全建議",
+ "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21",
+ "id": "N01.01",
+ "service": "Microsoft Purview",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "與 Microsoft 365 和 Microsoft Defender for Cloud 集成",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "將管理員帳戶與普通用戶帳戶分開。",
+ "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
+ "id": "O01.01",
+ "service": "Azure Databricks",
+ "severity": "高",
+ "subcategory": "",
+ "text": "定義最低許可權模型和降低特權帳戶的暴露",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "Azure Databricks 支援 Microsoft Entra ID 條件訪問,它允許管理員控制允許使用者登錄 Azure Databricks 的位置和時間。條件訪問策略可以限制登錄到您的公司網路,或者可以要求多重身份驗證 (MFA)。",
+ "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
+ "id": "O01.02",
+ "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on",
+ "service": "Azure Databricks",
+ "severity": "高",
+ "subcategory": "",
+ "text": "配置單點登錄和統一登錄。啟用多重身份驗證。",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "客戶可以使用令牌管理 API 或 UI 控制件來啟用或禁用用於 REST API 身份驗證的個人存取權杖 (PAT)、限制允許使用 PAT 的使用者、設置新令牌的最長生命週期以及管理現有令牌。高度安全的客戶通常會為工作區的新令牌預置最長令牌生命週期。此功能需要 Premium 定價層。",
+ "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0",
+ "id": "O01.03",
+ "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens",
+ "service": "Azure Databricks",
+ "severity": "中等",
+ "subcategory": "",
+ "text": 
"使用 Token 管理。",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "如果你的 Databricks 管理員也是 Databricks 平臺的普通使用者(例如,有一名首席數據工程師管理平臺並執行數據工程工作),Databricks 建議為管理任務創建一個單獨的帳戶。請務必注意,作為 Azure RBAC 模型的一部分,被授予對已部署的 Azure Databricks 工作區的資源組的參與者或更高許可權的使用者在登錄到該工作區時會自動成為管理員。因此,上述相同注意事項也應適用於 Azure 門戶使用者。",
+ "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56",
+ "id": "O01.04",
+ "service": "Azure Databricks",
+ "severity": "高",
+ "subcategory": "",
+ "text": "將管理員帳戶與普通用戶帳戶分開",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "SCIM(跨域身份管理系統)允許您將使用者和組從 Microsoft Entra ID 同步到 Azure Databricks。此方法有三個主要好處:1. 刪除使用者時,該用戶會自動從 Databricks 中刪除。2. 使用者也可以通過 SCIM 暫時禁用。客戶已將此功能用於客戶認為帳戶可能已洩露並需要調查 3.組會自動同步 有關如何為 Azure Databricks 配置 SCIM 的詳細說明,請參閱文檔。此功能需要 Premium 定價層",
+ "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36",
+ "id": "O01.05",
+ "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/",
+ "service": "Azure Databricks",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用者和組的 SCIM 同步。",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "使用集群策略或較舊的集群 ACL,管理員可以定義組織內的哪些使用者或組能夠創建集群。集群 ACL 允許您指定哪些使用者可以將筆記本附加到給定集群。請注意,如果用戶共用已附加到標準模式集群的筆記本,則接收者也將能夠在該集群上執行代碼。這不適用於強制實施用戶隔離的群集:SQL 倉庫、與表 ACL 的高併發性群集以及與憑據直通群集的高併發性。使用 Unity Catalog 的客戶還可以啟用單使用者集群來強制實施隔離集群。",
+ "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d",
+ "id": "O01.06",
+ "service": "Azure Databricks",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "限制集群創建許可權。",
+ "waf": "安全"
+ },
+ {
+ "category": "",
+ "description": "帳戶管理員可以配置名為 RestrictWorkspaceAdmins 的工作區設置,以限制工作區管理員僅將作業擁有者更改為自己,並將作業運行方式設置更改為他們具有服務主體使用者角色的服務主體。",
+ "guid": "6b57dfc6-5546-41e1-a3e3-453a3c863964",
+ "id": "P01.01",
+ "link": "https://learn.microsoft.com/azure/databricks/admin/workspace-settings/restrict-workspace-admins",
+ "severity": "高",
+ "subcategory": "",
+ "text": "限制工作區管理員"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "請務必注意,即使客戶使用 Azure Key Vault 儲存其機密,仍需要在 Azure Databricks 中定義訪問控制。這是因為使用相同的服務標識來檢索 
Azure Databricks 工作區的所有用戶的機密。",
+ "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1",
+ "id": "Q01.01",
+ "service": "Azure Databricks",
+ "severity": "高",
+ "subcategory": "",
+ "text": "在 Azure Key Vault 中存儲密碼和機密",
+ "waf": "安全"
+ },
+ {
+ "category": "",
+ "guid": "42b16c21-d799-49a6-96f4-389a8f42c78e",
+ "id": "R01.01",
+ "severity": "高",
+ "subcategory": "",
+ "text": "如果定期使用金鑰,請重新生成/輪換金鑰"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "具有用戶隔離的集群包括強制執行,以便每個使用者在集群主機上以不同的非特權用戶帳戶運行。語言也僅限於可以以隔離方式實現的語言(SQL 和 Python),並且 Spark API 必須位於我們認為隔離安全的允許清單中。",
+ "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3",
+ "id": "S01.01",
+ "service": "Azure Databricks",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用支援用戶隔離的集群。",
+ "waf": "安全"
+ },
+ {
+ "category": "身份和訪問管理",
+ "description": "將生產工作負載綁定到單個用戶帳戶違反了安全最佳實踐,因此我們建議在 Databricks 中配置服務主體。服務原則將管理員和使用者操作與工作負載分開,並防止工作負載在使用者離開組織時受到影響。使用 Databricks,可以將作業配置為作為服務主體運行,併為服務主體生成個人訪問令牌。",
+ "guid": "e29711b1-352b-4eee-879b-588defc5972c",
+ "id": "S01.02",
+ "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/",
+ "service": "Azure Databricks",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "使用服務主體運行生產作業。對工作區級別 (ACL)、帳戶級別 (RBAC) 和數據級別 (Unity catalog) 安全控制使用適當的存取控制",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "description": "默認情況下,DBFS 是一個文件系統,可供給定工作區的所有使用者訪問,並且可以通過 API 訪問。這不一定是一個主要的數據洩露問題,因為您可以使用IP訪問清單或專用網路訪問來限制通過 DBFS API 或 Databricks cli 訪問資料的訪問。但是,隨著 Azure Databricks 使用量的增長和更多使用者加入工作區,這些使用者將有權訪問存儲在 DBFS 中的任何數據,從而產生不需要的信息共用的可能性。Databricks 建議我們的客戶不要將生產數據存儲在 DBFS 中。",
+ "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c",
+ "id": "T01.01",
+ "service": "Azure Databricks",
+ "severity": "高",
+ "subcategory": "",
+ "text": "避免將生產數據存儲在 DBFS 中。",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "description": "對於你管理的存儲帳戶,你有責任確保根據你的要求保護存儲帳戶。範例可能包括:使用客戶管理的密鑰進行加密、使用存儲防火牆限制對受信任網路的訪問、不允許匿名公共訪問",
+ "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8",
+ "id": "T01.02",
+ "link": 
"https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys",
+ "service": "Azure Databricks",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "加密存儲並限制訪問。",
+ "waf": "安全"
+ },
+ {
+ "category": "數據保護",
+ "description": "為存儲在 Azure Databricks 控制平面中的選定數據(例如筆記本、機密、Databricks SQL 查詢和 Databricks SQL 查詢歷史記錄)以及用於 DBFS 的根存儲帳戶添加客戶管理的密鑰。Azure Databricks 需要訪問此密鑰才能進行持續操作。可以撤銷對金鑰的訪問許可權,以防止 Azure Databricks 存取控制平面(或我們的備份)中的加密數據。這就像一個核選項,工作區停止運行,但它為極端情況提供了緊急控制。此功能需要 Premium 定價層。",
+ "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9",
+ "id": "T01.03",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys",
+ "service": "Azure Databricks",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "為託管服務和工作區存儲添加客戶管理的金鑰",
+ "waf": "安全"
+ },
+ {
+ "category": "聯網",
+ "description": "配置IP訪問清單,通過檢查使用者或API用戶端是否來自已知的良好IP位址範圍(如 VPN 或辦公網路),來限制可在帳戶控制台和工作區級別向 Databricks 進行身份驗證的IP位址。如果使用者移動到錯誤的IP位址(例如,從 VPN 斷開連接時),已建立的使用者會話將不起作用。",
+ "guid": "277de183-b1ac-4252-a9a9-b64608489a8f",
+ "id": "U01.01",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list",
+ "service": "Azure Databricks",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "啟用IP存取清單以限制對某些IP位址的訪問。",
+ "waf": "安全"
+ },
+ {
+ "category": "聯網",
+ "description": "Azure 專用連結提供從一個 Azure 環境到另一個 Azure 環境的專用網路路由。專用連結既可以在 Azure Databricks 使用者和控制平面之間配置,也可以在控制平面和數據平面之間配置。在 Databricks 使用者和控制平面之間,專用連結提供了強大的控制措施來限制入站請求的來源。如果公司已通過 Azure 環境路由流量,則可以使用專用連結,以便使用者與 Azure Databricks 控制平面之間的通信不會遍歷公共 IP 位址。此功能需要 Premium 定價層。使用 Azure 專用連結從 Azure Databricks 連接到 Azure 資源。專用鏈接不僅確保",
+ "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3",
+ "id": "U01.02",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link",
+ "service": "Azure Databricks",
+ "severity": "中等",
+ "subcategory": "",
+ "text": "配置和使用 Azure 專用連結訪問 Azure 資源。",
+ "waf": "安全"
+ }
+ ],
+ "metadata": {
+ "name": "Use the 'Import latest checklist' button to get the latest 
version of a review checklist",
+ "state": "Preview",
+ "timestamp": "October 21, 2024",
+ "waf": "Security"
+ },
+ "severities": [
+ {
+ "name": "高"
+ },
+ {
+ "name": "中等"
+ },
+ {
+ "name": "低"
+ }
+ ],
+ "status": [
+ {
+ "description": "尚未查看此檢查",
+ "name": "未驗證"
+ },
+ {
+ "description": "存在與此檢查關聯的操作項",
+ "name": "打開"
+ },
+ {
+ "description": "此檢查已經過驗證,沒有與之關聯的其他操作項",
+ "name": "實現"
+ },
+ {
+ "description": "建議已理解,但當前要求不需要",
+ "name": "不需要"
+ },
+ {
+ "description": "不適用於當前設計",
+ "name": "不適用"
+ }
+ ],
+ "waf": [
+ {
+ "name": "可靠性"
+ },
+ {
+ "name": "安全"
+ },
+ {
+ "name": "成本"
+ },
+ {
+ "name": "操作"
+ },
+ {
+ "name": "性能"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "是的"
+ },
+ {
+ "name": "不"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/checklists/waf_checklist.en.json b/checklists/waf_checklist.en.json
index b8f933d83..096f1a7d4 100644
--- a/checklists/waf_checklist.en.json
+++ b/checklists/waf_checklist.en.json
@@ -1,7158 +1,7532 @@
 {
 "items": [
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.",
- "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e",
- "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention",
- "query": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend exportPolicyStatus = properties.policies.exportPolicy.status | extend compliant = iif(exportPolicyStatus =~ 'Disabled', true, false) | project acrName, acrId, exportPolicyStatus, compliant",
- "service": "ACR",
+ "arm-service": "Microsoft.App/containerApps",
+ "checklist": "Container Apps Review",
+ "guid": "af416482-663c-4ed6-b195-b44c7068e09c",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support",
+ "query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)",
+ "service": "Container Apps",
 "severity": "High",
- "text": "Disable Azure Container Registry image export",
- "waf": "Security"
+ "text": "Leverage Availability Zones if regionally applicable",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry",
- "guid": "d503547c-d447-4e82-9128-a7100f1cac6d",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy",
- "service": "ACR",
+ "arm-service": "Microsoft.App/containerApps",
+ "checklist": "Container Apps Review",
+ 
"guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment",
+ "query": "resources | where type =~ 'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)",
+ "service": "Container Apps",
 "severity": "High",
- "text": "Enable Azure Policies for Azure Container Registry",
- "waf": "Security"
+ "text": "Use more than one replica and enable Zone Redundancy.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. 
The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.",
- "guid": "d345293c-7639-4637-a551-c5c04e401955",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push",
- "service": "ACR",
+ "arm-service": "Microsoft.App/containerApps",
+ "checklist": "Container Apps Review",
+ "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Container Apps",
 "severity": "High",
- "text": "Sign and Verify containers with notation (Notary v2)",
- "waf": "Security"
- },
- {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. 
By using a customer-managed key, you can supplement default encryption with an additional encryption layer.",
- "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend encryptionStatus = properties.encryption.status | extend compliant = iif(encryptionStatus == 'disabled', false, true) | project acrName, acrId, encryptionStatus, compliant",
- "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49",
- "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys",
- "service": "ACR",
- "severity": "Medium",
- "text": "Encrypt registry with a customer managed key",
- "waf": "Security"
+ "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications",
- "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
- "service": "ACR",
+ "arm-service": "Microsoft.App/containerApps",
+ "checklist": "Container Apps Review",
+ "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Container Apps",
 "severity": "High",
- "text": "Use Managed Identities to connect instead of Service Principals",
- "waf": "Security"
+ "text": "Use Front Door or Traffic Manager to route traffic to the closest region",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "The local Administrator account is disabled by 
default and should not be enabled. Use either Token or RBAC-based access methods instead",
- "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant",
- "guid": "be0e38ce-e297-411b-b363-caaab79b198d",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
- "service": "ACR",
- "severity": "High",
- "text": "Disable local authentication for management plane access",
- "waf": "Security"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687",
+ "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Leverage FTA Resillency Handbook",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations",
- "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant",
- "guid": "387e5ced-126c-4d13-8af5-b20c6998a646",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli",
- "service": "ACR",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": 
"ab067acb-49e5-4b96-8332-4ecf8cc13318",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "severity": "High",
- "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals",
- "waf": "Security"
+ "text": "Plan for Data Center level outage",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Disable anonymous pull/push access",
- "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend compliant = iif(properties.anonymousPullEnabled == false, true, false) | project compliant, name, id, tags | distinct id, compliant",
- "guid": "e338997e-41c7-47d7-acf6-a62a1194956d",
- "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access",
- "service": "ACR",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets",
+ "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Disable Anonymous pull access",
- "waf": "Security"
+ "text": "Practice Failover for BCDR",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Token authentication doesn't support assignment to an AAD principal. 
Any tokens provided are able to be used by anyone who can access the token",
- "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli",
- "service": "ACR",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "97b15b8a-219a-44ab-bb57-879024d22678",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "severity": "High",
- "text": "Disable repository-scoped access tokens",
- "waf": "Security"
+ "text": "Plan a backup strategy and take regular backups",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network",
- "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee",
- "service": "ACR",
- "severity": "High",
- "text": "Deploy images from a trusted environment",
- "waf": "Security"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d",
+ "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR",
- "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy",
- "service": "ACR",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b",
+ "link": "https://learn.microsoft.com/purview/deployment-best-practices",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Disable Azure ARM audience tokens for authentication",
- "waf": "Security"
+ "text": "Follow Purview accounts architectures and deployment best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the ACR resource itself.",
- "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6",
- "link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
- "service": "ACR",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-collections",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Enable diagnostics logging",
- "waf": "Security"
+ "text": "Follow Collection Architectures and best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch",
- "guid": 
"21d41d25-00b7-407a-b9ea-b40fd3290798",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
- "service": "ACR",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Control inbound network access with Private Link",
- "waf": "Security"
+ "text": "Follow Assest lifecycle best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Disable public network access if inbound network access is secured using Private Link",
- "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | where sku.name =~ 'Premium' // Check for Premium SKU | extend publicAccessEnabled = properties.publicNetworkAccess | extend defaultAction = tostring(properties.networkRuleSet.defaultAction) // Extract defaultAction | extend compliant = iif(publicAccessEnabled != 'Enabled' or defaultAction == 'Deny', true, false) | project name, id, publicAccessEnabled, defaultAction, compliant",
- "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access",
- "service": "ACR",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-automation",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Disable Public Network access",
- "waf": "Security"
+ "text": "Follow automation best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure 
Container Registry Security Review",
- "description": "Only the ACR Premium SKU supports Private Link access",
- "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend skuName = sku.name // Extract the SKU name | extend compliant = iif(skuName == 'Premium', true, false) // Check if SKU is Premium | project name, id, skuName, compliant",
- "guid": "fc833934-8b26-42d6-ac5f-512925498f6d",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus",
- "service": "ACR",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)",
- "waf": "Security"
+ "text": "Follow Backup and Migration Best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container Registry Security Review",
- "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities",
- "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
- "service": "ACR",
- "severity": "Low",
- "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities",
- "waf": "Security"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Follow Purview Glossary Best Practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure Container 
Registry Security Review", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", - "service": "ACR", - "severity": "Medium", - "text": "Deploy validated container images", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "4e401955-387e-45ce-b126-cd132af5b20c", - "service": "ACR", - "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", - "waf": "Security" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", + "link": "https://learn.microsoft.com/purview/concept-workflow", + "service": "Purview", + "severity": "Low", + "text": "Leverage Workflows ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security", + "service": "Purview", "severity": "Medium", - "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", + "text": "Follow Purview Security Best Practices", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "High", - "text": "Use zone redundant pipelines in regions that support Availability Zones", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", + "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", + "service": "Purview", + "severity": "Medium", + "text": "Follow Purview Data Lineage Best Practices", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", + "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", + "service": "Purview", "severity": "Medium", - "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", + "text": "Follow Best Practices for Scanning Registered Sources", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", + "service": "Purview", "severity": "Medium", - "text": "Make sure you replicate the Self-Hosted 
Integration Runtime VMs in another region ", + "text": "Follow Classification Best Practices in Governance Portal", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", + "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", + "service": "Purview", "severity": "Medium", - "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", + "text": "Perform Sensitivity Labelling in the Purview Data Map", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", + "link": "https://learn.microsoft.com/purview/concept-data-share", + "service": "Purview", "severity": "Low", - "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", + "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", - "guid": "ba7da7be-9951-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", - "service": "Azure Data Explorer", - "text": "Leverage External Tables and Continuous data export overview to reduce costs", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "severity": "Low", + "text": "Leverage Data Estate Insights", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. 
Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Azure Data Explorer", - "text": "To share data, explore Leader-follower cluster configuration", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", + "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", + "service": "Purview", + "severity": "Low", + "text": "Use Data stewardship and Catalog adoption", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Azure Data Explorer", - "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "severity": "Low", + "text": "Use Inventory and Ownership", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Azure Data Explorer", - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", + "link": "https://learn.microsoft.com/purview/glossary-insights", + "service": "Purview", + "severity": "Low", + "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Azure Data Explorer", - "text": "Ingest data into each cluster in parallel", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft 
Purview Review Checklist", + "guid": "b130a888-9579-4e76-a896-e710a7da7be9", + "link": "https://learn.microsoft.com/purview/compliance-manager", + "service": "Purview", + "severity": "Medium", + "text": "Generate assessment scores", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Azure Data Explorer", - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", + "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", + "service": "Purview", + "severity": "Medium", + "text": "Profiling- get summaries of data content", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Azure Data Explorer", - "text": "For critical applications, create Active-Active configuration in two paired regions", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", + "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", + "service": "Purview", + "severity": "Low", + "text": "Follow Microsoft Purview Data Owner access policies", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Azure Data Explorer", - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", + "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", + "service": "Purview", + "severity": "Low", + "text": "Follow Self-service access policies", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Azure Data Explorer", - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", + "link": "https://learn.microsoft.com/purview/concept-policies-devops", + "service": "Purview", + "severity": "Low", + "text": "Follow DevOps policies", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Wrap DevOps and source control around all your code", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "arm-service": "Microsoft.Compute/virtualMachineScaleSets", + "checklist": "Resiliency Review", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", + "severity": "Low", + "text": "Enable automatic instance repairs for enhanced VM Scale Sets 
resiliency", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", + "service": "VM", + "severity": "High", + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", + "severity": "High", + "text": "Use Premium or Ultra disks for production VMs", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "Medium", - "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal.", - "waf": "Operations" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", + "guid": "b31e38c3-f298-412b-8363-cffe179b599d", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", + "service": "VM", + "severity": "High", + "text": "Ensure Managed Disks are used for all VMs", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", - 
"guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", + "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", + "service": "VM", "severity": "Medium", - "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "text": "Do not use the Temp disk for anything that is not acceptable to be lost", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", - "service": "Front Door", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", + "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "text": "Leverage Availability Zones for your VMs in regions where they are supported", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", - "severity": "High", - "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", - "waf": "Security" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", + "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "VM", + "severity": "Medium", + "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": 
"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", + "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", "severity": "High", - "text": "Avoid placing Traffic Manager behind Front Door.", - "waf": "Security" + "text": "Avoid running a production workload on a single VM", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover 
capabilities.", + "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "severity": "High", - "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", - "waf": "Security" + "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", + "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", + "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", + "service": "VM", "severity": "Low", - "text": "Disable health probes when there is only one origin in an Azure Front Door origin 
group.", - "waf": "Performance" + "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", + "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", + "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", + "service": "VM", "severity": "Medium", - "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", + "text": "Increase quotas in DR region before testing failover with ASR", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Scheduled Events is an Azure Metadata Service that provides information about 
upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", + "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", + "service": "VM", "severity": "Low", - "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", - "waf": "Performance" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", - "severity": "High", - "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", - "waf": "Operations" + "text": "Utilize Scheduled Events to prepare for VM maintenance", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", + "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "severity": "Medium", - "text": "Define your Azure Front Door WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", - "severity": "High", - "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", - "waf": "Security" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", + "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", + "severity": "Low", + "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", - "severity": "Medium", - "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", - "waf": "Security" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", + "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "Low", + "text": "Enable soft delete for Storage Account Containers", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=~'Enabled') and (mode=~'Prevention')), enabledState, mode", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", - "severity": "High", - "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.", - "waf": "Security" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", + "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", + "severity": "Low", + "text": "Enable soft delete for blobs", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", - "severity": "High", - "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.", - "waf": "Security" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Resiliency Review", + "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", + "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "service": "Azure Backup", + "severity": "Medium", + "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", - "waf": "Security" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Resiliency Review", + "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", + "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", + "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", + "service": "Azure Backup", + "severity": "Low", + "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", - "severity": "High", - "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", - "waf": "Security" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Resiliency Review", + "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. 
This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", + "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", + "service": "Azure Backup", + "severity": "Low", + "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", - "severity": "High", - "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", - "waf": "Security" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Resiliency Review", + "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", + "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", + "service": "DNS", + "severity": "Low", + "text": "Implement DNS Failover using Azure DNS Private Resolvers", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", + "arm-service": "Microsoft.PowerBI/gateways", + "checklist": "Resiliency Review", + "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", + "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", + "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", + "service": "Data Gateways", "severity": "Medium", - "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", - "waf": "Security" + "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", - "severity": "Medium", - "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", - "waf": "Security" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", + "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", + "severity": "High", + "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "Medium", - "text": "Use a high threshold for Azure Front Door WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure.", + "text": "Consider the 'Azure security baseline for storage'", "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "High", + "text": "Consider using private endpoints for Azure Storage", "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application 
Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "text": "Ensure older storage accounts are not using 'classic deployment model'", "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", - "severity": "Medium", - "text": "Capture logs and metrics by turning on Diagnostic Settings. Include resource activity logs, access logs, health probe logs, and WAF logs. 
Set up alerts.", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", + "severity": "High", + "text": "Enable Microsoft Defender for all of your storage accounts", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "Medium", - "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "text": "Enable 'soft delete' for blobs", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": 
"3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "Medium", - "text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. 
Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.", - "waf": "Reliability" + "text": "Disable 'soft delete' for blobs", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", - "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", - "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "High", - "text": "Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. 
You can place those origins in one or more back-end pools.", - "waf": "Reliability" + "text": "Enable 'soft delete' for containers", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "999852be-2137-4179-8fc3-30d1df6fed1d", - "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "severity": "Medium", - "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout.", - "waf": "Reliability" + "text": "Disable 'soft delete' for containers", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity", - "service": "Front Door", - "severity": "Medium", - "text": "Decide if your application requires session affinity. 
If you have high reliability requirements, we recommend that you disable session affinity.", - "waf": "Reliability" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", + "severity": "High", + "text": "Enable resource locks on storage accounts", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7", - "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header", - "service": "Front Door", - "severity": "Medium", - "text": "Send the host header to the back end. The back-end services should be aware of the host name so that they can create rules to accept traffic only from that host.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "High", + "text": "Consider immutable blobs", "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", - "severity": "Medium", - "text": "Use caching for endpoints that support it.", - "waf": "Cost" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "High", + "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant", - "guid": "34069d73-e4de-46c5-a36f-625f87575a56", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "Low", - "text": "Disable health checks in single back-end pools. If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary. 
This is only recommended if you can't have multiple origins in your endpoint.", - "waf": "Cost" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "High", + "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "c92d6786-cdd1-444d-9cad-934a192a276a", - "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "Medium", - "text": "We recommend using the Premium Tier for leveraging the Security reports while the Standard Azure Front Door Profile provides only traffic reports under built-in analytics/reports.", - "waf": "Operations" + "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain", - "service": 
"Front Door", - "severity": "Medium", - "text": "Use wildcard TLS certificates when possible.", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": ". Enforcing the latest TLS version will reject request from clients using the older version. ", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", + "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", + "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", + "service": "Azure Storage", + "severity": "High", + "text": "Enforce the latest TLS version for a storage account", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", - "severity": "Medium", - "text": "Optimize your application query string for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. 
Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.", - "waf": "Performance" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "High", + "text": "Use Microsoft Entra ID tokens for blob access", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece", - "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "Medium", - "text": "Use file compression when you're accessing downloadable content.", - "waf": "Performance" + "text": "Least privilege in IaM permissions", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", - "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", - "link": "https://learn.microsoft.com/azure/cdn/tier-migration", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "severity": "High", - "text": "Consider migrating to Standard or Premium SKU if you are using Classic Azure Front Door currently as Classic Azure Front Door will be deprecated by March 2027.", - "waf": "Operations" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", - "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", - "service": "Front Door", - "severity": "Medium", - "text": "Consider using Traffic Manager load balancing Azure Front Door and a third party CDN provider CDN profile for mission critical high availability scenario. ", - "waf": "Reliability" + "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", - "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. 
", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "severity": "High", - "text": "When using Front Door with origin as App services, consider locking down the traffic to app services only through Azure Front Door using access restrictions. ", + "text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "Low", - "text": "If required for AKS Windows workloads HostProcess containers can be used", - "waf": "Reliability" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "High", + "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "severity": "Low", - "text": "Use KEDA if running event-driven workloads", - "waf": "Performance" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", + "severity": "Medium", + "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "Low", - "text": "Use Dapr to ease microservice development", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. 
SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", + "severity": "Medium", + "text": "Consider configuring an SAS expiration policy", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", - "severity": "High", - "text": "Use the SLA-backed AKS offering", - "waf": "Reliability" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "severity": "Medium", + "text": "Consider linking SAS to a stored access policy", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "Low", - "text": "Use Disruption Budgets in your pod and deployment definitions", - "waf": "Reliability" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", + "severity": "Medium", + "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "waf": "Security" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "High", - "text": "If using a private registry, configure region replication to store images in multiple regions", - "waf": "Reliability" + "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", - "severity": "Low", - "text": "Use an external application such as kubecost to allocate costs to different users", - "waf": "Cost" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "High", + "text": "Strive for short validity periods for ad-hoc SAS", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", - "severity": "Low", - "text": "Use scale down mode to delete/deallocate nodes", - "waf": "Cost" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Medium", + "text": "Apply a narrow scope to a SAS", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "Medium", - "text": "When required use multi-instance partitioning GPU on AKS Clusters", - "waf": "Cost" + "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", "severity": "Low", - "text": "If running a Dev/Test cluster use NodePool Start/Stop", - "waf": "Cost" + "text": "Consider checking uploaded data, after clients used a SAS to upload a file. 
", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", - "severity": "Medium", - "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "High", + "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": 
"9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "Medium", - "text": "Separate applications from the control plane with user/system node pools", + "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "Low", - "text": "Add taint to your system nodepool to make it dedicated", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "severity": "High", + "text": "Avoid overly broad CORS policies", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. 
Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "severity": "High", + "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "Medium", - "text": "Use a private registry for your images, such as ACR", + "text": "Determine which/if platform encryption should be used.", "waf": "Security" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "Medium", - "text": "Scan your images for vulnerabilities", + "text": "Determine which/if client-side encryption should be used.", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "severity": "High", - "text": "Define app separation requirements (namespace/nodepool/cluster)", + "text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. 
", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", - "severity": "Medium", - "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", - "waf": "Security" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", + "severity": "High", + "text": "Leverage a storagev2 account type for better performance and reliability", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "severity": "High", - "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", - "waf": "Security" + "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": 
"AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", "severity": "Medium", - "text": "If required add Key Management Service etcd encryption", - "waf": "Security" + "text": "For write operation after failover, use customer-Managed Failover ", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "Low", - "text": "If required consider using Confidential Compute for AKS", - "waf": "Security" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", + "severity": "Medium", + "text": "Understand Microsoft-Managed Failover details", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", "severity": "Medium", - "text": "Consider using Defender for Containers", - "waf": "Security" + "text": "Enable Soft Delete", + "waf": 
"Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", - "severity": "High", - "text": "Use managed identities instead of Service Principals", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", + "severity": "Medium", + "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. 
You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "Medium", - "text": "Integrate authentication with AAD (using the managed integration)", - "waf": "Security" + "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "severity": "Medium", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", - "waf": "Security" + "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "severity": "Medium", - "text": "Integrate authorization with AAD RBAC", - "waf": "Security" + "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "High", - "text": "Use namespaces for restricting RBAC 
privilege in Kubernetes", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", - "severity": "Medium", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", - "severity": "Medium", - "text": "For AKS non-interactive logins use kubelogin (preview)", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", + "severity": "High", + "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. 
Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "Medium", - "text": "Disable AKS local accounts", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Low", - "text": "Configure if required Just-in-time cluster access", - "waf": "Security" + "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Low", - "text": "Configure if required AAD conditional access for AKS", - "waf": "Security" + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", + "severity": "High", + "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "severity": "Low", - "text": "If required for Windows AKS workloads configure gMSA ", - "waf": "Security" + "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "Medium", - "text": "For finer control consider using a managed Kubelet Identity", - "waf": "Security" + "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", - "severity": "Medium", - "text": "If using AGIC, do not share an AppGW across clusters", + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "Low", + "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "High", - "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", + "text": "Native database replication technology should be 
used to synchronize the database in a HA pair.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", - "severity": "Medium", - "text": "For Windows workloads use Accelerated Networking", - "waf": "Performance" + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "High", + "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + 
"checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", "severity": "High", - "text": "Use the standard ALB (as opposed to the basic one)", + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", - "severity": "Medium", - "text": "If using Azure CNI, consider using different Subnets for NodePools", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "High", + "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", - "severity": "Medium", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "High", + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "High", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", "severity": "High", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", "severity": "High", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", - "waf": "Performance" + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "Low", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", - "waf": "Security" + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, 
Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "severity": "High", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "severity": "High", - "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", + "text": "Make sure the Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "Low", - "text": "If required add your own CNI plugin", - "waf": "Security" + "checklist": "SAP 
Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "High", + "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "Low", - "text": "If required configure Public IP per node in AKS", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", + "severity": "High", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "High", + "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "Medium", - "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "Low", - "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "High", + "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", - "severity": "Medium", - "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "High", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "High", - "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", - "waf": "Security" + "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "High", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "severity": "Medium", - "text": "If using a public API endpoint, restrict the IP addresses that can access it", - "waf": "Security" + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. 
However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", - "severity": "High", - "text": "Use private clusters if your requirements mandate it", - "waf": "Security" + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Medium", + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", "severity": "Medium", - "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", - "waf": "Security" + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "High", - "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", - "waf": "Security" + "text": "Run all 
production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "severity": "High", - "text": "Use Kubernetes network policies to increase intra-cluster security", - "waf": "Security" + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", "severity": "High", - "text": "Use a WAF for web workloads (UIs or APIs)", - "waf": "Security" + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 
'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "High", + "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "severity": "Medium", - "text": "Use DDoS Standard in the AKS Virtual Network", - "waf": "Security" + "text": "Automate SAP System Start-Stop to manage costs.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": 
"https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "severity": "Low", - "text": "If required add company HTTP Proxy", - "waf": "Security" + "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", - "severity": "Medium", - "text": "Consider using a service mesh for advanced microservice communication management", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "Low", + "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", "severity": "High", - "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", - "waf": "Operations" + "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "Low", - "text": "Check regularly Azure Advisor for recommendations on your cluster", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", + "severity": "Medium", + "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to 
SAP on-premises (Including IaaS) through cloud connector", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "Low", - "text": "Enable AKS auto-certificate rotation", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", + "severity": "Medium", + "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", - "severity": "High", - "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", + "severity": "Medium", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", - "severity": "High", - "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", + "severity": "Medium", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", - "severity": "High", - "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", + "severity": "Medium", + "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "Low", - "text": "Consider gitops to deploy applications or 
cluster configuration to multiple clusters", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", + "severity": "Medium", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "Low", - "text": "Consider using AKS command invoke on private clusters", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", + "severity": "Medium", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", - "severity": "Low", - "text": "For planned events consider using Node Auto Drain", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", + "severity": "Medium", + "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "High", - "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", + "severity": "Medium", + "text": "Implement SSO to SAP HANA", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - 
"service": "AKS", - "severity": "Low", - "text": "Use custom Node RG (aka 'Infra RG') name", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", + "severity": "Medium", + "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "severity": "Medium", - "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", - "waf": "Operations" + "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "Low", - "text": "Taint Windows nodes", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", + "severity": "Medium", + "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to 
access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "Low", - "text": "Keep windows containers patch level in sync with host patch level", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", + "severity": "Medium", + "text": "Implement SSO to SAP BTP", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "Low", - "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", + "severity": "Medium", + "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. 
Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "Low", - "text": "If required use nodePool snapshots", - "waf": "Cost" + "checklist": "SAP Checklist", + "description": "Keep your management group hierarchy reasonably flat, no more than four.", + "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", + "severity": "Medium", + "text": "enforce existing Management Group policies to SAP Subscriptions", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", - "severity": "Low", - "text": "Consider spot node pools for non time-sensitive workloads", + "checklist": "SAP Checklist", + "graph": "Resources | summarize count()", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "High", + "text": "Integrate tightly 
coupled applications into the same SAP subscription to avoid additional routing and management complexity", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "SAP Checklist", + "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "High", + "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "Operations" + }, + { + "checklist": "SAP Checklist", + "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", + "severity": "High", + "text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "Operations" + }, + { + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", "severity": "Low", - "text": "Consider AKS virtual node for quick bursting", + "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. 
Consider using it if necessary.", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", "severity": "High", - "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", + "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", "severity": "High", - "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", + "text": "Ensure required services and features are available within the chosen deployment regions eg. 
ANF , Zone etc.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "checklist": "SAP Checklist", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", "severity": "Medium", - "text": "Monitor CPU and memory utilization of the nodes", + "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "High", + "text": "Help protect your HANA database by using the Azure Backup service.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": 
"302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "severity": "Medium", - "text": "If using Azure CNI, monitor % of pod IPs consumed per node", + "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "High", + "text": "Ensure time-zone matches between the operating system and the SAP system.", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "severity": "Medium", - "text": "Monitor OS disk queue depth in nodes", - "waf": "Operations" + "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", + "severity": "Low", + "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", + "waf": "Cost" + }, + { + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "severity": "Medium", - "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "severity": "Medium", - "text": "Subscribe to resource health notifications for your AKS cluster", + "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "High", - "text": "Configure requests and limits in your pod specs", + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", + "severity": "Low", + "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", "severity": "Medium", - "text": "Enforce resource quotas for namespaces", + "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "severity": "High", - "text": "Ensure your subscription has enough quota to scale out your nodepools", + "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", - "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", - "service": "AKS", - "severity": "High", - "text": "Configure Liveness and Readiness probes for all deployments", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", + "severity": "Medium", + "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "severity": "Medium", - "text": "Use the Cluster Autoscaler", - "waf": "Performance" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", - "severity": "Low", - "text": "Customize node configuration for AKS node pools", - "waf": "Performance" + "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "severity": "Medium", - "text": "Use the Horizontal Pod Autoscaler when required", - "waf": "Performance" + "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "High", - "text": "Consider an appropriate node size, not too large or too small", + "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", + "training": 
"https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "Low", - "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", - "waf": "Performance" - }, + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", + "severity": "Medium", + "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "Reliability" + }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "Low", - "text": "Consider subscribing to EventGrid Events for AKS automation", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", + "severity": "Medium", + "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "Low", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "checklist": "SAP Checklist", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", + "severity": "Medium", + "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", "severity": "Low", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "text": "Use inter-VM latency monitoring for latency-sensitive applications.", "waf": 
"Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "High", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "severity": "Medium", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", - "severity": "High", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "Medium", + "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. 
Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", "severity": "Low", - "text": "For hyper performance storage option use Ultra Disks on AKS", + "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "severity": "Medium", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", + "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - 
"service": "AKS", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "Medium", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", - "severity": "Medium", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "High", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operations" }, { - 
"arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7bc1c396-2461-4698-b57f-30ca69525252", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", - "service": "VNet", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "severity": "Medium", - "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Reliability" + "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Medium", - "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", - "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system 
interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "Low", - "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.", - "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", + "severity": "Medium", + "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", - "severity": "High", - "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", - "waf": "Operations" + "checklist": "SAP Checklist", + "description": "When configuring VNet peering, use the Allow traffic to remote virtual networks setting.", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", + "severity": "Medium", + "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": 
"41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "High", - "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.", - "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", - "waf": "Cost" + "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", + "training": "https://me.sap.com/notes/2731110", + "waf": "Performance" }, { - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "severity": "High", - "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", + "severity": "Medium", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "severity": "Medium", - "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "severity": "Medium", - "text": "Only use groups to assign permissions. Add on-premises groups to the Entra ID only group if a group management system is already in place.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "High", - "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "Public IP assignment to VM running SAP Workload is not recommended.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "checklist": "SAP Checklist", + "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", + "guid": 
"9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "severity": "High", - "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.", - "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", - "waf": "Security" + "text": "Consider reserving IP address on DR side when configuring ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "High", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operations" + }, + { + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "Medium", - "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", + "checklist": "SAP Checklist", + "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "Medium", - "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": 
"91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": "Medium", - "text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. ", - "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", - "waf": "Reliability" + "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Medium", - "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. 
Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", - "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", - "severity": "High", - "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout. MFA will be turned on by default for all users in Oct 2024. We recommend updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. ", - "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", + "severity": "Medium", + "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. 
Lock down Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Medium", - "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "Medium", - "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.", - "training": 
"https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Security" + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "severity": "Medium", - "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "severity": "High", - "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. 
If necessary, also deploy DNS services.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Cost" + "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", - "severity": "High", - "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", + "severity": "Medium", + "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "Medium", - "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "Low", - "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualHubs", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "severity": "Low", - "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Medium", - "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", - "severity": "Medium", - "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "Medium", - "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "Medium", - "text": "Limit the number of routes per route table to 400.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Reliability" - }, - { - "arm-service": 
"Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", - "severity": "High", - "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Reliability" - }, - { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == 
$right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", - "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "High", - "text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.", - "waf": "Reliability" + "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "48682fb1-1e86-4458-a686-518ebd47393d", - "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "severity": "High", - "text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", - "severity": "Medium", - "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. 
The diagram shows this encryption in flow.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Security" + "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "Medium", - "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "severity": "High", - "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" + "text": "Review SAP HANA database backups for Azure VMs.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Medium", - "text": 
"Use IP addresses from the address allocation ranges for private internets (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "High", - "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "severity": "High", - "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Reliability" + "text": "Review Site Recovery built-in monitoring, where used for SAP.", + "waf": "Cost" }, { - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or 
array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", - "service": "Public IP Addresses", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "severity": "High", - "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. 
", - "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", - "waf": "Reliability" + "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "Medium", - "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "Review Oracle Database in Azure Linux VM backup strategies.", "waf": "Operations" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "severity": "Medium", - "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": 
"Security" + "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "Low", - "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", - "training": "https://learn.microsoft.com/training/courses/az-700t00", + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", + "severity": "Medium", + "text": "Review the use of Automated Backup v2 for Azure VMs.", "waf": "Operations" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "severity": "High", - "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "Enabling Write accelerator for M series when using premium disks(V1)", "waf": "Operations" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", - "link": 
"https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", - "service": "DNS", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "severity": "Medium", - "text": "Implement a plan for managing DNS resolution between multiple Azure regions and when services fail over to another region", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Reliability" + "text": "Test availability zone latency.", + "waf": "Performance" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "severity": "Medium", - "text": "Use Azure Bastion to securely connect to your network.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Security" + "text": "Activate SAP EarlyWatch Alert for all SAP components.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Performance" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 
'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": "Medium", - "text": "Use Azure Bastion in a subnet /26 or larger.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Security" + "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "text": "Review SQL Server performance monitoring using CCMS.", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "Low", - "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, 
use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "checklist": "SAP Checklist",
+ "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
+ "link": "https://me.sap.com/notes/500235",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).",
+ "training": "https://me.sap.com/notes/1100926/E",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43",
+ "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Review SAP HANA studio alerts.",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694",
+ "link": "https://me.sap.com/notes/1969700",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.",
+ "training": "https://learn.microsoft.com/azure/automation/update-management/overview",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
- 
"severity": "High",
- "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "checklist": "SAP Checklist",
+ "guid": "08951710-79a2-492a-adbc-06d7a401545b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.",
+ "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
- "severity": "High",
- "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "checklist": "SAP Checklist",
+ "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. 
Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
- "service": "VNet",
+ "checklist": "SAP Checklist",
+ "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "service": "SAP",
 "severity": "High",
- "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/",
- "waf": "Reliability"
+ "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. 
It's a potential risk in security audits.",
+ "training": "https://me.sap.com/notes/3019299/E",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
+ "checklist": "SAP Checklist",
+ "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
 "severity": "High",
- "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
- "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
- "service": "Policy",
+ "checklist": "SAP Checklist",
+ "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.",
+ "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations",
+ "waf": "Security"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName",
+ "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
+ "service": "SAP",
 "severity": "High",
- "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "Use Azure Key Vault to store your secrets and credentials",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "829e2edb-2173-4676-aff6-691b4935ada4",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use ExpressRoute as the primary connection to Azure. 
Use VPNs as a source of backup connectivity.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Performance"
+ "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).",
+ "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.",
- "guid": "f29812b2-363c-4efe-879b-599de0d5973c",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "SAP",
 "severity": "Medium",
- "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where 
properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
- "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed",
+ "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
- "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
- "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
- "service": "ExpressRoute",
 "severity": "High",
- 
"text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
- "waf": "Cost"
+ "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
- "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
+ "service": "SAP",
 "severity": "High",
- "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
- "waf": "Cost"
+ "text": "Delegate an SAP admin custom 
role with just-in-time access of Microsoft Defender for Cloud.",
+ "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
- "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS",
+ "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
- "service": "ExpressRoute",
+ "checklist": "SAP 
Checklist",
+ "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
+ "service": "SAP",
 "severity": "Medium",
- "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Performance"
+ "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a",
- "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName",
+ "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
+ "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Use an Azure Key Vault per application per environment per region.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Security" 
 },
 {
- "arm-service": "microsoft.network/virtualNetworkGateways",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant",
- "guid": "4d873974-8b66-42d6-b15f-512a65498f6d",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway",
- "service": "VPN",
- "severity": "Medium",
- "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
+ "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
+ "service": "SAP",
+ "severity": "High",
+ "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. 
SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
+ "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/virtualNetworkGateways",
- "checklist": "Azure Landing Zone Review",
- "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable",
- "service": "VPN",
- "severity": "Medium",
- "text": "Use redundant VPN appliances on-premises (active/active or active/passive).",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
+ "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
+ "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
+ "service": "SAP",
 "severity": "High",
- "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Cost"
+ "text": "Isolate DMZs and NVAs from the 
rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
+ "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4",
- "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "checklist": "SAP Checklist",
+ "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
+ "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.",
+ "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "b30e38c3-f298-412b-8363-cefe179b599d",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operations"
 },
 {
+ 
"checklist": "SAP Checklist",
+ "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
+ "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
- "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operations"
+ "checklist": "SAP Checklist",
+ "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
- "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
+ "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
+ "waf": "Security"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use ExpressRoute circuits from different peering locations for redundancy.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Leverage zone-redundancy to ensure high availability in the event of zone-level failures. Use Premium V2/V3 or Isolated v2 tiers, which provide support for zone-redundant deployments and ensure minimal downtime during disasters.",
+ "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
+ "service": "App Services",
+ "severity": "Low",
+ "text": "Implement a baseline highly available zone-redundant web application architecture. 
Ensure your Azure App Service is on Premium V2/V3 or Isolated v2 tiers for zone-redundant support.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Leverage staging slots for zero-downtime deployments and automated backups to ensure disaster recovery. Choose the appropriate tier (Standard or Premium) based on the number of slots and disaster recovery requirements.",
+ "graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant",
+ "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "text": "Use Premium and Standard tiers for staging slots and automated backups. 
Align your backup retention period with disaster recovery needs.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
- "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Availability Zones provide physical isolation across datacenters in a region, reducing downtime during outages. Verify your region supports Availability Zones and use Premium V2/V3 tiers for zone-redundant deployments.",
+ "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
+ "link": "https://learn.microsoft.com/azure/reliability/migrate-app-service",
+ "service": "App Services",
 "severity": "High",
- "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.",
+ "text": "Leverage Availability Zones where regionally applicable (Premium V2/V3 tier required). 
Check region support for Availability Zones.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "d581a947-69a2-4783-942e-9df3664324c8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Enable health checks to detect unhealthy instances in real-time and automatically replace them to maintain high availability and application reliability.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant",
+ "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
+ "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Implement health checks to monitor and detect issues with App Service instances. Health checks enable automatic instance replacement on failure.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Follow best practices for configuring backups and restores in Azure App Service and ASE to guarantee data availability and ensure recovery during disaster scenarios.",
+ "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
+ "link": "https://learn.microsoft.com/azure/app-service/manage-backup",
+ "service": "App Services",
 "severity": "High",
- "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "text": "Refer to backup and restore best practices for Azure App Service and App Service Environments (ASE) to ensure data availability and recovery.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", - "severity": "Medium", - "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Ensure high availability by incorporating scaling, fault tolerance, monitoring, and zone redundancy into your App Service architecture. 
Leverage health checks and availability zones to maintain uptime.", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", + "severity": "High", + "text": "Implement Azure App Service reliability best practices, including auto-scaling, fault tolerance, health checks, and zone redundancy.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", - "severity": "Medium", - "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Prepare for disaster recovery by implementing region failover strategies. 
Utilize active-active and active-passive configurations, automated failover, and Infrastructure as Code (IaC) for seamless failover during outages.", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "Low", + "text": "Familiarize with App Service region failover, including active-active and active-passive configurations, automated failover, and IaC deployment.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure App Service offers built-in reliability features, including scaling, fault tolerance, and service-level agreements (SLAs). 
Leverage these features to maintain consistent performance during outages.", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/azure/reliability/reliability-app-service", + "service": "App Services", "severity": "High", - "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "Familiarize with reliability support in Azure App Service, including scaling options, SLAs, and automated recovery mechanisms.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Enabling 'Always On' for Function Apps ensures that the app does not go idle, maintaining its availability and responsiveness at all times.", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "severity": "Medium", - "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "text": "Ensure 'Always On' is enabled for Function Apps running on App Service plans to prevent idling and ensure continuous availability.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": 
"https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", - "severity": "Medium", - "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" - }, + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Health checks monitor the health of App Service instances, enabling automatic replacement of unhealthy instances to maintain high availability.", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "Medium", + "text": "Monitor App Service instances using Health checks to detect unhealthy instances and automatically replace them.", + "waf": "Reliability" + }, { - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-overview", + "service": "App Services", + "severity": "Medium", + "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests, ensuring proactive detection of performance issues and downtime.", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", "severity": "Low", - "text": "Do not send Azure traffic to hybrid locations for inspection. 
Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.", - "waf": "Performance" + "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Key Vault ensures secrets are encrypted, securely stored, and accessed only by authorized applications. It supports audit logging, and secret versioning, and reduces the risk of accidental exposure of sensitive information.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "High", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a secure, managed, and audited environment for storing secrets, and integrates seamlessly with App Service via App Service Key Vault References for enhanced security.", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", - "severity": "Medium", - "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Managed Identity eliminates the need for hard-coded credentials by allowing App Service to authenticate to Azure Key Vault securely. 
This reduces the risk of credential exposure and simplifies secret management for enhanced security.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "High", + "text": "Use Managed Identity to securely connect to Azure Key Vault for accessing secrets, through App Service Key Vault References.", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "severity": "Low", - "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Storing TLS certificates in Azure Key Vault enhances security by providing centralized, secure management and automated renewal of certificates. 
This reduces the risk of manual handling errors and certificate expiration.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", + "severity": "High", + "text": "Use Azure Key Vault to securely store and manage TLS certificates for App Service.", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "severity": "High", - "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "To minimize exposure and improve security, isolate systems processing sensitive data. 
Leverage separate App Service Plans or App Service Environments for isolation, and use different subscriptions or management groups to enforce stricter boundaries and governance.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "Medium", + "text": "Isolate systems that process sensitive information using separate App Service Plans, App Service Environments (ASE), and consider different subscriptions or management groups for enhanced security.", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "High", - "text": "Use Azure Firewall Premium to enable additional security features.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", + "severity": "Medium", + "text": "Do not store sensitive data on local disk", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", - "severity": "High", - "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use Microsoft Entra ID or B2C for secure user authentication and Single Sign-On (SSO) across applications. 
Integrate using the built-in App Service Authentication/Authorization feature for streamlined security and compliance with modern authentication protocols like OpenID Connect.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", + "severity": "Medium", + "text": "Use Microsoft Entra ID or B2C for secure authentication and Single Sign-On (SSO).", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Ensure all code deployments to App Service originate from a controlled, secured environment, such as a well-managed DevOps pipeline. 
This practice mitigates the risk of deploying unauthorized or malicious code by enforcing version control, code verification, and secure hosting.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "severity": "High", - "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "text": "Deploy code to App Service from a trusted and secure environment.", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM to enhance security by enforcing Microsoft Entra ID secured endpoints for deployment. This ensures that only authenticated users using Microsoft Entra ID credentials can access deployment services, including the SCM site.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "severity": "High", - "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.", + "text": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM.", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", - "severity": "Medium", - "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Wherever possible, use Managed Identity to securely connect to Microsoft Entra ID-secured resources without storing credentials. 
If this is not feasible, store secrets in Azure Key Vault and access them using Managed Identity to maintain security and reduce the risk of credential exposure.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "severity": "High", - "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operations" + "text": "Use Managed Identity to connect to Microsoft Entra ID secured resources.", + "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "When using images stored in Azure Container Registry, pull these images using a Managed Identity to avoid storing credentials. 
This ensures secure access to container images and reduces the risk of credential exposure.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", "severity": "High", - "text": "Use a /26 prefix for your Azure Firewall subnets.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "text": "Pull container images from Azure Container Registry using a Managed Identity.", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure diagnostic settings to send telemetry and security logs (including HTTP, platform, and audit logs) to Log Analytics. 
Centralized logging enhances monitoring, threat detection, and compliance reporting.", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "severity": "Medium", - "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", - "waf": "Performance" + "text": "Send App Service runtime and security logs to Log Analytics for centralized monitoring and alerting.", + "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "severity": "Medium", - "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.", - "waf": "Performance" + "text": "Send App Service activity logs to Log Analytics", + "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use regional VNet integration, Network Security Groups (NSGs), and User-Defined Routes (UDRs) to control outbound network access. Route traffic through a Network Virtual Appliance (NVA), such as Azure Firewall, and monitor firewall logs to ensure traffic is properly controlled and secure.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "severity": "Medium", - "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "Performance" + "text": "Control outbound network access for App Service using VNet integration, NSGs, UDRs, and firewalls.", + "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", - "severity": "Medium", - "text": "Prevent SNAT Port exhaustion 
by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "High", - "text": "If you are using Azure Firewall Premium, enable TLS Inspection.", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Provide a stable outbound IP by using VNet integration with a NAT Gateway or Network Virtual Appliance (NVA) like Azure Firewall. This enables the receiving party to allow-list based on IP, if necessary. 
For communications with Azure services, use mechanisms like Service Endpoints or private endpoints to avoid relying on static IPs, ensuring secure and efficient connectivity.", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", "severity": "Low", - "text": "Use web categories to allow or deny outbound access to specific topics.", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", - "severity": "Medium", - "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", - "severity": "Medium", - "text": "Enable Azure Firewall DNS proxy configuration.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "text": "Ensure a stable IP for outbound communications by using VNet NAT Gateway or Azure Firewall.", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": 
"https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "High", - "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "Low", - "text": "Implement backups for your firewall rules", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", - "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", - "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Control inbound network access by configuring App Service Access Restrictions, Service Endpoints, or Private Endpoints. Ensure appropriate restrictions are set for both the web app and the SCM (deployment) site to limit unauthorized access and enhance security.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "High", - "text": "Deploy Azure Firewall across multiple availability zones. 
Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "Reliability" + "text": "Control inbound network access using Access Restrictions, Service Endpoints, or Private Endpoints.", + "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", - "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", - "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Protect App Service from malicious inbound traffic by deploying a Web Application Firewall (WAF) using Azure Application Gateway or Azure Front Door. 
Ensure WAF logs are monitored regularly to detect and respond to security threats.",
+ "guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
+ "service": "App Services",
 "severity": "High",
- "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. ",
- "waf": "Reliability"
+ "text": "Use a Web Application Firewall (WAF) in front of App Service.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Landing Zone Review",
- "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
- "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
- "service": "App Gateway",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "To prevent the Web Application Firewall (WAF) from being bypassed, lock down access to App Service by using Access Restrictions, Service Endpoints, and Private Endpoints. 
This ensures that all traffic is routed through the WAF, providing a secure front layer of protection.",
+ "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Services",
 "severity": "High",
- "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "text": "Ensure the WAF cannot be bypassed by securing access to App Service.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
- "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Ensure that the minimum TLS policy is set to 1.2 or higher, with a preference for TLS 1.3, to enhance security through stronger encryption protocols. TLS 1.3 provides additional security improvements and faster handshake times, reducing vulnerabilities associated with older versions.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
+ "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. 
This method avoids transiting over the public internet.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "Set minimum TLS policy to 1.2 or higher, preferably 1.3, in App Service configuration.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
- "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview",
- "service": "VNet",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Configure App Service to enforce HTTPS-only, automatically redirecting all HTTP traffic to HTTPS. 
Additionally, implement HTTP Strict Transport Security (HSTS) in your code or via a Web Application Firewall (WAF) to ensure browsers only access the site over HTTPS, enhancing security by preventing downgrade attacks.",
+ "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
+ "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
+ "service": "App Services",
 "severity": "High",
- "text": "Don't enable virtual network service endpoints by default on all subnets.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "text": "Use HTTPS only and consider enabling HTTP Strict Transport Security (HSTS).",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe",
- "link": "azure/private-link/inspect-traffic-with-azure-firewall",
- "service": "Firewall",
- "severity": "Medium",
- "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Do not use wildcards (*) in your CORS configuration, as this permits unrestricted access from any origin, compromising security. 
Instead, explicitly specify trusted origins that are allowed to access the service, ensuring controlled access.",
+ "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Avoid using wildcards for CORS; specify allowed origins explicitly.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
- "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Remote debugging should not be enabled in production as it opens additional ports, increasing the attack surface. 
Although App Service automatically turns off remote debugging after 48 hours, it is recommended to disable it manually in production to maintain a secure environment.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
+ "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
+ "service": "App Services",
 "severity": "High",
- "text": "Use at least a /27 prefix for your Gateway subnets.",
+ "text": "Turn off remote debugging in production environments.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)",
- "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
- "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags",
- "service": "NSG",
- "severity": "High",
- "text": "Don't rely on the NSG inbound 
default rules using the VirtualNetwork service tag to limit connectivity.",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.",
+ "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Enable Defender for Cloud - Defender for App Service",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant",
- "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
- "service": "NSG",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
+ "guid": "223ece80-b123-4071-a541-6415833ea3ad",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "text": "Enable DDOS Protection Standard on the WAF VNet",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "Azure Landing Zone Review",
- "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "service": "NSG",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "When using images stored in Azure Container Registry, ensure they are pulled over a virtual network by using a private endpoint and configuring the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'. 
This ensures secure communication between App Service and the registry, preventing exposure to the public internet.",
+ "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "text": "Pull container images over a Virtual Network from Azure Container Registry.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant",
- "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
- "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview",
- "service": "NSG",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Perform a penetration test on the web application in accordance with Azure's penetration testing rules of engagement. 
This helps identify vulnerabilities and security weaknesses that can be addressed before they are exploited.",
+ "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "text": "Conduct a penetration test on the web application.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
- "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "NSG",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Ensure that only trusted code, which has been validated and scanned for vulnerabilities, is deployed to production following DevSecOps practices. 
This minimizes the risk of introducing security vulnerabilities into the application environment.",
+ "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.",
- "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "waf": "Reliability"
+ "text": "Deploy validated and vulnerability-scanned code.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
- "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any",
- "service": "VWAN",
- "severity": "Medium",
- "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.",
- "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
- "waf": "Operations"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Ensure that the latest versions of supported platforms, programming languages, protocols, and frameworks are used. 
Regular updates mitigate the risk of security vulnerabilities and ensure compatibility with security patches.",
+ "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst",
- "service": "VWAN",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Leverage Auto-Healing in Azure App Service to automatically restart instances or trigger custom actions based on pre-defined failure conditions like memory thresholds, HTTP errors, or specific event logs.",
+ "guid": "60b3a935-33e5-45c9-87c7-53882e395b46",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-diagnostics",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Performance"
+ "text": "Use Auto-Healing with custom rules to restart App Service instances automatically when failures occur.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
- "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
- "link": 
"https://learn.microsoft.com/azure/virtual-wan/howto-firewall",
- "service": "VWAN",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Configure Azure Monitor alerts based on Application Insights metrics for response times, failure rates, and overall availability. Alerts help detect issues proactively and reduce mean-time-to-recovery (MTTR).",
+ "guid": "e52e4514-02a7-4e81-a98e-88ce1b18e557",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/app/alerts",
+ "service": "App Services",
 "severity": "Medium",
- "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Security"
+ "text": "Set up alerts for critical Application Insights metrics, such as response time and failure rates.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology",
- "service": "VWAN",
- "severity": "Medium",
- "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Reliability"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use Azure Policy to enforce security, compliance, and governance configurations for App Service. 
Policies can ensure that critical settings such as TLS versions, backup configurations, and network restrictions are enforced across all App Service instances.",
+ "guid": "361e886f-ca40-4ead-a8e9-1379c642ae9c",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Apply Azure Policy to enforce compliance across App Service configurations.",
+ "waf": "Governance"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
- "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
- "service": "VWAN",
- "severity": "Medium",
- "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Operations"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Leverage Azure Cost Management to track and forecast App Service expenses. 
Set up alerts for budget thresholds to avoid overspending, and optimize costs based on resource utilization trends.",
+ "guid": "42eb48f0-28ff-497c-b2c0-a8fa1f989832",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/",
+ "service": "App Services",
+ "severity": "Low",
+ "text": "Monitor App Service costs using Azure Cost Management and create cost alerts.",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant",
- "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
- "service": "VWAN",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "If you have predictable and steady usage of App Service, purchasing Reserved Instances can significantly reduce long-term costs. 
Commit to one or three years for lower pricing compared to pay-as-you-go.",
+ "guid": "e489221b-487e-48a3-aaab-48e3d205ca12",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Reliability"
+ "text": "Purchase reserved instances for App Service plans to optimize long-term costs.",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant",
- "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
- "service": "VWAN",
- "severity": "Medium",
- "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
+ "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
+ "service": "Logic Apps",
+ "severity": "High",
+ "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
- "service": "VWAN",
- "severity": "Medium",
- "text": "Configure label-based propagation in Virtual WAN, otherwise 
connectivity between virtual hubs will be impaired.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
+ "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "Logic Apps",
+ "severity": "High",
+ "text": "Protect logic apps from region failures with zone redundancy and availability zones",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant",
- "guid": "9c75dfef-573c-461c-a698-68598595581a",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
- "service": "VWAN",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
+ "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Logic Apps",
 "severity": "High",
- "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
- "link": 
"https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
+ "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
+ "service": "Logic Apps",
 "severity": "High",
- "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Security"
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
+ "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
+ "service": "Logic Apps",
 "severity": "Medium",
- "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.",
- "training": "https://learn.microsoft.com/training/modules/governance-security/",
- "waf": "Security"
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
+ "link": 
"https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
+ "service": "IoT",
+ "severity": "High",
+ "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
 "severity": "Medium",
- "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Security"
+ "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr",
+ "service": "IoT",
 "severity": "High",
- "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Security"
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "43334f24-9116-4341-a2ba-527526944008",
- "link": 
"https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
- "service": "Policy",
- "severity": "Low",
- "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Security"
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
+ "severity": "High",
+ "text": "Learn how to trigger a manual failover.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
+ "service": "IoT",
 "severity": "High",
- "text": "Use built-in policies where possible to minimize operational overhead.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Security"
+ "text": "Learn how to fail back after a failover.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. 
For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", - "severity": "Medium", - "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "High", + "text": "Enable 2 replicas to have 99.9% availability for read operations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "Medium", - "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "waf": "Reliability" }, { - 
"arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "High", + "text": "Leverage Availability Zones by enabling read and/or write replicas", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "Medium", - "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Security" + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": 
"https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "severity": "Medium", - "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.", - "waf": "Security" + "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "severity": "Medium", - "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.", - "waf": "Security" + "text": "Use Azure Traffic Manager to coordinate requests", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", + "severity": "High", + "text": "Backup and Restore an Azure Cognitive Search 
Index. Use this sample code to back up index definition and snapshot to a series of Json files", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "Medium", - "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.", - "waf": "Security" + "text": "Follow reliability support recommendations in Azure Bot Service", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", - "service": "Monitor", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "Medium", - "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Operations" + "text": "Deploying bots with local data residency and regional compliance", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure 
Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "severity": "Medium", - "text": "Decide whether to use a single Azure Monitor Logs workspace for all regions or to create multiple workspaces to cover various geographical regions. Each approach has advantages and disadvantages, including potential cross-region networking charges", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", "waf": "Reliability" }, { "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", - "severity": "High", - "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. 
Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "severity": "Medium", + "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", "severity": "Medium", - "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "text": "check backup instances with the underlying datasource not found", + "waf": "Cost" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", "service": "VM", "severity": "Medium", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operations" + "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", + "waf": "Cost" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", "severity": "Medium", - 
"text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operations" + "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", + "waf": "Cost" }, { - "arm-service": "microsoft.network/networkWatchers", - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", "severity": "Medium", - "text": "Use Network Watcher to proactively monitor traffic flows.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Operations" + "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Cost" }, { "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", "severity": "Medium", - "text": "Use Azure Monitor Logs for insights and reporting.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", - "waf": "Operations" + "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Cost" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", "severity": "Medium", - "text": "Use Azure Monitor alerts for the generation of operational alerts.", - "training": 
"https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", - "waf": "Operations" + "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Cost" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", "severity": "Medium", - "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", - "waf": "Operations" + "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Cost" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", - "severity": "Low", - "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.", - 
"training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "Reliability" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "severity": "Medium", + "text": "Make sure advisor is configured for VM right sizing ", + "waf": "Cost" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "checklist": "Cost Optimization Checklist", + "description": "check by searching the Meter Category Licenses in the Cost analysys", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", "service": "VM", "severity": "Medium", - "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", - "waf": "Security" + "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", + "waf": "Cost" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "service": "VM", "severity": "Medium", - "text": "Monitor VM security configuration drift via Azure Policy.", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Security" + "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Cost" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", "service": "VM", "severity": "Medium", - "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. 
This enables you to replicate workloads across regions.", - "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", - "waf": "Operations" + "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Cost" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", "severity": "Medium", - "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "Operations" + "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", + "waf": "Cost" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", - "severity": "High", - "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. 
Regularly review the logs to check for attacks and for false positive detections.", - "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", - "waf": "Operations" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "severity": "Medium", + "text": "Only larger disks can be reserved => 1 TiB -", + "waf": "Cost" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", "severity": "Medium", - "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. 
Detect attacks and integrate WAF telemetry into your overall Azure environment.", - "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", - "waf": "Operations" + "text": "After the right-sizing optimization", + "waf": "Cost" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", - "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "Security" + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "severity": "Medium", + "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "Cost" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": 
"a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", "severity": "Medium", - "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "Security" + "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", + "waf": "Cost" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "Security" + "text": "Consider using a VMSS to match demand rather than flat sizing", + "waf": "Cost" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", "severity": "Medium", - "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "Security" + "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", + "waf": "Cost" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", "severity": "Medium", - "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", - "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", - "waf": "Security" + "text": "Move recovery points to vault-archive where applicable (Validate)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": 
"Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", "severity": "Medium", - "text": "Establish an automated process for key and certificate rotation.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "Security" + "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.", + "waf": "Cost" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", "severity": "Medium", - "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", - "waf": "Security" + "text": "Functions - Reuse connections", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Cost" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": 
"27139b82-1102-4dbd-9eaf-11e6f843e52f",
+ "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "service": "Azure Functions",
 "severity": "Medium",
- "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.",
- "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/",
- "waf": "Security"
+ "text": "Functions - Cache data locally",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Azure Functions",
 "severity": "Medium",
- "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/",
- "waf": "Security"
+ "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "91163418-2ba5-4275-8694-4008be7d7e48",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "Azure Functions",
 "severity": "Medium",
- "text": "Use an Azure Key Vault per application per environment per region.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/",
- "waf": "Security"
+ "text": "Functions - Keep your functions warm",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "25d62688-6d70-4ba6-a97b-e99519048384",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Azure Functions",
 "severity": "Medium",
- "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. 
Choose appropriate region pairs and disaster recovery regions that minimize latency.",
- "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/",
- "waf": "Security"
+ "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb",
- "link": "https://learn.microsoft.com/industry/sovereignty/key-management",
- "service": "Key Vault",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
+ "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+ "service": "Azure Functions",
 "severity": "Medium",
- "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.",
- "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/",
- "waf": "Security"
+ "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.",
+ "waf": "Cost"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15",
- "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports",
- "service": "Entra",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
+ "service": "Azure Functions",
 "severity": "Medium",
- "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.",
- "training": 
"https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/",
- "waf": "Security"
- },
- {
- "checklist": "Azure Landing Zone Review",
- "guid": "09945bda-4333-44f2-9911-634182ba5275",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management",
- "service": "Defender",
- "severity": "High",
- "text": "Enable Defender Cloud Security Posture Management for all subscriptions.",
- "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/",
- "waf": "Security"
+ "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) 
https://github.com/Azure-Samples/functions-csharp-premium-scaler",
+ "waf": "Cost"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan",
- "service": "Defender",
- "severity": "High",
- "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.",
- "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/",
- "waf": "Security"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.",
+ "waf": "Cost"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription",
- "service": "Defender",
- "severity": "High",
- "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.",
- "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/",
- "waf": "Security"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Frontdoor - Route to something that returns nothing. 
Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b",
- "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection",
- "service": "VM",
- "severity": "High",
- "text": "Enable Endpoint Protection on IaaS Servers.",
- "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/",
- "waf": "Security"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
+ "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Consider archiving tiers for less used data",
+ "waf": "Cost"
 },
 {
 "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab",
- "link": "https://learn.microsoft.com/azure/security-center/",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
+ "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
 "service": "VM",
 "severity": "Medium",
- "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.",
- "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/",
- "waf": "Security"
+ "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Monitor",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.",
- "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/",
- "waf": "Security"
- },
- {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)",
- "guid": "a56888b2-7e83-4404-bd31-b886528502d1",
- "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs",
- "service": "Entra",
- "severity": "High",
- "text": "Centralized threat detection with correlated logs - consolidate security data in a central location where it can be correlated across various services via SIEM (security information and event management)",
- "waf": "Security"
+ 
"text": "Consider using standard SSD rather than Premium or Ultra where possible",
+ "waf": "Cost"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba",
- "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs",
- "service": "Entra",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
+ "service": "Storage",
 "severity": "Medium",
- "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.",
- "waf": "Security"
+ "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)",
+ "waf": "Cost"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview",
- "service": "Entra",
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
+ "service": "Site Recovery",
 "severity": "Medium",
- "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.",
- "waf": "Security"
+ "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it",
+ "waf": "Cost"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Landing Zone Review",
- "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
+ "checklist": "Cost Optimization Checklist",
+ "guid": 
"d3294798-b118-48b2-a5a4-6ceb544451e1",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
 "service": "Storage",
- "severity": "High",
- "text": "Enable secure transfer to storage accounts.",
- "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Storage accounts: check hot tier and/or GRS necessary",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Landing Zone Review",
- "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection",
- "service": "Storage",
- "severity": "High",
- "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.",
- "waf": "Security"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18",
+ "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
- "service": "Key Vault",
- "severity": "High",
- "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.",
- "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/",
- "waf": "Operations"
+ "arm-service": 
"Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5",
+ "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Follow Metaprompting guardrails for resonsible AI",
- "waf": "Operational Excellence"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "35e33789-7e31-4c67-b68c-f6a62a119495",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Export cost data to a storage account for additional data analysis.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
- "link": "https://github.com/Azure-Samples/AI-Gateway",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging",
- "waf": "Operational Excellence"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Control costs for a dedicated SQL pool 
by pausing the resource when it is not in use.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Enable monitoring for your AOAI instances",
- "waf": "Operational Excellence"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4",
+ "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "graph": "resources | where type == 'microsoft.insights/metricalerts' | extend compliant = (properties.targetResourceType =~ 'Microsoft.CognitiveServices/accounts') | project id, compliant",
- "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour",
- "waf": "Operational Excellence"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
+ "service": "Synapse",
+ "severity": "Medium",
+ 
"text": "Create multiple Apache Spark pool definitions of various sizes.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Monitor token usage to prevent service disruptions due to capacity",
- "waf": "Operational Excellence"
+ "arm-service": "Microsoft.Synapse/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator",
+ "service": "Synapse",
+ "severity": "Medium",
+ "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
- "service": "Azure OpenAI",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "service": "VM",
 "severity": "Medium",
- "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit",
- "waf": "Operational Excellence"
+ "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.",
+ "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
- "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
- "service": "Azure OpenAI",
- "severity": "Low",
- "text": "Enable and configure Diagnostics for the Azure OpenAI Service. If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted",
- "waf": "Operational Excellence"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "544451e1-92d3-4442-a3c7-628637a551c5",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Right-sizing all VMs",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
- "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources",
- "waf": "Operational Excellence"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Swap VM sized with normalized and most recent sizes",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
 },
 {
- "arm-service": 
"Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "4350d092-d234-4292-a752-8537a551c5bf",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key",
- "waf": "Security"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
- "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.",
- "waf": "Operational Excellence"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Containerizing an application can improve VM density and save money on scaling it",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "68889535-e327-4897-b31b-67d67be5962a",
- "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
 "severity": "High",
- "text": "Evaluate usage of Provisioned throughput model ",
- "waf": "Performance"
+ "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
- "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Review and implement Azure AI content safety",
- "waf": "Operational Excellence"
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
+ "service": "Redis",
+ "severity": "Medium",
+ "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements",
- "waf": "Performance"
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
+ "service": "Redis",
+ "severity": "Medium",
+ "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
+ "service": "Redis",
 "severity": "Medium",
- "text": "Improve latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. 
Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner",
- "waf": "Performance"
+ "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant",
+ "guid": "f00a69de-7076-4734-a734-6e4552cad9e1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. 
For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
- "waf": "Performance"
+ "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "5bda4332-4f24-4811-9331-82ba51752694",
- "link": "https://github.com/Azure/azure-openai-benchmark/",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
- "waf": "Performance"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | 
where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant",
+ "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
+ "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
- "waf": "Performance"
+ "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
+ "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "Front Door",
 "severity": "High",
- "text": "Choose the right model for the right task. 
Pick models with right tradeoff between speed, quality of response and output complexity",
- "waf": "Performance"
+ "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
- "link": "https://github.com/Azure/azure-openai-benchmark/",
- "service": "Azure OpenAI",
- "severity": "Medium",
- "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
- "waf": "Performance"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId",
+ "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Avoid placing Traffic Manager behind Front Door.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
- "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
- "service": "Azure OpenAI",
- "severity": "Low",
- "text": "Deploy multiple OAI instances across regions",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | 
extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant",
+ "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
- "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Implement retry & healthchecks with Gateway pattern like APIM",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
+ "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
+ "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Low", + "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", "severity": "Medium", - "text": "Ensure having adequate quotas of TPM & RPM for the workload", + "text": "Select good health probe endpoints for Azure Front Door. 
Consider building health endpoints that check all of your application's dependencies.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
- "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
- "service": "Azure OpenAI",
- "severity": "Medium",
- "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution",
- "waf": "Operational Excellence"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
+ "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
+ "service": "Front Door",
+ "severity": "Low",
+ "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
- "service": "Azure OpenAI",
- "severity": "Medium",
- "text": "Deploy separate fine tuned models across regions if finetuning is employed",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, 
indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
+ "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
- "link": "https://learn.microsoft.com/azure/backup/backup-overview",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.",
- "waf": "Reliability"
+ "text": "Define your Azure Front Door WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "graph": "resources | where type == 'microsoft.search/searchservices' | extend compliant = (sku.name != 'free' and properties.replicaCount >= 3) | project id, compliant",
- "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
- "link": "https://learn.microsoft.com/azure/search/search-reliability",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant",
+ "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
+ "service": "Front Door",
 "severity": "High",
- "text": "Azure AI search service tiers should be choosen to have a SLA ",
- "waf": "Reliability"
+ "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
- "link": "https://learn.microsoft.com/purview/purview",
- "service": "Azure OpenAI",
- "severity": "Low",
- "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant",
+ "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=~'Enabled') and (mode=~'Prevention')), enabledState, mode",
+ "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
+ "service": "Front Door",
 "severity": "High",
- "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
+ "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
- "link": "https://learn.microsoft.com/azure/search/search-security-overview",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
+ "service": "Front Door",
 "severity": "High",
- "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
+ "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
+ "service": "Front Door",
 "severity": "High",
- "text": "Use RBAC to manage access to Azure OpenAI services. 
Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
+ "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
- "service": "Azure OpenAI",
- "severity": "Medium",
- "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/ai-onboarding",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
+ "service": "Front Door",
 "severity": "High",
- "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. 
Leverage Azure Sentinel for advanced threat detection and response",
+ "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
- "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
+ "text": "Use the latest Azure Front Door WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
- "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Implement Prompt shields and groundedness detection using Content Safety ",
- "waf": "Operational Excellence"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
- "link": "https://learn.microsoft.com/azure/compliance/",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Use a high threshold for Azure Front Door WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
- "service": "Azure OpenAI",
- "severity": "Medium",
- "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
+ "service": "Front Door",
+ "severity": "Low",
+ "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
- "waf": "Security"
+ "text": "Capture logs and metrics by turning on Diagnostic Settings. Include resource activity logs, access logs, health probe logs, and WAF logs. Set up alerts.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "Front Door",
 "severity": "Medium",
- "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. 
Each instance can be controlled with its own specific set of RBAC policies",
- "waf": "Security"
+ "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material",
- "waf": "Security"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02",
+ "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. 
Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant",
+ "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door",
+ "service": "Front Door",
 "severity": "High",
- "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
- "waf": "Security"
+ "text": "Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. 
You can place those origins in one or more back-end pools.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.privateEndpointConnections != '[]' and properties.publicNetworkAccess !~ 'enabled')",
- "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
- "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Configure private endpoint for AI services to restrict service access within your network",
- "waf": "Security"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "999852be-2137-4179-8fc3-30d1df6fed1d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. 
You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
- "waf": "Security"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6",
+ "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Decide if your application requires session affinity. If you have high reliability requirements, we recommend that you disable session affinity.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
- "service": "Azure OpenAI",
- "severity": "High",
- "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7",
+ "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Send the host header to the back end. 
The back-end services should be aware of the host name so that they can create rules to accept traffic only from that host.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", + "service": "Front Door", "severity": "Medium", - "text": "Use prompt compression tools like LLMLingua or gprtrim", - "waf": "Cost Optimization" + "text": "Use caching for endpoints that support it.", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (isnotnull(identity))", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "High", - "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", - "waf": "Security" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, 
frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant", + "guid": "34069d73-e4de-46c5-a36f-625f87575a56", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Low", + "text": "Disable health checks in single back-end pools. If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary. This is only recommended if you can't have multiple origins in your endpoint.", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "c92d6786-cdd1-444d-9cad-934a192a276a", + "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports", + "service": "Front Door", "severity": "Medium", - "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", - "waf": "Security" + "text": "We recommend using the Premium Tier for leveraging the Security reports while the Standard Azure Front Door Profile provides only traffic reports under built-in 
analytics/reports.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain", + "service": "Front Door", "severity": "Medium", - "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents", - "waf": "Security" + "text": "Use wildcard TLS certificates when possible.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", + "service": "Front Door", "severity": "Medium", - "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", - "waf": "Security" + "text": "Optimize your application query string for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. 
Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (tags != '{}')", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", - "severity": "Low", - "text": "Azure AI Services are properly tagged for better management", - "waf": "Operational Excellence" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece", + "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression", + "service": "Front Door", + "severity": "Medium", + "text": "Use file compression when you're accessing downloadable content.", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", - "severity": "Low", - "text": "Azure AI Service accounts follows organizational naming conventions", - "waf": "Operational Excellence" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", + "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", + "link": "https://learn.microsoft.com/azure/cdn/tier-migration", + "service": "Front Door", 
+ "severity": "High", + "text": "Consider migrating to Standard or Premium SKU if you are using Classic Azure Front Door currently as Classic Azure Front Door will be deprecated by March 2027.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", - "severity": "High", - "text": "Diagnostic logs in Azure AI services resources should be enabled", - "waf": "Operational Excellence" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", + "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", + "service": "Front Door", + "severity": "Medium", + "text": "Consider using Traffic Manager load balancing Azure Front Door and a third party CDN provider CDN profile for mission critical high availability scenario. 
", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.disableLocalAuth == true)", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", + "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", + "service": "Front Door", "severity": "High", - "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", + "text": "When using Front Door with origin as App services, consider locking down the traffic to app services only through Azure Front Door using access restrictions. ", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "High", - "text": "Store and manage keys securely using Azure Key Vault. 
Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", + "severity": "Low", + "text": "If required for AKS Windows workloads HostProcess containers can be used", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "High", - "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "Low", + "text": "Use KEDA if running event-driven workloads", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", - "severity": "High", - "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", - "waf": "Cost Optimization" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "Low", + "text": "Use Dapr to ease microservice development", + "waf": "Operations" }, { - 
"arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "severity": "High", - "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", - "waf": "Security" + "text": "Use the SLA-backed AKS offering", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", - "severity": "High", - "text": "Setup a process to regularly update and patch the LLM libraries and other system components", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "Low", + "text": "Use Disruption Budgets in your pod and deployment definitions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", + 
"arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "High", - "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", - "waf": "Operational Excellence" + "text": "If using a private registry, configure region replication to store images in multiple regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Understand difference in cost of base models and fine tuned models and token step sizes", - "waf": "Cost Optimization" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "Low", + "text": "Use an external application such as kubecost to allocate costs to different users", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", - "severity": "High", - "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. 
Ensure you optimize batch size", - "waf": "Cost Optimization" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "Low", + "text": "Use scale down mode to delete/deallocate nodes", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "Medium", - "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", - "waf": "Cost Optimization" + "text": "When required use multi-instance partitioning GPU on AKS Clusters", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). 
Optimize the size to ensure it is large enough for a valid response", - "waf": "Cost Optimization" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "Low", + "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "severity": "Medium", - "text": "Plan and manage AI Search Vector storage", - "waf": "Operational Excellence" + "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project 
id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "Medium", - "text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning & experimentation. Apply LLMOps practices to automate the lifecycle management of your GenAI applications", - "waf": "Operational Excellence" + "text": "Separate applications from the control plane with user/system node pools", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", - "severity": "High", - "text": "Evaluate usage of billing models - PAYG vs PTU. 
Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version", - "waf": "Cost Optimization" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "Low", + "text": "Add taint to your system nodepool to make it dedicated", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "Medium", - "text": "Evaluate the quality of prompts and applications when switching between model versions", - "waf": "Operational Excellence" + "text": "Use a private registry for your images, such as ACR", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "Medium", - "text": "Evaluate, monitor and 
refine your GenAI apps for features like groundedness, relevance, accuracy, coherence and fluency", - "waf": "Operational Excellence" + "text": "Scan your images for vulnerabilities", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Evaluate your Azure AI Search results based on different search parameters", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", + "severity": "High", + "text": "Define app separation requirements (namespace/nodepool/cluster)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "severity": "Medium", - "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", - "waf": "Operational Excellence" + "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", + "severity": "High", + "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": "Medium", - "text": "Red team your GenAI applications", + "text": "If required add Key Management Service etcd encryption", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "Low", + "text": "If required consider using Confidential Compute for AKS", + 
"waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "severity": "Medium", - "text": "Provide end users with scoring options for LLM responses and track these scores. ", - "waf": "Operational Excellence" + "text": "Consider using Defender for Containers", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "High", - "text": "Consider Quota management practices. 
Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called", - "waf": "Cost Optimization" + "text": "Use managed identities instead of Service Principals", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "severity": "Medium", - "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions", - "waf": "Operational Excellence" + "text": "Integrate authentication with AAD (using the managed integration)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc411", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-studio#import-training-data-from-azure-blob-store", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "Medium", - "text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. 
Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed", - "waf": "Reliability" + "text": "Limit access to admin kubeconfig (get-credentials --admin)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "severity": "Medium", - "text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments", - "waf": "Reliability" + "text": "Integrate authorization with AAD RBAC", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Monitor provision-managed utilization if you're using the provisioned throughput payment model", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", + "severity": "High", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc414", - 
"link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/content-filters", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "severity": "Medium", - "text": "Tune content filters to minimize false positives from overly aggressive filters", - "waf": "Reliability" + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc415", - "link": "https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "severity": "Medium", - "text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI", + "text": "For AKS non-interactive logins use kubelogin (preview)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' and kind =~ 'contentsafety' | project id, compliant = 1", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = 
(properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "severity": "Medium", - "text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks", + "text": "Disable AKS local accounts", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Low", + "text": "Configure if required Just-in-time cluster access", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a9", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Develop your cost model, considering prompt sizes. 
Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model", - "waf": "Cost Optimization" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Low", + "text": "Configure if required AAD conditional access for AKS", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a1", - "link": "https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "Low", + "text": "If required for Windows AKS workloads configure gMSA ", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "severity": "Medium", - "text": "Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. 
Optimize costs while still achieving the desired application performance", - "waf": "Cost Optimization" + "text": "For finer control consider using a managed Kubelet Identity", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "severity": "Medium", - "text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. 
The cost for generating 100 images is the same as the cost for 1 image", - "waf": "Cost Optimization" + "text": "If using AGIC, do not share an AppGW across clusters", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a3", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", + "severity": "High", + "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "Medium", - "text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee", - "waf": "Cost Optimization" + "text": "For Windows workloads use Accelerated Networking", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS 
Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "severity": "High", + "text": "Use the standard ALB (as opposed to the basic one)", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", + "severity": "Medium", + "text": "If using Azure CNI, consider using different Subnets for NodePools", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", + "severity": "Medium", + "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "High", + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "Low", + "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "Low", + "text": "If required add your own CNI plugin", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "Low", + "text": "If required configure Public IP per node in AKS", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", + "severity": "Medium", + "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", + "waf": "Reliability" 
+ }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "Low", + "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", + "severity": "Medium", + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", + "severity": "High", + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", + "severity": "Medium", + "text": "If using a public API endpoint, 
restrict the IP addresses that can access it", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", + "severity": "High", + "text": "Use private clusters if your requirements mandate it", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", + "severity": "Medium", + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", + "severity": "High", + "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + 
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "High", + "text": "Use Kubernetes network policies to increase intra-cluster security", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "High", + "text": "Use a WAF for web workloads (UIs or APIs)", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", + "severity": "Medium", + "text": "Use DDoS Standard in the AKS Virtual Network", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where 
type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", + "severity": "Low", + "text": "If required add company HTTP Proxy", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", + "severity": "Medium", + "text": "Consider using a service mesh for advanced microservice communication management", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", + "severity": "High", + "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "Low", + "text": "Check regularly Azure Advisor for recommendations on your cluster", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": 
"https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "Low", + "text": "Enable AKS auto-certificate rotation", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", + "severity": "High", + "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", + "severity": "High", + "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", + "severity": "High", + "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "Low", + "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + 
"link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "Low", + "text": "Consider using AKS command invoke on private clusters", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "Low", + "text": "For planned events consider using Node Auto Drain", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", + "severity": "High", + "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "Low", + "text": "Use custom Node RG (aka 'Infra RG') name", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", + "severity": "Medium", + "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + 
"link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "Low", + "text": "Taint Windows nodes", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "Low", + "text": "Keep windows containers patch level in sync with host patch level", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "Low", + "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "Low", + "text": "If required use nodePool snapshots", + "waf": "Cost" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "Low", + "text": "Consider spot node pools for non time-sensitive workloads", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = 
(isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "Low", + "text": "Consider AKS virtual node for quick bursting", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "High", + "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "High", + "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", + "severity": "Medium", + "text": "Monitor CPU and memory utilization of the nodes", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": 
"https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Medium", - "text": "Create concise prompts that provide enough context for the model to generate a useful response. Also ensure that you optimize the limit of the response length.", - "waf": "Cost Optimization" + "text": "If using Azure CNI, monitor % of pod IPs consumed per node", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219", - "link": "https://learn.microsoft.com/azure/ai-services/create-account-bicep", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "severity": "Medium", - "text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models", - "waf": "Operational Excellence" + "text": "Monitor OS disk queue depth in nodes", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5855", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/openai", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "Medium", - "text": "Consider using dedicated model deployments per consumer 
group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups", - "waf": "Operational Excellence" + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "severity": "Medium", - "text": "Implement an error handling policy at the global level", + "text": "Subscribe to resource health notifications for your AKS cluster", "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", - "severity": "Medium", - "text": "Ensure all APIs policies include a element.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "High", + "text": "Configure requests and limits in your pod specs", "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "Medium", - "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", + "text": "Enforce resource quotas for namespaces", "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", - "severity": "Medium", - "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", + "severity": "High", + "text": "Ensure your subscription has enough quota to scale out your nodepools", "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "service": "AKS", "severity": "High", - "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "text": "Configure Liveness and Readiness probes for all deployments", "waf": "Operations" }, { 
- "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "Medium", - "text": "Enable Application Insights for more detailed telemetry", - "waf": "Operations" + "text": "Use the Cluster Autoscaler", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", + "severity": "Low", + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "Medium", + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" + }, + { + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "severity": "High", - "text": "Configure alerts on the most critical metrics", - "waf": "Operations" + "text": "Consider an appropriate node size, not too large or too small", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", + "severity": "Low", + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "Low", + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "Low", + "text": "For long running operation on an AKS cluster consider event termination", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "Low", + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "severity": "High", - "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": 
"https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "severity": "High", - "text": "Protect incoming requests to APIs (data plane) with Azure AD", - "waf": "Security" + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", - "severity": "Medium", - "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "Low", + "text": "For hyper performance storage option use Ultra Disks on AKS", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "Medium", - "text": "Create appropriate groups to control the visibility of the products", - "waf": "Security" + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", + "waf": "Performance" }, { - 
"arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "severity": "Medium", - "text": "Use Backends feature to eliminate redundant API backend configurations", - "waf": "Operations" + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "Medium", - "text": "Use Named Values to store common values that can be used in policies", - "waf": "Operations" + "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", - "severity": "Medium", - "text": "For 
DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", + "severity": "High", + "text": "Follow Metaprompting guardrails for resonsible AI", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", - "severity": "Medium", - "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", + "severity": "High", + "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": 
"https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", "severity": "High", - "text": "Ensure there is an automated backup routine", - "waf": "Reliability" + "text": "Enable monitoring for your AOAI instances", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", - "severity": "Medium", - "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.insights/metricalerts' | extend compliant = (properties.targetResourceType =~ 'Microsoft.CognitiveServices/accounts') | project id, compliant", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", + "severity": "High", + "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "Low", - "text": "If you need to log at high performance levels, consider Event Hubs policy", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI 
Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", + "severity": "High", + "text": "Monitor token usage to prevent service disruptions due to capacity", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Performance" + "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", - "severity": "Medium", - "text": "Configure autoscaling to scale out the number of instances when the load increases", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", + "severity": "Low", + "text": "Enable and configure 
Diagnostics for the Azure OpenAI Service. If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", - "severity": "Medium", - "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", + "severity": "High", + "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", - "severity": "Medium", - "text": "Use the premium tier for production workloads.", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", + "severity": "High", + "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": 
"1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", - "severity": "Medium", - "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", + "severity": "High", + "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "Azure OpenAI", "severity": "High", - "text": "Be aware of APIM's limits", - "waf": "Reliability" + "text": "Evaluate usage of Provisioned throughput model ", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + 
"arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "Azure OpenAI", "severity": "High", - "text": "Ensure that the self-hosted gateway deployments are resilient.", - "waf": "Reliability" + "text": "Review and implement Azure AI content safety", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", - "severity": "Medium", - "text": "Use Azure Front Door in front of APIM for multi-region deployment", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "Azure OpenAI", + "severity": "High", + "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Deploy the 
service within a Virtual Network (VNet)", - "waf": "Security" + "text": "Improve latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", - "waf": "Security" + "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", + "severity": "High", + "text": "Benchmark token consumption requirements based on estimated demands from consumers. 
Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", - "waf": "Security" + "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. 
Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "Azure OpenAI", "severity": "High", - "text": "Disable Public Network Access", - "waf": "Security" + "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Simplify management with PowerShell automation scripts", - "waf": "Operations" + "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", - "severity": "Medium", - "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", + "severity": "Low", + "text": "Deploy multiple OAI instances across regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", - "severity": "Medium", - "text": "Promote usage of Visual Studio Code APIM extension for faster API development", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", + "severity": "High", + "text": "Implement retry & healthchecks with Gateway pattern like APIM", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Implement DevOps and CI/CD in your workflow", - "waf": "Operations" + "text": "Ensure having adequate quotas of TPM & RPM for the workload", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Secure APIs using client certificate authentication", - "waf": "Security" + "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Secure backend services using client certificate authentication", - "waf": "Security" + "text": "Deploy separate fine tuned models across regions if finetuning is employed", + "waf": "Reliability" }, { - 
"arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "074435f5-4a46-41ac-b521-d6114cb5d845",
- "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats",
- "service": "APIM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs",
- "waf": "Security"
+ "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9",
- "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type == 'microsoft.search/searchservices' | extend compliant = (sku.name != 'free' and properties.replicaCount >= 3) | project id, compliant",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Azure AI search service tiers should be choosen to have a SLA ",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": 
"2deee033-b906-4bc2-9f26-c8d3699fe091",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers",
- "service": "APIM",
- "severity": "High",
- "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "f8af3d94-1d2b-4070-846f-849197524258",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
- "service": "APIM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated",
+ "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "791abd8b-7706-4e31-9569-afefde724be3",
- "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use managed identities to authenticate to other Azure resources whenever possible",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
- "service": "APIM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM",
+ "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Leverage zone-redundancy to ensure high availability in the event of zone-level failures. 
Use Premium V2/V3 or Isolated v2 tiers, which provide support for zone-redundant deployments and ensure minimal downtime during disasters.",
- "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
- "service": "App Services",
- "severity": "Low",
- "text": "Implement a baseline highly available zone-redundant web application architecture. Ensure your Azure App Service is on Premium V2/V3 or Isolated v2 tiers for zone-redundant support.",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Leverage staging slots for zero-downtime deployments and automated backups to ensure disaster recovery. Choose the appropriate tier (Standard or Premium) based on the number of slots and disaster recovery requirements.",
- "graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant",
- "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
- "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Use Premium and Standard tiers for staging slots and automated backups. 
Align your backup retention period with disaster recovery needs.",
- "waf": "Reliability"
+ "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Availability Zones provide physical isolation across datacenters in a region, reducing downtime during outages. Verify your region supports Availability Zones and use Premium V2/V3 tiers for zone-redundant deployments.",
- "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
- "link": "https://learn.microsoft.com/azure/reliability/migrate-app-service",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/ai-onboarding",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Leverage Availability Zones where regionally applicable (Premium V2/V3 tier required). Check region support for Availability Zones.",
- "waf": "Reliability"
+ "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. 
Leverage Azure Sentinel for advanced threat detection and response",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Enable health checks to detect unhealthy instances in real-time and automatically replace them to maintain high availability and application reliability.",
- "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant",
- "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
- "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Implement health checks to monitor and detect issues with App Service instances. Health checks enable automatic instance replacement on failure.",
- "waf": "Reliability"
+ "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Follow best practices for configuring backups and restores in Azure App Service and ASE to guarantee data availability and ensure recovery during disaster scenarios.",
- "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
- "link": "https://learn.microsoft.com/azure/app-service/manage-backup",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Refer to backup and restore best practices for Azure App Service and App Service Environments (ASE) to ensure data availability and recovery.",
- "waf": "Reliability"
+ "text": "Implement Prompt shields and groundedness detection using Content Safety ",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Ensure high availability by incorporating scaling, fault tolerance, monitoring, and zone redundancy into your App Service architecture. 
Leverage health checks and availability zones to maintain uptime.",
- "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
- "link": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Implement Azure App Service reliability best practices, including auto-scaling, fault tolerance, health checks, and zone redundancy.",
- "waf": "Reliability"
+ "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Prepare for disaster recovery by implementing region failover strategies. Utilize active-active and active-passive configurations, automated failover, and Infrastructure as Code (IaC) for seamless failover during outages.",
- "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
- "link": "https://learn.microsoft.com/azure/app-service/manage-disaster-recovery#recover-app-content-only",
- "service": "App Services",
- "severity": "Low",
- "text": "Familiarize with App Service region failover, including active-active and active-passive configurations, automated failover, and IaC deployment.",
- "waf": "Reliability"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. 
Encourage them to follow data security protocols diligently.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Azure App Service offers built-in reliability features, including scaling, fault tolerance, and service-level agreements (SLAs). Leverage these features to maintain consistent performance during outages.",
- "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-app-service",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Familiarize with reliability support in Azure App Service, including scaling options, SLAs, and automated recovery mechanisms.",
- "waf": "Reliability"
+ "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Enabling 'Always On' for Function Apps ensures that the app does not go idle, maintaining its availability and responsiveness at all times.",
- "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
- "link": "https://learn.microsoft.com/azure/azure-functions/dedicated-plan#always-on",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Ensure 'Always On' is enabled for Function Apps running on App Service plans to prevent idling and ensure continuous availability.",
- "waf": "Reliability"
+ "text": "If you have varying levels of data sensitivity, consider creating separate 
indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Health checks monitor the health of App Service instances, enabling automatic replacement of unhealthy instances to maintain high availability.",
- "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
- "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Monitor App Service instances using Health checks to detect unhealthy instances and automatically replace them.",
- "waf": "Reliability"
+ "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
- "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-overview",
- "service": "App Services",
- "severity": "Medium",
- "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests, ensuring proactive detection of performance issues and downtime.",
- "waf": "Reliability"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
- "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-standard-tests",
- "service": "App Services",
- "severity": "Low",
- "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website",
- "waf": "Reliability"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Azure Key Vault ensures secrets are encrypted, securely stored, and accessed only by authorized applications. 
It supports audit logging, and secret versioning, and reduces the risk of accidental exposure of sensitive information.",
- "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.privateEndpointConnections != '[]' and properties.publicNetworkAccess !~ 'enabled')",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a secure, managed, and audited environment for storing secrets, and integrates seamlessly with App Service via App Service Key Vault References for enhanced security.",
+ "text": "Configure private endpoint for AI services to restrict service access within your network",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Managed Identity eliminates the need for hard-coded credentials by allowing App Service to authenticate to Azure Key Vault securely. 
This reduces the risk of credential exposure and simplifies secret management for enhanced security.",
- "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Use Managed Identity to securely connect to Azure Key Vault for accessing secrets, through App Service Key Vault References.",
+ "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Storing TLS certificates in Azure Key Vault enhances security by providing centralized, secure management and automated renewal of certificates. This reduces the risk of manual handling errors and certificate expiration.",
- "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Use Azure Key Vault to securely store and manage TLS certificates for App Service.",
+ "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "To minimize exposure and improve security, isolate systems processing sensitive data. 
Leverage separate App Service Plans or App Service Environments for isolation, and use different subscriptions or management groups to enforce stricter boundaries and governance.",
- "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
- "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Isolate systems that process sensitive information using separate App Service Plans, App Service Environments (ASE), and consider different subscriptions or management groups for enhanced security.",
+ "text": "Use prompt compression tools like LLMLingua or gprtrim",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (isnotnull(identity))",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).",
- "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
- "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Do not store sensitive data on local disk",
+ "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Use Microsoft Entra ID or B2C for secure user authentication and Single Sign-On (SSO) across applications. Integrate using the built-in App Service Authentication/Authorization feature for streamlined security and compliance with modern authentication protocols like OpenID Connect.",
- "guid": "919ca0b2-c121-459e-814b-933df574eccc",
- "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Use Microsoft Entra ID or B2C for secure authentication and Single Sign-On (SSO).",
+ "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. 
Enable logging to capture network events and facilitate forensic analysis in case of security incidents",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Ensure all code deployments to App Service originate from a controlled, secured environment, such as a well-managed DevOps pipeline. This practice mitigates the risk of deploying unauthorized or malicious code by enforcing version control, code verification, and secure hosting.",
- "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
- "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (tags != '{}')",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "text": "Azure AI Services are properly tagged for better management",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "text": "Azure AI 
Service accounts follows organizational naming conventions",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Diagnostic logs in Azure AI services resources should be enabled",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.disableLocalAuth == true)",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Deploy code to App Service from a trusted and secure environment.",
+ "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM to enhance security by enforcing Microsoft Entra ID secured endpoints for deployment. 
This ensures that only authenticated users using Microsoft Entra ID credentials can access deployment services, including the SCM site.",
- "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
- "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM.",
+ "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Wherever possible, use Managed Identity to securely connect to Microsoft Entra ID-secured resources without storing credentials. 
If this is not feasible, store secrets in Azure Key Vault and access them using Managed Identity to maintain security and reduce the risk of credential exposure.",
- "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
- "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Use Managed Identity to connect to Microsoft Entra ID secured resources.",
+ "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "When using images stored in Azure Container Registry, pull these images using a Managed Identity to avoid storing credentials. 
This ensures secure access to container images and reduces the risk of credential exposure.",
- "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Pull container images from Azure Container Registry using a Managed Identity.",
- "waf": "Security"
+ "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Configure diagnostic settings to send telemetry and security logs (including HTTP, platform, and audit logs) to Log Analytics. 
Centralized logging enhances monitoring, threat detection, and compliance reporting.",
- "guid": "47768314-c115-4775-a2ea-55b46ad48408",
- "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
- "service": "App Services",
- "severity": "Medium",
- "text": "Send App Service runtime and security logs to Log Analytics for centralized monitoring and alerting.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.",
- "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
- "service": "App Services",
- "severity": "Medium",
- "text": "Send App Service activity logs to Log Analytics",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Setup a process to regularly update and patch the LLM libraries and other system components",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Use regional VNet integration, Network Security Groups (NSGs), and User-Defined Routes (UDRs) to control outbound network access. 
Route traffic through a Network Virtual Appliance (NVA), such as Azure Firewall, and monitor firewall logs to ensure traffic is properly controlled and secure.",
- "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
- "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
- "service": "App Services",
- "severity": "Medium",
- "text": "Control outbound network access for App Service using VNet integration, NSGs, UDRs, and firewalls.",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Provide a stable outbound IP by using VNet integration with a NAT Gateway or Network Virtual Appliance (NVA) like Azure Firewall. This enables the receiving party to allow-list based on IP, if necessary. 
For communications with Azure services, use mechanisms like Service Endpoints or private endpoints to avoid relying on static IPs, ensuring secure and efficient connectivity.",
- "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
- "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
- "service": "App Services",
- "severity": "Low",
- "text": "Ensure a stable IP for outbound communications by using VNet NAT Gateway or Azure Firewall.",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Understand difference in cost of base models and fine tuned models and token step sizes",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Control inbound network access by configuring App Service Access Restrictions, Service Endpoints, or Private Endpoints. 
Ensure appropriate restrictions are set for both the web app and the SCM (deployment) site to limit unauthorized access and enhance security.",
- "guid": "0725769e-e669-41a4-a34a-c932223ece80",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Control inbound network access using Access Restrictions, Service Endpoints, or Private Endpoints.",
- "waf": "Security"
+ "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Protect App Service from malicious inbound traffic by deploying a Web Application Firewall (WAF) using Azure Application Gateway or Azure Front Door. 
Ensure WAF logs are monitored regularly to detect and respond to security threats.",
- "guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
- "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
- "service": "App Services",
- "severity": "High",
- "text": "Use a Web Application Firewall (WAF) in front of App Service.",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "To prevent the Web Application Firewall (WAF) from being bypassed, lock down access to App Service by using Access Restrictions, Service Endpoints, and Private Endpoints. This ensures that all traffic is routed through the WAF, providing a secure front layer of protection.",
- "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
- "service": "App Services",
- "severity": "High",
- "text": "Ensure the WAF cannot be bypassed by securing access to App Service.",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). 
Optimize the size to ensure it is large enough for a valid response",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Ensure that the minimum TLS policy is set to 1.2 or higher, with a preference for TLS 1.3, to enhance security through stronger encryption protocols. TLS 1.3 provides additional security improvements and faster handshake times, reducing vulnerabilities associated with older versions.",
- "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
- "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Set minimum TLS policy to 1.2 or higher, preferably 1.3, in App Service configuration.",
- "waf": "Security"
+ "text": "Plan and manage AI Search Vector storage",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Configure App Service to enforce HTTPS-only, automatically redirecting all HTTP traffic to HTTPS. 
Additionally, implement HTTP Strict Transport Security (HSTS) in your code or via a Web Application Firewall (WAF) to ensure browsers only access the site over HTTPS, enhancing security by preventing downgrade attacks.",
- "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
- "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
- "service": "App Services",
- "severity": "High",
- "text": "Use HTTPS only and consider enabling HTTP Strict Transport Security (HSTS).",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning & experimentation. Apply LLMOps practices to automate the lifecycle management of your GenAI applications",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Do not use wildcards (*) in your CORS configuration, as this permits unrestricted access from any origin, compromising security. 
Instead, explicitly specify trusted origins that are allowed to access the service, ensuring controlled access.",
- "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Avoid using wildcards for CORS; specify allowed origins explicitly.",
- "waf": "Security"
+ "text": "Evaluate usage of billing models - PAYG vs PTU. Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Remote debugging should not be enabled in production as it opens additional ports, increasing the attack surface. 
Although App Service automatically turns off remote debugging after 48 hours, it is recommended to disable it manually in production to maintain a secure environment.",
- "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
- "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
- "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
- "service": "App Services",
- "severity": "High",
- "text": "Turn off remote debugging in production environments.",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Evaluate the quality of prompts and applications when switching between model versions",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.",
- "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Enable Defender for Cloud - Defender for App Service",
- "waf": "Security"
+ "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence and fluency",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
- "guid": "223ece80-b123-4071-a541-6415833ea3ad",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Evaluate your Azure AI Search results based on different search parameters",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Enable DDOS Protection Standard on the WAF VNet",
- "waf": "Security"
+ "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "When using images stored in Azure Container Registry, ensure they are pulled over a virtual network by using a private endpoint and configuring the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'. 
This ensures secure communication between App Service and the registry, preventing exposure to the public internet.",
- "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
- "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Pull container images over a Virtual Network from Azure Container Registry.",
- "waf": "Security"
+ "text": "Use prompt engineering techniques to improve the accuracy of LLM responses",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Perform a penetration test on the web application in accordance with Azure's penetration testing rules of engagement. 
This helps identify vulnerabilities and security weaknesses that can be addressed before they are exploited.",
- "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Conduct a penetration test on the web application.",
+ "text": "Red team your GenAI applications",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Ensure that only trusted code, which has been validated and scanned for vulnerabilities, is deployed to production following DevSecOps practices. This minimizes the risk of introducing security vulnerabilities into the application environment.",
- "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
- "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Deploy validated and vulnerability-scanned code.",
- "waf": "Security"
+ "text": "Provide end users with scoring options for LLM responses and track these scores. ",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Ensure that the latest versions of supported platforms, programming languages, protocols, and frameworks are used. 
Regular updates mitigate the risk of security vulnerabilities and ensure compatibility with security patches.",
- "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
- "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Use up-to-date platforms, languages, protocols and frameworks",
- "waf": "Security"
+ "text": "Consider Quota management practices. Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Leverage Auto-Healing in Azure App Service to automatically restart instances or trigger custom actions based on pre-defined failure conditions like memory thresholds, HTTP errors, or specific event logs.",
- "guid": "60b3a935-33e5-45c9-87c7-53882e395b46",
- "link": "https://learn.microsoft.com/azure/app-service/overview-diagnostics",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Use Auto-Healing with custom rules to restart App Service instances automatically when failures occur.",
- "waf": "Reliability"
+ "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
+ "waf": "Operational 
Excellence"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Configure Azure Monitor alerts based on Application Insights metrics for response times, failure rates, and overall availability. Alerts help detect issues proactively and reduce mean-time-to-recovery (MTTR).",
- "guid": "e52e4514-02a7-4e81-a98e-88ce1b18e557",
- "link": "https://learn.microsoft.com/azure/azure-monitor/app/alerts",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc411",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-studio#import-training-data-from-azure-blob-store",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Set up alerts for critical Application Insights metrics, such as response time and failure rates.",
+ "text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Use Azure Policy to enforce security, compliance, and governance configurations for App Service. 
Policies can ensure that critical settings such as TLS versions, backup configurations, and network restrictions are enforced across all App Service instances.",
- "guid": "361e886f-ca40-4ead-a8e9-1379c642ae9c",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "App Services",
- "severity": "High",
- "text": "Apply Azure Policy to enforce compliance across App Service configurations.",
- "waf": "Governance"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "Leverage Azure Cost Management to track and forecast App Service expenses. 
Set up alerts for budget thresholds to avoid overspending, and optimize costs based on resource utilization trends.",
- "guid": "42eb48f0-28ff-497c-b2c0-a8fa1f989832",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/",
- "service": "App Services",
- "severity": "Low",
- "text": "Monitor App Service costs using Azure Cost Management and create cost alerts.",
- "waf": "Cost"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Monitor provision-managed utilization if you're using the provisioned throughput payment model",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "description": "If you have predictable and steady usage of App Service, purchasing Reserved Instances can significantly reduce long-term costs. 
Commit to one or three years for lower pricing compared to pay-as-you-go.",
- "guid": "e489221b-487e-48a3-aaab-48e3d205ca12",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/",
- "service": "App Services",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc414",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/content-filters",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Purchase reserved instances for App Service plans to optimize long-term costs.",
- "waf": "Cost"
+ "text": "Tune content filters to minimize false positives from overly aggressive filters",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc415",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "75089c20-990d-4927-b105-885576f76fc2",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' and kind =~ 'contentsafety' | project id, compliant = 1",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416",
+ "link": 
"https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure",
+ "text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a9",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)",
- "waf": "Security"
+ "text": "Develop your cost model, considering prompt sizes. 
Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a1",
+ "link": "https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)",
- "waf": "Security"
+ "text": "Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. Optimize costs while still achieving the desired application performance",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. 
The cost for generating 100 images is the same as the cost for 1 image",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a3",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Has an RBAC model been created for use within VMware vSphere",
- "waf": "Security"
+ "text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Create concise prompts that provide enough context for the model to generate a useful response. 
Also ensure that you optimize the limit of the response length.",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219",
+ "link": "https://learn.microsoft.com/azure/ai-services/create-account-bicep",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5855",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/openai",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "RBAC permissions should be granted on ADDS groups and not on specific users",
- "waf": "Security"
+ "text": "Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable image export to prevent data exfiltration. 
Note that this will prevent image import of images into another ACR instance.",
+ "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e",
+ "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention",
+ "query": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend exportPolicyStatus = properties.policies.exportPolicy.status | extend compliant = iif(exportPolicyStatus =~ 'Disabled', true, false) | project acrName, acrId, exportPolicyStatus, compliant",
+ "service": "ACR",
 "severity": "High",
- "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only",
+ "text": "Disable Azure Container Registry image export",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry",
+ "guid": "d503547c-d447-4e82-9128-a7100f1cac6d",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy",
+ "service": "ACR",
 "severity": "High",
- "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations",
+ "text": "Enable Azure Policies for Azure Container Registry",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
- "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
- "service": "AVS",
- "severity": "High",
- "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand",
- "waf": "Performance"
- },
- {
- "arm-service": 
"Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.",
+ "guid": "d345293c-7639-4637-a551-c5c04e401955",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push",
+ "service": "ACR",
 "severity": "High",
- "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection",
- "waf": "Operations"
+ "text": "Sign and Verify containers with notation (Notary v2)",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. 
By using a customer-managed key, you can supplement default encryption with an additional encryption layer.",
+ "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend encryptionStatus = properties.encryption.status | extend compliant = iif(encryptionStatus == 'disabled', false, true) | project acrName, acrId, encryptionStatus, compliant",
+ "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49",
+ "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys",
+ "service": "ACR",
 "severity": "Medium",
- "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity",
- "waf": "Operations"
+ "text": "Encrypt registry with a customer managed key",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications",
+ "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
+ "service": "ACR",
 "severity": "High",
- "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).",
- "waf": "Operations"
+ "text": "Use Managed Identities to connect instead of Service Principals",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container 
Registry Security Review",
+ "description": "The local Administrator account is disabled by default and should not be enabled. Use either Token or RBAC-based access methods instead",
+ "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant",
+ "guid": "be0e38ce-e297-411b-b363-caaab79b198d",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
+ "service": "ACR",
 "severity": "High",
- "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
+ "text": "Disable local authentication for management plane access",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations",
+ "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant",
+ "guid": "387e5ced-126c-4d13-8af5-b20c6998a646",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli",
+ "service": "ACR",
 "severity": "High",
- "text": "Privileged Identity Management audit reporting should be 
implemented for the Azure VMware Solution PIM roles",
+ "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable anonymous pull/push access",
+ "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend compliant = iif(properties.anonymousPullEnabled == false, true, false) | project compliant, name, id, tags | distinct id, compliant",
+ "guid": "e338997e-41c7-47d7-acf6-a62a1194956d",
+ "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access",
+ "service": "ACR",
 "severity": "Medium",
- "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)",
+ "text": "Disable Anonymous pull access",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Token authentication doesn't support assignment to an AAD principal. 
Any tokens provided are able to be used by anyone who can access the token",
+ "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli",
+ "service": "ACR",
 "severity": "High",
- "text": "Limit use of CloudAdmin account to emergency access only",
+ "text": "Disable repository-scoped access tokens",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
- "service": "AVS",
- "severity": "Medium",
- "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network",
+ "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Deploy images from a trusted environment",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR",
+ "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy",
+ "service": "ACR",
 "severity": "Medium",
- "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
+ "text": "Disable Azure ARM audience tokens for authentication",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
- "service": "AVS",
- "severity": "High",
- "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.",
+ "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6",
+ "link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Enable diagnostics logging",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
- "service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch",
+ "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
+ "service": "ACR",
 "severity": "Medium",
- "text": "Is East-West traffic filtering implemented within NSX-T",
+ "text": "Control inbound network access with Private Link",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
- "service": "AVS",
- "severity": "High",
- "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. 
Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable public network access if inbound network access is secured using Private Link",
+ "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | where sku.name =~ 'Premium' // Check for Premium SKU | extend publicAccessEnabled = properties.publicNetworkAccess | extend defaultAction = tostring(properties.networkRuleSet.defaultAction) // Extract defaultAction | extend compliant = iif(publicAccessEnabled != 'Enabled' or defaultAction == 'Deny', true, false) | project name, id, publicAccessEnabled, defaultAction, compliant",
+ "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Disable Public Network access",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
- "service": "AVS",
- "severity": "High",
- "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Only the ACR Premium SKU supports Private Link access",
+ "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend skuName = sku.name // Extract the SKU name | extend compliant = iif(skuName == 'Premium', true, false) // Check if SKU is Premium | project name, id, skuName, compliant",
+ "guid": "fc833934-8b26-42d6-ac5f-512925498f6d",
+ "link": 
"https://learn.microsoft.com/azure/container-registry/container-registry-skus",
+ "service": "ACR",
+ "severity": "Medium",
+ "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
- "service": "AVS",
- "severity": "Medium",
- "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities",
+ "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
+ "service": "ACR",
+ "severity": "Low",
+ "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')",
- "guid": "334fdf91-c234-4182-a652-75269440b4be",
- 
"service": "AVS",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
+ "guid": "4451e1a2-d345-4293-a763-9637a551c5c0",
+ "service": "ACR",
 "severity": "Medium",
- "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
+ "text": "Deploy validated container images",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
- "service": "AVS",
- "severity": "Medium",
- "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
+ "guid": "4e401955-387e-45ce-b126-cd132af5b20c",
+ "service": "ACR",
+ "severity": "High",
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
- "service": "AVS",
- "severity": "Medium",
- "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution",
- "waf": "Security"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage",
+ "guid": "ba7da7be-9951-4914-a384-5d997cb39132",
+ "link": 
"https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export",
+ "service": "Azure Data Explorer",
+ "text": "Leverage External Tables and Continuous data export overview to reduce costs",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
- "service": "AVS",
- "severity": "Medium",
- "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
- "waf": "Security"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.",
+ "guid": "56a22586-f490-4641-addd-ea8a377cdeb3",
+ "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp",
+ "service": "Azure Data Explorer",
+ "text": "To share data, explore Leader-follower cluster configuration",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
- "service": "AVS",
- "severity": "Low",
- "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)",
- "waf": "Security"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.",
+ "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters",
+ "service": "Azure Data Explorer",
+ "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
- "service": "AVS",
- "severity": "Low",
- "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
- "waf": "Security"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "436b0635-cb45-4e57-a603-324ace8cc123",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities",
+ "service": "Azure Data Explorer",
+ "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "5ac94222-3e13-4810-9230-81a941741583",
- "service": "AVS",
- "severity": "Medium",
- "text": "Consider using extended security update support for workloads 
running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
- "waf": "Security"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "18ca6017-0265-4f4b-a46a-393af7f31728",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution",
+ "service": "Azure Data Explorer",
+ "text": "Ingest data into each cluster in parallel",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.",
+ "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration",
+ "service": "Azure Data Explorer",
+ "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d88408f3-7273-44c8-96ba-280214590146",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. 
Configure dual ingestion, processing, and curation. Users are routed to the nearest region. The cluster SKU must be the same across regions.",
+ "guid": "563a4dc7-4a74-48b6-922a-d190916a6649",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration",
+ "service": "Azure Data Explorer",
+ "text": "For critical applications, create Active-Active configuration in two paired regions",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.",
+ "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration",
+ "service": "Azure Data Explorer",
+ "text": "For applications, which required only read during failure, create Active-Hot standby configuration",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.",
+ "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration",
+ "service": "Azure Data Explorer",
+ "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.",
+ "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
+ "text": "Wrap DevOps and source control around all your code",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
- "waf": "Cost"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780",
+ 
"link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
+ "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
- "service": "AVS",
- "severity": "Low",
- "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
- "waf": "Cost"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
+ "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
- "service": "AVS",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx",
+ "service": "Azure Data Factory",
 "severity": "Medium",
- "text": "Consider the use of Azure Private-Link when using other Azure Native Services",
- "waf": "Security"
+ "text": "Leverage FTA Resiliency Playbook for Azure Data Factory",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": 
"db611712-6904-40b4-aa3d-3e0803276d4b",
- "service": "AVS",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "e503547c-d447-4e82-9138-a7200f1cac6d",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
 "severity": "High",
- "text": "Ensure all required resource reside within the same Azure availability zone(s)",
- "waf": "Performance"
+ "text": "Use zone redundant pipelines in regions that support Availability Zones",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
- "service": "AVS",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511",
+ "link": "https://learn.microsoft.com/azure/data-factory/source-control",
+ "service": "Azure Data Factory",
 "severity": "Medium",
- "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
- "waf": "Security"
+ "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
- "service": "AVS",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
 "severity": "Medium",
- "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
- "waf": "Security"
+ "text": "Make sure you replicate the Self-Hosted Integration 
Runtime VMs in another region ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
+ "severity": "Medium",
+ "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you",
+ "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Azure Data Factory",
+ "severity": "Low",
+ "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity",
+ "waf": "Reliability"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
+ "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
 "service": "AVS",
 "severity": "High",
- "text": "Enable Diagnostic and metric logging on Azure VMware Solution",
- "waf": "Operations"
+ "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
+ "guid": "75089c20-990d-4927-b105-885576f76fc2",
 "service": "AVS",
 "severity": "Medium",
- "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
- "waf": "Operations"
+ 
"text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
+ "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
 "service": "AVS",
- "severity": "Medium",
- "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
+ "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
 "service": "AVS",
 "severity": "Medium",
- "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
+ "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)",
 "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
+ "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
 "service": "AVS",
 "severity": "Medium",
- "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
+ "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)",
 "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
+ "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
 "service": "AVS",
 "severity": "High",
- "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution 
deployment",
+ "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)",
 "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
+ "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
 "service": "AVS",
- "severity": "High",
- "text": "Are data processing implications (service provider / service consumer model) clear and documented",
+ "severity": "Medium",
+ "text": "Has an RBAC model been created for use within VMware vSphere",
 "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "547c1747-dc56-4068-a714-435cd19dd244",
+ "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
 "service": "AVS",
 "severity": "Medium",
- "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).",
+ "text": "RBAC permissions should be granted on ADDS groups and not on specific users",
 "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
+ "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
 "service": "AVS",
 "severity": "High",
- "text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
- "waf": "Operations"
+ "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| 
extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id",
- "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
+ "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
 "service": "AVS",
 "severity": "High",
- "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
- "waf": "Operations"
+ "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id",
- "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
+ "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
+ "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
 "service": "AVS",
 "severity": "High",
- "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
- "waf": "Operations"
+ "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand",
+ "waf": "Performance"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | 
extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project 
id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)",
- "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
+ "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
 "service": "AVS",
 "severity": "High",
- "text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
+ "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'",
 "waf": "Operations"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
+ "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
 "service": "AVS",
 "severity": "Medium",
- "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
- "service": "AVS",
- "severity": "Low",
- "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
- "service": "AVS",
- "severity": "High",
- "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning",
+ "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection",
 "waf": "Operations"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
+ "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
 
"service": "AVS",
 "severity": "Medium",
- "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource",
+ "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity",
 "waf": "Operations"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
+ "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
 "service": "AVS",
- "severity": "Medium",
- "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore",
+ "severity": "High",
+ "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).",
 "waf": "Operations"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
+ "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
 "service": "AVS",
- "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
+ "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
 "service": "AVS",
- "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Privileged Identity Management audit 
reporting should be implemented for the Azure VMware Solution PIM roles",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
+ "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
 "service": "AVS",
 "severity": "Medium",
- "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
- "waf": "Operations"
+ "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
+ "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
 "service": "AVS",
- "severity": "Medium",
- "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Limit use of CloudAdmin account to emergency access only",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
+ "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
 "service": "AVS",
 "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
+ "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
 "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
+ "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
 "service": "AVS",
 "severity": "Medium",
- "text": 
"Ensure backups are not stored on vSAN as vSAN is a finite resource",
- "waf": "Reliability"
+ "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
 "service": "AVS",
- "severity": "Medium",
- "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
 "service": "AVS",
 "severity": "Medium",
- "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
- "waf": "Reliability"
+ "text": "Is East-West traffic filtering implemented within NSX-T",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
 "service": "AVS",
 "severity": "High",
- "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "8255461e-2aee-4345-9aec-8339248b262d",
- "service": "AVS",
- "severity": "Medium",
- "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
- "waf": "Reliability"
+ "text": "Workloads on Azure VMware Solution are not 
directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
 "service": "AVS",
 "severity": "High",
- "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
- "waf": "Reliability"
+ "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
+ "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
 "service": "AVS",
 "severity": "Medium",
- "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
- "waf": "Reliability"
+ "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
+ "graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project 
id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')",
+ "guid": "334fdf91-c234-4182-a652-75269440b4be",
 "service": "AVS",
 "severity": "Medium",
- "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]",
- "waf": "Reliability"
+ "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
+ "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
 "service": "AVS",
 "severity": "Medium",
- "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
- "waf": "Reliability"
+ "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
+ "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
 "service": "AVS",
 "severity": "Medium",
- "text": "Deploy your backup solution outside of vSan, on Azure native components",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
- "service": "AVS",
- "severity": "Low",
- "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
- "waf": "Reliability"
+ "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 
"checklist": "Azure VMware Solution Design Review",
- "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
+ "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
 "service": "AVS",
- "severity": "Low",
- "text": "For manual deployments, all configuration and deployments must be documented",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
+ "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
 "service": "AVS",
 "severity": "Low",
- "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
- "waf": "Operations"
+ "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
+ "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
 "service": "AVS",
 "severity": "Low",
- "text": "For automated deployments, deploy a minimal private cloud and scale as needed",
- "waf": "Operations"
+ "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
+ "guid": "5ac94222-3e13-4810-9230-81a941741583",
 "service": "AVS",
- "severity": "Low",
- "text": "For automated deployments, request or reserve quota prior to starting the deployment",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
+ "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
 "service": "AVS",
- "severity": "Low",
- "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)",
+ "waf": "Reliability"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
+ "guid": "d88408f3-7273-44c8-96ba-280214590146",
 "service": "AVS",
- "severity": "Low",
- "text": "Implement human understandable names for ExR authorization keys to allow for easy 
identification of the keys purpose/use",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
+ "waf": "Reliability"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "255461e2-aee3-4553-afc8-339248b262d6",
+ "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
 "service": "AVS",
- "severity": "Low",
- "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
+ "waf": "Reliability"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
+ "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
 "service": "AVS",
- "severity": "Low",
- "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
+ "severity": "Medium",
+ "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
 "waf": "Operations"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
+ "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
 "service": "AVS",
- "severity": "Low",
- "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
+ "severity": "Medium",
+ "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new 
nodes",
 "waf": "Operations"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
+ "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
 "service": "AVS",
 "severity": "Medium",
- "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
- "waf": "Performance"
+ "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
+ "waf": "Cost"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
+ "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
 "service": "AVS",
- "severity": "Medium",
- "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
- "waf": "Performance"
+ "severity": "Low",
+ "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
+ "waf": "Cost"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
+ "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
 "service": "AVS",
 "severity": "Medium",
- "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
- "waf": "Performance"
+ "text": "Consider the use of Azure Private-Link when using other Azure Native Services",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
+ "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
 "service": "AVS",
- "severity": "Medium",
- "text": "Consider and validate scaling operations on 
3rd party solutions used in the architecture (supported or not)",
+ "severity": "High",
+ "text": "Ensure all required resource reside within the same Azure availability zone(s)",
 "waf": "Performance"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
+ "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
 "service": "AVS",
 "severity": "Medium",
- "text": "Define and enforce scale in/out maximum limits for your environment in the automations",
- "waf": "Performance"
+ "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
+ "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
 "service": "AVS",
 "severity": "Medium",
- "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
- "waf": "Operations"
+ "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
 "service": "AVS",
 "severity": "High",
- "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
- "waf": "Reliability"
+ "text": "Enable Diagnostic and metric logging on Azure VMware Solution",
+ "waf": "Operations"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 
"checklist": "Azure VMware Solution Design Review",
- "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
 "service": "AVS",
- "severity": "High",
- "text": "When using MON, you cannot enable MON on more than 100 Network extensions",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
+ "waf": "Operations"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf",
+ "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
 "service": "AVS",
 "severity": "Medium",
- "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.",
- "waf": "Performance"
+ "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
+ "waf": "Operations"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "e614658d-d457-4e92-9139-b821102cad6e",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
 "service": "AVS",
 "severity": "Medium",
- "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance",
- "waf": "Performance"
+ "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521",
+ "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
 "service": "AVS",
 "severity": "Medium",
- "text": "Ensure that migrations are started 
from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)",
- "waf": "Reliability"
+ "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
 "service": "AVS",
- "severity": "Medium",
- "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
 "service": "AVS",
- "severity": "Medium",
- "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions",
- "waf": "Reliability"
+ "severity": "High",
+ "text": "Are data processing implications (service provider / service consumer model) clear and documented",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
+ "guid": "547c1747-dc56-4068-a714-435cd19dd244",
 "service": "AVS",
 "severity": "Medium",
- "text": "Ensure that FastPath is 
enabled on the ExpressRoute Gateway that is being used for external data storage solutions",
- "waf": "Reliability"
+ "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).",
+ "waf": "Security"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
 "service": "AVS",
 "severity": "High",
- "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor",
- "waf": "Reliability"
+ "text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
+ "waf": "Operations"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
+ "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id",
+ "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
 "service": "AVS",
 "severity": "High",
- "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements",
- "waf": "Reliability"
+ "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
+ 
"waf": "Operations" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", "service": "AVS", "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", - "waf": "Reliability" + "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", + "waf": "Operations" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 
'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", "service": "AVS", "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", - "waf": "Reliability" + "text": "Ensure alerts are 
configured for Azure Service Health alerts and notifications", + "waf": "Operations" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", "service": "AVS", - "severity": "High", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", - "waf": "Reliability" + "severity": "Medium", + "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "High", - "text": "Select the right Function hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", + "severity": "Low", + "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' and tolower(kind) !contains 'workflow' | extend aspResourceId = tostring(properties.serverFarmId), managedEnvId = tostring(properties.managedEnvironmentId), sku = 
tostring(properties.sku) | extend sku = iif(isnotempty(sku), sku, iif(isnotempty(managedEnvId), 'ContainerApps', '')) | where sku !in ('Dynamic', 'FlexConsumption', '') | extend aspName = tostring(split(aspResourceId, '/').[-1]), managedEnvName = tostring(split(managedEnvId, '/').[-1]) | extend HostingPlan = tostring(iif(isnotempty(aspName), aspName, managedEnvName)) | project functionAppName = name, functionAppId = id, HostingPlan, sku | join kind=inner ( resources | where type =~ 'Microsoft.Web/serverfarms' or type =~ 'Microsoft.App/managedEnvironments' | extend HostingPlan = tostring(name), zoneRedundant = tostring(properties.zoneRedundant), compliant = tobool(properties.zoneRedundant) | project HostingPlan, resourceId = id, zoneRedundant, compliant ) on HostingPlan | project functionAppName, functionAppId, sku, HostingPlan, resourceId, zoneRedundant, compliant", - "service": "Azure Functions", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", - "waf": "Reliability" + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "severity": "Medium", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" 
+ "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", + "severity": "Medium", + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' | where tolower(kind) !contains 'workflow' | where isnotempty(properties.serverFarmId) | extend sku = tostring(properties.sku) | where isnotempty(sku) | where sku !in ('Dynamic', 'FlexConsumption', 'ElasticPremium') | extend alwaysOn = properties.siteConfig.alwaysOn | project functionAppName = name, functionAppId = id, serverFarmId = tostring(properties.serverFarmId), sku, alwaysOn, compliant = tobool(alwaysOn)", - "service": "Azure Functions", - "severity": "High", - "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", + "severity": "Medium", + 
"text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "severity": "Medium", - "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled", - "waf": "Reliability" + "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", + "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", "waf": "Operations" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": 
"Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", "severity": "Medium", - "text": "Follow reliability support recommendations in Azure Bot Service", - "waf": "Reliability" + "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "waf": "Operations" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", "severity": "Medium", - "text": "Deploying bots with local data residency and regional compliance", - "waf": "Reliability" + "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", + "waf": "Security" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "severity": "Medium", - "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. 
For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", "severity": "Medium", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions", + "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "severity": "Medium", - "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", - "severity": "Medium", - "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", + "severity": "High", + "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "severity": "Medium", - "text": "Use more than 1 app instance for your apps", + "text": "Use the geopolitical region pair as the secondary disaster recovery environment", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "Medium", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", + "severity": "High", + "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "severity": "Medium", - "text": "Set up autoscaling in Spring Cloud Gateway", + "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "Low", - "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", + "severity": "Medium", + "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", "severity": "Medium", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "severity": "Medium", - "text": "Consider the 'Azure security baseline for storage'", - "waf": "Security" + "text": "Deploy your backup solution outside of vSan, on Azure native components", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "High", - "text": "Consider using private endpoints for Azure Storage", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "Low", + "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", - "severity": "Medium", - "text": "Ensure older storage accounts are not using 'classic deployment model'", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", + "severity": "Low", + "text": "For manual deployments, all configuration and deployments must be documented", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "High", - "text": "Enable Microsoft Defender for all of your storage accounts", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "Low", + "text": "For manual deployments, consider implementing resource locks to prevent 
accidental actions on your Azure VMware Solution Private Cloud", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", - "severity": "Medium", - "text": "Enable 'soft delete' for blobs", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "Low", + "text": "For automated deployments, deploy a minimal private cloud and scale as needed", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "Medium", - "text": "Disable 'soft delete' for blobs", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "Low", + "text": "For automated deployments, request or reserve quota prior to starting the deployment", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", - "severity": "High", - "text": "Enable 'soft delete' for containers", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "Low", + "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", - "severity": "Medium", - "text": "Disable 'soft delete' for containers", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "Low", + "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "High", - "text": "Enable resource locks on storage accounts", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "severity": "Low", + "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", - "severity": "High", - "text": "Consider immutable blobs", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "Low", + "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "High", - "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "Low", + "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", - "severity": "High", - "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", + "severity": "Medium", + "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "Medium", - "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", - "waf": "Security" + "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": ". Enforcing the latest TLS version will reject request from clients using the older version. ", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", - "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", - "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", - "service": "Azure Storage", - "severity": "High", - "text": "Enforce the latest TLS version for a storage account", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", + "severity": "Medium", + "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", - "severity": "High", - "text": "Use Microsoft Entra ID tokens for blob access", - "waf": "Security" + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", + "severity": "Medium", + "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", "severity": "Medium", - "text": "Least privilege in IaM permissions", - "waf": "Security" + "text": "Define and enforce scale in/out maximum limits for your environment in the automations", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "High", - "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", + "severity": "Medium", + "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. 
", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "High", - "text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.", - "waf": "Security" + "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "High", - "text": "Consider using Azure Monitor to audit control plane operations on the storage account", - "waf": "Security" + "text": "When using MON, you cannot enable MON on more than 100 Network extensions", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "Medium", - "text": "When using storage account keys, consider enabling a 'key expiration policy'", - "waf": "Security" + "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "severity": "Medium", - "text": "Consider configuring an SAS expiration policy", - "waf": "Security" + "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "severity": "Medium", - "text": "Consider linking SAS to a stored access policy", - "waf": "Security" + "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", "severity": "Medium", - "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "High", - "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "High", - "text": "Strive for short validity periods for ad-hoc SAS", - "waf": "Security" + "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "severity": "Medium", - "text": "Apply a narrow scope to a SAS", - "waf": "Security" + "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "severity": "Medium", - "text": "Consider scoping SAS to a specific client IP address, wherever possible", - "waf": "Security" + "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "Low", - "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", + "severity": "High", + "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. 
Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", "severity": "High", - "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", - "waf": "Security" + "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", - "severity": "Medium", - "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", + "severity": "High", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Storage supports CORS 
(Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", "severity": "High", - "text": "Avoid overly broad CORS policies", - "waf": "Security" + "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. 
thus not relying on Azure Storage at all for confidentiality guarantees.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", "severity": "High", - "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", - "waf": "Security" + "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", - "severity": "Medium", - "text": "Determine which/if platform encryption should be used.", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. ", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "severity": "Medium", - "text": "Determine which/if client-side encryption should be used.", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. 
Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "High", - "text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. ", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", + "severity": "Medium", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", - "severity": "High", - "text": "Leverage a storagev2 account type for better performance and reliability", - "waf": "Reliability" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", + "severity": "Medium", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "severity": "High", - "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", - "waf": "Reliability" + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub resource logs include 
operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "severity": "Medium", - "text": "For write operation after failover, use customer-Managed Failover ", - "waf": "Reliability" + "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "severity": "Medium", - "text": "Understand Microsoft-Managed Failover details", - "waf": "Reliability" + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "severity": "Medium", - "text": "Enable Soft Delete", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "High", - "text": "Enable 2 replicas to have 99.9% availability for read operations", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "severity": "Medium", - "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "text": "Leverage FTA Resillency HandBook", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", 
+ "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "severity": "High", - "text": "Leverage Availability Zones by enabling read and/or write replicas", + "text": "Leverage Availability Zones if regionally applicable", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "severity": "Medium", - "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", + "text": "Use the Premium or Dedicated SKUs for predicable performance", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", - "severity": "Medium", - "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on 
multiple services", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "severity": "High", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "severity": "Medium", - "text": "Use Azure Traffic Manager to coordinate requests", + "text": "For Business Critical Applications, use Active Active configuration", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", - "severity": "High", - "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", + "severity": "Medium", + "text": "Design Resilient Event Hubs", "waf": "Reliability" }, { 
@@ -7216,3942 +7590,4167 @@ "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "af416482-663c-4ed6-b195-b44c7068e09c", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", - "query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)", - "service": "Container Apps", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant = (sku=~'{\"name\":\"Standard\"}') | distinct id,compliant", + "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", + "link": "https://learn.microsoft.com/azure/service-fabric/overview-managed-cluster#service-fabric-managed-cluster-skus", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Use Standard SKU for production scenarios.", "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", - "query": "resources | where type =~ 'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)", - "service": "Container Apps", - "severity": "High", - "text": "Use more than one replica and enable Zone Redundancy.", + "checklist": "Azure Service Fabric Review Checklist", + "graph": 
"resources | where type=~'Microsoft.ServiceFabric/clusters' | extend nodeTypes= array_concat(properties.nodeTypes) | mv-expand nodeTypes | summarize BronzeDurabilityCount = countif(nodeTypes.durabilityLevel == 'Bronze') by id | extend compliant = (BronzeDurabilityCount == 0) | distinct id,compliant", + "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-cluster-capacity#durability-characteristics-of-the-cluster", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Use durability level Silver (5 VMs) or greater for production scenarios", "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "severity": "High", - "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant= ( properties.zonalResiliency =~ 'true') | distinct id,compliant", + "guid": "2363878d-55c4-4cbd-9bc2-94523c85f12e", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-availability-zones", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Consider using Availability Zones for your Service Fabric clusters. Service Fabric managed cluster supports deployments that span across multiple Availability Zones to provide zone resiliency. 
This configuration will ensure high-availability of the critical system services and your applications to protect from single-points-of-failure.", "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "severity": "High", - "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "5ba74cc8-3ca2-44d5-9a67-bdc8e102e7b4", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-api-management-overview", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Consider using Azure API Management to expose and offload cross-cutting functionality for APIs hosted on the cluster. API Management can integrate with Service Fabric directly.", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", - "service": "CosmosDB", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "ef17bb8f-4e2c-488b-8ceb-a07c3d750dd3", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-reliable-services-introduction", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "FTA Resiliency Playbook", + "text": "For stateful workload scenarios, consider using Reliable Services. The Reliable Services model allows your services to stay up even in unreliable environments where your machines fail or hit network issues, or in cases where the services themselves encounter errors and crash or fail. 
For stateful services, your state is preserved even in the presence of network or other failures.", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", - "severity": "High", - "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", - "waf": "Reliability" + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | summarize compliant = countif(sku.name matches regex '^Standard_[^d]*$' ) by id", + "guid": "4da21268-f775-4c89-a271-eb80543c8df7", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Avoid VM SKUs with temp disk offerings. 
Service Fabric uses managed disks by default, so avoiding temp disk offerings ensures you don't pay for unneeded resources.", + "waf": "Cost" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", - "service": "CosmosDB", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "1890b796-f300-41a3-a8d4-29738c1f4ad0", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-stateless-node-type#temporary-disk-support", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Run multiple replicas of the database (>1 ) in Prod", - "waf": "Reliability" + "text": "If you need to select a certain VM SKU for capacity reasons and it happens to offer temp disk, consider using temporary disk support for your stateless workloads.", + "waf": "Cost" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", - "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", - "service": "CosmosDB", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "5247bb32-6778-49c7-8b40-e171c9a3ce1e", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Leverage Multi-Region Writes", - "waf": "Reliability" + "text": "Align SKU selection and managed disk size with workload requirements. 
Matching your selection to your workload demands ensures you don't pay for unneeded resources.", + "waf": "Cost" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Span Cosmos account across two or more regions with multi-region writes", - "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "6028759b-446a-41bc-8b0e-7728e61ca704", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-networking#manage-nsg-rules", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Distribute your data globally", - "waf": "Reliability" + "text": "Ensure Network Security Groups (NSG) are configured to restrict traffic flow between subnets and node types. For example, you may have an API Management instance (one subnet), a frontend subnet (exposing a website directly), and a backend subnet (accessible only to frontend).", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", - "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", - "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", - "service": "CosmosDB", - "severity": "High", - "text": "Choose from several well-defined consistency models", - "waf": "Reliability" + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, 
*) | extend compliant = (isnotnull(properties.virtualMachineProfile.osProfile.secrets))", + "guid": "4e98c903-14cf-4c72-9c45-b8b23bc4cbd8", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#deploy-key-vault-certificates-to-service-fabric-cluster-virtual-machine-scale-sets", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets. Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked.", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", - "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", - "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", - "service": "CosmosDB", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "001cbb6f-d88d-4431-8434-d01333397776", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Apply an Access Control List (ACL) to your client certificate for your Service Fabric cluster. 
Using an ACL provides an additional level of authentication.", + "waf": "Security" + }, + { + "checklist": "Azure Service Fabric Review Checklist", + "guid": "4b74b7a5-bb1e-4fca-948c-037ba95fb73b", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-resource-governance#resource-governance-mechanism", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Use resource requests and limits to govern resource usage across the nodes in your cluster. Enforcing resource limits helps ensure that one service doesn't consume too many resources and starve other services.", + "waf": "Security" + }, + { + "checklist": "Azure Service Fabric Review Checklist", + "guid": "cd9233ba-f3aa-4353-8d2f-7ea4a64160e6", + "link": "", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Encrypt Service Fabric package secret values. Encryption on your secret values provides an additional level of security.", + "waf": "Security" + }, + { + "checklist": "Azure Service Fabric Review Checklist", + "guid": "44b989d4-9f72-42b6-99da-ec2a79f83299", + "link": "", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Include client certificates in Service Fabric applications. Having your applications use client certificates for authentication provides opportunities for security at both the cluster and workload level.", + "waf": "Security" + }, + { + "checklist": "Azure Service Fabric Review Checklist", + "guid": "28e66ff7-4a77-4b2c-910d-0335f141208a", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Enable Service managed failover", - "waf": "Reliability" + "text": "Authenticate Service Fabric applications to Azure Resources using Managed Identity. 
Using Managed Identity allow you to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control.", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.", - "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", - "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", - "service": "CosmosDB", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "f16c413c-00a6-43aa-852c-b97292c33a56", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#hosting-untrusted-applications-in-a-service-fabric-cluster", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Enable Automatic Backups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Reliability" + "text": "Follow Service Fabric best practices when hosting untrusted applications. Following the best practices provides a security standard to follow.", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", - "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", - "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", - "service": "CosmosDB", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", "severity": "Medium", - "text": "Perform Periodic Backups", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "Medium", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "severity": "Medium", - "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "severity": "Medium", - "text": "check backup instances with the underlying datasource not found", - "waf": "Cost" + "text": "Use more than 1 app instance for your apps", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "severity": "Medium", - "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", - "waf": "Cost" + "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "severity": "Medium", - "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", - "waf": "Cost" + "text": "Set up autoscaling in Spring Cloud Gateway", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "severity": "Medium", - "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Cost" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "severity": "Low", + "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "severity": "Medium", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Cost" + "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "severity": "Medium", - "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Cost" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", "severity": "Medium", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", "severity": "Medium", - "text": "Make sure advisor is configured for VM right sizing ", - "waf": "Cost" + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "check by searching the Meter Category Licenses in the Cost analysys", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. 
We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.", + "graph": "Resources | where type =~ 'microsoft.servicebus/namespaces' | extend compliant = iif(properties.disableLocalAuth == 'false', 'No', 'Yes') | project id, compliant", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication", + "service": "Service Bus", "severity": "Medium", - "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", - "waf": "Cost" + "text": "When possible, disable SAS key authentication (or local authentication) and use only Microsoft Entra ID for authentication", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "severity": "Medium", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Cost" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", + "severity": "High", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", "severity": "Medium", - "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Cost" + "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", "severity": "Medium", - "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", - "waf": "Cost" + "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "With IP 
firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", "severity": "Medium", - "text": "Only larger disks can be reserved => 1 TiB -", - "waf": "Cost" + "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "severity": "Medium", - "text": "After the right-sizing optimization", - "waf": "Cost" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Restrict the use of local authentication methods for data plane access. 
Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.", + "guid": "32d41e36-11c8-417b-8afb-c410d4391898", + "service": "Azure Synapse Analytics", + "severity": "High", + "text": "Restrict use of local users on sql workloads on Synapse", + "waf": "Security" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use Microsoft Entra ID as the default authentication method to control your data plane access.", + "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", "severity": "Medium", - "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Cost" + "text": "Use managed identity to authenticate to the services", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "severity": "Medium", - "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", - "waf": "Cost" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a 
review checklist", + "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.", + "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", + "service": "Azure Synapse Analytics", + "severity": "High", + "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse also includes Synapse role-based access control (RBAC) roles to manage different aspects of Synapse Studio. 
Leverage these built-in roles to assign permissions to users, groups, or other security principals to manage who can Publish code artifacts and list or access published code artifacts,Execute code on Apache Spark pools and integration runtimes,Access linked (data) services that are protected by credentials,Monitor or cancel job executions, review job output and execution logs.", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", "severity": "Medium", - "text": "Consider using a VMSS to match demand rather than flat sizing", - "waf": "Cost" + "text": "Use Azure RBAC to control access on storage and Synapse RBAC to control access on workspace level depending on the personas of the team to fine grain the access on data and compute", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", "severity": "Medium", - "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", - "waf": "Cost" + "text": "Implement RLS, CLS and data masking on sql workloads in dedicated sql pool to add additional layer of security", + "waf": "Security" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost 
Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network. This can be selected when deploying a workspace", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "severity": "Medium", - "text": "Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "text": "Use managed vnet workspace to restrict the access over public internet", + "waf": "Security" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "To protect any sensitive data, it's recommended to disable public access to the workspace endpoints entirely. 
By doing so, it ensures all workspace endpoints can only be accessed using�private endpoints.", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "severity": "Medium", - "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.", - "waf": "Cost" + "text": "Configure private endpoints to connect to the external services and disable public access", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "severity": "Medium", - "text": "Functions - Reuse connections", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Cost" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "If public access needs to be enabled, it's highly recommended to configure the IP firewall rules to allow inbound connections only from the specified list of public IP addresses.", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "text": "If enabling public access highly recommended to configure IP firewall rules", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": 
"Azure Functions", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", "severity": "Medium", - "text": "Functions - Cache data locally", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Cost" + "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn�t leave your corporate network", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "This can be done only when deploying the workspace, but Python libraries installed from public repositories like PyPI are not supported. (Think about the limitation before enabling it)", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + "service": "Azure Synapse Analytics", "severity": "Medium", - "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Cost" + "text": "Enable Data Exfiltration Protection (DEP)", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "First layer of encryption is done by Microsoft managed keys, you can add a second layer of encryption using Customer managed Keys", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure Synapse Analytics", "severity": "Medium", - "text": "Functions - Keep your functions warm", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Cost" + "text": "Data Encryption at rest using Customer managed Keys for workspace", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse leverages TLS to ensure data is encrypted in motion. 
SQL dedicated pools support TLS 1.0, TLS 1.1, and TLS 1.2 versions for encryption wherein Microsoft-provided drivers use TLS 1.2 by default. Serverless SQL pool and Apache Spark pool use TLS 1.2 for all outbound connections.", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", "severity": "Medium", - "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", - "waf": "Cost" + "text": "Data Encryption in transit ", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "severity": "Medium", - "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", - "waf": "Cost" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use Keyvaults to store your secrets and credentials", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "service": "Azure Synapse Analytics", + "severity": "High", + "text": "Store passwords, secerts and keys in Azure key vault", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "severity": "Medium", - "text": "Am I billed for 'await time'? 
This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Cost" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Restrict the use of local authentication methods for data plane access. Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "service": "Azure Data Factory", + "severity": "High", + "text": "Restrict use of local users whereever necessary", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Managed identities eliminate the need to manage credentials. 
Managed identities provide an identity for the service instance when connecting to resources that support Microsoft Entra authentication.", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", "severity": "Medium", - "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.", - "waf": "Cost" + "text": "Use managed identity to authenticate to the services", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "severity": "Medium", - "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. 
The advantage of this is you will be able to log out when it is called.", - "waf": "Cost" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "service": "Azure Data Factory", + "severity": "High", + "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "service": "Azure Data Factory", "severity": "Medium", - "text": "Consider archiving tiers for less used data", - "waf": "Cost" + "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn�t leave your corporate network", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "When you create an Azure integration runtime within a Data Factory managed virtual network, the integration runtime is provisioned with the managed virtual network. 
It uses private endpoints to securely connect to supported data stores.", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "service": "Azure Data Factory", "severity": "Medium", - "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing", - "waf": "Cost" + "text": "Use managed vnet IR to restrict the access over public internet for Azure Integration Runtime", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Managed private endpoints are private endpoints created in the Data Factory managed virtual network that establishes a private link to Azure resources. 
Data Factory manages these private endpoints on your behalf.", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", "severity": "Medium", - "text": "Consider using standard SSD rather than Premium or Ultra where possible", - "waf": "Cost" + "text": "Configure managed private endpoints to connect to resources using managed azure IR", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "This is a default setting", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "service": "Azure Data Factory", "severity": "Medium", - "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", - "waf": "Cost" + "text": "Data Encryption at rest by Microsoft managed keys", + "waf": "Security" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "This is a default setting", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "service": "Azure Data Factory", 
"severity": "Medium", - "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", - "waf": "Cost" + "text": "Data Encryption in transit by Microsoft managed keys", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "When you specify a customer-managed key, Data Factory uses�both�the factory system key and the CMK to encrypt customer data. Missing either would result in Deny of Access to data and factory.", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", "severity": "Medium", - "text": "Storage accounts: check hot tier and/or GRS necessary", - "waf": "Cost" + "text": "Data Encryption in transit by BYOK (Customer managed keys)", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "severity": "Medium", - "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", - "waf": "Cost" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, 
https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "High", + "text": "Store passwords, secrets in Azure Key Vault", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", - "waf": "Cost" + "text": "Define roles and responsibilities to manage Microsoft Purview in control plane and data plane", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use Azure RBACs for this", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Export cost data to a storage account for additional data analysis.", - "waf": "Cost" + "text": "Define roles and tasks required to deploy and manage Microsoft Purview inside an Azure subscription (control plane)", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - 
"link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use Microsoft Purview roles for this.", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", - "waf": "Cost" + "text": "Define roles and task needed to perform data management and governance using Microsoft Purview. (Data plane for Data Map and Data Catalog.)", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", - "waf": "Cost" + "text": "Assign roles to Microsoft Entra groups instead of assigning roles to individual users.", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": 
"66cd072a-f9b2-441a-a98a-535e737897e7", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Create multiple Apache Spark pool definitions of various sizes.", - "waf": "Cost" + "text": "Use Azure�Active Directory Entitlement Management�to map user access to Microsoft Entra groups using Access Packages.", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "severity": "Medium", - "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "service": "Microsoft Purview", + "severity": "High", + "text": "Enforce multifactor authentication for Microsoft Purview users, especially, for users with privileged roles such as collection admins, data source admins or data curators.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "severity": "Medium", - "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", - "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "service": "Microsoft Purview", + "severity": "High", + "text": "Use Microsoft Entra ID to provide authentication and authorization to all users, security groups registered in Entra, service principal and managed identities inside collections in Microsoft Purview", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "service": "Microsoft Purview", + "severity": "High", + "text": "Define Least Privilege model and Lower exposure of privileged accounts", + "waf": "Security" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Right-sizing all VMs", - "waf": "Cost" + "text": "Enable�end-to-end network isolation�using Private Link Service. 
(Microsoft Purview Data Map)", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Swap VM sized with normalized and most recent sizes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Use�Microsoft Purview Firewall�to disable Public access. (Microsoft Purview Data Map)", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", "severity": "Medium", - "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "text": "Deploy�Network Security Group (NSG) rules�for subnets where Azure data sources private endpoints, Microsoft Purview private endpoints and self-hosted runtime VMs are deployed. 
(Microsoft Purview Data Map)", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Containerizing an application can improve VM density and save money on scaling it", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Cost" + "text": "Implement Microsoft Purview with private endpoints managed by a Network Virtual Appliance, such as�Azure Firewall�for network inspection and network filtering. (Microsoft Purview Data Map)", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", - "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "This private endpoint is also a prerequisite for the portal private endpoint. The Microsoft Purview�portal�private endpoint is required to enable connectivity to Microsoft Purview governance portal using a private network. Microsoft Purview can scan data sources in Azure or an on-premises environment by using ingestion private endpoints. 
Limitations on using private endpoints https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network", + "service": "Microsoft Purview", + "severity": "Medium", + "text": "Deploy private endpoints for Microsoft Purview accounts to add another layer of security, so only client calls that are originated from within the virtual network are allowed to access the Microsoft Purview account", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", - "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", - "waf": "Reliability" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. 
Limitation to be reviewed: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "service": "Microsoft Purview", + "severity": "Medium", + "text": "Block public access using Microsoft Purview firewall", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "Medium", + "text": "Use Network Security Groups to filter network traffic to and from Azure resources in an Azure virtual network", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "service": "Microsoft Purview", "severity": "High", - 
"text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "text": "If you have sensitive data that cannot leave the boundary of your on-prem vnet it is highly recommended to use SHIR VMs inside your corporate vnet to extract your metadata ", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Metadata is extracted and stored in Microsoft Purview Data Map, if you are not using managed storage account for your Purview account they are open to be accessed by all so implement proper RBACs and retrict the access of Data to only intended users. Applicable to Accounts deployed after December 15, 2023 (or deployed using API version 2023-05-01-preview onwards", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", - "waf": "Reliability" + "text": "Use Azure RBACs to restrict the access of your storage account (not managed by MS) only to intended users.", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device 
Update Review", - "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "service": "Microsoft Purview", + "severity": "Medium", + "text": "Data in rest is encrypted by microsoft managed keys", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "service": "Microsoft Purview", + "severity": "Medium", + "text": "Data in transit is encrypted by TLS 1.3", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Device Update for IoT Hub", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "service": 
"Microsoft Purview", "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "text": "Always use Azure key vaults to store all credentials if not using managed identities or without password need methods", + "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "service": "Microsoft Purview", + "severity": "Medium", + "text": "Prevent accidental deletion of Microsoft Purview accounts by applying resource Locks", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "Plan for a break glass strategy for your Microsoft Entra tenant, Azure subscription and Microsoft Purview accounts to prevent tenant-wide account lockout.", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "service": "Microsoft Purview", "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "text": "Integrate with Microsoft 365 and Microsoft Defender for Cloud", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", - "severity": "Medium", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Separate admin accounts from normal user accounts.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "service": "Azure Databricks", + "severity": "High", + "text": "Define Least Privilege model and Lower exposure of privileged accounts", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Databricks supports Microsoft Entra ID conditional access, which allows administrators to control where and when users are permitted to sign in to Azure Databricks. 
Conditional access policies can restrict sign-in to your corporate network or can require multi-factor authentication (MFA).", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Configure single sign-on and unified login. Enable multi-factor authentication.", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Customers can use the Token Management API or UI controls to enable or disable personal access tokens (PATs) for REST API authentication, limit the users who are allowed to use PATs, set the maximum lifetime for new tokens, and manage existing tokens. Highly-secure customers typically provision a maximum token lifetime for new tokens for a workspace. This feature requires the Premium pricing tier.", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens", + "service": "Azure Databricks", "severity": "Medium", - "text": "Enable logging for security investigation. 
Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "Use token management.", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "severity": "Medium", - "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "If you have Databricks administrators who are also normal users of the Databricks platform (for example, there�s a lead data engineer who administers the platform and also does data engineering work), Databricks recommends creating a separate account for administrative tasks. It�s important to note that as part of the Azure RBAC model, users that are given Contributor or above permissions to the Resource Group for a deployed Azure Databricks workspace automatically become administrators when they login to that workspace. 
Therefore, the same considerations outlined above should be applied to Azure portal users too.",
+ "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56",
+ "service": "Azure Databricks",
+ "severity": "High",
+ "text": "Separate admin accounts from normal user accounts",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
- "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering",
- "service": "Event Hubs",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "SCIM (System for Cross-domain Identity Management) allows you to sync users and groups from Microsoft Entra ID to Azure Databricks. There are three major benefits of this approach: 1. When you remove a user, the user is automatically removed from Databricks. 2. Users can also be disabled temporarily via SCIM. Customers have used this capability for scenarios where customers believe that an account may be compromised and need to investigate 3. Groups are automatically synchronized Please refer to the documentation for detailed instructions on how to configure SCIM for Azure Databricks. 
This feature requires the Premium pricing tier",
+ "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36",
+ "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/",
+ "service": "Azure Databricks",
 "severity": "Medium",
- "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "text": "SCIM synchronization of users and groups.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "guid": "31d41e36-11c8-417b-8afb-c410d4391898",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx",
- "service": "Event Hubs",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Using either cluster policies or the older cluster ACLs, admins can define what users or groups within the organization are able to create clusters. Cluster ACLs allow you to specify which users can attach a notebook to a given cluster. Note that if a user shares a notebook already attached to a standard mode cluster, the recipient will also be able to execute code on that cluster. This does not apply to clusters that enforce user isolation: SQL Warehouses, high concurrency with table ACLs clusters, and high concurrency with credential passthrough clusters. 
Customers who use Unity Catalog can also enable single-user clusters to enforce isolation clusters.",
+ "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d",
+ "service": "Azure Databricks",
 "severity": "Medium",
- "text": "Leverage FTA Resillency HandBook",
- "waf": "Reliability"
+ "text": "Limit cluster creation rights.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones",
- "guid": "f15bce21-9e4a-40eb-9787-9424d226786d",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones",
- "service": "Event Hubs",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "It�s important to note that even if customers use Azure Key Vault to store their secrets, access controls still need to be defined within Azure Databricks. 
This is because the same service identity is used to retrieve the secret for all users of an Azure Databricks workspace.",
+ "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1",
+ "service": "Azure Databricks",
 "severity": "High",
- "text": "Leverage Availability Zones if regionally applicable",
- "waf": "Reliability"
+ "text": "Store passwords, secrets in Azure Key Vault",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "guid": "20b56c56-ad58-4519-8f82-735c586bb281",
- "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers",
- "service": "Event Hubs",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Clusters with user isolation include enforcement such that each user runs as a different non-privileged user account on the cluster host. Languages are also limited to those that can be implemented in an isolated manner (SQL and Python), and Spark APIs must be on an allowlist of those we believe to be isolation-safe.",
+ "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3",
+ "service": "Azure Databricks",
 "severity": "Medium",
- "text": "Use the Premium or Dedicated SKUs for predicable performance",
- "waf": "Reliability"
+ "text": "Use clusters that support user isolation.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. 
Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations",
- "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
- "service": "Event Hubs",
- "severity": "High",
- "text": "Plan for Geo Disaster Recovery using Active Passive configuration",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "It is against security best practices to tie production workloads to individual user accounts, and so we recommend configuring Service Principals within Databricks. Service Principles separate administrator and user actions from the workload and prevent workloads from being impacted if a user leaves an organization. With Databricks, you can configure jobs to run as service principals and generate Personal Access Tokens for Service Principals.",
+ "guid": "e29711b1-352b-4eee-879b-588defc5972c",
+ "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/",
+ "service": "Azure Databricks",
+ "severity": "Medium",
+ "text": "Use service principals to run production jobs. Use proper access control for workspace level (ACLs), account level (RBACs) and data level (Unity catalog) security controls",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs",
- "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
- "service": "Event Hubs",
- "severity": "Medium",
- "text": "For Business Critical Applications, use Active Active configuration",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "By default, DBFS is a filesystem that is accessible to all users of the given workspace and can be accessed via API. This is not necessarily a major data exfiltration concern as you can limit access to accessing data via the DBFS API or Databricks cli using IP access lists or private network access. However, as use of Azure Databricks grows and more users join a workspace, those users would have access to any data stored in DBFS, creating the potential for undesired information sharing. Databricks recommends that our customers do not store production data in DBFS.",
+ "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c",
+ "service": "Azure Databricks",
+ "severity": "High",
+ "text": "Avoid storing production data in DBFS.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c",
- "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
- "service": "Event Hubs",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "For the storage accounts that you manage, it is your responsibility to ensure that the storage accounts are protected according to your requirements. 
Examples might include: Encryption with your customer-managed key, Restrict access to trusted networks with a storage firewall, Anonymous public access is not allowed",
+ "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys",
+ "service": "Azure Databricks",
 "severity": "Medium",
- "text": "Design Resilient Event Hubs",
- "waf": "Reliability"
+ "text": "Encrypt storage and restrict access.",
+ "waf": "Security"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
- "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
- "service": "Entra",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Add a customer-managed key for select data stored within the Azure Databricks control plane, such as notebooks, secrets, Databricks SQL queries, and Databricks SQL query history and for the root storage account used for DBFS. Azure Databricks requires access to this key for ongoing operations. You can revoke access to the key to prevent Azure Databricks from accessing encrypted data within the control plane (or in our backups). This is like a �nuclear option� where the workspace ceases to function, but it provides an emergency control for extreme situations. 
This feature requires the Premium pricing tier.",
+ "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys",
+ "service": "Azure Databricks",
 "severity": "Medium",
- "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library",
- "waf": "Reliability"
+ "text": "Add a customer-managed key for managed services and workspace storage",
+ "waf": "Security"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Configure IP access lists that restrict the IP addresses that can authenticate to Databricks at account console and workspace level by checking if the user or API client is coming from a known good IP address range such as a VPN or office network. Established user sessions do not work if the user moves to a bad IP address, such as when disconnecting from the VPN. ",
+ "guid": "277de183-b1ac-4252-a9a9-b64608489a8f",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list",
+ "service": "Azure Databricks",
 "severity": "Medium",
- "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes",
- "waf": "Reliability"
+ "text": "Enable IP access lists to restrict access to certain IP addresses.",
+ "waf": "Security"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
- "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
- "service": "AAD B2C",
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Azure Private Link provides a private network route from one Azure environment to another. Private Link can be configured both between Azure Databricks users and the control plane, and also between the control plane and the data plane. Between Databricks users and the control plane, Private Link provides strong controls that limit the source for inbound requests. If a company already routes traffic through an Azure environment, they can use Private Link so that the communication between users and the Azure Databricks control plane does not traverse public IP addresses. This feature requires the Premium pricing tier. Use Azure Private Link to connect from Azure Databricks to your Azure resources. 
Not only does Private Link ensure",
+ "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link",
+ "service": "Azure Databricks",
 "severity": "Medium",
- "text": "Custom brand assets should be hosted on a CDN",
- "waf": "Performance"
+ "text": "Configure and use Azure Private Link to access Azure resources.",
+ "waf": "Security"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
- "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
- "service": "AAD B2C",
- "severity": "Low",
- "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)",
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "MySQL Review Checklist",
+ "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview",
+ "service": "Azure MySQL",
+ "severity": "Medium",
+ "text": "Leverage Flexible Server",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
- "severity": "Medium",
- "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)",
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "MySQL Review Checklist",
+ "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones",
+ "service": "Azure MySQL",
+ "severity": "High",
+ "text": "Leverage Availability Zones where regionally applicable",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": 
"e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "MySQL Review Checklist",
+ "guid": "1e944a45-9c37-43e7-bd61-623b365a917e",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication",
+ "service": "Azure MySQL",
 "severity": "Medium",
- "text": "Don't replicate! Replication can create issues with directory synchronization",
+ "text": "Leverage Data-in replication for cross-region DR scenarios",
 "waf": "Reliability"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
+ "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "service": "App Gateway",
 "severity": "Medium",
- "text": "Have active-active for multi-regions",
- "waf": "Reliability"
+ "text": "Ensure you are using Application Gateway v2 SKU",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Security"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ 
"graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
+ "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "Load Balancer",
 "severity": "Medium",
- "text": "Add Azure AD Domain service stamps to additional regions and locations",
- "waf": "Reliability"
+ "text": "Ensure you are using the Standard SKU for your Azure Load Balancers",
+ "waf": "Security"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
+ "service": "Load Balancer",
 "severity": "Medium",
- "text": "Use Replica Sets for DR",
- "waf": "Reliability"
+ "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
- "service": "IoT",
- "severity": "High",
- "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where 
type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
+ "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
- "service": "IoT",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.",
+ "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "App Gateway",
 "severity": "Medium",
- "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.",
- "waf": "Reliability"
+ "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr",
- "service": "IoT",
- "severity": "High",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
+ "link": "https://learn.microsoft.com/azure/application-gateway/tutorial-protect-application-gateway-ddos",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
- "service": "IoT",
- "severity": "High",
- "text": "Learn how to trigger a manual failover.",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and 
properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
+ "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Configure autoscaling with a minimum amount of instances of two.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
- "service": "IoT",
- "severity": "High",
- "text": "Learn how to fail back after a failover.",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
+ "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
+ "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Deploy Application Gateway across Availability Zones",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Key Vault",
- "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "When using Front Door 
and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
+ },
+ {
+ "ammp": true,
+ "arm-service": "microsoft.network/trafficManagerProfiles",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "Traffic Manager",
 "severity": "High",
- "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.",
+ "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Key Vault",
- "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
- "service": "Key Vault",
- "severity": "Medium",
- "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. 
Familiarize yourself with the Key Vault's availability and redundancy.",
- "waf": "Reliability"
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "Entra",
+ "severity": "Low",
+ "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?",
+ "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Key Vault",
- "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication",
- "service": "Key Vault",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "Entra",
 "severity": "Medium",
- "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.",
- "waf": "Reliability"
+ "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Key Vault",
- "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions",
- "service": "Key Vault",
- "severity": "Medium",
- "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.",
+ "ammp": true,
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
+ "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
+ "service": "Load Balancer",
+ "severity": "High",
+ "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Key Vault",
- "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509",
- "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations",
- "service": "Key Vault",
- "severity": "Medium",
- "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup 
operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.",
- "waf": "Reliability"
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
+ "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
+ "service": "App Gateway",
+ "severity": "High",
+ "text": "Enable the Azure Application Gateway WAF bot protection rule set. 
The bot rules detect good and bad bots.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Key Vault",
- "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e",
- "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
- "service": "Key Vault",
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant",
+ "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
+ "service": "App Gateway",
 "severity": "High",
- "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.",
- "waf": "Reliability"
+ "text": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Key Vault",
- "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
- "service": "Key Vault",
- "severity": "Low",
- "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "High", + "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Low", - "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", + "service": "App Gateway", + "severity": "High", + "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Low", - "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Add rate limiting to the Azure Application Gateway WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", "severity": "Medium", - "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", - "waf": "Reliability" + "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", - "guid": "d0642c1c-312b-4116-94ab-439e1c836819", - "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "Low", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "severity": "Medium", - "text": "RBAC is recommended to control access to your key vault. Familiarize yourself with the Key Vault's access control guidance.", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
- "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
- "service": "Logic Apps",
- "severity": "High",
- "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
- "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "Logic Apps",
- "severity": "High",
- "text": "Protect logic apps from region failures with zone redundancy and availability zones",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "App Gateway",
+ "severity": "Medium",
+ "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist", - 
"guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", + "severity": "Medium", + "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", + "severity": "Medium", + "text": "Define your Azure Application Gateway WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
- "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
- "service": "Logic Apps",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
+ "service": "App Gateway",
 "severity": "Medium",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "text": "Use WAF Policies instead of the legacy WAF configuration.",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.DBforMySQL/servers",
- "checklist": "MySQL Review Checklist",
- "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7",
- "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview",
- "service": "Azure MySQL",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
+ "service": "App Gateway",
 "severity": "Medium",
- "text": "Leverage Flexible Server",
- "waf": "Reliability"
+ "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.DBforMySQL/servers",
- "checklist": "MySQL Review Checklist",
- "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b",
- "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones",
- "service": "Azure MySQL", + "arm-service": 
"microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" + "text": "You should encrypt traffic to the backend servers.", + "waf": "Security" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "severity": "Medium", - "text": "Leverage Data-in replication for cross-region DR scenarios", - "waf": "Reliability" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", + "severity": "High", + "text": "You should use a Web Application Firewall.", + "waf": "Security" }, { "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "guid": 
"0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", "service": "App Gateway", "severity": "Medium", - "text": "Ensure you are using Application Gateway v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Redirect HTTP to HTTPS", "waf": "Security" }, { - "arm-service": "Microsoft.Network/loadBalancers", + "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", "severity": "Medium", - "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", - "waf": "Security" + "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/loadBalancers", + "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", - "severity": "Medium", - "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", + "severity": "High", + 
"text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", "waf": "Security" }, { "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", "service": "App Gateway", - "severity": "Medium", - "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "severity": "Low", + "text": "Create custom error pages to display a personalized user experience", + "waf": "Operations" }, { "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the 
app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", "service": "App Gateway", "severity": "Medium", - "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", "waf": "Security" }, { "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/application-gateway/tutorial-protect-application-gateway-ddos", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "service": "App Gateway", "severity": "Medium", - "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", + "waf": "Performance" }, { "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and 
properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "service": "App Gateway", "severity": "Medium", - "text": "Configure autoscaling with a minimum amount of instances of two.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "text": "Use transport layer load balancing", + "waf": "Performance" }, { "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", "service": "App Gateway", "severity": "Medium", - "text": "Deploy Application Gateway across Availability Zones", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", + "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": 
"https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", + "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", + "severity": "Low", + "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", "severity": "High", - "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "Low", - "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Security" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", + "severity": "High", + "text": "If deploying to an 
Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "IoT Hub DPS",
 "severity": "Medium",
- "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "Security"
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "waf": "Operations"
 },
 {
- "ammp": true,
- "arm-service": "Microsoft.Network/loadBalancers",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
- "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
- "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
- "service": "Load Balancer",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "severity": "High",
- "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability",
+ "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults", + "checklist": 
"Azure Key Vault", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", + "severity": "Medium", + "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", + "severity": "Medium", + "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. Familiarize yourself with the Key Vault's data replication.", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", - "severity": "High", - "text": "Enable the Azure Application Gateway WAF bot protection rule set. 
The bot rules detect good and bad bots.", - "waf": "Security" - }, - { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", - "severity": "High", - "text": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy.", - "waf": "Security" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", + "severity": "Medium", + "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.", + "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", - "severity": "High", - "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. 
Reduce false positive detections.", - "waf": "Security" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", + "severity": "Medium", + "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", - "service": "App Gateway", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "severity": "High", - "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", - "waf": "Security" + "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", - "severity": "Medium", - "text": "Add rate 
limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", - "waf": "Security" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "Low", + "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", - "severity": "Medium", - "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", - "waf": "Security" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Low", + "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", - "waf": "Security" + "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", - "waf": "Security" + "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", + "guid": "d0642c1c-312b-4116-94ab-439e1c836819", + "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", + "service": "Key Vault", "severity": "Medium", - "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", + "text": "RBAC is recommended to control access to your key vault. 
Familiarize yourself with the Key Vault's access control guidance.", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7bc1c396-2461-4698-b57f-30ca69525252", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", + "service": "VNet", "severity": "Medium", - "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", - "waf": "Operations" + "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "Medium", - "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", + "training": 
"https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", - "severity": "Medium", - "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "Low", + "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.", + "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", - "severity": "Medium", - "text": "Use WAF Policies instead of the legacy WAF configuration.", + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", + "severity": "High", + "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", "waf": "Operations" }, { - 
"arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", - "severity": "Medium", - "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", - "waf": "Security" + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", + "severity": "High", + "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.", + "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", + "waf": "Cost" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", "severity": "High", - "text": "You should encrypt traffic to the backend servers.", + "text": "Enforce a RBAC model that aligns to your cloud operating model. 
Scope and Assign across Management Groups and Subscriptions.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", - "severity": "High", - "text": "You should use a Web Application Firewall.", + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", + "severity": "Medium", + "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "severity": "Medium", - "text": "Redirect HTTP to HTTPS", + "text": "Only use groups to assign permissions. 
Add on-premises groups to the Entra ID only group if a group management system is already in place.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", - "severity": "Medium", - "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", - "waf": "Operations" + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", + "severity": "High", + "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "severity": "High", - "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", + "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.", + "training": 
"https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", - "severity": "Low", - "text": "Create custom error pages to display a personalized user experience", - "waf": "Operations" + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", + "severity": "Medium", + "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "Medium", - "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", + "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - 
"checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "Medium", - "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", - "waf": "Performance" + "text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. ", + "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "Medium", - "text": "Use transport layer load balancing", - "waf": "Performance" + "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. 
Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", + "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", - "severity": "Medium", - "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", + "severity": "High", + "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout. MFA will be turned on by default for all users in Oct 2024. We recommend updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. 
", + "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "Medium", - "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", + "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "Low", - "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", + "severity": "Medium", + "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.", + "training": 
"https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Security" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "PostgreSQL Review Checklist", - "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", - "service": "PostgreSQL", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "Medium", - "text": "Leverage Flexible Server", - "waf": "Reliability" + "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "PostgreSQL Review Checklist", - "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", - "service": "PostgreSQL", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" + "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. 
If necessary, also deploy DNS services.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Cost" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "PostgreSQL Review Checklist", - "guid": "31b67c67-be59-4519-8083-845d587cb391", - "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", - "service": "PostgreSQL", - "severity": "Medium", - "text": "Leverage cross-region read replicas for BCDR", - "waf": "Reliability" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", + "severity": "High", + "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", - "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", - "service": "Purview", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "Medium", - "text": "Leverage FTA Resillency Handbook", + "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", - 
"link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "High", - "text": "Plan for Data Center level outage", - "waf": "Reliability" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "severity": "Low", + "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets", - "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "Medium", - "text": "Practice Failover for BCDR", - "waf": "Reliability" + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "Low", + "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "97b15b8a-219a-44ab-bb57-879024d22678", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "High", - "text": "Plan a backup strategy and take regular backups", - "waf": "Reliability" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", + "severity": "Medium", + "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub 
VNets to connect the regions to each other.",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
+ "waf": "Performance"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d",
- "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet",
- "service": "Purview",
- "severity": "Low",
- "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
+ "service": "VNet",
+ "severity": "Medium",
+ "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "waf": "Operations"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b",
- "link": "https://learn.microsoft.com/purview/deployment-best-practices",
- "service": "Purview",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
+ "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "service": "VNet",
"severity": "Medium",
- "text": "Follow Purview accounts architectures and deployment best practices",
+ "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
"waf": "Reliability"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-collections",
- "service": "Purview",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
+ "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "service": "VNet",
"severity": "Medium",
- "text": "Follow Collection Architectures and best practices",
+ "text": "Limit the number of routes per route table to 400.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
"waf": "Reliability"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle",
- "service": "Purview",
- "severity": "Medium",
- "text": "Follow Assest lifecycle best practices",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
+ "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
"waf": "Reliability"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-automation",
- "service": "Purview",
- "severity": "Medium",
- "text": "Follow automation best practices",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
+ "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancers",
+ "severity": "High",
+ "text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.",
"waf": "Reliability"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf",
- "link": "https://learn.microsoft.com/purview/disaster-recovery",
- "service": "Purview",
- "severity": "Medium",
- "text": "Follow Backup and Migration Best practices",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
+ "guid": "48682fb1-1e86-4458-a686-518ebd47393d",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancers",
+ "severity": "High",
+ "text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.",
"waf": "Reliability"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary",
- "service": "Purview",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
+ "service": "ExpressRoute",
"severity": "Medium",
- "text": "Follow Purview Glossary Best Practices",
- "waf": "Reliability"
+ "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "Security"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790",
- "link": "https://learn.microsoft.com/purview/concept-workflow",
- "service": "Purview",
- "severity": "Low",
- "text": "Leverage Workflows ",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "Security"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-security",
- "service": "Purview",
- "severity": "Medium",
- "text": "Follow Purview Security Best Practices",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "ExpressRoute",
+ "severity": "High",
+ "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Security"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory",
- "service": "Purview",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
+ "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
"severity": "Medium",
- "text": "Follow Purview Data Lineage Best Practices",
- "waf": "Reliability"
+ "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Security"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "9579e76b-896e-4710-a7da-7be9956d14d3",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning",
- "service": "Purview",
- "severity": "Medium",
- "text": "Follow Best Practices for Scanning Registered Sources",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
+ "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Performance"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-classification",
- "service": "Purview",
- "severity": "Medium",
- "text": "Follow Classification Best Practices in Governance Portal",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
+ "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
"waf": "Reliability"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69",
- "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions",
- "service": "Purview",
- "severity": "Medium",
- "text": "Perform Sensitivity Labelling in the Purview Data Map",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone",
+ "service": "Public IP Addresses",
+ "severity": "High",
+ "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. ",
+ "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing",
"waf": "Reliability"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96",
- "link": "https://learn.microsoft.com/purview/concept-data-share",
- "service": "Purview",
- "severity": "Low",
- "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal",
+ "service": "DNS",
+ "severity": "Medium",
+ "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Operations"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4",
- "link": "https://learn.microsoft.com/purview/concept-insights",
- "service": "Purview",
- "severity": "Low",
- "text": "Leverage Data Estate Insights",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
+ "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
+ "service": "DNS",
+ "severity": "Medium",
+ "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
+ "waf": "Security"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab",
- "link": "https://learn.microsoft.com/purview/catalog-adoption-insights",
- "service": "Purview",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
"severity": "Low",
- "text": "Use Data stewardship and Catalog adoption",
- "waf": "Reliability"
+ "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00",
+ "waf": "Operations"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581",
- "link": "https://learn.microsoft.com/purview/concept-insights",
- "service": "Purview",
- "severity": "Low",
- "text": "Use Inventory and Ownership",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "614658d3-558f-4d77-849b-821112df27ee",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
+ "service": "DNS",
+ "severity": "High",
+ "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Operations"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9",
- "link": "https://learn.microsoft.com/purview/glossary-insights",
- "service": "Purview",
- "severity": "Low",
- "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b",
+ "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures",
+ "service": "DNS",
+ "severity": "Medium",
+ "text": "Implement a plan for managing DNS resolution between multiple Azure regions and when services fail over to another region",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
"waf": "Reliability"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "b130a888-9579-4e76-a896-e710a7da7be9",
- "link": "https://learn.microsoft.com/purview/compliance-manager",
- "service": "Purview",
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "service": "Bastion",
+ "severity": "Medium",
+ "text": "Use Azure Bastion to securely connect to your network.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
+ "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
+ "service": "Bastion",
"severity": "Medium",
- "text": "Generate assessment scores",
- "waf": "Reliability"
+ "text": "Use Azure Bastion in a subnet /26 or larger.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
+ "waf": "Security"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f",
- "link": "https://learn.microsoft.com/purview/compliance-manager-scoring",
- "service": "Purview",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "WAF",
"severity": "Medium",
- "text": "Profiling- get summaries of data content",
- "waf": "Reliability"
+ "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Security"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1",
- "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts",
- "service": "Purview",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
"severity": "Low",
- "text": "Follow Microsoft Purview Data Owner access policies",
- "waf": "Reliability"
+ "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Security"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac",
- "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy",
- "service": "Purview",
- "severity": "Low",
- "text": "Follow Self-service access policies",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
+ "severity": "High",
+ "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Security"
},
{
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "b49e5b96-0332-44ec-b8cc-13318da61170",
- "link": "https://learn.microsoft.com/purview/concept-policies-devops",
- "service": "Purview",
- "severity": "Low",
- "text": "Follow DevOps policies",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
},
{
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
- "service": "Redis",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
+ "service": "VNet",
"severity": "High",
- "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.",
+ "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/",
"waf": "Reliability"
},
{
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
- "service": "Redis",
- "severity": "Medium",
- "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
},
{
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
- "service": "Redis",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
+ "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
+ "service": "Policy",
+ "severity": "High",
+ "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
+ "service": "ExpressRoute",
"severity": "Medium",
- "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available",
- "waf": "Reliability"
+ "text": "Use ExpressRoute as the primary connection to Azure. Use VPNs as a source of backup connectivity.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Performance"
},
{
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
- "service": "Redis",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.",
+ "guid": "f29812b2-363c-4efe-879b-599de0d5973c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
+ "service": "ExpressRoute",
"severity": "Medium",
- "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.",
+ "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"waf": "Reliability"
},
{
- "arm-service": "Microsoft.Compute/virtualMachineScaleSets",
- "checklist": "Resiliency Review",
- "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.",
- "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs",
- "service": "VMSS",
- "severity": "Low",
- "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
+ "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Performance"
},
{
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Resiliency Review",
- "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).",
- "guid": "4d874a74-8b66-42d6-b150-512a66498f6d",
- "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction",
- "service": "VM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
+ "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
+ "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
+ "service": "ExpressRoute",
"severity": "High",
- "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs",
- "waf": "Reliability"
+ "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "Cost"
},
{
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Resiliency Review",
- "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%",
- "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
- "service": "VM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
+ "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
+ "service": "ExpressRoute",
"severity": "High",
- "text": "Use Premium or Ultra disks for production VMs",
- "waf": "Reliability"
+ "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "Cost"
},
{
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Resiliency Review",
- "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.",
- "guid": "b31e38c3-f298-412b-8363-cffe179b599d",
- "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview",
- "service": "VM",
- "severity": "High",
- "text": "Ensure Managed Disks are used for all VMs",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
+ "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"waf": "Reliability"
},
{
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Resiliency Review",
- "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.",
- "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4",
- "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk",
- "service": "VM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
+ "service": "ExpressRoute",
"severity": "Medium",
- "text": "Do not use the Temp disk for anything that is not acceptable to be lost",
- "waf": "Reliability"
+ "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a",
+ "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath",
+ "service": "ExpressRoute",
+ "severity": "Medium",
+ "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Performance"
},
{
- "arm-service":
"Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", "severity": "Medium", - "text": "Leverage Availability Zones for your VMs in regions where they are supported", + "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "severity": "Medium", - "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "text": "Use redundant VPN 
appliances on-premises (active/active or active/passive).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "severity": "High", - "text": "Avoid running a production workload on a single VM", - "waf": "Reliability" + "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Cost" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "severity": "High", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", - "waf": "Reliability" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": 
"https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", - "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", - "severity": "Low", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", - "waf": "Reliability" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": 
"https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "severity": "Medium", - "text": "Increase quotas in DR region before testing failover with ASR", - "waf": "Reliability" + "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", - "severity": "Low", - "text": "Utilize Scheduled Events to prepare for VM maintenance", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by 
id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Use ExpressRoute circuits from different peering locations for redundancy.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "Medium", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", + "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, 
minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "Low", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", + "severity": "High", + "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", - "severity": "Low", - "text": "Enable soft delete for Storage Account Containers", + "arm-service": "microsoft.network/expressRouteCircuits", + 
"checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", + "severity": "High", + "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. Load should be shared across both connections ideally as active/active, although active/passive is supported too.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "Low", - "text": "Enable soft delete for blobs", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware 
attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Azure Backup", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", "severity": "Medium", - "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", + "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Azure Backup", - "severity": "Low", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", + "severity": "High", + "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher 
resiliency.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Azure Backup", - "severity": "Low", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", - "waf": "Reliability" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Resiliency Review", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", "severity": "Low", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", - "waf": "Reliability" + "text": "Do not send Azure traffic to hybrid locations for inspection. 
Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", + "severity": "High", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.PowerBI/gateways", - "checklist": "Resiliency Review", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", "severity": "Medium", - "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", - "waf": "Reliability" + "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. 
Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", - "severity": "High", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "Low", + "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", - "severity": "Medium", - "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. 
ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "Operations" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", + "severity": "High", + "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", - "severity": "Medium", - "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", - "training": "https://github.com/Azure/sap-automation", - "waf": "Operations" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "High", + "text": "Use Azure Firewall Premium to enable additional security features.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", - "severity": "Medium", - "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", + "severity": "High", + "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - 
"service": "SAP", - "severity": "Medium", - "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", + "severity": "High", + "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize 
PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", "severity": "High", - "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Reliability" + "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", "severity": "Medium", - "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", "severity": "High", - "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "Reliability" + "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "Low", - "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", + "severity": "High", + "text": "Use a /26 prefix for your Azure Firewall subnets.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "arm-service": 
"Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "severity": "Medium", - "text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "Low", - "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "Reliability" + "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "High", - "text": "Native database replication technology should be used to synchronize the database in a HA pair.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": 
"https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", + "severity": "Medium", + "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "High", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", + "severity": "Medium", + "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", - "severity": "High", - "text": "Use Site Recovery to replicate an application server to a DR site. 
Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", + "severity": "Medium", + "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "severity": "High", - "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Reliability" + "text": "If you are using Azure Firewall Premium, enable TLS Inspection.", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "High", - "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", + "severity": "Low", + "text": "Use web categories to allow or deny outbound access to specific topics.", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "High", - "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", + "severity": "Medium", + "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "High", - "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", + "severity": "Medium", + "text": "Enable Azure Firewall DNS proxy configuration.", + "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", "severity": "High", - "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.", + "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where 
toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "High", - "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "Low", + "text": "Implement backups for your firewall rules", + "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", + "guid": 
"d38ad60c-bc9e-4d49-b699-97e5d4dcf707", + "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", + "service": "Firewall", "severity": "High", - "text": "Make sure the Floating IP is enabled on the Load balancer", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "text": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.", + "training": "https://learn.microsoft.com/training/courses/az-104t00/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", + "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", + "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", + "service": "Firewall", "severity": "High", - "text": "Before you deploy your high-availability 
infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. ", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", "severity": "High", - "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", - "waf": "Reliability" + "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure 
Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", "severity": "High", - "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "text": "Don't enable virtual network service endpoints by default on all subnets.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", "severity": "Medium", - "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "Reliability" + "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. 
If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", "severity": "High", - "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "text": "Use at least a /27 prefix for your Gateway subnets.", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", "severity": "High", - "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", - 
"waf": "Reliability" + "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "High", - "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions", - "waf": "Reliability" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", + "severity": "Medium", + "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "High", - "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", - "training": 
"https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "Medium", + "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", "severity": "Medium", - "text": "Azure 
doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
+ "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "NSG",
+ "severity": "Medium",
+ "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.",
+ "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)",
- "guid": "f656e745-0cfb-453e-8008-0528fa21c933",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any",
+ "service": "VWAN",
 "severity": 
"Medium",
- "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. These VMs should be the same size and have the same storage configuration.",
- "waf": "Reliability"
+ "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.",
+ "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst",
+ "service": "VWAN",
 "severity": "Medium",
- "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "Performance"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
- "severity": "High",
- "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. 
At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
+ "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
- "service": "SAP",
- "severity": "High",
- "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
- "service": "SAP",
- "severity": "High",
- "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
- "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
- "severity": "High",
- "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant",
+ "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant",
+ "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
+ "service": "VWAN",
 "severity": "Medium",
- "text": "Automate SAP System Start-Stop to manage costs.",
- "waf": "Cost"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "Low",
- "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. 
However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.",
- "waf": "Cost"
+ "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "Low",
- "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.",
- "waf": "Cost"
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
+ "service": "VWAN",
+ "severity": "Medium",
+ "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)",
- "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
- "link": 
"https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant",
+ "guid": "9c75dfef-573c-461c-a698-68598595581a",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
+ "service": "VWAN",
 "severity": "High",
- "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
- "waf": "Security"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "45911475-e39e-4530-accc-d979366bcda2",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
- "severity": "Medium",
- "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
- "waf": "Security"
+ "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
- "severity": "Medium",
- "text": "Implement SSO to SAP SaaS applications like SAP Analytics 
Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "High",
+ "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "Medium",
- "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.",
+ "training": "https://learn.microsoft.com/training/modules/governance-security/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "Medium",
- "text": "Implement SSO to SAP 
NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
+ "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
- "severity": "Medium",
- "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "High",
+ "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
- "service": "SAP",
- "severity": "Medium",
- "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "43334f24-9116-4341-a2ba-527526944008",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
+ "service": "Policy",
+ "severity": "Low",
+ "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
- "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
- "service": "SAP",
- "severity": "Medium",
- "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "High",
+ "text": "Use built-in policies where possible to minimize operational overhead.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "16785d6f-a96c-496a-b885-18f482734c88",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. 
For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.",
+ "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
+ "service": "Policy",
 "severity": "Medium",
- "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.",
+ "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "19048384-5c98-46cb-8913-156a12476e49",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "Medium",
- "text": "Implement SSO to SAP HANA",
+ "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
- "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
+ "link": 
"https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
+ "service": "Policy",
 "severity": "Medium",
- "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.",
+ "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
- "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
+ "service": "Policy",
 "severity": "Medium",
- "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
+ "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
+ "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
+ "service": "Policy",
 "severity": "Medium",
- "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication 
Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
+ "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
+ "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives",
+ "service": "Policy",
 "severity": "Medium",
- "text": "Implement SSO to SAP BTP",
+ "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions",
+ "service": "Monitor",
 "severity": "Medium",
- "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.",
- "waf": "Security"
+ "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.",
+ "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "description": "Keep your management group hierarchy reasonably flat, no more than four.",
- "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)",
- "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
- "service": "SAP",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Monitor",
 "severity": "Medium",
- "text": "enforce existing Management Group policies to SAP Subscriptions",
- "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
- "waf": "Operations"
+ "text": "Decide whether to use a single Azure Monitor Logs workspace for all regions or to create multiple workspaces to cover various geographical regions. 
Each approach has advantages and disadvantages, including potential cross-region networking charges",
+ "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | summarize count()",
- "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Monitor",
 "severity": "High",
- "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+ "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
- "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
- "severity": "High",
- "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
+ "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc",
- "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
- "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
- "service": "SAP",
- "severity": "High",
- "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)",
- "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.",
+ "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
- "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
- "service": "SAP",
- "severity": "Low",
- "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. 
Consider using it if necessary.",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.",
+ "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
- "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
- "service": "SAP",
- "severity": "High",
- "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
+ "arm-service": "microsoft.network/networkWatchers",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "90483845-c986-4cb2-a131-56a12476e49f",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Network Watcher",
+ "severity": "Medium",
+ "text": "Use Network Watcher to proactively monitor traffic flows.",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
- "severity": "High",
- "text": "Ensure required services and features are available within the chosen deployment regions eg. 
ANF , Zone etc.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", + "severity": "Medium", + "text": "Use Azure Monitor Logs for insights and reporting.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", "severity": "Medium", - "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "text": "Use Azure Monitor alerts for the generation of operational alerts.", + "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - 
"service": "SAP", - "severity": "High", - "text": "Help protect your HANA database by using the Azure Backup service.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "severity": "Medium", - "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.", - "waf": "Reliability" + "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", - "severity": "High", - "text": "Ensure time-zone matches between the operating system and the SAP system.", - "waf": "Operations" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + 
"service": "Backup", + "severity": "Low", + "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "severity": "Medium", - "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", - "severity": "Low", - "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", - "waf": "Cost" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected 
configurations, and Update Management can enforce patch management for VMs.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", + "severity": "Medium", + "text": "Monitor VM security configuration drift via Azure Policy.", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "severity": "Medium", - "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", + "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. 
This enables you to replicate workloads across regions.", + "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", "severity": "Medium", - "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", - "severity": "Low", - "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", + "severity": "High", + "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. Regularly review the logs to check for attacks and for false positive detections.", + "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "severity": "Medium", - "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. 
Detect attacks and integrate WAF telemetry into your overall Azure environment.", + "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "High", - "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "Operations" + "text": "Use Azure Key Vault to store your secrets and credentials.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by 
subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "severity": "Medium", - "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" + "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", - "waf": "Operations" + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.", - "waf": "Operations" + "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "High", - "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "Performance" + "arm-service": 
"Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medium", + "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", + "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "Reliability" + "text": "Establish an automated process for key and certificate rotation.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - 
"text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", "waf": "Security" }, { - "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "Medium", - "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "Operations" + "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "severity": "Low", - "text": "Use inter-VM latency monitoring for latency-sensitive applications.", - "waf": "Performance" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medium", + "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone 
Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", - "waf": "Performance" + "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. Choose appropriate region pairs and disaster recovery regions that minimize latency.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "severity": "Low", - "text": "Consider collecting full database statistics for non-HANA databases after migration. 
For example, implement SAP note 1020260 - Delivery of Oracle statistics.", - "waf": "Performance" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", + "severity": "Medium", + "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", - "severity": "Medium", - "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", + "severity": "Medium", + "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", + "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", - "severity": "Medium", - "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. 
Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", + "severity": "High", + "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "High", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "Operations" + "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": 
"https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", - "severity": "Medium", - "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "High", + "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "severity": "Medium", - "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. 
Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operations" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", + "severity": "High", + "text": "Enable Endpoint Protection on IaaS Servers.", + "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "Medium", - "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operations" + "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "description": "When configuring VNet peering, use the Allow traffic to remote virtual networks setting.", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "Medium", - "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "Reliability" + "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": 
"41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", + "guid": "a56888b2-7e83-4404-bd31-b886528502d1", + "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", + "service": "Entra", "severity": "High", - "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", - "training": "https://me.sap.com/notes/2731110", - "waf": "Performance" + "text": "Centralized threat detection with correlated logs - consolidate security data in a central location where it can be correlated across various services via SIEM (security information and event management)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": 
"Entra", "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "Operations" + "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "Medium", - "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "Operations" + "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", - "severity": "Medium", - "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "High", + "text": "Enable secure transfer to storage accounts.", + "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = 
strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", "severity": "High", - "text": "Public IP assignment to VM running SAP Workload is not recommended.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", "waf": "Security" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", "severity": "High", - "text": "Consider reserving IP address on DR side when configuring ASR", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", + "training": 
"https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "severity": "High", - "text": "Avoid using overlapping IP address ranges for production and DR sites.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Operations" + "text": "Select the right Function hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", - "severity": "Medium", - "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "Operations" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' and tolower(kind) !contains 'workflow' | extend aspResourceId = tostring(properties.serverFarmId), managedEnvId = tostring(properties.managedEnvironmentId), sku = tostring(properties.sku) | extend sku = iif(isnotempty(sku), sku, iif(isnotempty(managedEnvId), 'ContainerApps', '')) | where sku !in ('Dynamic', 'FlexConsumption', '') | extend aspName = tostring(split(aspResourceId, '/').[-1]), managedEnvName = tostring(split(managedEnvId, '/').[-1]) | extend HostingPlan = tostring(iif(isnotempty(aspName), aspName, managedEnvName)) | project functionAppName = name, functionAppId = id, HostingPlan, sku | join kind=inner ( resources | where type =~ 'Microsoft.Web/serverfarms' or type =~ 'Microsoft.App/managedEnvironments' | extend HostingPlan = tostring(name), zoneRedundant = tostring(properties.zoneRedundant), compliant = tobool(properties.zoneRedundant) | project HostingPlan, resourceId = id, zoneRedundant, compliant ) on HostingPlan | project functionAppName, functionAppId, sku, HostingPlan, resourceId, zoneRedundant, compliant", + "service": "Azure Functions", + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", 
- "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "severity": "Medium", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "Security" + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", - "severity": "Medium", - "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "Security" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "checklist": "SAP 
Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", - "waf": "Security" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' | where tolower(kind) !contains 'workflow' | where isnotempty(properties.serverFarmId) | extend sku = tostring(properties.sku) | where isnotempty(sku) | where sku !in ('Dynamic', 'FlexConsumption', 'ElasticPremium') | extend alwaysOn = properties.siteConfig.alwaysOn | project functionAppName = name, functionAppId = id, serverFarmId = tostring(properties.serverFarmId), sku, alwaysOn, compliant = tobool(alwaysOn)", + "service": "Azure Functions", + "severity": "High", + "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "severity": "Medium", - "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application 
Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", "severity": "Medium", - "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "Performance" + "text": "Implement an error handling policy at the global level", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "Medium", - "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", - "severity": "High", - "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Performance" + "text": "Ensure all APIs policies include a element.", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "Medium", - "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Security" + "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", "severity": "Medium", - "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "Security" + "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "High", - "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "Medium", - "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Performance" + "text": "Enable Application Insights for more detailed telemetry", + "waf": 
"Operations" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "High", - "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "text": "Configure alerts on the most critical metrics", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "High", - "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Cost" + "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "High", - "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Performance" + "text": "Protect incoming requests to APIs (data plane) with Azure AD", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "Medium", - "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with 
customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", + "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "High", - "text": "Review SAP HANA database backups for Azure VMs.", - "waf": "Cost" - }, - { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", "severity": "Medium", - "text": "Review Site Recovery built-in monitoring, where used for SAP.", - "waf": "Cost" - }, - { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", - "severity": "High", - "text": "Review the Monitoring the SAP HANA System Landscape guidance.", - "waf": "Operations" + "text": "Create appropriate groups to control the visibility of the products", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": 
"06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "severity": "Medium", - "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "text": "Use Backends feature to eliminate redundant API backend configurations", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "severity": "Medium", - "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "text": "Use Named Values to store common values that can be used in policies", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "Medium", - "text": "Review the use of Automated Backup v2 for Azure VMs.", - "waf": "Operations" - }, - { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", - "severity": "High", - "text": "Enabling Write accelerator for M series when using premium disks(V1)", - "waf": "Operations" + "text": "For DR, leverage the premium tier with deployments scaled across two or more regions 
for 99.99% SLA", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", "severity": "Medium", - "text": "Test availability zone latency.", - "waf": "Performance" + "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", - "severity": "Medium", - "text": "Activate SAP EarlyWatch Alert for all SAP components.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Performance" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "High", + "text": "Ensure there is an automated backup routine", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": 
"43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "Medium", - "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "Performance" + "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", - "severity": "Medium", - "text": "Review SQL Server performance monitoring using CCMS.", - "waf": "Performance" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": "Low", + "text": "If you need to log at high performance levels, consider Event Hubs policy", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "severity": "Medium", - "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", + "text": "Apply throttling policies to control the number of requests per second", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": 
"https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "Medium", - "text": "Review SAP HANA studio alerts.", + "text": "Configure autoscaling to scale out the number of instances when the load increases", "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "Medium", - "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", + "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "severity": "Medium", - "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", - "training": 
"https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "Security" + "text": "Use the premium tier for production workloads.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", "severity": "Medium", - "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "Security" + "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Low", - "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. 
Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", - "waf": "Security" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", + "severity": "High", + "text": "Be aware of APIM's limits", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "graph": "resources | where type =~ 'microsoft.apimanagement/service' | extend compliant = (properties.platformVersion != 'stv1') | project id, compliant", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8ce", + "link": "https://learn.microsoft.com/en-us/azure/api-management/migrate-stv1-to-stv2", + "service": "APIM", "severity": "High", - "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "Security" + "text": "Upgrade the platform version and follow lifecyle. 
stv1 is retirng on 31 August 2024", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "severity": "High", - "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "Security" + "text": "Ensure that the self-hosted gateway deployments are resilient.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "Medium", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "Security" + "text": "Use Azure Front Door in front of APIM for multi-region deployment", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", - "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", + "severity": "Medium", + "text": "Deploy the service within a Virtual Network (VNet)", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "Medium", - "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + 
"checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", "severity": "High", - "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "text": "Disable Public Network Access", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "High", - "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "Security" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", + "severity": "Medium", + "text": "Simplify management with PowerShell automation scripts", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", + "severity": "Medium", + "text": "Configure APIM via Infrastructure-as-code. 
Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", + "severity": "Medium", + "text": "Promote usage of Visual Studio Code APIM extension for faster API development", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", - "severity": "High", - "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "Security" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", + "severity": "Medium", + "text": "Implement DevOps and CI/CD in your workflow", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Low", - "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "arm-service": "Microsoft.ApiManagement/service", 
+ "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", + "severity": "Medium", + "text": "Secure APIs using client certificate authentication", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "severity": "Medium", - "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Secure backend services using client certificate authentication", "waf": "Security" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "severity": "High", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": 
"074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", + "severity": "Medium", + "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "High", - "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", + "severity": "Medium", + "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "severity": "High", - "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", - "training": 
"https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", "severity": "High", - "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "Low", - "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": 
"https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "Low", - "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", + "severity": "Medium", + "text": "Use managed identities to authenticate to other Azure resources whenever possible", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "severity": "High", - "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Low", - "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", "severity": "Medium", - "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Security" + "text": "FTA Resiliency Playbook", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", - "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", + "severity": "High", + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "text": "Run multiple replicas of the database (>1 ) in Prod", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
",
- "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
- "service": "Service Bus",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe",
+ "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "Avoid using root account when it is not necessary",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
- "waf": "Security"
+ "text": "Leverage Multi-Region Writes",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.",
- "graph": "Resources | where type =~ 'microsoft.servicebus/namespaces' | extend compliant = iif(properties.disableLocalAuth == 'false', 'No', 'Yes') | project id, compliant",
- "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
- "link": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication",
- "service": "Service Bus",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Span Cosmos account across two or more regions with multi-region writes",
+ "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "When possible, disable SAS key authentication (or local authentication) and use only Microsoft Entra ID for authentication",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Security"
+ "text": "Distribute your data globally",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ",
- "guid": "f615658d-e558-4f93-9249-b831112dbd7e",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
- "service": "Service Bus",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong",
+ "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels",
+ "service": "CosmosDB",
 "severity": "High",
- "text": "Use least privilege data plane RBAC",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
- "waf": "Security"
+ "text": "Choose from several well-defined consistency models",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.",
- "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
- "service": "Service Bus",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.",
+ "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
- "waf": "Security"
+ "text": "Enable Service managed failover",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ",
- "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
- "service": "Service Bus",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.",
+ "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Security"
+ "text": "Enable Automatic Backups",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
- "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering",
- "service": "Service Bus",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour.",
+ "guid": "a6eb33f6-005c-4d92-9286-7655672d6121",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Security"
+ "text": "Perform Periodic Backups",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant = (sku=~'{\"name\":\"Standard\"}') | distinct id,compliant",
- "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac",
- "link": "https://learn.microsoft.com/azure/service-fabric/overview-managed-cluster#service-fabric-managed-cluster-skus",
- "service": "Azure Service Fabric",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. Continuous backups are taken in every region where the account exists.",
+ "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "Use Standard SKU for production scenarios.",
+ "text": "Continous Backup with point-in-time restore in Azure Cosmos DB",
+ "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
 "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "graph": "resources | where type=~'Microsoft.ServiceFabric/clusters' | extend nodeTypes= array_concat(properties.nodeTypes) | mv-expand nodeTypes | summarize BronzeDurabilityCount = countif(nodeTypes.durabilityLevel == 'Bronze') by id | extend compliant = (BronzeDurabilityCount == 0) | distinct id,compliant",
- "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-cluster-capacity#durability-characteristics-of-the-cluster",
- "service": "Azure Service Fabric",
+ "arm-service": "Microsoft.DBforPostgreSQL/servers",
+ "checklist": "PostgreSQL Review Checklist",
+ "guid": "65285269-441c-44bf-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview",
+ "service": "PostgreSQL",
 "severity": "Medium",
- "text": "Use durability level Silver (5 VMs) or greater for production scenarios",
+ "text": "Leverage Flexible Server",
 "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant= ( properties.zonalResiliency =~ 'true') | distinct id,compliant",
- "guid": "2363878d-55c4-4cbd-9bc2-94523c85f12e",
- "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-availability-zones",
- "service": "Azure Service Fabric",
- "severity": "Medium",
- "text": "Consider using Availability Zones for your Service Fabric clusters. Service Fabric managed cluster supports deployments that span across multiple Availability Zones to provide zone resiliency. This configuration will ensure high-availability of the critical system services and your applications to protect from single-points-of-failure.",
+ "arm-service": "Microsoft.DBforPostgreSQL/servers",
+ "checklist": "PostgreSQL Review Checklist",
+ "guid": "016ccf31-ae5a-41eb-9888-9535e227896d",
+ "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability",
+ "service": "PostgreSQL",
+ "severity": "High",
+ "text": "Leverage Availability Zones where regionally applicable",
 "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "5ba74cc8-3ca2-44d5-9a67-bdc8e102e7b4",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-api-management-overview",
- "service": "Azure Service Fabric",
+ "arm-service": "Microsoft.DBforPostgreSQL/servers",
+ "checklist": "PostgreSQL Review Checklist",
+ "guid": "31b67c67-be59-4519-8083-845d587cb391",
+ "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas",
+ "service": "PostgreSQL",
 "severity": "Medium",
- "text": "Consider using Azure API Management to expose and offload cross-cutting functionality for APIs hosted on the cluster. API Management can integrate with Service Fabric directly.",
+ "text": "Leverage cross-region read replicas for BCDR",
 "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "ef17bb8f-4e2c-488b-8ceb-a07c3d750dd3",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-reliable-services-introduction",
- "service": "Azure Service Fabric",
- "severity": "Medium",
- "text": "For stateful workload scenarios, consider using Reliable Services. The Reliable Services model allows your services to stay up even in unreliable environments where your machines fail or hit network issues, or in cases where the services themselves encounter errors and crash or fail. For stateful services, your state is preserved even in the presence of network or other failures.",
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "0e03f5ee-4648-423c-bb86-7239480f9171",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).",
 "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | summarize compliant = countif(sku.name matches regex '^Standard_[^d]*$' ) by id",
- "guid": "4da21268-f775-4c89-a271-eb80543c8df7",
- "service": "Azure Service Fabric",
- "severity": "Medium",
- "text": "Avoid VM SKUs with temp disk offerings. Service Fabric uses managed disks by default, so avoiding temp disk offerings ensures you don't pay for unneeded resources.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "1890b796-f300-41a3-a8d4-29738c1f4ad0",
- "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-stateless-node-type#temporary-disk-support",
- "service": "Azure Service Fabric",
- "severity": "Medium",
- "text": "If you need to select a certain VM SKU for capacity reasons and it happens to offer temp disk, consider using temporary disk support for your stateless workloads.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "5247bb32-6778-49c7-8b40-e171c9a3ce1e",
- "service": "Azure Service Fabric",
- "severity": "Medium",
- "text": "Align SKU selection and managed disk size with workload requirements. Matching your selection to your workload demands ensures you don't pay for unneeded resources.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "6028759b-446a-41bc-8b0e-7728e61ca704",
- "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-networking#manage-nsg-rules",
- "service": "Azure Service Fabric",
+ "checklist": "Identity Review Checklist",
+ "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
+ "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
+ "service": "Entra",
 "severity": "Medium",
- "text": "Ensure Network Security Groups (NSG) are configured to restrict traffic flow between subnets and node types. For example, you may have an API Management instance (one subnet), a frontend subnet (exposing a website directly), and a backend subnet (accessible only to frontend).",
- "waf": "Security"
+ "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | extend compliant = (isnotnull(properties.virtualMachineProfile.osProfile.secrets))",
- "guid": "4e98c903-14cf-4c72-9c45-b8b23bc4cbd8",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#deploy-key-vault-certificates-to-service-fabric-cluster-virtual-machine-scale-sets",
- "service": "Azure Service Fabric",
+ "checklist": "Identity Review Checklist",
+ "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
+ "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
+ "service": "AAD B2C",
 "severity": "Medium",
- "text": "Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets. Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked.",
- "waf": "Security"
+ "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "001cbb6f-d88d-4431-8434-d01333397776",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster",
- "service": "Azure Service Fabric",
+ "checklist": "Identity Review Checklist",
+ "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
+ "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
+ "service": "AAD B2C",
 "severity": "Medium",
- "text": "Apply an Access Control List (ACL) to your client certificate for your Service Fabric cluster. Using an ACL provides an additional level of authentication.",
- "waf": "Security"
+ "text": "Custom brand assets should be hosted on a CDN",
+ "waf": "Performance"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "4b74b7a5-bb1e-4fca-948c-037ba95fb73b",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-resource-governance#resource-governance-mechanism",
- "service": "Azure Service Fabric",
+ "checklist": "Identity Review Checklist",
+ "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
+ "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
+ "service": "AAD B2C",
+ "severity": "Low",
+ "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
 "severity": "Medium",
- "text": "Use resource requests and limits to govern resource usage across the nodes in your cluster. Enforcing resource limits helps ensure that one service doesn't consume too many resources and starve other services.",
- "waf": "Security"
+ "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "cd9233ba-f3aa-4353-8d2f-7ea4a64160e6",
- "link": "",
- "service": "Azure Service Fabric",
+ "checklist": "Identity Review Checklist",
+ "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
 "severity": "Medium",
- "text": "Encrypt Service Fabric package secret values. Encryption on your secret values provides an additional level of security.",
- "waf": "Security"
+ "text": "Don't replicate! Replication can create issues with directory synchronization",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "44b989d4-9f72-42b6-99da-ec2a79f83299",
- "link": "",
- "service": "Azure Service Fabric",
+ "checklist": "Identity Review Checklist",
+ "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
 "severity": "Medium",
- "text": "Include client certificates in Service Fabric applications. Having your applications use client certificates for authentication provides opportunities for security at both the cluster and workload level.",
- "waf": "Security"
+ "text": "Have active-active for multi-regions",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "28e66ff7-4a77-4b2c-910d-0335f141208a",
- "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets",
- "service": "Azure Service Fabric",
+ "checklist": "Identity Review Checklist",
+ "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
 "severity": "Medium",
- "text": "Authenticate Service Fabric applications to Azure Resources using Managed Identity. Using Managed Identity allow you to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control.",
- "waf": "Security"
+ "text": "Add Azure AD Domain service stamps to additional regions and locations",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Service Fabric Review Checklist",
- "guid": "f16c413c-00a6-43aa-852c-b97292c33a56",
- "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#hosting-untrusted-applications-in-a-service-fabric-cluster",
- "service": "Azure Service Fabric",
+ "checklist": "Identity Review Checklist",
+ "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
 "severity": "Medium",
- "text": "Follow Service Fabric best practices when hosting untrusted applications. Following the best practices provides a security standard to follow.",
- "waf": "Security"
+ "text": "Use Replica Sets for DR",
+ "waf": "Reliability"
 }
 ],
 "metadata": {
 "name": "WAF checklist",
- "timestamp": "October 08, 2024"
+ "timestamp": "October 21, 2024"
 },
 "severities": [
 {
diff --git a/checklists/waf_checklist.es.json b/checklists/waf_checklist.es.json
index 8073a198a..f39a2762c 100644
--- a/checklists/waf_checklist.es.json
+++ b/checklists/waf_checklist.es.json
@@ -1,7530 +1,7866 @@
 {
 "items": [
 {
- "checklist": "Identity Review Checklist",
- "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
- "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
- "service": "Entra",
+ "checklist": "SAP Checklist",
+ "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
+ "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Use el token revocable de larga duración, almacene en caché el token y adquiera el token de forma silenciosa mediante la biblioteca de identidades de Microsoft",
- "waf": "Fiabilidad"
+ "text": "Azure Center for SAP solutions (ACSS) es una oferta de Azure que convierte a SAP en una carga de trabajo de nivel superior en Azure. ACSS es una solución integral que permite crear y ejecutar sistemas SAP como una carga de trabajo unificada en Azure y proporciona una base más fluida para la innovación. Puede aprovechar las capacidades de administración de los sistemas SAP basados en Azure nuevos y existentes.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
+ "checklist": "SAP Checklist",
+ "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Asegúrese de que los flujos de usuario de inicio de sesión estén respaldados y sean resistentes. Asegúrese de que se ha realizado una copia de seguridad del código que usa para iniciar sesión en los usuarios y se puede recuperar. Interfaces resilientes con procesos externos",
- "waf": "Fiabilidad"
+ "text": "Azure admite la automatización de implementaciones de SAP en Linux y Windows. SAP Deployment Automation Framework es una herramienta de orquestación de código abierto que puede implementar, instalar y mantener entornos SAP.",
+ "training": "https://github.com/Azure/sap-automation",
+ "waf": "Operaciones"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
- "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
- "service": "AAD B2C",
+ "checklist": "SAP Checklist",
+ "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Los activos de marca personalizados deben estar alojados en una CDN",
- "waf": "Rendimiento"
- },
- {
- "checklist": "Identity Review Checklist",
- "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
- "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
- "service": "AAD B2C",
- "severity": "Bajo",
- "text": "Tener varios proveedores de identidad (es decir, iniciar sesión con sus cuentas de Microsoft, Google, Facebook)",
+ "text": "Realice una recuperación a un momento dado para sus bases de datos de producción en cualquier momento y en un período de tiempo que cumpla con su RTO; La recuperación a un momento dado suele incluir errores del operador que eliminan datos en la capa DBMS o a través de SAP, por cierto",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "checklist": "SAP Checklist",
+ "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Siga las reglas de la máquina virtual para la alta disponibilidad en el nivel de máquina virtual (discos premium, dos o más en una región, en diferentes zonas de disponibilidad)",
+ "text": "Pruebe los tiempos de copia de seguridad y recuperación para verificar que cumplan con los requisitos de RTO para restaurar todos los sistemas simultáneamente después de un desastre.",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
- "severity": "Medio",
- "text": "¡No repliques! La replicación puede crear problemas con la sincronización de directorios",
+ "checklist": "SAP Checklist",
+ "guid": "b651423c-8552-42db-a545-5cb50c05527a",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Puede replicar el almacenamiento estándar entre regiones emparejadas, pero no puede usar el almacenamiento estándar para almacenar sus bases de datos o discos duros virtuales. Solo puede replicar copias de seguridad entre las regiones emparejadas que utilice. Para todos los demás datos, ejecute la replicación mediante características nativas de DBMS, como SQL Server Always On o SAP HANA System Replication. Utilice una combinación de Site Recovery, rsync o robocopy y otro software de terceros para la capa de aplicación de SAP.",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "checklist": "SAP Checklist",
+ "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Tener activo-activo para varias regiones",
+ "text": "Al usar Azure Availability Zones para lograr una alta disponibilidad, debe tener en cuenta la latencia entre los servidores de aplicaciones SAP y los servidores de bases de datos. En el caso de las zonas con latencias altas, es necesario implementar procedimientos operativos para garantizar que los servidores de aplicaciones SAP y los servidores de bases de datos se ejecuten en la misma zona en todo momento.",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
- "severity": "Medio",
- "text": "Adición de stamps de servicio de dominio de Azure AD a regiones y ubicaciones adicionales",
+ "checklist": "SAP Checklist",
+ "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
+ "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Configure las conexiones de ExpressRoute desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria. Además, como alternativa al uso de ExpressRoute, considere la posibilidad de configurar conexiones VPN desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria.",
+ "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
- "severity": "Medio",
- "text": "Uso de conjuntos de réplicas para recuperación ante desastres",
+ "checklist": "SAP Checklist",
+ "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "SAP",
+ "severity": "Bajo",
+ "text": "Replique el contenido del almacén de claves, como certificados, secretos o claves, en todas las regiones para poder descifrar los datos de la región de recuperación ante desastres.",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
- "service": "IoT",
- "severity": "Alto",
- "text": "Aproveche las zonas de disponibilidad si corresponden regionalmente (esto se habilita automáticamente)",
+ "checklist": "SAP Checklist",
+ "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Empareje las redes virtuales principal y de recuperación ante desastres. Por ejemplo, para la replicación del sistema HANA, una red virtual de base de datos de SAP HANA debe estar emparejada con la red virtual de base de datos de SAP HANA del sitio de recuperación ante desastres.",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
- "service": "IoT",
- "severity": "Medio",
- "text": "Tenga en cuenta las conmutaciones por error iniciadas por Microsoft. Microsoft los ejerce en situaciones excepcionales para conmutar por error todos los centros de IoT de una región afectada a la región emparejada geográficamente correspondiente.",
+ "checklist": "SAP Checklist",
+ "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
+ "service": "SAP",
+ "severity": "Bajo",
+ "text": "Si usa el almacenamiento de Azure NetApp Files para las implementaciones de SAP, como mínimo, cree dos cuentas de Azure NetApp Files en el nivel Premium, en dos regiones.",
+ "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr",
- "service": "IoT",
+ "checklist": "SAP Checklist",
+ "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas",
+ "text": "Se debe usar la tecnología de replicación de base de datos nativa para sincronizar la base de datos en un par de alta disponibilidad.",
+ "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
- "service": "IoT",
+ "checklist": "SAP Checklist",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr",
+ "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad",
+ "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Obtenga información sobre cómo desencadenar una conmutación por error manual.",
+ "text": "El CIDR de la red virtual (VNet) principal no debe entrar en conflicto ni superponerse con el CIDR de la red virtual del sitio de recuperación ante desastres",
+ "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
- "service": "IoT",
+ "checklist": "SAP Checklist",
+ "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Obtenga información sobre cómo conmutar por recuperación después de una conmutación por error.",
+ "text": "Use Site Recovery para replicar un servidor de aplicaciones en un sitio de recuperación ante desastres. Site Recovery también puede ayudar a replicar máquinas virtuales de clúster de servicios centrales en el sitio de recuperación ante desastres. Al invocar la recuperación ante desastres, deberá volver a configurar el clúster de Linux Pacemaker en el sitio de recuperación ante desastres (por ejemplo, reemplazar el VIP o el SBD, ejecutar corosync.conf, etc.).",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
- "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
- "service": "Logic Apps",
+ "checklist": "SAP Checklist",
+ "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO",
+ "text": "Considere la disponibilidad del software de SAP frente a puntos únicos de fallo. Esto incluye puntos únicos de falla dentro de aplicaciones como DBMS utilizados en las arquitecturas SAP NetWeaver y SAP S/4HANA, SAP ABAP y ASCS + SCS. 
También, otras herramientas como SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", "severity": "Alto", - "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad", + "text": "En el caso de SAP y bases de datos de SAP, considere la posibilidad de implementar clústeres de conmutación por error automática. En Windows, los clústeres de conmutación por error de Windows Server admiten la conmutación por error. 
En Linux, Linux Pacemaker o herramientas de terceros, como SIOS Protection Suite y Veritas InfoScale, admiten la conmutación por error.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "Alto", - "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", + "text": "Azure no admite arquitecturas en las que las máquinas virtuales principal y secundaria compartan almacenamiento para los datos de DBMS. 
Para la capa DBMS, el patrón de arquitectura común es replicar bases de datos al mismo tiempo y con pilas de almacenamiento diferentes a las que usan las máquinas virtuales principales y secundarias.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", "severity": "Alto", - "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "text": "Los datos de DBMS y los archivos de registro de transacciones/puesta al día se almacenan en el almacenamiento en bloque compatible con Azure o en Azure NetApp Files. 
Azure Files o Azure Premium Files no se admiten como almacenamiento para datos de DBMS ni archivos de registro de puesta al día con la carga de trabajo de SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", - "severity": "Medio", - "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica", - "waf": "Operaciones" - }, - { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", - "severity": "Medio", - "text": "Aproveche el servidor flexible", + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "Alto", + "text": "Puede usar discos compartidos de Azure en Windows para componentes ASCS + SCS y escenarios específicos de alta disponibilidad. Configure los clústeres de conmutación por error por separado para los componentes de la capa de aplicación de SAP y la capa de DBMS. 
Actualmente, Azure no admite arquitecturas de alta disponibilidad que combinen los componentes de la capa de aplicación de SAP y la capa de DBMS en un clúster de conmutación por error.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by 
backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente", + "text": "La mayoría de los clústeres de conmutación por error para los componentes de la capa de aplicación (ASCS) de SAP y la capa de DBMS requieren una dirección IP virtual para un clúster de conmutación por error. Azure Load Balancer debe controlar la dirección IP virtual para todos los demás casos. Un principio de diseño es usar un equilibrador de carga por configuración de clúster. Te recomendamos que utilices la versión estándar del equilibrador de carga (SKU de Standard Load Balancer).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "severity": "Medio", - "text": "Aproveche la replicación de entrada de datos para escenarios de recuperación ante desastres entre regiones", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", + "severity": "Alto", + "text": "Asegúrese de que la IP flotante esté habilitada en el equilibrador de carga", 
+ "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Aplicación de las instrucciones del banco de pruebas de seguridad en la nube de Microsoft relacionadas con el almacenamiento", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", - "severity": "Medio", - "text": "Tenga en cuenta la \"Línea base de seguridad de Azure para el almacenamiento\"", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "Alto", + "text": "Antes de implementar la infraestructura de alta disponibilidad, y en función de la región que elija, determine si desea implementar con un conjunto de disponibilidad de Azure o con una zona de disponibilidad.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "De forma predeterminada, Azure Storage tiene una dirección IP pública y es accesible desde Internet. 
Los puntos de conexión privados permiten exponer de forma segura Azure Storage solo a los recursos de Azure Compute que necesitan acceso, lo que elimina la exposición a la Internet pública", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", "severity": "Alto", - "text": "Considere la posibilidad de usar puntos de conexión privados para Azure Storage", - "waf": "Seguridad" + "text": "Si desea cumplir los acuerdos de nivel de servicio de infraestructura para sus aplicaciones para componentes de SAP (servicios centrales, servidores de aplicaciones y bases de datos), debe elegir las mismas opciones de alta disponibilidad (máquinas virtuales, conjuntos de disponibilidad, zonas de disponibilidad) para todos los componentes.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Las cuentas de almacenamiento recién creadas se crean mediante el modelo de implementación de ARM, de modo que RBAC, etcétera de auditoría, estén habilitados. 
Asegúrese de que no haya cuentas de almacenamiento antiguas con el modelo de implementación clásico en una suscripción", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "Alto", + "text": "No mezcle servidores de diferentes roles en el mismo conjunto de disponibilidad. Mantenga las máquinas virtuales de servicios centrales, las máquinas virtuales de bases de datos y las máquinas virtuales de aplicaciones en sus propios conjuntos de disponibilidad", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidad" + }, + { + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "Medio", - "text": "Asegúrese de que las cuentas de almacenamiento más antiguas no usen el \"modelo de implementación clásica\"", - "waf": "Seguridad" + "text": "No se pueden implementar conjuntos de disponibilidad de Azure en una zona de disponibilidad de Azure a menos que se usen grupos de selección de ubicación por proximidad.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Aproveche Microsoft Defender para obtener información sobre actividades sospechosas y configuraciones incorrectas.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": 
"https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "Alto", - "text": "Habilitación de Microsoft Defender para todas las cuentas de almacenamiento", - "waf": "Seguridad" + "text": "Al crear conjuntos de disponibilidad, use el número máximo de dominios de error y dominios de actualización disponibles. Por ejemplo, si implementa más de dos máquinas virtuales en un conjunto de disponibilidad, use el número máximo de dominios de error (tres) y suficientes dominios de actualización para limitar el efecto de posibles errores de hardware físico, interrupciones de red o interrupciones de energía, además del mantenimiento planeado de Azure. El número predeterminado de dominios de error es dos y no se puede cambiar en línea más adelante.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "El mecanismo de eliminación temporal permite recuperar blobs eliminados accidentalmente.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", - "severity": "Medio", - "text": "Habilitación de la \"eliminación temporal\" para blobs", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "Alto", + "text": "Cuando se usan grupos de selección de ubicación de proximidad de Azure en una implementación de conjunto de disponibilidad, 
los tres componentes de SAP (servicios centrales, servidor de aplicaciones y base de datos) deben estar en el mismo grupo de selección de ubicación por proximidad.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Considere la posibilidad de deshabilitar selectivamente la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimine inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. ", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "Medio", - "text": "Deshabilitación de la \"eliminación temporal\" para blobs", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "Alto", + "text": "Utilice un grupo de ubicación de proximidad por SID de SAP. 
Los grupos no se extienden entre zonas de disponibilidad ni regiones de Azure", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "La eliminación temporal de contenedores permite recuperar un contenedor después de que se haya eliminado, por ejemplo, recuperarse de una operación de eliminación accidental.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "Alto", - "text": "Habilitación de la \"eliminación temporal\" para contenedores", - "waf": "Seguridad" + "text": "Utilice uno de los siguientes servicios para ejecutar clústeres de servicios centrales de SAP, en función del sistema operativo.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Considere la posibilidad de deshabilitar selectivamente la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimine inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. 
", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "severity": "Medio", - "text": "Deshabilitar la \"eliminación temporal\" para contenedores", - "waf": "Seguridad" + "text": "Actualmente, Azure no admite la combinación de ASCS y DB HA en el mismo clúster de Linux Pacemaker; sepárelos en grupos individuales. Sin embargo, puede combinar hasta cinco clústeres de servicios centrales en un par de máquinas virtuales.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Evita la eliminación accidental de una cuenta de almacenamiento, obligando al usuario a quitar primero el bloqueo de eliminación, antes de la eliminación", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "Alto", - "text": "Habilitación de bloqueos de recursos en cuentas de almacenamiento", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Medio", + "text": "Implemente ambas máquinas virtuales en el par de alta disponibilidad en un conjunto de 
disponibilidad o en zonas de disponibilidad. Estas máquinas virtuales deben tener el mismo tamaño y la misma configuración de almacenamiento.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Considere la posibilidad de aplicar directivas de \"retención legal\" o \"retención basada en tiempo\" para los blobs, de modo que sea imposible eliminar el blob, el contenedor o la cuenta de almacenamiento. Tenga en cuenta que 'imposible' en realidad significa 'imposible'; una vez que una cuenta de almacenamiento contiene un blob inmutable, la única manera de \"deshacerse\" de esa cuenta de almacenamiento es cancelando la suscripción de Azure.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere la posibilidad de blobs inmutables", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", + "severity": "Medio", + "text": "Azure admite la instalación y configuración de SAP HANA, ASCS/SCS e instancias de ERS en el mismo clúster de alta disponibilidad que se ejecuta en Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Considere la posibilidad de deshabilitar el acceso HTTP/80 no protegido a la cuenta de almacenamiento, de modo que todas las transferencias de datos estén cifradas, protegidas contra la integridad y el servidor esté autenticado. 
", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Alto", - "text": "Requerir HTTPS, es decir, deshabilitar el puerto 80 en la cuenta de almacenamiento", - "waf": "Seguridad" + "text": "Ejecute todos los sistemas de producción en SSD administradas Premium y use Azure NetApp Files o Ultra Disk Storage. Al menos el disco del sistema operativo debe estar en el nivel Premium para que pueda lograr un mejor rendimiento y el mejor Acuerdo de Nivel de Servicio.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Al configurar un dominio personalizado (nombre de host) en una cuenta de almacenamiento, compruebe si necesita TLS/HTTPS; si es así, es posible que tenga que colocar Azure CDN delante de la cuenta de almacenamiento.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "severity": "Alto", - "text": "Al aplicar HTTPS (deshabilitar HTTP), compruebe que no usa dominios personalizados (CNAME) para la cuenta de almacenamiento.", - "waf": "Seguridad" + "text": "Debe ejecutar SAP HANA en Azure solo en los tipos de almacenamiento certificados por SAP. 
Tenga en cuenta que ciertos volúmenes deben ejecutarse en ciertas configuraciones de disco, cuando corresponda. Estas configuraciones incluyen la habilitación del Acelerador de escritura y el uso del almacenamiento Premium. También debe asegurarse de que el sistema de archivos que se ejecuta en el almacenamiento sea compatible con el DBMS que se ejecuta en la máquina.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Requerir HTTPS cuando un cliente usa un token de SAS para acceder a los datos de blob ayuda a minimizar el riesgo de pérdida de credenciales.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", - "severity": "Medio", - "text": "Limitar los tokens de firma de acceso compartido (SAS) solo a las conexiones HTTPS", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "severity": "Alto", + "text": "Considere la posibilidad de configurar la alta disponibilidad en función del tipo de almacenamiento que utilice para las cargas de trabajo de SAP. Algunos servicios de almacenamiento disponibles en Azure no son compatibles con Azure Site Recovery, por lo que la configuración de alta disponibilidad puede diferir.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": ". 
Al aplicar la versión más reciente de TLS, se rechazarán las solicitudes de los clientes que utilicen la versión anterior. ",
- "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant",
- "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55",
- "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
+ "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
"severity": "Alto",
- "text": "Aplicación de la versión más reciente de TLS para una cuenta de almacenamiento",
- "waf": "Seguridad"
+ "text": "Es posible que los diferentes servicios de almacenamiento nativo de Azure (como Azure Files, Azure NetApp Files, Azure Shared Disk) no estén disponibles en todas las regiones. Por lo tanto, para tener una configuración de SAP similar en la región de recuperación ante desastres después de la conmutación por error, asegúrese de que el servicio de almacenamiento correspondiente se ofrezca en el sitio de recuperación ante desastres.",
+ "waf": "Fiabilidad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Los tokens de identificador de Microsoft Entra deben favorecerse sobre las firmas de acceso compartido, siempre que sea posible",
- "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
- "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Uso de tokens de identificador de Microsoft Entra para el acceso a blobs",
- "waf": "Seguridad"
+ "checklist": "SAP Checklist",
+ "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Automatice SAP System Start-Stop para gestionar los costes.",
+ "waf": "Costar"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Al asignar un rol a un usuario, grupo o aplicación, conceda a esa entidad de seguridad solo los permisos necesarios para que pueda realizar sus tareas. Limitar el acceso a los recursos ayuda a evitar el uso indebido no intencionado y malintencionado de los datos.",
- "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
- "service": "Azure Storage",
- "severity": "Medio",
- "text": "Privilegio mínimo en los permisos de IaM",
- "waf": "Seguridad"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Una SAS de delegación de usuarios está protegida con credenciales de Azure Active Directory (Azure AD) y también con los permisos especificados para la SAS. Una SAS de delegación de usuarios es análoga a una SAS de servicio en cuanto a su ámbito y función, pero ofrece ventajas de seguridad con respecto a la SAS de servicio. ",
- "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Al usar SAS, prefiera \"SAS de delegación de usuarios\" en lugar de SAS basada en clave de cuenta de almacenamiento.",
- "waf": "Seguridad"
+ "checklist": "SAP Checklist",
+ "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "Bajo",
+ "text": "En el caso de usar Azure Premium Storage con SAP HANA, el almacenamiento SSD estándar de Azure se puede usar para seleccionar una solución de almacenamiento económica en cuanto a costos. Sin embargo, tenga en cuenta que la elección del almacenamiento SSD estándar o HDD estándar de Azure afectará al Acuerdo de Nivel de Servicio de las máquinas virtuales individuales. Además, para sistemas con menor rendimiento de E/S y baja latencia, como entornos que no son de producción, se pueden usar máquinas virtuales de series inferiores.",
+ "waf": "Costar"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Las claves de la cuenta de almacenamiento ('claves compartidas') tienen muy pocas capacidades de auditoría. Si bien se puede monitorear quién o cuándo obtuvo una copia de las claves, una vez que las claves están en manos de varias personas, es imposible atribuir el uso a un usuario específico. Confiar únicamente en la autenticación de ID de Entra facilita la vinculación del acceso al almacenamiento de un usuario. ",
- "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant",
- "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
- "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Considere la posibilidad de deshabilitar las claves de la cuenta de almacenamiento, de modo que solo se admita el acceso a Microsoft Entra ID (y SAS de delegación de usuarios).",
- "waf": "Seguridad"
+ "checklist": "SAP Checklist",
+ "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "Bajo",
+ "text": "Como configuración alternativa de menor costo (multipropósito), puede elegir una SKU de bajo rendimiento para las máquinas virtuales de servidor de base de datos HANA que no son de producción. Sin embargo, es importante tener en cuenta que algunos tipos de máquinas virtuales, como la serie E, no están certificadas por HANA (directorio de hardware de SAP HANA) o no pueden alcanzar una latencia de almacenamiento inferior a 1 ms.",
+ "waf": "Costar"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Utilice los datos del registro de actividad para identificar \"cuándo\", \"quién\", \"qué\" y \"cómo\" se está viendo o cambiando la seguridad de la cuenta de almacenamiento (es decir, claves de cuenta de almacenamiento, directivas de acceso, etcétera).",
- "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
- "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)",
+ "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
+ "service": "SAP",
"severity": "Alto",
- "text": "Considere la posibilidad de usar Azure Monitor para auditar las operaciones del plano de control en la cuenta de almacenamiento",
+ "text": "Aplicación de un modelo RBAC para grupos de administración, suscripciones, grupos de recursos y recursos",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Una política de caducidad de claves le permite establecer un recordatorio para la rotación de las claves de acceso de la cuenta. El recordatorio se muestra si ha transcurrido el intervalo especificado y las teclas aún no se han girado.",
- "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "45911475-e39e-4530-accc-d979366bcda2",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
"severity": "Medio",
- "text": "Al usar claves de cuenta de almacenamiento, considere la posibilidad de habilitar una \"directiva de expiración de claves\"",
+ "text": "Aplicación de la propagación de la entidad de seguridad para reenviar la identidad de la aplicación en la nube de SAP a SAP local (incluida la IaaS) a través del conector en la nube",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Una directiva de expiración de SAS especifica un intervalo recomendado durante el cual la SAS es válida. Las directivas de caducidad de SAS se aplican a una SAS de servicio o a una SAS de cuenta. Cuando un usuario genera una SAS de servicio o una SAS de cuenta con un intervalo de validez mayor que el intervalo recomendado, verá una advertencia.",
- "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
- "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
"severity": "Medio",
- "text": "Considere la posibilidad de configurar una directiva de expiración de SAS",
+ "text": "Implemente SSO en aplicaciones SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics y SAP C4C con Azure AD mediante SAML.",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Las directivas de acceso almacenadas ofrecen la opción de revocar los permisos de una SAS de servicio sin tener que volver a generar las claves de la cuenta de almacenamiento. ",
- "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
- "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
"severity": "Medio",
- "text": "Considere la posibilidad de vincular SAS a una directiva de acceso almacenada",
+ "text": "Implemente SSO en aplicaciones web basadas en SAP NetWeaver, como SAP Fiori y SAP Web GUI, mediante SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
- "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
+ "service": "SAP",
"severity": "Medio",
- "text": "Considere la posibilidad de configurar el repositorio de código fuente de la aplicación para detectar cadenas de conexión protegidas y claves de cuenta de almacenamiento.",
+ "text": "Implemente SSO en aplicaciones web basadas en SAP NetWeaver, como SAP Fiori y SAP Web GUI, mediante SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Lo ideal es que la aplicación use una identidad administrada para autenticarse en Azure Storage. Si eso no es posible, considere la posibilidad de tener la credencial de almacenamiento (cadena de conexión, clave de cuenta de almacenamiento, SAS, credencial de entidad de servicio) en Azure KeyVault o un servicio equivalente.",
- "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
- "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Considere la posibilidad de almacenar cadenas de conexión en Azure KeyVault (en escenarios en los que las identidades administradas no son posibles)",
+ "checklist": "SAP Checklist",
+ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Puede implementar el inicio de sesión único en la interfaz gráfica de usuario de SAP mediante el inicio de sesión único de SAP NetWeaver o una solución de socio.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Utilice los tiempos de caducidad a corto plazo en una SAS de servicio SAS ad hoc o en una SAS de cuenta. De esta manera, incluso si una SAS se ve comprometida, solo es válida durante un corto período de tiempo. Esta práctica es especialmente importante si no puede hacer referencia a una política de acceso almacenada. Los tiempos de expiración a corto plazo también limitan la cantidad de datos que se pueden escribir en un blob al limitar el tiempo disponible para cargarlos en él.",
- "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Esfuércese por períodos de validez cortos para SAS ad-hoc",
+ "checklist": "SAP Checklist",
+ "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Para SSO para SAP GUI y acceso al navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociación GSSAPI simple y protegido) debido a su facilidad de configuración y mantenimiento. Para SSO con certificados de cliente X.509, considere la posibilidad de utilizar SAP Secure Login Server, que es un componente de la solución SAP SSO.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Al crear una SAS, sea lo más específico y restrictivo posible. Prefiera una SAS para un solo recurso y operación en lugar de una SAS que proporciona un acceso mucho más amplio.",
- "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
+ "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
+ "service": "SAP",
"severity": "Medio",
- "text": "Aplicación de un ámbito limitado a una SAS",
+ "text": "Para SSO para SAP GUI y acceso al navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociación GSSAPI simple y protegido) debido a su facilidad de configuración y mantenimiento. Para SSO con certificados de cliente X.509, considere la posibilidad de utilizar SAP Secure Login Server, que es un componente de la solución SAP SSO.",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Una SAS puede incluir parámetros sobre las direcciones IP de cliente o los intervalos de direcciones que están autorizados a solicitar un recurso mediante la SAS. ",
- "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
- "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "16785d6f-a96c-496a-b885-18f482734c88",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
+ "service": "SAP",
"severity": "Medio",
- "text": "Considere la posibilidad de definir el ámbito de SAS a una dirección IP de cliente específica, siempre que sea posible",
+ "text": "Implemente el inicio de sesión único mediante OAuth para SAP NetWeaver a fin de permitir que aplicaciones personalizadas o de terceros accedan a los servicios OData de SAP NetWeaver.",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Una SAS no puede restringir la cantidad de datos que carga un cliente; Dado el modelo de precios de la cantidad de almacenamiento a lo largo del tiempo, podría tener sentido validar si los clientes cargaron contenidos malintencionados de gran tamaño.",
- "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
- "service": "Azure Storage",
- "severity": "Bajo",
- "text": "Considere la posibilidad de comprobar los datos cargados, después de que los clientes hayan utilizado una SAS para cargar un archivo. ",
+ "checklist": "SAP Checklist",
+ "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Implementación de SSO en SAP HANA",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Al acceder al almacenamiento de blobs a través de SFTP mediante una \"cuenta de usuario local\", no se aplican los controles RBAC \"habituales\". El acceso a blobs a través de NFS o REST puede ser más restrictivo que el acceso SFTP. Desafortunadamente, a partir de principios de 2023, los usuarios locales son la única forma de administración de identidades que actualmente es compatible con el punto de conexión SFTP",
- "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "SFTP: Limite la cantidad de \"usuarios locales\" para el acceso SFTP y audite si el acceso es necesario a lo largo del tiempo.",
+ "checklist": "SAP Checklist",
+ "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Considere Azure AD como un proveedor de identidades para sistemas SAP hospedados en RISE. Para obtener más información, consulte Integración del servicio con Azure AD.",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
+ "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
+ "service": "SAP",
"severity": "Medio",
- "text": "SFTP: El punto de conexión SFTP no admite ACL similares a POSIX.",
+ "text": "En el caso de las aplicaciones que acceden a SAP, es posible que desee utilizar la propagación de entidades de seguridad para establecer el inicio de sesión único.",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "El almacenamiento es compatible con CORS (Cross-Origin Resource Sharing), es decir, una función HTTP que permite a las aplicaciones web de un dominio diferente aflojar la política del mismo origen. Al habilitar CORS, mantenga CorsRules con el mínimo privilegio.",
- "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
- "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Evite las políticas de CORS demasiado amplias",
+ "checklist": "SAP Checklist",
+ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Si usa servicios BTP de SAP o soluciones SaaS que requieren SAP Identity Authentication Service (IAS), considere la posibilidad de implementar SSO entre SAP Cloud Identity Authentication Services y Azure AD para acceder a esos servicios de SAP. Esta integración permite a SAP IAS actuar como proveedor de identidades de proxy y reenvía las solicitudes de autenticación a Azure AD como almacén de usuarios central y proveedor de identidades.",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Los datos en reposo siempre se cifran en el lado del servidor y, además, también pueden estar cifrados en el lado del cliente. El cifrado del lado del servidor puede producirse mediante una clave administrada por la plataforma (valor predeterminado) o una clave administrada por el cliente. El cifrado del lado cliente puede producirse haciendo que el cliente proporcione una clave de cifrado y descifrado por blob al almacenamiento de Azure o controlando completamente el cifrado en el lado cliente. por lo tanto, no depende en absoluto de Azure Storage para obtener garantías de confidencialidad.",
- "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Determine cómo se deben cifrar los datos en reposo. Comprender el modelo de subprocesos para los datos.",
+ "checklist": "SAP Checklist",
+ "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Implementación de SSO en SAP BTP",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
- "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
+ "service": "SAP",
"severity": "Medio",
- "text": "Determine cuál o si se debe utilizar el cifrado de la plataforma.",
+ "text": "Si usa SAP SuccessFactors, considere la posibilidad de usar el aprovisionamiento automatizado de usuarios de Azure AD. Con esta integración, a medida que agregue nuevos empleados a SAP SuccessFactors, puede crear automáticamente sus cuentas de usuario en Azure AD. Opcionalmente, puede crear cuentas de usuario en Microsoft 365 u otras aplicaciones SaaS compatibles con Azure AD. Utilice la reescritura de la dirección de correo electrónico en SAP SuccessFactors.",
"waf": "Seguridad"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
- "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "description": "Mantenga la jerarquía del grupo de administración razonablemente plana, no más de cuatro.",
+ "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)",
+ "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+ "service": "SAP",
"severity": "Medio",
- "text": "Determine qué cifrado del lado del cliente se debe usar, si se debe usar.",
- "waf": "Seguridad"
+ "text": "aplicar las directivas de grupo de administración existentes a las suscripciones de SAP",
+ "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
+ "waf": "Operaciones"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Aproveche el Explorador de Resource Graph (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para buscar cuentas de almacenamiento que permitan el acceso anónimo a blobs.",
- "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant",
- "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
- "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | summarize count()",
+ "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
"severity": "Alto",
- "text": "Considere si es necesario el acceso anónimo de blob público o si se puede deshabilitar para determinadas cuentas de almacenamiento. ",
- "waf": "Seguridad"
+ "text": "Integre aplicaciones estrechamente acopladas en la misma suscripción de SAP para evitar la complejidad adicional del enrutamiento y la administración",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+ "waf": "Operaciones"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
+ "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
"severity": "Alto",
- "text": "Aproveche un tipo de cuenta storagev2 para mejorar el rendimiento y la confiabilidad",
- "waf": "Fiabilidad"
+ "text": "Aprovechar la suscripción como unidad de escala y escalar nuestros recursos, considere implementar la suscripción por entorno, por ejemplo. Sandbox, no prod, prod ",
+ "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
+ "waf": "Operaciones"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc",
+ "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
+ "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
+ "service": "SAP",
"severity": "Alto",
- "text": "Aproveche el almacenamiento GRS, ZRS o GZRS para obtener la máxima disponibilidad",
- "waf": "Fiabilidad"
+ "text": "Garantizar el aumento de la cuota como parte del aprovisionamiento de suscripciones (por ejemplo, el total de núcleos de máquina virtual disponibles dentro de una suscripción)",
+ "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "waf": "Operaciones"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "2fa56c56-ad48-4408-be72-734c486ba280",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance",
- "service": "Azure Storage",
- "severity": "Medio",
- "text": "Para la operación de escritura después de la conmutación por error, use la conmutación por error administrada por el cliente ",
- "waf": "Fiabilidad"
+ "checklist": "SAP Checklist",
+ "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
+ "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
+ "service": "SAP",
+ "severity": "Bajo",
+ "text": "La API de cuota es una API de REST que puede usar para ver y administrar las cuotas de los servicios de Azure. Considere usarlo si es necesario.",
+ "waf": "Operaciones"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover",
- "service": "Azure Storage",
- "severity": "Medio",
- "text": "Descripción de los detalles de la conmutación por error administrada por Microsoft",
- "waf": "Fiabilidad"
+ "checklist": "SAP Checklist",
+ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
+ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Si se implementa en una zona de disponibilidad, asegúrese de que la implementación de zona de la máquina virtual esté disponible una vez que se haya aprobado la cuota. Envíe una solicitud de soporte técnico con la suscripción, la serie de máquinas virtuales, el número de CPU y la zona de disponibilidad necesarias.",
+ "waf": "Operaciones"
},
{
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Asegúrese de que los servicios y funciones necesarios estén disponibles dentro de las regiones de implementación elegidas, por ejemplo. ANF, Zona, etc.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "waf": "Operaciones"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
"severity": "Medio",
- "text": "Habilitar eliminación temporal",
- "waf": "Fiabilidad"
+ "text": "Aproveche la etiqueta de recurso de Azure para la categorización de costos y la agrupación de recursos (: BillTo, Departamento (o unidad de negocio), Medio ambiente (producción, Fase, Desarrollo), Nivel (nivel web, nivel de aplicación), Propietario de la aplicación, Nombre del proyecto)",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "Operaciones"
},
{
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
- "service": "IoT Hub DPS",
+ "checklist": "SAP Checklist",
+ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
"severity": "Alto",
- "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO",
+ "text": "Ayude a proteger la base de datos de HANA mediante el servicio Azure Backup.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
"waf": "Fiabilidad"
},
{
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "IoT Hub DPS",
- "severity": "Alto",
- "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad",
+ "checklist": "SAP Checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Si implementa Azure NetApp Files para la base de datos HANA, Oracle o DB2, use la herramienta Azure Application Consistent Snapshot (AzAcSnap) para tomar instantáneas coherentes con la aplicación. AzAcSnap también es compatible con bases de datos de Oracle. Considere la posibilidad de usar AzAcSnap en una máquina virtual central en lugar de en máquinas virtuales individuales.",
"waf": "Fiabilidad"
},
{
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "8aed4fbf-0830-4883-899d-222a154af478",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "IoT Hub DPS",
+ "checklist": "SAP Checklist",
+ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
"severity": "Alto",
- "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas",
- "waf": "Fiabilidad"
+ "text": "Asegúrese de que las zonas horarias coincidan entre el sistema operativo y el sistema SAP.",
+ "waf": "Operaciones"
},
{
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "IoT Hub DPS",
- "severity": "Alto",
- "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3",
+ "checklist": "SAP Checklist",
+ "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "No agrupe diferentes servicios de aplicaciones en el mismo clúster. Por ejemplo, no combine DRBD y clústeres de servicios centrales en el mismo clúster. Sin embargo, puede usar el mismo clúster de Pacemaker para administrar aproximadamente cinco servicios centrales diferentes (clúster de varios SID).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
"waf": "Fiabilidad"
},
{
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "IoT Hub DPS",
+ "checklist": "SAP Checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
+ "severity": "Bajo",
+ "text": "Considere la posibilidad de ejecutar sistemas de desarrollo y pruebas en un modelo de repetición para ahorrar y optimizar los costos de ejecución de Azure.",
+ "waf": "Costar"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
"severity": "Medio",
- "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica",
+ "text": "Si se asocia con los clientes mediante la administración de sus propiedades de SAP, considere la posibilidad de Azure Lighthouse. Azure Lighthouse permite a los proveedores de servicios administrados usar los servicios de identidad nativos de Azure para autenticarse en el entorno de los clientes. 
Pone el control en manos de los clientes, ya que pueden revocar el acceso en cualquier momento y auditar las acciones de los proveedores de servicios.", "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", + "severity": "Medio", + "text": "Use Azure Update Manager para comprobar el estado de las actualizaciones disponibles para una sola máquina virtual o varias máquinas virtuales y considere la posibilidad de programar la aplicación periódica de revisiones.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "waf": "Operaciones" + }, + { + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", "severity": "Bajo", - "text": "Consulte la arquitectura de aplicación web de redundancia de zona de alta disponibilidad de línea de base para conocer los procedimientos recomendados", - "waf": "Fiabilidad" + "text": "Optimice y gestione las operaciones de SAP Basis mediante SAP Landscape Management (LaMa). 
Use el conector de SAP LaMa para Azure para reubicar, copiar, clonar y actualizar sistemas SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", "severity": "Medio", - "text": "Utilice los niveles Premium y Estándar. Estos niveles admiten ranuras de ensayo y copias de seguridad automatizadas.", - "waf": "Fiabilidad" + "text": "Use las soluciones de Azure Monitor para SAP para supervisar las cargas de trabajo de SAP (SAP HANA, clústeres de SUSE de alta disponibilidad y sistemas SQL) en Azure. 
Considere la posibilidad de complementar las soluciones de Azure Monitor para SAP con SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (requiere el nivel Premium v2 o v3)", - "waf": "Fiabilidad" + "text": "Ejecute una extensión de máquina virtual para la comprobación de SAP. VM Extension for SAP usa la identidad administrada asignada de una máquina virtual (VM) para acceder a los datos de configuración y supervisión de VM. 
La comprobación garantiza que todas las métricas de rendimiento de la aplicación SAP procedan de la extensión de Azure para SAP subyacente.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "severity": "Medio", - "text": "Implementación de comprobaciones de estado", - "waf": "Fiabilidad" + "text": "Use Azure Policy para el control de acceso y los informes de cumplimiento. Azure Policy proporciona la capacidad de aplicar la configuración de toda la organización para garantizar el cumplimiento coherente de las directivas y la detección rápida de infracciones. 
", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", - "severity": "Alto", - "text": "Consulte los procedimientos recomendados de copia de seguridad y restauración para Azure App Service", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", + "severity": "Medio", + "text": "Use el Monitor de conexión en Azure Network Watcher para supervisar las métricas de latencia de las bases de datos y los servidores de aplicaciones de SAP. O bien, recopile y muestre medidas de latencia de red mediante Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", + "severity": "Medio", + "text": "Realice una comprobación de calidad de SAP HANA en la infraestructura de Azure aprovisionada para comprobar que las máquinas virtuales aprovisionadas cumplen con los procedimientos recomendados de SAP HANA en Azure.", + "waf": "Operaciones" + }, + { + "checklist": "SAP Checklist", + "guid": 
"616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "Alto", - "text": "Implementación de los procedimientos recomendados de confiabilidad de Azure App Service", - "waf": "Fiabilidad" + "text": "Para cada suscripción de Azure, ejecute una prueba de latencia en las zonas de disponibilidad de Azure antes de la implementación zonal para elegir zonas de baja latencia para la implementación de SAP en Azure.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "Bajo", - "text": "Familiarizarse con cómo mover una aplicación de App Service a otra región durante un desastre", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", + "severity": "Medio", + "text": "Ejecute el informe de resistencia para asegurarse de que la configuración de toda la infraestructura de Azure aprovisionada (proceso, base de datos, redes, almacenamiento, Site Recovery) cumpla con la configuración definida por Cloud Adaption Framework para Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", - "severity": "Alto", - "text": "Familiarizarse con la compatibilidad con la 
confiabilidad en Azure App Service", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", + "severity": "Medio", + "text": "Implemente la protección contra amenazas mediante la solución Microsoft Sentinel para SAP. Utilice esta solución para supervisar sus sistemas SAP y detectar amenazas sofisticadas en toda la lógica empresarial y las capas de aplicación.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "checklist": "SAP Checklist", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", "severity": "Medio", - "text": "Asegúrese de que \"Siempre activado\" está habilitado para las aplicaciones de funciones que se ejecutan en un plan de App Service", - "waf": "Fiabilidad" + "text": "El etiquetado de Azure se puede aprovechar para agrupar y realizar un seguimiento lógicos de los recursos, automatizar sus implementaciones y, lo que es más importante, proporcionar visibilidad de los costos incurridos.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": 
"https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", + "severity": "Bajo", + "text": "Utilice la supervisión de latencia entre máquinas virtuales para aplicaciones sensibles a la latencia.", + "waf": "Rendimiento" + }, + { + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Medio", - "text": "Supervisión de instancias de App Service mediante comprobaciones de estado", + "text": "Use la supervisión de Azure Site Recovery para mantener el estado del servicio de recuperación ante desastres para los servidores de aplicaciones de SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "Medio", - "text": "Supervisión de la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web mediante pruebas de disponibilidad de Application Insights", - "waf": "Fiabilidad" + "text": "Excluya todos los sistemas de archivos de bases de datos y programas ejecutables de los análisis antivirus. Incluirlos podría provocar problemas de rendimiento. 
Consulte con los proveedores de bases de datos para obtener detalles prescriptivos sobre la lista de exclusión. Por ejemplo, Oracle recomienda excluir /oracle//sapdata de los análisis antivirus.", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", "severity": "Bajo", - "text": "Uso de la prueba estándar de Application Insights para supervisar la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web", - "waf": "Fiabilidad" + "text": "Considere la posibilidad de recopilar estadísticas completas de bases de datos que no sean de HANA después de la migración. Por ejemplo, implemente la nota de SAP 1020260 - Entrega de estadísticas de Oracle.", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use Azure Key Vault para almacenar los secretos que necesita la aplicación. 
Key Vault proporciona un entorno seguro y auditado para almacenar secretos y está bien integrado con App Service a través del SDK de Key Vault o las referencias de Key Vault de App Service.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "Alto", - "text": "Uso de Key Vault para almacenar secretos", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", + "severity": "Medio", + "text": "Considere la posibilidad de usar Oracle Automatic Storage Management (ASM) para todas las implementaciones de Oracle que utilicen SAP en Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use una identidad administrada para conectarse a Key Vault mediante el SDK de Key Vault o a través de las referencias de Key Vault de App Service.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "Alto", - "text": "Uso de la identidad administrada para conectarse a Key Vault", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", + "severity": "Medio", + "text": "En el caso de SAP en Azure que ejecuta Oracle, una colección de scripts SQL puede ayudarle a diagnosticar problemas de rendimiento. 
Los informes de Automatic Workload Repository (AWR) contienen información valiosa para diagnosticar problemas en el sistema Oracle. Le recomendamos que ejecute un informe de AWR durante varias sesiones y elija las horas punta para él, a fin de garantizar una amplia cobertura del análisis.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Almacene el certificado TLS de App Service en Key Vault.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Alto", - "text": "Use Key Vault para almacenar el certificado TLS.", - "waf": "Seguridad" + "text": "Use la supervisión de Azure Site Recovery para mantener el estado del servicio de recuperación ante desastres para los servidores de aplicaciones de SAP.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Los sistemas que procesan información confidencial deben estar aislados. 
Para ello, use planes del Servicio de aplicaciones o entornos del Servicio de aplicaciones independientes y considere la posibilidad de usar suscripciones o grupos de administración diferentes.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "severity": "Medio", - "text": "Aísle los sistemas que procesan información confidencial", + "text": "Para la entrega segura de aplicaciones HTTP/S, use Application Gateway v2 y asegúrese de que la protección y las directivas de WAF estén habilitadas.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Los discos locales de App Service no están cifrados y los datos confidenciales no deben almacenarse en ellos. 
(Por ejemplo: D:\\\\Local y %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Medio", - "text": "No almacene datos confidenciales en el disco local", - "waf": "Seguridad" + "text": "Si el DNS o el nombre virtual de la máquina virtual no se cambia durante la migración a Azure, el DNS en segundo plano y los nombres virtuales conectan muchas interfaces del sistema en el entorno de SAP, y los clientes solo a veces son conscientes de las interfaces que los desarrolladores definen a lo largo del tiempo. Surgen desafíos de conexión entre varios sistemas cuando los nombres virtuales o de DNS cambian después de las migraciones, y se recomienda conservar los alias de DNS para evitar este tipo de dificultades.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "En el caso de la aplicación web autenticada, use un proveedor de identidades bien establecido, como Azure AD o Azure AD B2C. 
Aproveche el marco de aplicaciones de su elección para integrarse con este proveedor o use la característica de autenticación o autorización del Servicio de aplicaciones.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Medio", - "text": "Usar un proveedor de identidades establecido para la autenticación", - "waf": "Seguridad" + "text": "Utilice diferentes zonas DNS para distinguir cada entorno (espacio aislado, desarrollo, preproducción y producción) entre sí. La excepción es para las implementaciones de SAP con su propia red virtual; aquí, es posible que las zonas DNS privadas no sean necesarias.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Implemente código en App Service desde un entorno controlado y de confianza, como una canalización de implementación de DevOps bien administrada y segura. 
De este modo, se evita el código que no se ha controlado la versión y se ha comprobado que se implementará desde un host malintencionado.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", - "severity": "Alto", - "text": "Implementación desde un entorno de confianza", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "description": "Al configurar el emparejamiento de red virtual, use la opción Permitir tráfico a redes virtuales remotas.", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", + "severity": "Medio", + "text": "El emparejamiento de red virtual local y global proporciona conectividad y son los enfoques preferidos para garantizar la conectividad entre las zonas de aterrizaje para las implementaciones de SAP en varias regiones de Azure", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Deshabilite la autenticación básica tanto para FTP/FTPS como para WebDeploy/SCM. Esto deshabilita el acceso a estos servicios y exige el uso de puntos de conexión protegidos de Azure AD para la implementación. 
Tenga en cuenta que el sitio de SCM también se puede abrir con credenciales de Azure AD.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "Alto", - "text": "Deshabilitar la autenticación básica", - "waf": "Seguridad" + "text": "No se admite la implementación de ninguna NVA entre la aplicación SAP y el servidor de base de datos SAP", + "training": "https://me.sap.com/notes/2731110", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Siempre que sea posible, use Managed Identity para conectarse a los recursos protegidos de Azure AD. Si esto no es posible, almacene los secretos en Key Vault y conéctese a Key Vault mediante una identidad administrada en su lugar.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "severity": "Alto", - "text": "Uso de la identidad administrada para conectarse a los recursos", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", + "severity": "Medio", + "text": "Use Virtual WAN para implementaciones de Azure en redes nuevas, grandes o globales en las que necesite conectividad de tránsito global entre regiones de Azure y ubicaciones locales. 
Con este enfoque, no tendrá que configurar manualmente el enrutamiento transitivo para las redes de Azure y puede seguir un estándar para las implementaciones de SAP en Azure.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas mediante una identidad administrada.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", - "severity": "Alto", - "text": "Extracción de contenedores mediante una identidad administrada", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Al configurar las opciones de diagnóstico de App Service, puede enviar todos los datos de telemetría a Log Analytics como destino central para el registro y la supervisión. Esto le permite supervisar la actividad en tiempo de ejecución de App Service, como los registros HTTP, los registros de aplicaciones, los registros de plataforma, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", - "severity": "Medio", - "text": "Envío de registros en tiempo de ejecución de App Service a Log Analytics", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure una configuración de diagnóstico para enviar el registro de actividad a Log Analytics como destino central para el registro y la supervisión. 
Esto le permite supervisar la actividad del plano de control en el propio recurso de App Service.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "severity": "Medio", - "text": "Envío de registros de actividad de App Service a Log Analytics", - "waf": "Seguridad" + "text": "Considere la posibilidad de implementar aplicaciones virtuales de red (NVA) entre regiones solo si se usan NVA de asociados. Las aplicaciones virtuales de red entre regiones o redes virtuales no son necesarias si hay aplicaciones virtuales de red nativas. Al implementar tecnologías de redes de asociados y NVA, siga las instrucciones del proveedor para comprobar las configuraciones conflictivas con las redes de Azure.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Controle el acceso saliente a la red mediante una combinación de integración de red virtual regional, grupos de seguridad de red y UDR. El tráfico debe enrutarse a una aplicación virtual de red, como Azure Firewall. 
Asegúrese de supervisar los registros del cortafuegos.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "severity": "Medio", - "text": "El acceso a la red saliente debe controlarse", - "waf": "Seguridad" + "text": "Virtual WAN administra la conectividad entre redes virtuales de radio para topologías basadas en WAN virtuales (sin necesidad de configurar el enrutamiento definido por el usuario [UDR] o NVA) y el rendimiento máximo de red para el tráfico de red virtual a red virtual en el mismo centro virtual es de 50 gigabits por segundo. Si es necesario, las zonas de aterrizaje de SAP pueden usar el emparejamiento de red virtual para conectarse a otras zonas de aterrizaje y superar esta limitación de ancho de banda.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Puede proporcionar una dirección IP de salida estable mediante la integración de red virtual y una puerta de enlace NAT de red virtual o una aplicación virtual de red como Azure Firewall. Esto permite a la parte receptora incluir en la lista de permitidos en función de la IP, en caso de que sea necesario. Tenga en cuenta que para las comunicaciones con los servicios de Azure, a menudo no es necesario depender de la dirección IP y, en su lugar, se deben usar mecanismos como los puntos de conexión de servicio. 
(Además, el uso de puntos de conexión privados en el extremo receptor evita que se produzca SNAT y proporciona un intervalo de IP de salida estable).", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "Bajo", - "text": "Garantizar una IP estable para las comunicaciones salientes hacia las direcciones de Internet", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "Alto", + "text": "No se recomienda la asignación de direcciones IP públicas a la máquina virtual que ejecuta SAP Workload.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Controle el acceso entrante a la red mediante una combinación de restricciones de acceso al Servicio de aplicaciones, puntos de conexión de servicio o puntos de conexión privados. 
Se pueden requerir y configurar diferentes restricciones de acceso para la propia aplicación web y el sitio de SCM.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "checklist": "SAP Checklist", + "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "severity": "Alto", - "text": "El acceso a la red entrante debe controlarse", - "waf": "Seguridad" + "text": "Considere la posibilidad de reservar la dirección IP en el lado de la recuperación ante desastres al configurar ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Protéjase contra el tráfico entrante malintencionado mediante un firewall de aplicaciones web como Application Gateway o Azure Front Door. 
Asegúrese de supervisar los registros del WAF.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "Alto", - "text": "Uso de un WAF delante de App Service", - "waf": "Seguridad" + "text": "Evite el uso de intervalos de direcciones IP superpuestos para los sitios de producción y recuperación ante desastres.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Asegúrese de que no se pueda omitir el WAF bloqueando el acceso solo al WAF. Use una combinación de restricciones de acceso, puntos de conexión de servicio y puntos de conexión privados.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "Alto", - "text": "Evite que se omita WAF", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", + "severity": "Medio", + "text": "Aunque Azure le ayuda a crear varias subredes delegadas en una red virtual, solo puede existir una subred delegada en una red virtual para Azure NetApp Files. 
Se producirá un error al intentar crear un nuevo volumen si se utiliza más de una subred delegada para Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Establezca la directiva TLS mínima en 1.2 en la configuración de App Service.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "checklist": "SAP Checklist", + "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "Medio", - "text": "Establezca la directiva TLS mínima en 1.2", + "text": "Use Azure Firewall para controlar el tráfico de salida de Azure a Internet, las conexiones entrantes que no son HTTP/S y el filtrado de tráfico este/oeste (si la organización lo requiere)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure App Service para que use solo HTTPS. Esto hace que App Service se redirija de HTTP a HTTPS. 
Considere seriamente el uso de HTTP Strict Transport Security (HSTS) en su código o desde su WAF, que informa a los navegadores que solo se debe acceder al sitio mediante HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "severity": "Alto", - "text": "Usar solo HTTPS", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", + "severity": "Medio", + "text": "Application Gateway y Web Application Firewall tienen limitaciones cuando Application Gateway actúa como proxy inverso para aplicaciones web de SAP, como se muestra en la comparación entre Application Gateway, SAP Web Dispatcher y otros servicios de terceros.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "No utilice caracteres comodín en la configuración de CORS, ya que esto permite que todos los orígenes accedan al servicio (lo que anula el propósito de CORS). 
En concreto, solo permite los orígenes que esperas poder acceder al servicio.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", - "severity": "Alto", - "text": "Los comodines no deben usarse para CORS", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", + "severity": "Medio", + "text": "Use las directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "La depuración remota no debe estar activada en producción, ya que esto abre puertos adicionales en el servicio, lo que aumenta la superficie expuesta a ataques. 
Tenga en cuenta que el servicio desactiva la depuración remota automáticamente después de 48 horas.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "severity": "Alto", - "text": "Desactivar la depuración remota", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", + "severity": "Medio", + "text": "Aproveche las directivas de firewall de aplicaciones web de Azure Front Door cuando use Azure Front Door y Application Gateway para proteger las aplicaciones HTTP/S. Bloquee Application Gateway para recibir tráfico solo desde Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Habilite Defender para App Service. Esto (entre otras amenazas) detecta comunicaciones a direcciones IP maliciosas conocidas. 
Revise las recomendaciones de Defender para App Service como parte de las operaciones.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Medio", - "text": "Habilitación de Defender for Cloud: Defender for App Service", + "text": "Utilice un firewall de aplicaciones web para analizar su tráfico cuando esté expuesto a Internet. Otra opción es usarlo con el equilibrador de carga o con recursos que tengan funcionalidades de firewall integradas, como Application Gateway o soluciones de terceros.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure proporciona protección básica contra DDoS en su red, que se puede mejorar con funcionalidades inteligentes de DDoS Standard que aprenden sobre los patrones de tráfico normales y pueden detectar comportamientos inusuales. 
DDoS Standard se aplica a una red virtual, por lo que debe configurarse para el recurso de red delante de la aplicación, como Application Gateway o una aplicación virtual de red.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "Medio", - "text": "Habilitación del estándar de protección DDoS en la red virtual de WAF", - "waf": "Seguridad" + "text": "Use Virtual WAN para implementaciones de Azure en redes nuevas, grandes o globales en las que necesite conectividad de tránsito global entre regiones de Azure y ubicaciones locales. Con este enfoque, no tendrá que configurar manualmente el enrutamiento transitivo para las redes de Azure y puede seguir un estándar para las implementaciones de SAP en Azure.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas a través de una red virtual desde Azure Container Registry mediante su punto de conexión privado y la configuración de la aplicación \"WEBSITE_PULL_IMAGE_OVER_VNET\".", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "severity": "Medio", - "text": "Extracción de contenedores a través de una 
red virtual", + "text": "Para evitar la pérdida de datos, use Azure Private Link para acceder de forma segura a los recursos de la plataforma como servicio, como Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, etc. Azure Private Endpoint también puede ayudar a proteger el tráfico entre redes virtuales y servicios como Azure Storage, Azure Backup, etc. El tráfico entre la red virtual y el servicio habilitado para el punto de conexión privado viaja a través de la red global de Microsoft, lo que impide su exposición a la red pública de Internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Realice una prueba de penetración en la aplicación web siguiendo las reglas de participación de las pruebas de penetración.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", + "severity": "Alto", + "text": "Asegúrese de que las redes aceleradas de Azure estén habilitadas en las máquinas virtuales usadas en las capas de aplicación SAP y DBMS.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Rendimiento" + }, + { + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "severity": "Medio", - "text": "Realizar una prueba de penetración", + "text": "Asegúrese de que las implementaciones internas de Azure Load Balancer están configuradas para usar Direct Server Return (DSR). Esta configuración (Habilitación de IP flotante) reducirá la latencia cuando se utilicen configuraciones de equilibrador de carga internas para configuraciones de alta disponibilidad en la capa DBMS.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Implemente código de confianza que se haya validado y analizado en busca de vulnerabilidades de acuerdo con las prácticas de DevSecOps.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "Medio", - "text": "Implementación de código validado", + "text": "Puede usar el grupo de seguridad de aplicaciones (ASG) y las reglas de NSG para definir listas de control de acceso de seguridad de red entre la aplicación SAP y las capas de DBMS. 
Los ASG agrupan las máquinas virtuales para ayudar a administrar su seguridad.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Utilice las versiones más recientes de plataformas, lenguajes de programación, protocolos y marcos compatibles.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "Alto", - "text": "Utilizar plataformas, lenguajes, protocolos y marcos actualizados", - "waf": "Seguridad" + "text": "No se admite la colocación de la capa de aplicación de SAP y DBMS de SAP en diferentes redes virtuales de Azure que no están emparejadas.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub proporciona cifrado de datos en reposo. Si usa su propia clave, los datos se siguen cifrando con la clave administrada por Microsoft, pero además la clave administrada por Microsoft se cifrará con la clave administrada por el cliente. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "Bajo", - "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "Medio", + "text": "Para obtener una latencia de red óptima con aplicaciones SAP, considere la posibilidad de usar grupos de selección de ubicación por proximidad de Azure.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Los espacios de nombres de Azure Event Hubs permiten a los clientes enviar y recibir datos con TLS 1.0 y versiones posteriores. Para aplicar medidas de seguridad más estrictas, puede configurar el espacio de nombres de Event Hubs para requerir que los clientes envíen y reciban datos con una versión más reciente de TLS. Si un espacio de nombres de Event Hubs requiere una versión mínima de TLS, se producirá un error en las solicitudes realizadas con una versión anterior. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", - "severity": "Medio", - "text": "Aplicar una versión mínima requerida de Seguridad de la capa de transporte (TLS) para las solicitudes ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "Alto", + "text": "NO se admite en absoluto la ejecución de una capa de servidor de aplicaciones SAP y una capa de DBMS dividida entre local y Azure. Ambas capas deben residir completamente en el entorno local o en Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Al crear un espacio de nombres de Event Hubs, se crea automáticamente una regla de directiva denominada RootManageSharedAccessKey para el espacio de nombres. Esta directiva tiene permisos de administración para todo el espacio de nombres. Se recomienda tratar esta regla como una cuenta raíz administrativa y no usarla en la aplicación. Se recomienda usar AAD como proveedor de autenticación con RBAC. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "Medio", - "text": "Evite usar la cuenta raíz cuando no sea necesario", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "Alto", + "text": "No se recomienda hospedar el sistema de administración de bases de datos (DBMS) y las capas de aplicación de los sistemas SAP en diferentes redes virtuales y conectarlas con el emparejamiento de redes virtuales debido a los costos sustanciales que puede producir un tráfico de red excesivo entre las capas. Se recomienda usar subredes dentro de la red virtual de Azure para separar la capa de aplicación de SAP y la capa de DBMS.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Costar" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Las identidades administradas para los recursos de Azure pueden autorizar el acceso a los recursos de Event Hubs mediante credenciales de Azure AD desde aplicaciones que se ejecutan en Azure Virtual Machines (VM), aplicaciones de funciones, conjuntos de escalado de máquinas virtuales y otros servicios. Mediante el uso de identidades administradas para los recursos de Azure junto con la autenticación de Azure AD, puede evitar el almacenamiento de credenciales con las aplicaciones que se ejecutan en la nube. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", + "severity": "Alto", + "text": "Si utiliza Load Balancer con sistemas operativos invitados Linux, compruebe que el parámetro de red de Linux net.ipv4.tcp_timestamps esté establecido en 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Rendimiento" + }, + { + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "Medio", - "text": "Siempre que sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Event Hub. Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o en un servicio equivalente", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "En el caso de las implementaciones de SAP RISE/ECS, el emparejamiento virtual es la forma preferida de establecer la conectividad con el entorno de Azure existente del cliente. Tanto la red virtual de SAP como las redes virtuales del cliente están protegidas con grupos de seguridad de red (NSG), lo que permite la comunicación en SAP y los puertos de base de datos a través del emparejamiento de redes virtuales", "waf": "Seguridad" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Al crear permisos, proporcione un control específico sobre el acceso de un cliente al Centro de eventos de Azure. 
Los permisos del Centro de eventos de Azure pueden y deben limitarse al nivel de recurso individual, por ejemplo, grupo de consumidores, entidad del centro de eventos, espacios de nombres del centro de eventos, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "severity": "Alto", - "text": "Uso de RBAC de plano de datos con privilegios mínimos", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Seguridad" + "text": "Revise las copias de seguridad de bases de datos de SAP HANA para máquinas virtuales de Azure.", + "waf": "Costar" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Los registros de recursos del Centro de eventos de Azure incluyen registros operativos, registros de red virtual y registros de Kafka. Los registros de auditoría en tiempo de ejecución capturan información de diagnóstico agregada para todas las operaciones de acceso al plano de datos (como eventos de envío o recepción) en Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Medio", - "text": "Habilite el registro para la investigación de seguridad. 
Use Azure Monitor para capturar métricas y registros, como registros de recursos, registros de auditoría en tiempo de ejecución y registros de Kafka", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Seguridad" + "text": "Revise la supervisión integrada de Site Recovery, donde se use para SAP.", + "waf": "Costar" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "De forma predeterminada, Azure Event Hub tiene una dirección IP pública y es accesible a través de Internet. Los puntos de conexión privados permiten el tráfico entre la red virtual y Azure Event Hubs a través de la red troncal de Microsoft. Además de eso, debe deshabilitar los puntos de conexión públicos si no se usan. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", + "severity": "Alto", + "text": "Revise la guía Supervisión del panorama del sistema SAP HANA.", + "waf": "Operaciones" + }, + { + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "Medio", - "text": "Considere la posibilidad de usar puntos de conexión privados para acceder al Centro de eventos de Azure y deshabilitar el acceso a la red pública cuando corresponda.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Seguridad" + "text": "Revise las estrategias de copia de seguridad de Oracle Database en máquinas virtuales Linux de Azure.", + "waf": 
"Operaciones" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Con el firewall IP, puede restringir aún más el punto de conexión público a solo un conjunto de direcciones IPv4 o rangos de direcciones IPv4 en notación CIDR (Classless Inter-Domain Routing). ", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "severity": "Medio", - "text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres del Centro de eventos de Azure desde direcciones IP o intervalos específicos", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Seguridad" + "text": "Revise el uso de Azure Blob Storage con SQL Server 2016.", + "waf": "Operaciones" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", "severity": "Medio", - "text": "Aproveche el Manual de Resiliencia de los TLC", - "waf": "Fiabilidad" + "text": "Revise el uso de Copia de seguridad automatizada v2 para máquinas virtuales de Azure.", + "waf": "Operaciones" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": " Esto se activará automáticamente para 
un nuevo espacio de nombres EH creado desde el portal con SKU Premium, Dedicado o Estándar en una región habilitada para zonas. Tanto los metadatos de EH como los propios datos de eventos se replican en todas las zonas", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad si corresponde regionalmente", - "waf": "Fiabilidad" + "text": "Habilitación del acelerador de escritura para la serie M cuando se utilizan discos premium (V1)", + "waf": "Operaciones" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "severity": "Medio", - "text": "Usa las SKU Premium o Dedicadas para obtener un rendimiento predecible", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "La característica integrada de recuperación ante desastres geográfica, cuando está habilitada, garantiza que toda la configuración de un espacio de nombres (Event Hubs, grupos de consumidores y configuración) se replique continuamente desde un espacio de nombres principal a un espacio de nombres secundario, y permite un movimiento de conmutación por error de una sola vez del principal al secundario en cualquier momento. 
La característica Activo/Pasivo está diseñada para facilitar la recuperación y el abandono de una región de Azure con errores sin tener que cambiar las configuraciones de la aplicación", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "Alto", - "text": "Planeación de la recuperación ante desastres geográfica mediante la configuración pasiva activa", - "waf": "Fiabilidad" + "text": "Pruebe la latencia de la zona de disponibilidad.", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Debe utilizarse para configuraciones de recuperación ante desastres en las que no se puede tolerar una interrupción o pérdida de datos de eventos en la región inactiva. En estos casos, siga las instrucciones de replicación y no use la capacidad de recuperación ante desastres geográfica integrada (activa/pasiva). 
Con Activo/Activo, mantenga varios centros de eventos en diferentes regiones y espacios de nombres, y los eventos se replicarán entre los centros", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "severity": "Medio", - "text": "En el caso de las aplicaciones críticas para la empresa, use la configuración Active Active", - "waf": "Fiabilidad" + "text": "Active SAP EarlyWatch Alert para todos los componentes de SAP.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": "Medio", - "text": "Diseño de centros de eventos resilientes", - "waf": "Fiabilidad" + "text": "Revise la latencia del servidor de aplicaciones SAP al servidor de bases de datos mediante el informe ABAPMeter de SAP /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", - 
"severity": "Alto", - "text": "Siga las barreras de seguridad de Metaprompting para una IA responsable", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", + "severity": "Medio", + "text": "Revise la supervisión del rendimiento de SQL Server mediante CCMS.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Considere la posibilidad de crear patrones de puerta de enlace con APIM o soluciones como AI Central para mejorar la limitación de velocidad, el equilibrio de carga, la autenticación y el registro", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", + "severity": "Medio", + "text": "Pruebe la latencia de red entre las máquinas virtuales de la capa de aplicación de SAP y las máquinas virtuales de DBMS (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Habilitación de la supervisión para las instancias de AOAI", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", + "severity": "Medio", + "text": "Revise las alertas de SAP HANA Studio.", + "waf": "Rendimiento" 
}, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Cree alertas para notificar a los equipos de eventos, como una entrada en el registro de actividad creada por una acción realizada en el recurso, como la regeneración de sus claves de suscripción, o un umbral de métrica, como el número de errores que superan los 10 en una hora", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", + "severity": "Medio", + "text": "Realice comprobaciones de estado de SAP HANA mediante HANA_Configuration_Minichecks.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Supervise el uso de tokens para evitar interrupciones del servicio debido a la capacidad", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "Medio", + "text": "Si ejecuta máquinas virtuales Windows y Linux en Azure, en el entorno local o en otros entornos en la nube, puede usar el Centro de administración de actualizaciones de Azure Automation para administrar las actualizaciones del sistema operativo, incluidas las revisiones de seguridad.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "Seguridad" }, { - 
"arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "Medio", - "text": "Observe métricas como tokens de inferencia procesados, tokens de finalización generados, monitoree el límite de velocidad", - "waf": "Excelencia Operacional" + "text": "Revise de forma rutinaria las notas del OSS de seguridad de SAP, ya que SAP publica parches de seguridad muy críticos, o correcciones en caliente, que requieren una acción inmediata para proteger sus sistemas SAP.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "severity": "Bajo", - "text": "Si los diagnósticos no son suficientes para usted, considere la posibilidad de usar una puerta de enlace como Azure API Managements frente a Azure OpenAI para registrar tanto los mensajes entrantes como las respuestas salientes, cuando esté permitido", - "waf": "Excelencia Operacional" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Use la infraestructura como código para implementar el servicio Azure OpenAI, las implementaciones de modelos y todos los recursos relacionados", - "waf": "Excelencia Operacional" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Uso de la autenticación de Microsoft Entra con identidad administrada en lugar de clave de API", + "text": "En el caso de SAP en SQL Server, puede deshabilitar la cuenta de administrador del sistema de SQL Server porque los sistemas SAP en SQL Server no usan la cuenta. Asegúrese de que otro usuario con derechos de administrador del sistema pueda acceder al servidor antes de deshabilitar la cuenta de administrador del sistema original.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "severity": "Alto", - "text": "Evalúe el rendimiento/precisión del sistema con un conjunto de datos dorado conocido que tenga las entradas y las respuestas correctas. Aproveche las capacidades de PromptFlow para la evaluación.", - "waf": "Excelencia Operacional" + "text": "Deshabilite xp_cmdshell. 
La característica SQL Server xp_cmdshell habilita un shell de comandos del sistema operativo interno de SQL Server. Es un riesgo potencial en las auditorías de seguridad.", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "Alto", - "text": "Evaluación del uso del modelo de rendimiento aprovisionado ", - "waf": "Rendimiento" + "text": "El cifrado de servidores de base de datos de SAP HANA en Azure usa la tecnología de cifrado nativa de SAP HANA. 
Además, si usa SQL Server en Azure, use el cifrado de datos transparente (TDE) para proteger los datos y los archivos de registro y asegurarse de que las copias de seguridad también estén cifradas.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Revisión e implementación de la seguridad del contenido de Azure AI", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", + "severity": "Medio", + "text": "El cifrado de Azure Storage está habilitado para todas las cuentas de Azure Resource Manager y de almacenamiento clásico, y no se puede deshabilitar. 
Dado que los datos están cifrados de forma predeterminada, no es necesario modificar el código ni las aplicaciones para usar el cifrado de Azure Storage.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "severity": "Alto", - "text": "Defina y evalúe el rendimiento del sistema en función de los tokens y la respuesta por minuto y alinee con los requisitos", - "waf": "Rendimiento" + "text": "Uso de Azure Key Vault para almacenar los secretos y las credenciales", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "severity": "Medio", - "text": "Mejore la latencia del sistema limitando el tamaño de los tokens, las opciones de 
transmisión", - "waf": "Rendimiento" + "text": "Se recomienda bloquear los recursos de Azure después de la implementación correcta para protegerse contra cambios no autorizados. También puede aplicar restricciones y reglas de LOCK por suscripción mediante directivas de Azure personalizadas (rol Custome).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "severity": "Medio", - "text": "Calcule las demandas de elasticidad para determinar la segregación de solicitudes sincrónicas y por lotes en función de la prioridad. 
Para la prioridad alta, utilice el enfoque sincrónico y para la prioridad baja, se prefiere el procesamiento por lotes asincrónico con cola", - "waf": "Rendimiento" + "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención para los objetos eliminados.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "severity": "Alto", - "text": "Compare los requisitos de consumo de tokens en función de las demandas estimadas de los consumidores. 
Considere la posibilidad de usar la herramienta de pruebas comparativas de Azure OpenAI para ayudarle a validar el rendimiento si usa implementaciones de unidades de rendimiento aprovisionadas", - "waf": "Rendimiento" + "text": "En función de los requisitos existentes, controles normativos y de cumplimiento (internos y externos): determine qué rol de Azure Policies y Azure RBAC son necesarios", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Si usa unidades de rendimiento aprovisionadas (PTU), considere la posibilidad de implementar una implementación de token por minuto (TPM) para las solicitudes de desbordamiento. Use una puerta de enlace para enrutar las solicitudes a la implementación de TPM cuando se alcancen los límites de PTU.", - "waf": "Rendimiento" + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Alto", + "text": "Al habilitar Microsoft Defender para punto de conexión en el entorno de SAP, se recomienda excluir los archivos de datos y registros en servidores DBMS en lugar de dirigirse a todos los servidores. 
Siga las recomendaciones de su proveedor de DBMS al excluir archivos de destino.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "severity": "Alto", - "text": "Elija el modelo adecuado para la tarea correcta. Elija modelos con el equilibrio adecuado entre velocidad, calidad de respuesta y complejidad de salida", - "waf": "Rendimiento" + "text": "Delegue un rol personalizado de administrador de SAP con acceso Just-In-Time de Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Tener una línea de base para el rendimiento sin ajuste fino para saber si el ajuste fino ha mejorado o no el rendimiento del modelo", - "waf": "Rendimiento" + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Bajo", + "text": "cifre los datos en tránsito integrando el producto de seguridad de 
terceros con comunicaciones de red seguras (SNC) para DIAG (SAP GUI), RFC y SPNEGO para HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "Bajo", - "text": "Implementación de varias instancias de OAI en todas las regiones", - "waf": "Fiabilidad" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Implemente reintentos y comprobaciones de estado con el patrón de puerta de enlace como APIM", - "waf": "Fiabilidad" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "severity": "Medio", - "text": "Asegúrese de tener cuotas adecuadas de TPM y RPM para la carga de trabajo", - "waf": "Fiabilidad" + "text": "De forma predeterminada, use claves administradas por Microsoft para la funcionalidad de cifrado principal y use claves administradas por el cliente cuando sea necesario.", + "training": 
"https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Revise las consideraciones de la guía del kit de herramientas de HAI y aplique esas prácticas de interacción para el slution", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", + "severity": "Alto", + "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Implemente modelos de ajuste de precisión independientes en todas las regiones si se emplea el ajuste de precisión", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", + "severity": "Alto", + "text": "Para controlar y 
administrar las claves y los secretos de cifrado de disco para sistemas operativos Windows y Windows que no son de HANA, use Azure Key Vault. SAP HANA no es compatible con Azure Key Vault, por lo que debe usar métodos alternativos como SAP ABAP o claves SSH.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Realice copias de seguridad y replique regularmente los datos críticos para garantizar la disponibilidad y la capacidad de recuperación de los datos en caso de pérdida de datos o fallos del sistema. Aproveche los servicios de copia de seguridad y recuperación ante desastres de Azure para proteger sus datos.", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", + "severity": "Alto", + "text": "Personalice los roles de control de acceso basado en roles (RBAC) para las suscripciones de SAP en Azure spoke para evitar cambios accidentales relacionados con la red", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": 
"https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", "severity": "Alto", - "text": "Los niveles de servicio de búsqueda de Azure AI deben elegirse para tener un Acuerdo de Nivel de Servicio ", - "waf": "Fiabilidad" + "text": "Aísle las DMZ y las NVA del resto del patrimonio de SAP, configure Azure Private Link y administre y controle de forma segura los recursos de SAP en Azure", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", "severity": "Bajo", - "text": "Clasifique los datos y la confidencialidad, etiquetando con Microsoft Purview antes de generar las incrustaciones y asegúrese de tratar las incrustaciones generadas con la misma confidencialidad y clasificación", + "text": "Considere la posibilidad de usar el software antimalware de Microsoft en Azure para proteger sus máquinas virtuales de archivos malintencionados, adware y otras amenazas.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Cifre los datos utilizados para RAG con cifrado SSE/Disk con BYOK opcional", + "checklist": "SAP Checklist", + 
"guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", + "severity": "Bajo", + "text": "Para una protección aún más eficaz, considere la posibilidad de usar Microsoft Defender para punto de conexión.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "severity": "Alto", - "text": "Asegúrese de que TLS se aplica a los datos en tránsito a través de fuentes de datos, la búsqueda de IA utilizada para la generación aumentada de recuperación (RAG) y la comunicación de LLM", + "text": "Aísle los servidores de bases de datos y aplicaciones de SAP de Internet o de la red local pasando todo el tráfico a través de la red virtual del concentrador, que está conectada a la red radial mediante el emparejamiento de red virtual. 
Las redes virtuales emparejadas garantizan que la solución de SAP en Azure esté aislada de la red pública de Internet.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Use RBAC para administrar el acceso a los servicios de Azure OpenAI. Asigne los permisos adecuados a los usuarios y restrinja el acceso en función de sus funciones y responsabilidades", + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Bajo", + "text": "En el caso de las aplicaciones orientadas a Internet, como SAP Fiori, asegúrese de distribuir la carga según los requisitos de la aplicación mientras se mantienen los niveles de seguridad. 
Para la seguridad de nivel 7, puede usar un firewall de aplicaciones web (WAF) de terceros disponible en Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "severity": "Medio", - "text": "Implemente técnicas de cifrado, enmascaramiento o redacción de datos para ocultar datos confidenciales o reemplazarlos con valores ofuscados en entornos que no sean de producción o al compartir datos con fines de prueba o solución de problemas", + "text": "Para habilitar la comunicación segura en las soluciones de Azure Monitor para SAP, puede optar por usar un certificado raíz o un certificado de servidor. 
Le recomendamos encarecidamente que utilice certificados raíz.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", "severity": "Alto", - "text": "Use Azure Defender para detectar y responder a las amenazas de seguridad y configurar mecanismos de supervisión y alerta para identificar actividades sospechosas o infracciones. Aproveche Azure Sentinel para la detección y respuesta a amenazas avanzadas", + "text": "Asegúrese de que los controladores de dominio ADDS se implementan en la suscripción de identidad en Azure nativo", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", "severity": "Medio", - "text": "Establezca políticas de retención y eliminación de datos para cumplir con las regulaciones de cumplimiento. 
Implemente métodos de eliminación seguros para los datos que ya no son necesarios y mantenga un registro de auditoría de las actividades de retención y eliminación de datos", + "text": "Asegúrese de que los sitios y servicios de ADDS están configurados para mantener las solicitudes de autenticación de los recursos basados en Azure (incluida Azure VMware Solution) locales en Azure", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "severity": "Alto", - "text": "Implemente los escudos de aviso y la detección de conexión a tierra mediante Content Safety ", - "waf": "Excelencia Operacional" + "text": "Asegúrese de que vCenter esté conectado a ADDS para habilitar la autenticación basada en \"cuentas de usuario designadas\"", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Garantice el cumplimiento de las normativas de protección de datos pertinentes, como el RGPD o la HIPAA, mediante la implementación de controles de privacidad y la obtención de los consentimientos o permisos necesarios para las actividades de tratamiento de datos.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que la conexión de vCenter a ADDS utilice un protocolo seguro 
(LDAPS)", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "severity": "Medio", - "text": "Eduque a sus empleados sobre las mejores prácticas de seguridad de datos, la importancia de manejar los datos de forma segura y los riesgos potenciales asociados con las violaciones de datos. Anímelos a seguir diligentemente los protocolos de seguridad de datos.", + "text": "La cuenta de CloudAdmin en vCenter IdP solo se utiliza como una cuenta de emergencia (break-glass)", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "severity": "Alto", - "text": "Mantenga los datos de producción separados de los datos de desarrollo y pruebas. 
Utilice únicamente datos confidenciales reales en producción y utilice datos anónimos o sintéticos en entornos de desarrollo y prueba.", + "text": "Asegúrese de que NSX-Manager esté integrado con un proveedor de identidades externo (LDAPS)", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "severity": "Medio", - "text": "Si tiene distintos niveles de confidencialidad de datos, considere la posibilidad de crear índices independientes para cada nivel. Por ejemplo, podría tener un índice para los datos generales y otro para los datos confidenciales, cada uno gobernado por diferentes protocolos de acceso", + "text": "¿Se ha creado un modelo RBAC para su uso en VMware vSphere?", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "severity": "Medio", - "text": "Lleve la segregación un paso más allá colocando conjuntos de datos confidenciales en diferentes instancias del servicio. 
Cada instancia se puede controlar con su propio conjunto específico de políticas RBAC", + "text": "Los permisos RBAC deben concederse a grupos ADDS y no a usuarios específicos", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", "severity": "Alto", - "text": "Reconozca que las incrustaciones y los vectores generados a partir de información confidencial son en sí mismos confidenciales. Estos datos deben recibir las mismas medidas de protección que el material de origen", + "text": "Los permisos de RBAC en el recurso de Azure VMware Solution en Azure están \"bloqueados\" solo para un conjunto limitado de propietarios", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", "severity": "Alto", - "text": "Aplique RBAC a los almacenes de datos que tienen incrustaciones y vectores y alcance el acceso en función de los requisitos de acceso del rol", + "text": "Asegúrese de que todos los roles personalizados tengan el ámbito de las autorizaciones permitidas de CloudAdmin", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": 
"https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "severity": "Alto", - "text": "Configure un punto de conexión privado para que los servicios de IA restrinjan el acceso al servicio dentro de su red", - "waf": "Seguridad" + "text": "¿Se ha seleccionado el modelo de conectividad de Azure VMware Solution correcto para el caso de uso del cliente en cuestión?", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", "severity": "Alto", - "text": "Aplique un estricto control del tráfico entrante y saliente con Azure Firewall y UDR, y limite los puntos de integración externos", - "waf": "Seguridad" + "text": "Asegúrese de que las conexiones de ExpressRoute o VPN desde el entorno local a Azure se supervisan mediante el \"monitor de conexiones\"", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Implemente la segmentación de la red y los controles de acceso para restringir el acceso a la aplicación LLM solo a los usuarios y sistemas autorizados y evitar el movimiento lateral", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que se crea un monitor de conexión desde un recurso nativo de Azure a una máquina virtual de Azure VMware Solution para supervisar la conexión de ExpressRoute back-end de Azure VMware Solution", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "severity": "Medio", - "text": "Utilice herramientas de compresión rápida como LLMLingua o gprtrim", - "waf": "Optimización de costes" + "text": "Asegúrese de que se crea un monitor de conexión desde un recurso local a una máquina virtual de Azure VMware Solution para supervisar la conectividad de extremo a extremo", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "severity": "Alto", - "text": "Asegúrese de que las API y los puntos finales utilizados por la aplicación LLM estén correctamente protegidos con mecanismos de autenticación y autorización, como identidades administradas, claves de API u OAuth, para evitar el acceso no autorizado.", - "waf": "Seguridad" + "text": "Cuando se utiliza el servidor de rutas, asegúrese de que no se propaguen más de 1000 rutas desde el servidor de 
rutas a la puerta de enlace de ExR al entorno local (límite de ARS).", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Aplique mecanismos sólidos de autenticación de usuario final, como la autenticación multifactor, para evitar el acceso no autorizado a la aplicación LLM y a los recursos de red asociados", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", + "severity": "Alto", + "text": "¿Se ha implementado Privileged Identity Management para los roles que administran el recurso de Azure VMware Solution en Azure Portal (no se permiten permisos permanentes)?", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Implemente herramientas de monitoreo de red para detectar y analizar el tráfico de red en busca de actividades sospechosas o maliciosas. 
Habilite el registro para capturar eventos de red y facilitar el análisis forense en caso de incidentes de seguridad", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", + "severity": "Alto", + "text": "Los informes de auditoría de Privileged Identity Management deben implementarse para los roles PIM de Azure VMware Solution", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "severity": "Medio", - "text": "Realizar auditorías de seguridad y pruebas de penetración para identificar y abordar cualquier debilidad o vulnerabilidad de seguridad de red en la infraestructura de red de la aplicación LLM", + "text": "Si se usa Privileged Identity Management, asegúrese de que se crea una cuenta válida habilitada para Entra ID con un registro SMTP válido para las notificaciones de reemplazo automático de host de Azure VMware Solution. 
(se requieren permisos permanentes)", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", - "severity": "Bajo", - "text": "Los servicios de Azure AI están etiquetados correctamente para una mejor administración", - "waf": "Excelencia Operacional" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", - "severity": "Bajo", - "text": "Las cuentas de Azure AI Service siguen las convenciones de nomenclatura de la organización", - "waf": "Excelencia Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", + "severity": "Alto", + "text": "Limite el uso de la cuenta de CloudAdmin solo al acceso de emergencia", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Los registros de diagnóstico en los recursos de servicios de Azure AI deben estar habilitados", - "waf": "Excelencia Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", + "severity": "Medio", + "text": "Cree funciones RBAC personalizadas en vCenter para implementar un modelo de privilegios mínimos dentro de 
vCenter", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Se recomienda deshabilitar el acceso a claves (autenticación local) por seguridad. Después de deshabilitar el acceso basado en claves, el identificador de Microsoft Entra se convierte en el único método de acceso, lo que permite mantener el principio de privilegio mínimo y el control granular. ", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", + "severity": "Medio", + "text": "Es un proceso definido para rotar periódicamente las credenciales de administrador de la nube (vCenter) y administrador (NSX)", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "severity": "Alto", - "text": "Almacene y administre claves de forma segura con Azure Key Vault. 
Evite codificar de forma rígida o incrustar claves confidenciales en el código de la aplicación de LLM y recupérelas de forma segura de Azure Key Vault mediante identidades administradas", + "text": "Uso de un proveedor de identidades centralizado que se usará para las cargas de trabajo (VM) que se ejecutan en Azure VMware Solution", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Rotar y expirar periódicamente las claves almacenadas en Azure Key Vault para minimizar el riesgo de acceso no autorizado.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", + "severity": "Medio", + "text": "¿Se implementa el filtrado de tráfico este-oeste en NSX-T?", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", "severity": "Alto", - "text": "Use tiktoken para comprender los tamaños de los tokens para las optimizaciones de tokens en el modo conversacional", - "waf": "Optimización de costes" + "text": "Las cargas de trabajo de Azure VMware Solution no se exponen directamente a Internet. 
El tráfico se filtra e inspecciona mediante Azure Application Gateway, Azure Firewall o soluciones de terceros", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", "severity": "Alto", - "text": "Siga prácticas de codificación seguras para evitar vulnerabilidades comunes, como ataques de inyección, secuencias de comandos entre sitios (XSS) o errores de configuración de seguridad.", + "text": "La auditoría y el registro se implementan para las solicitudes entrantes de Internet a Azure VMware Solution y a las cargas de trabajo basadas en Azure VMware Solution", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Configurar un proceso para actualizar y parchear regularmente las bibliotecas de LLM y otros componentes del sistema", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", + "severity": "Medio", + "text": "La supervisión de sesiones se implementa para las conexiones salientes a Internet desde Azure VMware Solution o cargas de trabajo basadas en Azure VMware Solution para identificar actividades sospechosas o malintencionadas", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI 
Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Cumplir con los términos de uso, las directivas y las directrices de Azure OpenAI u otros LLM, así como con los casos de uso permitidos.", - "waf": "Excelencia Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", + "severity": "Medio", + "text": "¿Está habilitada la protección estándar de DDoS en la subred de puerta de enlace de ExR/VPN en Azure?", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "severity": "Medio", - "text": "Comprenda la diferencia en el costo de los modelos base y los modelos ajustados y los tamaños de paso de token", - "waf": "Optimización de costes" + "text": "Use una estación de trabajo de acceso con privilegios (PAW) dedicada para administrar Azure VMware Solution, vCenter, NSX Manager y HCX Manager", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Solicitudes por lotes, siempre que sea posible, para minimizar la sobrecarga por llamada, lo que puede reducir los costos generales. 
Asegúrese de optimizar el tamaño del lote", - "waf": "Optimización de costes" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", "severity": "Medio", - "text": "Configure un sistema de seguimiento de costos que supervise el uso del modelo y use esa información para ayudar a informar las opciones de modelos y los tamaños indicados", - "waf": "Optimización de costes" + "text": "Habilitación de la detección avanzada de amenazas (Microsoft Defender for Cloud, también conocida como ASC) para cargas de trabajo que se ejecutan en Azure VMware Solution", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", "severity": "Medio", - "text": "Establezca un límite máximo en el número de tokens por respuesta de modelo. 
Optimice el tamaño para asegurarse de que sea lo suficientemente grande para una respuesta válida", - "waf": "Optimización de costes" + "text": "Use Azure ARC for Servers para controlar correctamente las cargas de trabajo que se ejecutan en Azure VMware Solution mediante tecnologías nativas de Azure (Azure ARC for Azure VMware Solution aún no está disponible)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Revise las instrucciones proporcionadas sobre la configuración de la búsqueda de IA para la confiabilidad", - "waf": "Excelencia Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "severity": "Bajo", + "text": "Asegúrese de que las cargas de trabajo de Azure VMware Solution usen suficiente cifrado de datos durante el tiempo de ejecución (como el cifrado de disco invitado y SQL TDE). 
(El cifrado de vSAN en reposo es el predeterminado)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Planifique y administre el almacenamiento de vectores de búsqueda de IA", - "waf": "Excelencia Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "Bajo", + "text": "Cuando se usa el cifrado en invitado, almacene las claves de cifrado en Azure Key Vault siempre que sea posible", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "severity": "Medio", - "text": "Aplique prácticas de LLMOps para automatizar la gestión del ciclo de vida de sus aplicaciones GenAI", - "waf": "Excelencia Operacional" + "text": "Considere la posibilidad de usar la compatibilidad con actualizaciones de seguridad extendidas para las cargas de trabajo que se ejecutan en Azure VMware Solution (Azure VMware Solution es apta para ESU)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "severity": "Alto", - "text": "Evalúe el uso de los modelos de facturación: PAYG frente a PTU", - "waf": "Optimización de costes" + "text": "Asegúrese de que se utiliza el método de redundancia de datos de vSAN adecuado (especificación RAID)", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Evalúe la calidad de los mensajes y las aplicaciones al cambiar entre versiones de modelo", - "waf": "Excelencia Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", + "severity": "Alto", + "text": "Asegúrese de que la directiva de error de tolerancia esté implementada para satisfacer sus necesidades de almacenamiento de vSAN", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Evalúe, supervise y perfeccione sus aplicaciones GenAI para características como la fundamentación, la relevancia, la precisión, la coherencia, la fluidez,", - "waf": "Excelencia 
Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", + "severity": "Alto", + "text": "Asegúrese de que ha solicitado una cuota suficiente, asegurándose de que ha tenido en cuenta el crecimiento y el requisito de recuperación ante desastres", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "Medio", - "text": "Evalúe los resultados de búsqueda de Azure AI en función de diferentes parámetros de búsqueda", - "waf": "Excelencia Operacional" + "text": "Asegúrese de que se comprenden las restricciones de acceso a ESXi, ya que existen límites de acceso que pueden afectar a las soluciones de terceros.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "severity": "Medio", - "text": "Considere los modelos de ajuste fino como una forma de aumentar la precisión solo cuando haya probado otros enfoques básicos como la ingeniería de avisos y RAG con sus datos", - "waf": "Excelencia Operacional" + "text": "Asegúrese de tener una política en torno a la densidad y la eficiencia del host ESXi, teniendo en cuenta el tiempo de espera para solicitar nuevos nodos", + "waf": "Operaciones" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "severity": "Medio", - "text": "Utilice técnicas de ingeniería rápida para mejorar la precisión de las respuestas de LLM", - "waf": "Excelencia Operacional" + "text": "Asegúrese de que existe un buen proceso de administración de costos para Azure VMware Solution: se puede usar Azure Cost Management", + "waf": "Costar" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Equipo rojo con sus aplicaciones GenAI", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", + "severity": "Bajo", + "text": "¿Se usan instancias reservadas de Azure para optimizar el costo de uso de Azure VMware Solution?", + "waf": "Costar" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "severity": "Medio", - "text": "Proporcione a los usuarios finales opciones de 
puntuación para las respuestas de LLM y realice un seguimiento de estas puntuaciones. ",
- "waf": "Excelencia Operacional"
+ "text": "Tenga en cuenta el uso de Azure Private-Link cuando use otros servicios nativos de Azure",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
- "service": "Azure OpenAI",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Considere las prácticas de administración de cuotas",
- "waf": "Optimización de costes"
- },
- {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
- "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
- "service": "Azure OpenAI",
- "severity": "Medio",
- "text": "Utilice soluciones de equilibrador de carga, como la puerta de enlace basada en APIM, para equilibrar la carga y la capacidad entre servicios y regiones",
- "waf": "Excelencia Operacional"
+ "text": "Asegúrese de que todos los recursos necesarios residen en las mismas zonas de disponibilidad de Azure",
+ "waf": "Rendimiento"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
+ "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
 "service": "AVS",
- "severity": "Alto",
- "text": "Asegúrese de que los controladores de dominio ADDS se implementan en la suscripción de identidad en Azure nativo",
+ "severity": "Medio",
+ "text": "Habilitación de cargas de trabajo de máquina virtual invitada de Microsoft Defender for Cloud for Azure VMware Solution",
 
"waf": "Seguridad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", "service": "AVS", "severity": "Medio", - "text": "Asegúrese de que los sitios y servicios de ADDS están configurados para mantener las solicitudes de autenticación de los recursos basados en Azure (incluida Azure VMware Solution) locales en Azure", + "text": "Uso de servidores habilitados para Azure Arc para administrar las cargas de trabajo de máquinas virtuales invitadas de Azure VMware Solution", "waf": "Seguridad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", "service": "AVS", "severity": "Alto", - "text": "Asegúrese de que vCenter esté conectado a ADDS para habilitar la autenticación basada en \"cuentas de usuario designadas\"", - "waf": "Seguridad" + "text": "Habilitación del registro de diagnósticos y métricas en Azure VMware Solution", + "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", "service": "AVS", "severity": "Medio", - "text": "Asegúrese de que la conexión de vCenter a ADDS utilice un protocolo seguro (LDAPS)", - "waf": "Seguridad" + "text": "Implementación de los agentes de Log Analytics en cargas de trabajo de máquinas virtuales invitadas de Azure VMware Solution", + "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", "service": "AVS", "severity": "Medio", - "text": "La cuenta de CloudAdmin en vCenter IdP solo se utiliza como una cuenta 
de emergencia (break-glass)",
- "waf": "Seguridad"
+ "text": "Asegúrese de que dispone de una directiva y una solución de copia de seguridad documentadas e implementadas para las cargas de trabajo de máquina virtual de Azure VMware Solution",
+ "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
 "service": "AVS",
- "severity": "Alto",
- "text": "Asegúrese de que NSX-Manager esté integrado con un proveedor de identidades externo (LDAPS)",
+ "severity": "Medio",
+ "text": "Uso de Microsoft Defender for Cloud para la supervisión del cumplimiento de las cargas de trabajo que se ejecutan en Azure VMware Solution",
 "waf": "Seguridad"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
+ "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
 "service": "AVS",
 "severity": "Medio",
- "text": "¿Se ha creado un modelo RBAC para su uso en VMware vSphere?",
+ "text": "¿Se agregan las líneas base de cumplimiento aplicables a Microsoft Defender for Cloud?",
 "waf": "Seguridad"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
 "service": "AVS",
- "severity": "Medio",
- "text": "Los permisos RBAC deben concederse a grupos ADDS y no a usuarios específicos",
+ "severity": "Alto",
+ "text": "¿Se evaluó la residencia de datos al seleccionar las regiones de Azure que se usarán para la implementación de Azure VMware Solution?",
 "waf": "Seguridad"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
 "service": "AVS",
 "severity": 
"Alto", - "text": "Los permisos de RBAC en el recurso de Azure VMware Solution en Azure están \"bloqueados\" solo para un conjunto limitado de propietarios", + "text": "¿Son claras y documentadas las implicaciones del procesamiento de datos (proveedor de servicios / modelo de consumidor de servicios)?", "waf": "Seguridad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que todos los roles personalizados tengan el ámbito de las autorizaciones permitidas de CloudAdmin", + "severity": "Medio", + "text": "Considere la posibilidad de usar CMK (clave administrada por el cliente) para vSAN solo si es necesario por motivos de cumplimiento.", "waf": "Seguridad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", "service": "AVS", "severity": "Alto", - "text": "¿Se ha seleccionado el modelo de conectividad de Azure VMware Solution correcto para el caso de uso del cliente en cuestión?", - "waf": "Rendimiento" + "text": "Creación de paneles para habilitar la información principal de supervisión de Azure VMware Solution", + "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", "service": "AVS", "severity": "Alto", - "text": "Asegúrese de que las conexiones de ExpressRoute o VPN desde el entorno local a Azure se supervisan mediante el \"monitor de conexiones\"", + "text": "Creación de alertas de advertencia para umbrales críticos para alertas automáticas sobre el rendimiento de 
Azure VMware Solution (CPU >80 %, memoria media >80 %, vSAN >70 %)",
 "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
+ "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
 "service": "AVS",
- "severity": "Medio",
- "text": "Asegúrese de que se crea un monitor de conexión desde un recurso nativo de Azure a una máquina virtual de Azure VMware Solution para supervisar la conexión de ExpressRoute back-end de Azure VMware Solution",
+ "severity": "Alto",
+ "text": "Asegúrese de que se crea una alerta crítica para supervisar si el consumo de vSAN es inferior al 75 %, ya que se trata de un umbral de soporte de VMware",
 "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
+ "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
 "service": "AVS",
- "severity": "Medio",
- "text": "Asegúrese de que se crea un monitor de conexión desde un recurso local a una máquina virtual de Azure VMware Solution para supervisar la conectividad de extremo a extremo",
+ "severity": "Alto",
+ "text": "Asegúrese de que las alertas están configuradas para las alertas y notificaciones de Azure Service Health",
 "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
+ "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
 "service": "AVS",
- "severity": "Alto",
- "text": "Cuando se utiliza el servidor de rutas, asegúrese de que no se propaguen más de 1000 rutas desde el servidor de rutas a la puerta de enlace de ExR al entorno local (límite de ARS).",
+ "severity": "Medio",
+ "text": "Configure el registro de Azure VMware Solution para que se envíe a una cuenta de Azure Storage o Azure EventHub para su procesamiento",
 "waf": "Operaciones"
 },
 {
 "arm-service": 
"Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", "service": "AVS", - "severity": "Alto", - "text": "¿Se ha implementado Privileged Identity Management para los roles que administran el recurso de Azure VMware Solution en Azure Portal (no se permiten permisos permanentes)?", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Si se requiere una visión profunda de VMware vSphere: ¿Se utiliza vRealize Operations o vRealize Network Insights en la solución?", + "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", "service": "AVS", "severity": "Alto", - "text": "Los informes de auditoría de Privileged Identity Management deben implementarse para los roles PIM de Azure VMware Solution", - "waf": "Seguridad" + "text": "Asegúrese de que la directiva de almacenamiento de vSAN para las máquinas virtuales NO sea la directiva de almacenamiento predeterminada, ya que esta directiva aplica el aprovisionamiento grueso", + "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", "service": "AVS", "severity": "Medio", - "text": "Si se usa Privileged Identity Management, asegúrese de que se crea una cuenta válida habilitada para Entra ID con un registro SMTP válido para las notificaciones de reemplazo automático de host de Azure VMware Solution. 
(se requieren permisos permanentes)",
- "waf": "Seguridad"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
- "service": "AVS",
- "severity": "Alto",
- "text": "Limite el uso de la cuenta de CloudAdmin solo al acceso de emergencia",
- "waf": "Seguridad"
+ "text": "Asegúrese de que las bibliotecas de contenido de vSphere no se coloquen en vSAN, ya que vSAN es un recurso finito",
+ "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
+ "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
 "service": "AVS",
 "severity": "Medio",
- "text": "Cree funciones RBAC personalizadas en vCenter para implementar un modelo de privilegios mínimos dentro de vCenter",
- "waf": "Seguridad"
+ "text": "Asegúrese de que los repositorios de datos de la solución de copia de seguridad se almacenen fuera del almacenamiento de vSAN. 
Ya sea en Azure nativo o en un almacén de datos respaldado por un grupo de discos",
+ "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
+ "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
 "service": "AVS",
 "severity": "Medio",
- "text": "Es un proceso definido para rotar periódicamente las credenciales de administrador de la nube (vCenter) y administrador (NSX)",
- "waf": "Seguridad"
+ "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se administran de forma híbrida mediante Azure Arc para servidores (Arc para Azure VMware Solution está en versión preliminar)",
+ "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
 "service": "AVS",
- "severity": "Alto",
- "text": "Uso de un proveedor de identidades centralizado que se usará para las cargas de trabajo (VM) que se ejecutan en Azure VMware Solution",
- "waf": "Seguridad"
+ "severity": "Medio",
+ "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se supervisan mediante Azure Log Analytics y Azure Monitor",
+ "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
 "service": "AVS",
 "severity": "Medio",
- "text": "¿Se implementa el filtrado de tráfico este-oeste en NSX-T?",
- "waf": "Seguridad"
+ "text": "Inclusión de cargas de trabajo que se ejecutan en Azure VMware Solution en las herramientas de administración de actualizaciones existentes o en Azure Update Management",
+ "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design 
Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", "service": "AVS", - "severity": "Alto", - "text": "Las cargas de trabajo de Azure VMware Solution no se exponen directamente a Internet. El tráfico se filtra e inspecciona mediante Azure Application Gateway, Azure Firewall o soluciones de terceros", - "waf": "Seguridad" + "severity": "Medio", + "text": "Uso de Azure Policy para incorporar cargas de trabajo de Azure VMware Solution en las soluciones de administración, supervisión y seguridad de Azure", + "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", "service": "AVS", - "severity": "Alto", - "text": "La auditoría y el registro se implementan para las solicitudes entrantes de Internet a Azure VMware Solution y a las cargas de trabajo basadas en Azure VMware Solution", + "severity": "Medio", + "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se incorporan a Microsoft Defender for Cloud", "waf": "Seguridad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", "service": "AVS", "severity": "Medio", - "text": "La supervisión de sesiones se implementa para las conexiones salientes a Internet desde Azure VMware Solution o cargas de trabajo basadas en Azure VMware Solution para identificar actividades sospechosas o malintencionadas", - "waf": "Seguridad" + "text": "Asegúrese de que las copias de seguridad no se almacenen en vSAN, ya que vSAN es un recurso finito", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", + "guid": 
"5e6bfbb9-ed50-4354-9cc4-47e826028a71", "service": "AVS", "severity": "Medio", - "text": "¿Está habilitada la protección estándar de DDoS en la subred de puerta de enlace de ExR/VPN en Azure?", - "waf": "Seguridad" + "text": "¿Se han considerado todas las soluciones de recuperación ante desastres y se ha decidido por la mejor solución para su negocio? [SRM/JetStream/Zerto/Veeam/...]", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", "service": "AVS", "severity": "Medio", - "text": "Use una estación de trabajo de acceso con privilegios (PAW) dedicada para administrar Azure VMware Solution, vCenter, NSX Manager y HCX Manager", - "waf": "Seguridad" + "text": "Uso de Azure Site Recovery cuando la tecnología de recuperación ante desastres sea IaaS nativa de Azure", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", "service": "AVS", - "severity": "Medio", - "text": "Habilitación de la detección avanzada de amenazas (Microsoft Defender for Cloud, también conocida como ASC) para cargas de trabajo que se ejecutan en Azure VMware Solution", - "waf": "Seguridad" + "severity": "Alto", + "text": "Utilice planes de recuperación automatizados con cualquiera de las soluciones ante desastres, evite las tareas manuales tanto como sea posible", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", "service": "AVS", "severity": "Medio", - "text": "Use Azure ARC for Servers para controlar correctamente las cargas de trabajo que se ejecutan en Azure VMware Solution mediante 
tecnologías nativas de Azure (Azure ARC for Azure VMware Solution aún no está disponible)",
- "waf": "Seguridad"
+ "text": "Usar el par de regiones geopolíticas como entorno secundario de recuperación ante desastres",
+ "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
+ "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
 "service": "AVS",
- "severity": "Bajo",
- "text": "Asegúrese de que las cargas de trabajo de Azure VMware Solution usen suficiente cifrado de datos durante el tiempo de ejecución (como el cifrado de disco invitado y SQL TDE). (El cifrado de vSAN en reposo es el predeterminado)",
- "waf": "Seguridad"
+ "severity": "Alto",
+ "text": "Utilice 2 espacios de direcciones diferentes entre las regiones, por ejemplo: 10.0.0.0/16 y 192.168.0.0/16 para las diferentes regiones",
+ "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
+ "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
 "service": "AVS",
- "severity": "Bajo",
- "text": "Cuando se usa el cifrado en invitado, almacene las claves de cifrado en Azure Key Vault siempre que sea posible",
- "waf": "Seguridad"
+ "severity": "Medio",
+ "text": "¿Se usará Global Reach de ExpressRoute para la conectividad entre las nubes privadas de Azure VMware Solution principal y secundaria, o el enrutamiento se realiza a través de aplicaciones virtuales de red?",
+ "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "5ac94222-3e13-4810-9230-81a941741583",
+ "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
 "service": "AVS",
 "severity": "Medio",
- "text": "Considere la posibilidad de usar la compatibilidad con actualizaciones de seguridad extendidas para las cargas de trabajo que se ejecutan en Azure VMware 
Solution (Azure VMware Solution es apta para ESU)",
- "waf": "Seguridad"
+ "text": "¿Se han considerado todas las soluciones de copia de seguridad y se ha decidido por la mejor solución para su negocio? [ MABS/CommVault/Metallic.io/Veeam/ . ]",
+ "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
+ "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
 "service": "AVS",
- "severity": "Alto",
- "text": "Asegúrese de que se utiliza el método de redundancia de datos de vSAN adecuado (especificación RAID)",
+ "severity": "Medio",
+ "text": "Implemente la solución de copia de seguridad en la misma región que la nube privada de Azure VMware Solution",
 "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "d88408f3-7273-44c8-96ba-280214590146",
+ "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
 "service": "AVS",
- "severity": "Alto",
- "text": "Asegúrese de que la directiva de error de tolerancia esté implementada para satisfacer sus necesidades de almacenamiento de vSAN",
+ "severity": "Medio",
+ "text": "Implementación de la solución de copia de seguridad fuera de vSan, en componentes nativos de Azure",
 "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
+ "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
 "service": "AVS",
- "severity": "Alto",
- "text": "Asegúrese de que ha solicitado una cuota suficiente, asegurándose de que ha tenido en cuenta el crecimiento y el requisito de recuperación ante desastres",
+ "severity": "Bajo",
+ "text": "¿Existe un proceso para solicitar una restauración de los componentes de VMware administrados por la plataforma Azure?",
 "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution 
Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que se comprenden las restricciones de acceso a ESXi, ya que existen límites de acceso que pueden afectar a las soluciones de terceros.", + "severity": "Bajo", + "text": "En el caso de las implementaciones manuales, se deben documentar todas las configuraciones e implementaciones", "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de tener una política en torno a la densidad y la eficiencia del host ESXi, teniendo en cuenta el tiempo de espera para solicitar nuevos nodos", + "severity": "Bajo", + "text": "En el caso de las implementaciones manuales, considere la posibilidad de implementar bloqueos de recursos para evitar acciones accidentales en la nube privada de Azure VMware Solution", "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que existe un buen proceso de administración de costos para Azure VMware Solution: se puede usar Azure Cost Management", - "waf": "Costar" + "severity": "Bajo", + "text": "Para implementaciones automatizadas, implemente una nube privada mínima y escale según sea necesario", + "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", "service": "AVS", "severity": "Bajo", - "text": "¿Se usan instancias reservadas de Azure para 
optimizar el costo de uso de Azure VMware Solution?",
- "waf": "Costar"
+ "text": "En el caso de las implementaciones automatizadas, solicite o reserve una cuota antes de iniciar la implementación",
+ "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
+ "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
 "service": "AVS",
- "severity": "Medio",
- "text": "Tenga en cuenta el uso de Azure Private-Link cuando use otros servicios nativos de Azure",
- "waf": "Seguridad"
+ "severity": "Bajo",
+ "text": "En el caso de la implementación automatizada, asegúrese de que se crean bloqueos de recursos relevantes a través de la automatización o a través de Azure Policy para una gobernanza adecuada",
+ "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
+ "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
 "service": "AVS",
- "severity": "Alto",
- "text": "Asegúrese de que todos los recursos necesarios residen en las mismas zonas de disponibilidad de Azure",
- "waf": "Rendimiento"
+ "severity": "Bajo",
+ "text": "Implemente nombres comprensibles para las claves de autorización ExR para permitir una fácil identificación del propósito y uso de las claves.",
+ "waf": "Operaciones"
 },
 {
 "arm-service": "Microsoft.AVS/privateClouds",
 "checklist": "Azure VMware Solution Design Review",
- "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
+ "guid": "255461e2-aee3-4553-afc8-339248b262d6",
 "service": "AVS",
- "severity": "Medio",
- "text": "Habilitación de cargas de trabajo de máquina virtual invitada de Microsoft Defender for Cloud for Azure VMware Solution",
- "waf": "Seguridad"
+ "severity": "Bajo",
+ "text": "Uso de Key Vault para almacenar secretos y claves de autorización cuando se usan principios de servicio independientes para implementar Azure VMware 
Solution y ExpressRoute", + "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", "service": "AVS", - "severity": "Medio", - "text": "Uso de servidores habilitados para Azure Arc para administrar las cargas de trabajo de máquinas virtuales invitadas de Azure VMware Solution", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Defina dependencias de recursos para serializar acciones en IaC cuando sea necesario implementar muchos recursos en Azure VMware Solution, ya que Azure VMware Solution solo admite un número limitado de operaciones paralelas.", + "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", "service": "AVS", - "severity": "Alto", - "text": "Habilitación del registro de diagnósticos y métricas en Azure VMware Solution", + "severity": "Bajo", + "text": "Al realizar la configuración automatizada de segmentos de NSX-T con una única puerta de enlace de nivel 1, use las API de Azure Portal en lugar de las API de NSX-Manager", "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", "service": "AVS", "severity": "Medio", - "text": "Implementación de los agentes de Log Analytics en cargas de trabajo de máquinas virtuales invitadas de Azure VMware Solution", - "waf": "Operaciones" + "text": "Si tiene la intención de usar el escalado horizontal automatizado, asegúrese de solicitar una cuota suficiente de Azure VMware Solution para las suscripciones que ejecutan Azure VMware Solution", + "waf": "Rendimiento" }, { "arm-service": "Microsoft.AVS/privateClouds", 
"checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", "service": "AVS", "severity": "Medio", - "text": "Asegúrese de que dispone de una directiva y una solución de copia de seguridad documentadas e implementadas para las cargas de trabajo de máquina virtual de Azure VMware Solution", - "waf": "Operaciones" + "text": "Cuando tenga la intención de usar la reducción horizontal automatizada, asegúrese de tener en cuenta los requisitos de la directiva de almacenamiento antes de realizar dicha acción", + "waf": "Rendimiento" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", "service": "AVS", "severity": "Medio", - "text": "Uso de Microsoft Defender for Cloud para la supervisión del cumplimiento de las cargas de trabajo que se ejecutan en Azure VMware Solution", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", - "severity": "Medio", - "text": "¿Se agregan las líneas base de cumplimiento aplicables a Microsoft Defender for Cloud?", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", - "severity": "Alto", - "text": "¿Se evaluó la residencia de datos al seleccionar las regiones de Azure que se usarán para la implementación de Azure VMware Solution?", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", - "severity": "Alto", - "text": "¿Son claras y documentadas las implicaciones del 
procesamiento de datos (proveedor de servicios / modelo de consumidor de servicios)?", - "waf": "Seguridad" + "text": "Las operaciones de escalado siempre deben serializarse dentro de un único SDDC, ya que solo se puede realizar una operación de escalado a la vez (incluso cuando se utilizan varios clústeres)", + "waf": "Rendimiento" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", "service": "AVS", "severity": "Medio", - "text": "Considere la posibilidad de usar CMK (clave administrada por el cliente) para vSAN solo si es necesario por motivos de cumplimiento.", - "waf": "Seguridad" + "text": "Considerar y validar las operaciones de escalado en soluciones de terceros utilizadas en la arquitectura (compatibles o no)", + "waf": "Rendimiento" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", "service": "AVS", - "severity": "Alto", - "text": "Creación de paneles para habilitar la información principal de supervisión de Azure VMware Solution", - "waf": "Operaciones" + "severity": "Medio", + "text": "Defina y aplique límites máximos de escalado vertical y horizontal para su entorno en las automatizaciones", + "waf": "Rendimiento" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", "service": "AVS", - "severity": "Alto", - "text": "Creación de alertas de advertencia para umbrales críticos para alertas automáticas sobre el rendimiento de Azure VMware Solution (CPU >80 %, memoria media >80 %, vSAN >70 %)", + "severity": "Medio", + "text": "Implemente reglas de supervisión para supervisar las operaciones de escalado 
automatizadas y supervisar el éxito y el fracaso para permitir respuestas adecuadas (automatizadas)", "waf": "Operaciones" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "AVS", "severity": "Alto", - "text": "Asegúrese de que se crea una alerta crítica para supervisar si el consumo de vSAN es inferior al 75 %, ya que se trata de un umbral de soporte de VMware", - "waf": "Operaciones" + "text": "Al usar MON, tenga en cuenta los límites de las máquinas virtuales configuradas simultáneamente (límite de MON para HCX [400 - estándar, 1000 - dispositivo más grande])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "AVS", "severity": "Alto", - "text": "Asegúrese de que las alertas están configuradas para las alertas y notificaciones de Azure Service Health", - "waf": "Operaciones" + "text": "Al usar MON, no puede habilitar MON en más de 100 extensiones de red", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", "service": "AVS", "severity": "Medio", - "text": "Configure el registro de Azure VMware Solution para que se 
envíe a una cuenta de Azure Storage o Azure EventHub para su procesamiento", - "waf": "Operaciones" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "Bajo", - "text": "Si se requiere una visión profunda de VMware vSphere: ¿Se utiliza vRealize Operations o vRealize Network Insights en la solución?", - "waf": "Operaciones" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que la directiva de almacenamiento de vSAN para las máquinas virtuales NO sea la directiva de almacenamiento predeterminada, ya que esta directiva aplica el aprovisionamiento grueso", - "waf": "Operaciones" + "text": "Si utiliza una conexión VPN para migraciones, ajuste el tamaño de su MTU en consecuencia.", + "waf": "Rendimiento" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", "service": "AVS", "severity": "Medio", - "text": "Asegúrese de que las bibliotecas de contenido de vSphere no se coloquen en vSAN, ya que vSAN es un recurso finito", - "waf": "Operaciones" + "text": "En el caso de las regiones de baja conectividad que se conectan a Azure (500 Mbps o menos), considere la posibilidad de implementar el dispositivo de optimización de WAN de HCX", + "waf": "Rendimiento" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", "service": "AVS", "severity": "Medio", - "text": "Asegúrese de que los repositorios de datos de la solución de copia de seguridad se almacenen fuera del 
almacenamiento de vSAN. Ya sea en Azure nativo o en un almacén de datos respaldado por un grupo de discos", - "waf": "Operaciones" + "text": "Asegúrese de que las migraciones se inicien desde el dispositivo local y NO desde el dispositivo en la nube (NO realice una migración inversa)", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "service": "AVS", "severity": "Medio", - "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se administran de forma híbrida mediante Azure Arc para servidores (Arc para Azure VMware Solution está en versión preliminar)", - "waf": "Operaciones" + "text": "Cuando se usa Azure NetApp Files para ampliar el almacenamiento de Azure VMware Solution, considere la posibilidad de usarlo como almacén de datos de VMware en lugar de adjuntarlo directamente a una máquina virtual.", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", "service": "AVS", "severity": "Medio", - "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se supervisan mediante Azure Log Analytics y Azure Monitor", - "waf": "Operaciones" + "text": "Asegúrese de que se usa una puerta de enlace de ExpressRoute dedicada para soluciones de almacenamiento de datos externos", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", 
+ "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", "service": "AVS", "severity": "Medio", - "text": "Inclusión de cargas de trabajo que se ejecutan en Azure VMware Solution en las herramientas de administración de actualizaciones existentes o en Azure Update Management", - "waf": "Operaciones" + "text": "Asegúrese de que FastPath está habilitado en la puerta de enlace de ExpressRoute que se usa para las soluciones de almacenamiento de datos externos", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", "service": "AVS", - "severity": "Medio", - "text": "Uso de Azure Policy para incorporar cargas de trabajo de Azure VMware Solution en las soluciones de administración, supervisión y seguridad de Azure", - "waf": "Operaciones" + "severity": "Alto", + "text": "Si utiliza un clúster ampliado, asegúrese de que la solución de recuperación ante desastres seleccionada sea compatible con el proveedor", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se incorporan a Microsoft Defender for Cloud", - "waf": "Seguridad" + "severity": "Alto", + "text": "Si utiliza un clúster ampliado, asegúrese de que el Acuerdo de Nivel de Servicio 
proporcionado cumpla sus requisitos", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que las copias de seguridad no se almacenen en vSAN, ya que vSAN es un recurso finito", + "severity": "Alto", + "text": "Si usa un clúster extendido, asegúrese de que ambos circuitos ExpressRoute están conectados al centro de conectividad.", "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", "service": "AVS", - "severity": "Medio", - "text": "¿Se han considerado todas las soluciones de recuperación ante desastres y se ha decidido por la mejor solución para su negocio? 
[SRM/JetStream/Zerto/Veeam/...]", + "severity": "Alto", + "text": "Si usa un clúster extendido, asegúrese de que ambos circuitos ExpressRoute tengan habilitado GlobalReach.", "waf": "Fiabilidad" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", "service": "AVS", - "severity": "Medio", - "text": "Uso de Azure Site Recovery cuando la tecnología de recuperación ante desastres sea IaaS nativa de Azure", + "severity": "Alto", + "text": "Haga que la configuración de tolerancia ante desastres del sitio se considere y cambie correctamente para su negocio si es necesario.", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Restrinja el uso de métodos de autenticación locales para el acceso al plano de datos. 
En su lugar, use Microsoft Entra ID como método de autenticación predeterminado para controlar el acceso al plano de datos.", + "guid": "32d41e36-11c8-417b-8afb-c410d4391898", + "service": "Azure Synapse Analytics", "severity": "Alto", - "text": "Utilice planes de recuperación automatizados con cualquiera de las soluciones ante desastres, evite las tareas manuales tanto como sea posible", - "waf": "Fiabilidad" + "text": "Restringir el uso de usuarios locales en cargas de trabajo de SQL en Synapse", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use el identificador de Microsoft Entra como método de autenticación predeterminado para controlar el acceso al plano de datos.", + "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", "severity": "Medio", - "text": "Usar el par de regiones geopolíticas como entorno secundario de recuperación ante desastres", - "waf": "Fiabilidad" + "text": "Uso de la identidad administrada para autenticarse en los servicios", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Si no es necesario para las operaciones administrativas rutinarias, deshabilite o restrinja las cuentas de administrador local solo para uso de 
emergencia.", + "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", + "service": "Azure Synapse Analytics", "severity": "Alto", - "text": "Utilice 2 espacios de direcciones diferentes entre las regiones, por ejemplo: 10.0.0.0/16 y 192.168.0.0/16 para las diferentes regiones", - "waf": "Fiabilidad" + "text": "Separe y limite los usuarios administrativos o con muchos privilegios y habilite las directivas condicionales y de MFA", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse también incluye roles de control de acceso basado en roles (RBAC) de Synapse para administrar diferentes aspectos de Synapse Studio. Aproveche estos roles integrados para asignar permisos a usuarios, grupos u otras entidades de seguridad para administrar quién puede publicar artefactos de código y enumerar o acceder a artefactos de código publicados,Ejecutar código en grupos de Apache Spark y entornos de ejecución de integración,Acceder a servicios vinculados (datos) protegidos por credenciales,Supervisar o cancelar ejecuciones de trabajos, revisar la salida de trabajos y los registros de ejecución.", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", "severity": "Medio", - "text": "¿Se usará Global Reach de ExpressRoute para la conectividad entre las nubes privadas de Azure VMware Solution principal y secundaria, o el enrutamiento se realiza a través de aplicaciones virtuales de red?", - "waf": "Fiabilidad" + "text": "Use Azure RBAC para controlar el acceso en el almacenamiento y Synapse RBAC para controlar 
el acceso en el nivel de área de trabajo en función de los roles del equipo para precisar el acceso a los datos y el proceso", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", "severity": "Medio", - "text": "¿Se han considerado todas las soluciones de copia de seguridad y se ha decidido por la mejor solución para su negocio? [ MABS/CommVault/Metallic.io/Veeam/ . ]", - "waf": "Fiabilidad" + "text": "Implemente RLS, CLS y enmascaramiento de datos en cargas de trabajo de SQL en un grupo de SQL dedicado para agregar una capa adicional de seguridad", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Al crear el área de trabajo de Azure Synapse, puede optar por asociarla a una red virtual de Microsoft Azure. Azure Synapse administra la red virtual asociada al área de trabajo. Esta red virtual se denomina red virtual de área de trabajo administrada. 
Esto se puede seleccionar al implementar un área de trabajo", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "severity": "Medio", - "text": "Implemente la solución de copia de seguridad en la misma región que la nube privada de Azure VMware Solution", - "waf": "Fiabilidad" + "text": "Uso del área de trabajo de red virtual administrada para restringir el acceso a través de la red pública de Internet", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Para proteger los datos confidenciales, se recomienda deshabilitar por completo el acceso público a los puntos de conexión del área de trabajo. 
Al hacerlo, garantiza que solo se pueda acceder a todos los puntos de conexión del área de trabajo mediante puntos de conexión privados.", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "severity": "Medio", - "text": "Implementación de la solución de copia de seguridad fuera de vSan, en componentes nativos de Azure", - "waf": "Fiabilidad" + "text": "Configurar puntos de conexión privados para conectarse a los servicios externos y deshabilitar el acceso público", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "Bajo", - "text": "¿Existe un proceso para solicitar una restauración de los componentes de VMware administrados por la plataforma Azure?", - "waf": "Fiabilidad" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Si es necesario habilitar el acceso público, se recomienda encarecidamente configurar las reglas de firewall de IP para permitir conexiones entrantes solo desde la lista especificada de direcciones IP públicas.", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "text": "Si se habilita el acceso público, se recomienda encarecidamente configurar las reglas de firewall de IP", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "Bajo", - "text": "En el caso de las implementaciones manuales, 
se deben documentar todas las configuraciones e implementaciones", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "text": "Implemente máquinas virtuales SHIR en la red virtual si trabaja con datos confidenciales que no deben salir de la red corporativa", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "Bajo", - "text": "En el caso de las implementaciones manuales, considere la posibilidad de implementar bloqueos de recursos para evitar acciones accidentales en la nube privada de Azure VMware Solution", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Esto solo se puede hacer cuando se implementa el área de trabajo, pero las bibliotecas de Python instaladas desde repositorios públicos como PyPI no son compatibles. 
(Piense en la limitación antes de habilitarlo)", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "text": "Habilitar la protección de exfiltración de datos (DEP)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "Bajo", - "text": "Para implementaciones automatizadas, implemente una nube privada mínima y escale según sea necesario", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "La primera capa de cifrado la realizan las claves administradas por Microsoft, puede agregar una segunda capa de cifrado mediante claves administradas por el cliente", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "text": "Cifrado de datos en reposo mediante claves administradas por el cliente para el área de trabajo", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "Bajo", - "text": "En el caso de las implementaciones automatizadas, solicite o reserve una cuota antes de iniciar la implementación", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse aprovecha TLS para garantizar que los datos se cifran en 
movimiento. Los grupos dedicados de SQL admiten las versiones TLS 1.0, TLS 1.1 y TLS 1.2 para el cifrado, en los que los controladores proporcionados por Microsoft usan TLS 1.2 de forma predeterminada. El grupo de SQL sin servidor y el grupo de Apache Spark usan TLS 1.2 para todas las conexiones de salida.", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", + "severity": "Medio", + "text": "Cifrado de datos en tránsito ", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "Bajo", - "text": "En el caso de la implementación automatizada, asegúrese de que se crean bloqueos de recursos relevantes a través de la automatización o a través de Azure Policy para una gobernanza adecuada", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Uso de Keyvaults para almacenar sus secretos y credenciales", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "service": "Azure Synapse Analytics", + "severity": "Alto", + "text": "Almacenamiento de contraseñas, seguridades y claves en Azure Key Vault", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "Bajo", - "text": "Implemente nombres comprensibles para las claves de autorización ExR para permitir una fácil identificación del propósito y uso de las claves.", - "waf": "Operaciones" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the 
latest version of a review checklist", + "description": "Restrinja el uso de métodos de autenticación locales para el acceso al plano de datos. En su lugar, use Microsoft Entra ID como método de autenticación predeterminado para controlar el acceso al plano de datos.", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "service": "Azure Data Factory", + "severity": "Alto", + "text": "Restrinja el uso de usuarios locales siempre que sea necesario", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "Bajo", - "text": "Uso de Key Vault para almacenar secretos y claves de autorización cuando se usan principios de servicio independientes para implementar Azure VMware Solution y ExpressRoute", - "waf": "Operaciones" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Las identidades administradas eliminan la necesidad de administrar credenciales. 
Las identidades administradas proporcionan una identidad para la instancia de servicio al conectarse a recursos que admiten la autenticación de Microsoft Entra.", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", + "severity": "Medio", + "text": "Uso de la identidad administrada para autenticarse en los servicios", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "Bajo", - "text": "Defina dependencias de recursos para serializar acciones en IaC cuando sea necesario implementar muchos recursos en Azure VMware Solution, ya que Azure VMware Solution solo admite un número limitado de operaciones paralelas.", - "waf": "Operaciones" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Si no es necesario para las operaciones administrativas rutinarias, deshabilite o restrinja las cuentas de administrador local solo para uso de emergencia.", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "service": "Azure Data Factory", + "severity": "Alto", + "text": "Separe y limite los usuarios administrativos o con muchos privilegios y habilite las directivas condicionales y de MFA", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "Bajo", - "text": "Al realizar la configuración automatizada de segmentos de NSX-T con una única puerta de enlace de nivel 1, use las API de Azure Portal en lugar de las API de NSX-Manager", - "waf": "Operaciones" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": 
"Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "service": "Azure Data Factory", + "severity": "Medio", + "text": "Implemente máquinas virtuales SHIR en la red virtual si trabaja con datos confidenciales que no deben salir de la red corporativa", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Al crear un entorno de ejecución de integración de Azure dentro de una red virtual administrada de Data Factory, el entorno de ejecución de integración se aprovisiona con la red virtual administrada. Utiliza puntos de conexión privados para conectarse de forma segura a los almacenes de datos compatibles.", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Si tiene la intención de usar el escalado horizontal automatizado, asegúrese de solicitar una cuota suficiente de Azure VMware Solution para las suscripciones que ejecutan Azure VMware Solution", - "waf": "Rendimiento" + "text": "Uso de IR de red virtual administrada para restringir el acceso a través de la red pública de Internet para Azure Integration Runtime", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Los puntos de conexión privados administrados son puntos de conexión privados creados en la red virtual 
administrada de Data Factory que establece un vínculo privado a los recursos de Azure. Data Factory administra estos puntos de conexión privados en su nombre.", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Cuando tenga la intención de usar la reducción horizontal automatizada, asegúrese de tener en cuenta los requisitos de la directiva de almacenamiento antes de realizar dicha acción", - "waf": "Rendimiento" + "text": "Configuración de puntos de conexión privados administrados para conectarse a recursos mediante Azure IR administrado", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Esta es una configuración predeterminada", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Las operaciones de escalado siempre deben serializarse dentro de un único SDDC, ya que solo se puede realizar una operación de escalado a la vez (incluso cuando se utilizan varios clústeres)", - "waf": "Rendimiento" + "text": "Cifrado de datos en reposo mediante claves administradas de Microsoft", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Esta es una configuración 
predeterminada", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Considerar y validar las operaciones de escalado en soluciones de terceros utilizadas en la arquitectura (compatibles o no)", - "waf": "Rendimiento" + "text": "Cifrado de datos en tránsito por claves administradas de Microsoft", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Cuando se especifica una clave administrada por el cliente, Data Factory usa tanto la clave del sistema de fábrica como la CMK para cifrar los datos del cliente. Si no se produce ninguno de ellos, se denegaría el acceso a los datos y a la fábrica.", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Defina y aplique límites máximos de escalado vertical y horizontal para su entorno en las automatizaciones", - "waf": "Rendimiento" + "text": "Cifrado de datos en tránsito por BYOK (claves administradas por el cliente)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, 
https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "Alto", + "text": "Almacenamiento de contraseñas y secretos en Azure Key Vault", + "waf": "Seguridad" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "service": "Microsoft Purview", "severity": "Medio", - "text": "Implemente reglas de supervisión para supervisar las operaciones de escalado automatizadas y supervisar el éxito y el fracaso para permitir respuestas adecuadas (automatizadas)", - "waf": "Operaciones" + "text": "Definir roles y responsabilidades para administrar Microsoft Purview en el plano de control y el plano de datos", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use RBAC de Azure para esto", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Definición de roles y tareas necesarios para implementar y administrar Microsoft Purview dentro de una suscripción de Azure (plano de control)", + "waf": "Seguridad" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use los roles de Microsoft Purview para esto.", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, 
https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Defina los roles y las tareas necesarias para realizar la administración y la gobernanza de datos mediante Microsoft Purview. (Plano de datos para el mapa de datos y el catálogo de datos).", + "waf": "Seguridad" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Asigne roles a grupos de Microsoft Entra en lugar de asignar roles a usuarios individuales.", + "waf": "Seguridad" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Use Azure Active Directory Entitlement Management para asignar el acceso de los usuarios a los grupos de Microsoft Entra mediante paquetes de acceso.", + "waf": "Seguridad" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "service": "Microsoft Purview", "severity": "Alto", - "text": "Al usar MON, tenga en cuenta los límites de las máquinas virtuales configuradas simultáneamente (límite de MON para HCX [400 - estándar, 1000 - dispositivo más grande])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Fiabilidad" + "text": "Aplique la autenticación multifactor para los usuarios de Microsoft Purview, especialmente para los usuarios con roles con privilegios, como administradores de colecciones, administradores de orígenes de datos o conservadores de datos.", + "waf": 
"Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "service": "Microsoft Purview", "severity": "Alto", - "text": "Al usar MON, no puede habilitar MON en más de 100 extensiones de red", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Fiabilidad" + "text": "Use el identificador de Microsoft Entra para proporcionar autenticación y autorización a todos los usuarios, grupos de seguridad registrados en Entra, entidad de servicio e identidades administradas dentro de colecciones en Microsoft Purview", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "service": "Microsoft Purview", + "severity": "Alto", + "text": "Definir el modelo de privilegios mínimos y la menor exposición de cuentas con privilegios", + "waf": "Seguridad" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", "severity": "Medio", - "text": "Si utiliza una conexión VPN para migraciones, ajuste el tamaño de su MTU en consecuencia.", - "waf": "Rendimiento" + "text": "Habilite el aislamiento de red de 
extremo a extremo mediante el servicio Private Link. (Mapa de datos de Microsoft Purview)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", "severity": "Medio", - "text": "En el caso de las regiones de baja conectividad que se conectan a Azure (500 Mbps o menos), considere la posibilidad de implementar el dispositivo de optimización de WAN de HCX", - "waf": "Rendimiento" + "text": "Use el firewall de Microsoft Purview para deshabilitar el acceso público. (Mapa de datos de Microsoft Purview)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", "severity": "Medio", - "text": "Asegúrese de que las migraciones se inicien desde el dispositivo local y NO desde el dispositivo en la nube (NO realice una migración inversa)", - "waf": "Fiabilidad" + "text": "Implemente reglas de grupo de seguridad de red (NSG) para subredes en las que se implementan puntos de conexión privados de orígenes de datos de Azure, puntos de conexión privados de Microsoft Purview y máquinas virtuales en tiempo de ejecución autohospedadas. 
(Mapa de datos de Microsoft Purview)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Microsoft Purview", "severity": "Medio", - "text": "Cuando se usa Azure NetApp Files para ampliar el almacenamiento de Azure VMware Solution, considere la posibilidad de usarlo como almacén de datos de VMware en lugar de adjuntarlo directamente a una máquina virtual.", - "waf": "Fiabilidad" + "text": "Implemente Microsoft Purview con puntos de conexión privados administrados por una aplicación virtual de red, como Azure Firewall, para la inspección y el filtrado de red. (Mapa de datos de Microsoft Purview)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Este punto de conexión privado también es un requisito previo para el punto de conexión privado del portal. El punto de conexión privado del portal de Microsoft Purview es necesario para habilitar la conectividad con el portal de gobernanza de Microsoft Purview mediante una red privada. Microsoft Purview puede examinar orígenes de datos en Azure o en un entorno local mediante puntos de conexión privados de ingesta. 
Limitaciones en el uso de puntos de conexión privados https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network", + "service": "Microsoft Purview", "severity": "Medio", - "text": "Asegúrese de que se usa una puerta de enlace de ExpressRoute dedicada para soluciones de almacenamiento de datos externos", - "waf": "Fiabilidad" + "text": "Implemente puntos de conexión privados para cuentas de Microsoft Purview para agregar otra capa de seguridad, de modo que solo las llamadas de cliente que se originan desde la red virtual puedan acceder a la cuenta de Microsoft Purview", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. 
Limitación a revisar: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "service": "Microsoft Purview", "severity": "Medio", - "text": "Asegúrese de que FastPath está habilitado en la puerta de enlace de ExpressRoute que se usa para las soluciones de almacenamiento de datos externos", - "waf": "Fiabilidad" + "text": "Bloquear el acceso público mediante el firewall de Microsoft Purview", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "Alto", - "text": "Si utiliza un clúster ampliado, asegúrese de que la solución de recuperación ante desastres seleccionada sea compatible con el proveedor", - "waf": "Fiabilidad" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Uso de grupos de seguridad de red para filtrar el tráfico de red hacia y desde los recursos de Azure en una red virtual de Azure", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": 
"https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "service": "Microsoft Purview", "severity": "Alto", - "text": "Si utiliza un clúster ampliado, asegúrese de que el Acuerdo de Nivel de Servicio proporcionado cumpla sus requisitos", - "waf": "Fiabilidad" + "text": "Si tiene datos confidenciales que no pueden salir del límite de la red virtual local, se recomienda encarecidamente usar máquinas virtuales SHIR dentro de la red virtual corporativa para extraer los metadatos ", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "Alto", - "text": "Si usa un clúster extendido, asegúrese de que ambos circuitos ExpressRoute están conectados al centro de conectividad.", - "waf": "Fiabilidad" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Los metadatos se extraen y almacenan en el mapa de datos de Microsoft Purview, si no usa una cuenta de almacenamiento administrado para su cuenta de Purview, están abiertos para que todos puedan acceder a ellos, por lo que debe implementar los RBAC adecuados y restringir el acceso de los datos solo a los usuarios previstos. 
Aplicable a las cuentas implementadas después del 15 de diciembre de 2023 (o implementadas con la versión de API 2023-05-01-preview en adelante", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Use RBAC de Azure para restringir el acceso de la cuenta de almacenamiento (no administrada por MS) solo a los usuarios previstos.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", - "severity": "Alto", - "text": "Si usa un clúster extendido, asegúrese de que ambos circuitos ExpressRoute tengan habilitado GlobalReach.", - "waf": "Fiabilidad" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Los datos en reposo se cifran mediante claves administradas de Microsoft", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Los datos en tránsito se cifran mediante TLS 1.3", + "waf": "Seguridad" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "service": "Microsoft Purview", "severity": "Alto", - "text": "Haga que la 
configuración de tolerancia ante desastres del sitio se considere y cambie correctamente para su negocio si es necesario.", - "waf": "Fiabilidad" + "text": "Use siempre Azure Key Vaults para almacenar todas las credenciales si no usa identidades administradas o sin métodos de necesidad de contraseña", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Reglas de recopilación de datos en Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Costar" - }, - { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": "Comprobar las instancias de copia de seguridad con la fuente de datos subyacente no encontrada", - "waf": "Costar" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "Eliminar o archivar servicios no asociados (discos, NIC, direcciones IP, etc.)", - "waf": "Costar" - }, - { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": "Considere un buen equilibrio entre el almacenamiento de recuperación del sitio y la copia de seguridad para aplicaciones que no son críticas", - "waf": "Costar" - }, - { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "Compruebe las oportunidades de gasto y ahorro entre las 40 áreas de trabajo de Log Analytics diferentes: use diferentes retenciones y recopilación de datos para áreas de trabajo que no sean de producción: cree un límite diario para el reconocimiento y el tamaño de los niveles: si establece un límite diario, además de crear una alerta cuando se alcance el límite, asegúrese de crear también una regla de alerta para que se le notifique cuando se alcance algún porcentaje (90 %, por ejemplo). 
- Considere la posibilidad de transformar el espacio de trabajo si es posible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Costar" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Evitar la eliminación accidental de cuentas de Microsoft Purview mediante la aplicación de bloqueos de recursos", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "Aplique una política de purga de registros y automatización (si es necesario, los registros se pueden mover al almacenamiento en frío)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Costar" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Planee una estrategia de emergencia para el inquilino de Microsoft Entra, la suscripción de Azure y las cuentas de Microsoft Purview para evitar el bloqueo de cuentas en todo el inquilino.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost 
Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "Compruebe que los discos son realmente necesarios, si no: eliminar. Si son necesarios, busque niveles de almacenamiento más bajos o use una copia de seguridad:", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Costar" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "service": "Microsoft Purview", + "severity": "Medio", + "text": "Integración con Microsoft 365 y Microsoft Defender for Cloud", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "text": "Considere la posibilidad de mover el almacenamiento no utilizado al nivel inferior, con reglas personalizadas: https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Costar" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Separe las cuentas de administrador de las cuentas de usuario normales.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "service": "Azure Databricks", + "severity": "Alto", + "text": "Definir el modelo de privilegios mínimos y la menor exposición de cuentas con privilegios", + "waf": 
"Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "text": "Asegúrese de que el asesor está configurado para el tamaño correcto de la máquina virtual ", - "waf": "Costar" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Databricks admite el acceso condicional de identificador de Microsoft Entra, que permite a los administradores controlar dónde y cuándo se permite a los usuarios iniciar sesión en Azure Databricks. Las directivas de acceso condicional pueden restringir el inicio de sesión en la red corporativa o pueden requerir autenticación multifactor (MFA).", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", + "severity": "Alto", + "text": "Configure el inicio de sesión único y el inicio de sesión unificado. 
Habilite la autenticación multifactor.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "comprobando la búsqueda de las licencias de categoría de contador en el análisis de costes", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "ejecutar el script en todas las máquinas virtuales de Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server: considere la posibilidad de implementar una directiva si las máquinas virtuales de Windows se crean con frecuencia", - "waf": "Costar" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Los clientes pueden usar la API de administración de tokens o los controles de la interfaz de usuario para habilitar o deshabilitar los tokens de acceso personal (PAT) para la autenticación de la API de REST, limitar los usuarios que pueden usar PAT, establecer la duración máxima de los nuevos tokens y administrar los tokens existentes. Los clientes de alta seguridad suelen aprovisionar una duración máxima del token para los nuevos tokens de un área de trabajo. 
Esta característica requiere el plan de tarifa Premium.", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens", + "service": "Azure Databricks", + "severity": "Medio", + "text": "Utilice la administración de tokens.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": " esto también se puede poner bajo AHUB si ya tiene licencias https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Costar" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Si tiene administradores de Databricks que también son usuarios normales de la plataforma Databricks (por ejemplo, hay un ingeniero de datos principal que administra la plataforma y también realiza trabajos de ingeniería de datos), Databricks recomienda crear una cuenta independiente para las tareas administrativas. Es importante tener en cuenta que, como parte del modelo RBAC de Azure, los usuarios a los que se les conceden permisos de colaborador o superior para el grupo de recursos de un área de trabajo de Azure Databricks implementada se convierten automáticamente en administradores cuando inician sesión en esa área de trabajo. 
Por lo tanto, las mismas consideraciones descritas anteriormente también deben aplicarse a los usuarios de Azure Portal.", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "service": "Azure Databricks", + "severity": "Alto", + "text": "Separe las cuentas de administrador de las cuentas de usuario normales", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "Consolide familias de máquinas virtuales reservadas con la opción de flexibilidad (no más de 4-5 familias)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Costar" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "SCIM (System for Cross-domain Identity Management) permite sincronizar usuarios y grupos de Microsoft Entra ID con Azure Databricks. Hay tres ventajas principales de este enfoque: 1. Al quitar un usuario, el usuario se quita automáticamente de Databricks. 2. Los usuarios también pueden ser deshabilitados temporalmente a través de SCIM. Los clientes han usado esta funcionalidad para escenarios en los que creen que una cuenta puede estar en peligro y necesitan investigar 3. Los grupos se sincronizan automáticamente Consulte la documentación para obtener instrucciones detalladas sobre cómo configurar SCIM para Azure Databricks. 
Esta característica requiere el plan de tarifa Premium",
+ "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36",
+ "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/",
+ "service": "Azure Databricks",
+ "severity": "Medio",
+ "text": "Sincronización SCIM de usuarios y grupos.",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
- "service": "VM",
- "text": "Uso de Azure Reserved Instances: esta característica le permite reservar máquinas virtuales durante un período de 1 o 3 años, lo que proporciona un importante ahorro de costos en comparación con los precios de pago por uso.",
- "waf": "Costar"
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Mediante el uso de políticas de clúster o las ACL de clúster más antiguas, los administradores pueden definir qué usuarios o grupos dentro de la organización pueden crear clústeres. Las ACL de clúster permiten especificar qué usuarios pueden adjuntar un bloc de notas a un clúster determinado. Tenga en cuenta que si un usuario comparte un bloc de notas que ya está conectado a un clúster de modo estándar, el destinatario también podrá ejecutar código en ese clúster. Esto no se aplica a los clústeres que aplican el aislamiento de usuarios: Almacenes SQL, alta simultaneidad con clústeres de ACL de tabla y alta simultaneidad con clústeres de paso a través de credenciales. 
Los clientes que usan Unity Catalog también pueden habilitar clústeres de un solo usuario para aplicar clústeres de aislamiento.",
+ "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d",
+ "service": "Azure Databricks",
+ "severity": "Medio",
+ "text": "Limite los derechos de creación de clústeres.",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
- "service": "VM",
- "text": "Solo se pueden reservar discos más grandes => 1 TiB -",
- "waf": "Costar"
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Es importante tener en cuenta que, aunque los clientes usen Azure Key Vault para almacenar sus secretos, los controles de acceso deben definirse en Azure Databricks. 
Esto se debe a que se usa la misma identidad de servicio para recuperar el secreto de todos los usuarios de un área de trabajo de Azure Databricks.",
+ "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1",
+ "service": "Azure Databricks",
+ "severity": "Alto",
+ "text": "Almacenamiento de contraseñas y secretos en Azure Key Vault",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
- "service": "VM",
- "text": "Después de la optimización del tamaño correcto",
- "waf": "Costar"
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Los clústeres con aislamiento de usuario incluyen la aplicación de modo que cada usuario se ejecute como una cuenta de usuario sin privilegios diferente en el host del clúster. 
Los lenguajes también se limitan a aquellos que se pueden implementar de forma aislada (SQL y Python), y las API de Spark deben estar en una lista de permitidos de aquellos que creemos que son seguros para el aislamiento.",
+ "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3",
+ "service": "Azure Databricks",
+ "severity": "Medio",
+ "text": "Utilice clústeres que admitan el aislamiento de usuarios.",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Sql/servers",
- "checklist": "Cost Optimization Checklist",
- "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Azure SQL",
- "text": "Compruebe si corresponde y aplique la política/cambio https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
- "waf": "Costar"
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Va en contra de los procedimientos recomendados de seguridad vincular las cargas de trabajo de producción a cuentas de usuario individuales, por lo que se recomienda configurar entidades de servicio dentro de Databricks. Los principios de servicio separan las acciones del administrador y del usuario de la carga de trabajo y evitan que las cargas de trabajo se vean afectadas si un usuario abandona una organización. 
Con Databricks, puede configurar trabajos para que se ejecuten como entidades de servicio y generar tokens de acceso personal para entidades de servicio.",
+ "guid": "e29711b1-352b-4eee-879b-588defc5972c",
+ "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/",
+ "service": "Azure Databricks",
+ "severity": "Medio",
+ "text": "Use entidades de servicio para ejecutar trabajos de producción. Utilice el control de acceso adecuado para los controles de seguridad de nivel de área de trabajo (ACL), nivel de cuenta (RBAC) y nivel de datos (catálogo de Unity)",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "VM",
- "text": "El descuento de la parte de la licencia VM + (ahub + 3YRI) es de alrededor del 70% de descuento",
- "waf": "Costar"
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "De forma predeterminada, DBFS es un sistema de archivos al que pueden acceder todos los usuarios del espacio de trabajo determinado y al que se puede acceder a través de la API. Esto no es necesariamente un problema importante de exfiltración de datos, ya que puede limitar el acceso al acceso a los datos a través de la API de DBFS o la CLI de Databricks mediante listas de acceso IP o acceso a redes privadas. Sin embargo, a medida que crezca el uso de Azure Databricks y más usuarios se unan a un área de trabajo, esos usuarios tendrían acceso a los datos almacenados en DBFS, lo que crearía la posibilidad de que se compartiera información no deseada. 
Databricks recomienda a nuestros clientes que no almacenen datos de producción en DBFS.",
+ "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c",
+ "service": "Azure Databricks",
+ "severity": "Alto",
+ "text": "Evite almacenar datos de producción en DBFS.",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "VM",
- "text": "Considere la posibilidad de utilizar un VMSS para satisfacer la demanda en lugar de un tamaño fijo",
- "waf": "Costar"
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "En el caso de las cuentas de almacenamiento que administra, es su responsabilidad asegurarse de que las cuentas de almacenamiento estén protegidas según sus requisitos. 
Algunos ejemplos pueden ser: Cifrado con la clave administrada por el cliente, Restricción del acceso a redes de confianza con un firewall de almacenamiento, No se permite el acceso público anónimo",
+ "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys",
+ "service": "Azure Databricks",
+ "severity": "Medio",
+ "text": "Cifre el almacenamiento y restrinja el acceso.",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Cost Optimization Checklist",
- "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
- "service": "AKS",
- "text": "Use el escalador automático de AKS para que coincida con el uso de los clústeres (asegúrese de que los requisitos de los pods coincidan con el escalador)",
- "waf": "Costar"
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Agregue una clave administrada por el cliente para los datos seleccionados almacenados en el plano de control de Azure Databricks, como cuadernos, secretos, consultas SQL de Databricks y el historial de consultas SQL de Databricks, así como para la cuenta de almacenamiento raíz usada para DBFS. Azure Databricks requiere acceso a esta clave para las operaciones en curso. Puede revocar el acceso a la clave para impedir que Azure Databricks acceda a los datos cifrados en el plano de control (o en nuestras copias de seguridad). Esto es como una opción nuclear donde el espacio de trabajo deja de funcionar, pero proporciona un control de emergencia para situaciones extremas. 
Esta característica requiere el plan de tarifa Premium.",
+ "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys",
+ "service": "Azure Databricks",
+ "severity": "Medio",
+ "text": "Adición de una clave administrada por el cliente para los servicios administrados y el almacenamiento del área de trabajo",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- "service": "Azure Backup",
- "text": "Mover los puntos de recuperación al archivo de almacén cuando corresponda (Validar)",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "Costar"
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "description": "Configure listas de acceso IP que restrinjan las direcciones IP que se pueden autenticar en Databricks en el nivel de la consola de cuenta y el área de trabajo comprobando si el usuario o el cliente de API procede de un intervalo de direcciones IP correcto conocido, como una VPN o una red de oficina. Las sesiones de usuario establecidas no funcionan si el usuario se mueve a una dirección IP incorrecta, como cuando se desconecta de la VPN. 
", + "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", + "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list", + "service": "Azure Databricks", + "severity": "Medio", + "text": "Habilite las listas de acceso IP para restringir el acceso a determinadas direcciones IP.", + "waf": "Seguridad" }, { "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "Considere la posibilidad de usar máquinas virtuales de acceso puntual con reserva siempre que sea posible. Considere la posibilidad de la terminación automática de clústeres.", - "waf": "Costar" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Private Link proporciona una ruta de red privada de un entorno de Azure a otro. Private Link se puede configurar tanto entre los usuarios de Azure Databricks y el plano de control, como entre el plano de control y el plano de datos. Entre los usuarios de Databricks y el plano de control, Private Link proporciona controles seguros que limitan el origen de las solicitudes entrantes. Si una empresa ya enruta el tráfico a través de un entorno de Azure, puede usar Private Link para que la comunicación entre los usuarios y el plano de control de Azure Databricks no atraviese direcciones IP públicas. Esta característica requiere el plan de tarifa Premium. Use Azure Private Link para conectarse desde Azure Databricks a los recursos de Azure. 
Private Link no solo garantiza",
+ "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link",
+ "service": "Azure Databricks",
+ "severity": "Medio",
+ "text": "Configure y use Azure Private Link para acceder a los recursos de Azure.",
+ "waf": "Seguridad"
 },
 {
 "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
- "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
- "service": "Azure Functions",
- "text": "Funciones - Reutilizar conexiones",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
- "waf": "Costar"
+ "checklist": "Logic Apps checklist",
+ "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
+ "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
+ "service": "Logic Apps",
+ "severity": "Alto",
+ "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO",
+ "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
- "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
- "service": "Azure Functions",
- "text": "Funciones: almacenar datos en caché localmente",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
- "waf": "Costar"
+ "checklist": "Logic Apps checklist",
+ "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
+ "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "Logic Apps",
+ "severity": "Alto",
+ "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona 
y zonas de disponibilidad",
+ "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Azure Functions",
- "text": "Funciones - Arranques en frío: utilice la funcionalidad 'Ejecutar desde el paquete'. De esta manera, el código se descarga como un único archivo zip. Esto puede, por ejemplo, resultar en mejoras significativas con las funciones de Javascript, que tienen muchos módulos de nodos. Utilice herramientas específicas del lenguaje para reducir el tamaño del paquete, por ejemplo, aplicaciones Javascript que sacuden el árbol.",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "Costar"
+ "checklist": "Logic Apps checklist",
+ "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
+ "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Logic Apps",
+ "severity": "Alto",
+ "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas",
+ "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
- "service": "Azure Functions",
- "text": "Funciones - Mantén tus funciones calientes",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Costar"
+ "checklist": "Logic Apps checklist",
+ "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
+ "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
+ "service": "Logic Apps",
+ "severity": 
"Alto", + "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "Al usar el escalado automático con diferentes funciones, es posible que haya uno que controle todo el escalado automático para todos los recursos: considere la posibilidad de moverlo a un plan de consumo independiente (y considere un plan superior para la CPU)", - "waf": "Costar" + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", + "severity": "Medio", + "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "Las aplicaciones de funciones de un plan determinado se escalan juntas, por lo que cualquier problema con el escalado puede afectar a todas las aplicaciones del plan.", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + "severity": "Bajo", + "text": "Consulte la arquitectura de aplicación web de redundancia de zona de alta disponibilidad de línea de base para conocer los procedimientos 
recomendados", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "¿Se me factura por el \"tiempo de espera\"? Esta pregunta se suele formular en el contexto de una función de C# que realiza una operación asincrónica y espera el resultado, por ejemplo, await Task.Delay(1000) o await client. GetAsync('http://google.com'). La respuesta es sí: el segundo cálculo de GB se basa en la hora de inicio y finalización de la función y el uso de memoria durante ese período. Lo que realmente sucede durante ese tiempo en términos de actividad de la CPU no se tiene en cuenta en el cálculo. Una excepción a esta regla es si está utilizando funciones duraderas. No se le facturará por el tiempo empleado en las esperas en las funciones de orquestador.aplique técnicas de modelado de la demanda siempre que sea posible (¿entornos de desarrollo?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "Medio", + "text": "Utilice los niveles Premium y Estándar. 
Estos niveles admiten ranuras de ensayo y copias de seguridad automatizadas.",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Front Door",
- "text": "Frontdoor: desactivar la página principal predeterminadaEn la configuración de la aplicación de la aplicación, establezca AzureWebJobsDisableHomepage en true. Esto devolverá un 204 (sin contenido) al PoP para que solo se devuelvan los datos del encabezado.",
- "waf": "Costar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
+ "service": "App Services",
+ "severity": "Alto",
+ "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (requiere el nivel Premium v2 o v3)",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Front Door",
- "text": "Frontdoor: ruta a algo que no devuelve nada. Configure una función, un proxy de función o agregue una ruta en la aplicación web que devuelva 200 (correctamente) y envíe contenido mínimo o nulo. 
La ventaja de esto es que podrá cerrar la sesión cuando se llame.",
- "waf": "Costar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
+ "severity": "Medio",
+ "text": "Implementación de comprobaciones de estado",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
- "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
- "service": "Storage",
- "text": "Considere la posibilidad de archivar niveles para los datos menos utilizados",
- "waf": "Costar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
+ "service": "App Services",
+ "severity": "Alto",
+ "text": "Consulte los procedimientos recomendados de copia de seguridad y restauración para Azure App Service",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "VM",
- "text": "Compruebe los tamaños de disco en los que el tamaño no coincida con el nivel (es decir, un disco de 513 GiB pagará un P30 (1 TiB) y considere la posibilidad de cambiar el tamaño",
- "waf": "Costar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability",
+ "service": "App Services",
+ "severity": "Alto",
+ "text": 
"Implementación de los procedimientos recomendados de confiabilidad de Azure App Service", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "Considere la posibilidad de utilizar un SSD estándar en lugar de Premium o Ultra siempre que sea posible", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "Bajo", + "text": "Familiarizarse con cómo mover una aplicación de App Service a otra región durante un desastre", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "En el caso de las cuentas de almacenamiento, asegúrese de que el nivel elegido no suma cargos por transacción (puede ser más barato pasar al siguiente nivel)", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", + "severity": "Alto", + "text": "Familiarizarse con la compatibilidad con la confiabilidad en Azure App Service", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": 
"c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "Para ASR, considere la posibilidad de usar discos SSD estándar si el RPO/RTO y el rendimiento de replicación lo permiten", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", + "severity": "Medio", + "text": "Asegúrese de que \"Siempre activado\" está habilitado para las aplicaciones de funciones que se ejecutan en un plan de App Service", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "Cuentas de almacenamiento: compruebe el nivel de acceso frecuente o GRS necesario", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "Medio", + "text": "Supervisión de instancias de App Service mediante comprobaciones de estado", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "Discos: valide el uso de discos SSD Premium en todas partes: por ejemplo, los que no son de producción podrían cambiar a SSD estándar o SSD Premium bajo demanda ", - "waf": "Costar" + "arm-service": 
"microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", + "severity": "Medio", + "text": "Supervisión de la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web mediante pruebas de disponibilidad de Application Insights", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "Cree presupuestos para administrar los costos y cree alertas que notifiquen automáticamente a las partes interesadas sobre anomalías en el gasto y riesgos de gasto excesivo.", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", + "severity": "Bajo", + "text": "Uso de la prueba estándar de Application Insights para supervisar la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "Exporte los datos de costos a una cuenta de almacenamiento para realizar análisis de datos adicionales.", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use Azure Key Vault para almacenar los secretos que necesita la aplicación. 
Key Vault proporciona un entorno seguro y auditado para almacenar secretos y está bien integrado con App Service a través del SDK de Key Vault o las referencias de Key Vault de App Service.",
+ "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
+ "severity": "Alto",
+ "text": "Uso de Key Vault para almacenar secretos",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "Synapse",
- "text": "Controle los costos de un grupo de SQL dedicado pausando el recurso cuando no esté en uso.",
- "waf": "Costar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use una identidad administrada para conectarse a Key Vault mediante el SDK de Key Vault o a través de las referencias de Key Vault de App Service.",
+ "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
+ "severity": "Alto",
+ "text": "Uso de la identidad administrada para conectarse a Key Vault",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview",
- "service": "Synapse",
- "text": "Habilite la función de pausa automática de Apache Spark sin servidor y establezca el valor de tiempo de espera en consecuencia.",
- "waf": "Costar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Almacene el certificado TLS de App Service en Key Vault.",
+ "guid": 
"f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", + "severity": "Alto", + "text": "Use Key Vault para almacenar el certificado TLS.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "Cree varias definiciones de grupo de Apache Spark de varios tamaños.", - "waf": "Costar" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "Compre unidades de confirmación (SCU) de Azure Synapse durante un año con un plan de compra anticipada para ahorrar en los costos de Azure Synapse Analytics.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Los sistemas que procesan información confidencial deben estar aislados. 
Para ello, use planes del Servicio de aplicaciones o entornos del Servicio de aplicaciones independientes y considere la posibilidad de usar suscripciones o grupos de administración diferentes.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "Medio", + "text": "Aísle los sistemas que procesan información confidencial", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "Uso de máquinas virtuales de acceso puntual para trabajos interrumpibles: se trata de máquinas virtuales por las que se puede pujar y comprar a un precio reducido, lo que proporciona una solución rentable para cargas de trabajo no críticas.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Los discos locales de App Service no están cifrados y los datos confidenciales no deben almacenarse en ellos. 
(Por ejemplo: D:\\\\Local y %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", + "severity": "Medio", + "text": "No almacene datos confidenciales en el disco local", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "Ajustar el tamaño de todas las máquinas virtuales", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "En el caso de la aplicación web autenticada, use un proveedor de identidades bien establecido, como Azure AD o Azure AD B2C. Aproveche el marco de aplicaciones de su elección para integrarse con este proveedor o use la característica de autenticación o autorización del Servicio de aplicaciones.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", + "severity": "Medio", + "text": "Usar un proveedor de identidades establecido para la autenticación", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "Intercambiar el tamaño de la máquina virtual con los tamaños normalizados y más recientes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Implemente código en App Service 
desde un entorno controlado y de confianza, como una canalización de implementación de DevOps bien administrada y segura. De este modo, se evita el código que no se ha controlado la versión y se ha comprobado que se implementará desde un host malintencionado.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", + "severity": "Alto", + "text": "Implementación desde un entorno de confianza", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "Ajustar el tamaño de las máquinas virtuales: comience con la supervisión del uso por debajo del 5 % y, a continuación, trabaje hasta el 40 %", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Deshabilite la autenticación básica tanto para FTP/FTPS como para WebDeploy/SCM. Esto deshabilita el acceso a estos servicios y exige el uso de puntos de conexión protegidos de Azure AD para la implementación. 
Tenga en cuenta que el sitio de SCM también se puede abrir con credenciales de Azure AD.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", + "severity": "Alto", + "text": "Deshabilitar la autenticación básica", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "La inclusión de una aplicación en contenedores puede mejorar la densidad de la máquina virtual y ahorrar dinero en su escalado", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Costar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Siempre que sea posible, use Managed Identity para conectarse a los recursos protegidos de Azure AD. Si esto no es posible, almacene los secretos en Key Vault y conéctese a Key Vault mediante una identidad administrada en su lugar.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", + "severity": "Alto", + "text": "Uso de la identidad administrada para conectarse a los recursos", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "severity": "Medio", - "text": "Azure Spring Apps permite dos implementaciones para cada aplicación, de las cuales solo una recibe tráfico de producción. 
Puede lograr cero tiempo de inactividad con estrategias de implementación azul verde. La implementación azul verde solo está disponible en los niveles Estándar y Enterprise. Puede automatizar la implementación mediante CI/CD con acciones de ADO/GitHub", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas mediante una identidad administrada.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", + "severity": "Alto", + "text": "Extracción de contenedores mediante una identidad administrada", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Al configurar las opciones de diagnóstico de App Service, puede enviar todos los datos de telemetría a Log Analytics como destino central para el registro y la supervisión. 
Esto le permite supervisar la actividad en tiempo de ejecución de App Service, como los registros HTTP, los registros de aplicaciones, los registros de plataforma, ...", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "severity": "Medio", - "text": "Las instancias de Azure Spring Apps se pueden crear en varias regiones para las aplicaciones y el tráfico se puede enrutar mediante Traffic Manager o Front Door.", - "waf": "Fiabilidad" + "text": "Envío de registros en tiempo de ejecución de App Service a Log Analytics", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure una configuración de diagnóstico para enviar el registro de actividad a Log Analytics como destino central para el registro y la supervisión. Esto le permite supervisar la actividad del plano de control en el propio recurso de App Service.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "severity": "Medio", - "text": "En la región admitida, Azure Spring Apps se puede implementar como zona redundante, lo que significa que las instancias se distribuyen automáticamente entre las zonas de disponibilidad. 
Esta función solo está disponible en los niveles Standard y Enterprise.", - "waf": "Fiabilidad" + "text": "Envío de registros de actividad de App Service a Log Analytics", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Controle el acceso saliente a la red mediante una combinación de integración de red virtual regional, grupos de seguridad de red y UDR. El tráfico debe enrutarse a una aplicación virtual de red, como Azure Firewall. Asegúrese de supervisar los registros del cortafuegos.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "severity": "Medio", - "text": "Usar más de 1 instancia de aplicación para las aplicaciones", - "waf": "Fiabilidad" + "text": "El acceso a la red saliente debe controlarse", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "Medio", - "text": "Supervise Azure Spring Apps con registros, métricas y seguimiento. Integre ASA con la información de las aplicaciones, realice un seguimiento de los errores y cree libros de trabajo.", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Puede proporcionar una dirección IP de salida estable mediante la integración de red virtual y una puerta de enlace NAT de red virtual o una aplicación virtual de red como Azure Firewall. 
Esto permite a la parte receptora incluir en la lista de permitidos en función de la IP, en caso de que sea necesario. Tenga en cuenta que para las comunicaciones con los servicios de Azure, a menudo no es necesario depender de la dirección IP y, en su lugar, se deben usar mecanismos como los puntos de conexión de servicio. (Además, el uso de puntos de conexión privados en el extremo receptor evita que se produzca SNAT y proporciona un intervalo de IP de salida estable).", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "Bajo", + "text": "Garantizar una IP estable para las comunicaciones salientes hacia las direcciones de Internet", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "severity": "Medio", - "text": "Configuración del escalado automático en Spring Cloud Gateway", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Controle el acceso entrante a la red mediante una combinación de restricciones de acceso al Servicio de aplicaciones, puntos de conexión de servicio o puntos de conexión privados. 
Se pueden requerir y configurar diferentes restricciones de acceso para la propia aplicación web y el sitio de SCM.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "Alto", + "text": "El acceso a la red entrante debe controlarse", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "Bajo", - "text": "Habilite el escalado automático para las aplicaciones con el consumo estándar y el plan dedicado.", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Protéjase contra el tráfico entrante malintencionado mediante un firewall de aplicaciones web como Application Gateway o Azure Front Door. Asegúrese de supervisar los registros del WAF.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", + "severity": "Alto", + "text": "Uso de un WAF delante de App Service", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "severity": "Medio", - "text": "Use el plan Enterprise para obtener soporte comercial de Spring Boot para aplicaciones de misión crítica. 
Con otros niveles, obtienes soporte OSS.", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Asegúrese de que no se pueda omitir el WAF bloqueando el acceso solo al WAF. Use una combinación de restricciones de acceso, puntos de conexión de servicio y puntos de conexión privados.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "Alto", + "text": "Evite que se omita WAF", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7bc1c396-2461-4698-b57f-30ca69525252", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", - "service": "VNet", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Establezca la directiva TLS mínima en 1.2 en la configuración de App Service.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "Medio", - "text": "Implemente los recursos de conectividad de la zona de aterrizaje de Azure en varias regiones, de modo que pueda admitir rápidamente zonas de aterrizaje de aplicaciones de varias regiones y escenarios de recuperación ante desastres.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Fiabilidad" + "text": "Establezca la directiva TLS mínima en 1.2", + "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", - "severity": "Medio", - "text": "Use un inquilino de Entra para administrar los recursos de Azure, a menos que tenga un requisito normativo o empresarial claro para varios inquilinos.", - "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", - "waf": "Operaciones" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "Bajo", - "text": "Use el enfoque de automatización multiinquilino para administrar los inquilinos de identificador de Microsoft Entra.", - "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", - "waf": "Operaciones" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure App Service para que use solo HTTPS. Esto hace que App Service se redirija de HTTP a HTTPS. 
Considere seriamente el uso de HTTP Strict Transport Security (HSTS) en su código o desde su WAF, que informa a los navegadores que solo se debe acceder al sitio mediante HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "severity": "Alto", - "text": "Use Azure Lighthouse para la administración de varios inquilinos con los mismos identificadores.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", - "waf": "Operaciones" + "text": "Usar solo HTTPS", + "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "No utilice caracteres comodín en la configuración de CORS, ya que esto permite que todos los orígenes accedan al servicio (lo que anula el propósito de CORS). 
En concreto, solo permite los orígenes que esperas poder acceder al servicio.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", "severity": "Alto", - "text": "Si concede a un asociado acceso para administrar el inquilino, use Azure Lighthouse.", - "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", - "waf": "Costar" + "text": "Los comodines no deben usarse para CORS", + "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "La depuración remota no debe estar activada en producción, ya que esto abre puertos adicionales en el servicio, lo que aumenta la superficie expuesta a ataques. Tenga en cuenta que el servicio desactiva la depuración remota automáticamente después de 48 horas.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", "severity": "Alto", - "text": "Aplique un modelo RBAC que se alinee con su modelo operativo en la nube. 
Ámbito y asignación entre grupos de administración y suscripciones.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "text": "Desactivar la depuración remota", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Habilite Defender para App Service. Esto (entre otras amenazas) detecta comunicaciones a direcciones IP maliciosas conocidas. Revise las recomendaciones de Defender para App Service como parte de las operaciones.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "Medio", - "text": "Utilice solo el tipo de autenticación Cuenta profesional o educativa para todos los tipos de cuenta. Evite usar la cuenta de Microsoft", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Habilitación de Defender for Cloud: Defender for App Service", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure proporciona protección básica contra DDoS en su red, que se puede mejorar con funcionalidades inteligentes de DDoS Standard que aprenden sobre los patrones de tráfico normales y pueden detectar comportamientos inusuales. 
DDoS Standard se aplica a una red virtual, por lo que debe configurarse para el recurso de red delante de la aplicación, como Application Gateway o una aplicación virtual de red.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "severity": "Medio", - "text": "Utilice solo grupos para asignar permisos. Agregue grupos locales al grupo Solo ID de Entra si ya hay un sistema de administración de grupos en su lugar.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "Habilitación del estándar de protección DDoS en la red virtual de WAF", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", - "severity": "Alto", - "text": "Aplique directivas de acceso condicional de identificador de Microsoft Entra para cualquier usuario con derechos en entornos de Azure.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas a través de una red virtual desde Azure Container Registry mediante su punto de conexión privado y la configuración de la aplicación \"WEBSITE_PULL_IMAGE_OVER_VNET\".", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", + "severity": "Medio", + "text": "Extracción de contenedores a través de una red virtual", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": 
"https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", - "severity": "Alto", - "text": "Aplique la autenticación multifactor para cualquier usuario con derechos sobre los entornos de Azure.", - "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Realice una prueba de penetración en la aplicación web siguiendo las reglas de participación de las pruebas de penetración.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", + "severity": "Medio", + "text": "Realizar una prueba de penetración", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Implemente código de confianza que se haya validado y analizado en busca de vulnerabilidades de acuerdo con las prácticas de DevSecOps.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "Medio", - "text": "Aplique la administración de identidades privilegiadas (PIM) de Microsoft Entra ID para establecer un acceso permanente cero y privilegios mínimos.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Implementación de código validado", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": 
"https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", - "severity": "Medio", - "text": "Si planea cambiar de Servicios de dominio de Active Directory a Servicios de dominio Entra, evalúe la compatibilidad de todas las cargas de trabajo.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Utilice las versiones más recientes de plataformas, lenguajes de programación, protocolos y marcos compatibles.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "Alto", + "text": "Utilizar plataformas, lenguajes, protocolos y marcos actualizados", "waf": "Seguridad" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", - "severity": "Medio", - "text": "Al usar Microsoft Entra Domain Services, use conjuntos de réplicas. Los conjuntos de réplicas mejorarán la resistencia del dominio administrado y le permitirán implementarlo en regiones adicionales. 
", - "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "Alto", + "text": "Seleccione el plan de hospedaje de funciones adecuado en función de los requisitos de su empresa y SLO", "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "Alto", + "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (no disponible para el nivel de consumo)", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "severity": "Medio", - "text": "Integre los registros de identificador de Microsoft Entra con Azure Monitor central de la plataforma. 
Azure Monitor permite una única fuente de información sobre los datos de registro y supervisión en Azure, lo que proporciona a las organizaciones opciones nativas en la nube para cumplir los requisitos relacionados con la recopilación y retención de registros.", - "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", - "waf": "Seguridad" + "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", + "waf": "Fiabilidad" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "severity": "Alto", - "text": "Implemente un acceso de emergencia o cuentas de emergencia para evitar el bloqueo de cuentas en todo el inquilino. MFA se activará de forma predeterminada para todos los usuarios en octubre de 2024. Recomendamos actualizar estas cuentas para usar la clave de paso (FIDO2) o configurar la autenticación basada en certificados para MFA. 
",
- "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies",
- "waf": "Seguridad"
+ "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "35037e68-9349-4c15-b371-228514f4cdff",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "Entra",
- "severity": "Medio",
- "text": "No use cuentas sincronizadas locales para las asignaciones de roles de identificador de Microsoft Entra, a menos que tenga un escenario que lo requiera específicamente.",
- "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
- "waf": "Seguridad"
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
+ "service": "Azure Functions",
+ "severity": "Alto",
+ "text": "Asegúrese de que \"Siempre activado\" esté habilitado para todas las aplicaciones de funciones que se ejecutan en el plan de App Service",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Entra",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
+ "service": "Azure Functions",
 "severity": "Medio",
- "text": "Al usar el proxy de aplicación de Microsoft Entra ID para proporcionar a los usuarios remotos acceso a las aplicaciones, adminístrelo como un recurso de plataforma, 
ya que solo puede tener una instancia por inquilino.",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "Seguridad"
+ "text": "Empareje una aplicación de funciones con su propia cuenta de almacenamiento. Intente no volver a usar las cuentas de almacenamiento para las aplicaciones de funciones a menos que estén estrechamente acopladas",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity",
- "service": "VNet",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "Azure Functions",
 "severity": "Medio",
- "text": "Utilice una topología de red radial para escenarios de red que requieran la máxima flexibilidad.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "text": "Aproveche Azure DevOps o GitHub para optimizar la CI/CD y proteger el código de la aplicación de funciones",
+ "waf": "Operaciones"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure Event Hub proporciona cifrado de datos en reposo. Si usa su propia clave, los datos se siguen cifrando con la clave administrada por Microsoft, pero además la clave administrada por Microsoft se cifrará con la clave administrada por el cliente. 
",
+ "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6",
+ "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key",
+ "service": "Event Hubs",
+ "severity": "Bajo",
+ "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology",
- "service": "VNet",
- "severity": "Alto",
- "text": "Implemente servicios de redes compartidas, incluidas puertas de enlace de ExpressRoute, puertas de enlace de VPN y Azure Firewall o aplicaciones virtuales de red de asociados en la red virtual del centro central. Si es necesario, implemente también servicios DNS.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
- "waf": "Costar"
- },
- {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "VNet",
- "severity": "Alto",
- "text": "Utilice una red DDoS o un plan de protección de IP para todas las direcciones IP públicas en las zonas de aterrizaje de aplicaciones.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Los espacios de nombres de Azure Event Hubs permiten a los clientes enviar y recibir datos con TLS 1.0 y versiones posteriores. 
Para aplicar medidas de seguridad más estrictas, puede configurar el espacio de nombres de Event Hubs para requerir que los clientes envíen y reciban datos con una versión más reciente de TLS. Si un espacio de nombres de Event Hubs requiere una versión mínima de TLS, se producirá un error en las solicitudes realizadas con una versión anterior. ",
+ "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e",
+ "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version",
+ "service": "Event Hubs",
+ "severity": "Medio",
+ "text": "Aplicar una versión mínima requerida de Seguridad de la capa de transporte (TLS) para las solicitudes ",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
- "service": "NVA",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Al crear un espacio de nombres de Event Hubs, se crea automáticamente una regla de directiva denominada RootManageSharedAccessKey para el espacio de nombres. Esta directiva tiene permisos de administración para todo el espacio de nombres. Se recomienda tratar esta regla como una cuenta raíz administrativa y no usarla en la aplicación. Se recomienda usar AAD como proveedor de autenticación con RBAC. 
",
+ "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies",
+ "service": "Event Hubs",
 "severity": "Medio",
- "text": "Al implementar tecnologías de redes de asociados o NVA, siga las instrucciones del proveedor del asociado.",
- "waf": "Fiabilidad"
+ "text": "Evite usar la cuenta raíz cuando no sea necesario",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
- "service": "ExpressRoute",
- "severity": "Bajo",
- "text": "Si necesita el tránsito entre ExpressRoute y puertas de enlace de VPN en escenarios tipo hub-and-spoke, use Azure Route Server.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Las identidades administradas para los recursos de Azure pueden autorizar el acceso a los recursos de Event Hubs mediante credenciales de Azure AD desde aplicaciones que se ejecutan en Azure Virtual Machines (VM), aplicaciones de funciones, conjuntos de escalado de máquinas virtuales y otros servicios. Mediante el uso de identidades administradas para los recursos de Azure junto con la autenticación de Azure AD, puede evitar el almacenamiento de credenciales con las aplicaciones que se ejecutan en la nube. 
",
+ "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest",
+ "service": "Event Hubs",
+ "severity": "Medio",
+ "text": "Siempre que sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Event Hub. Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o en un servicio equivalente",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/virtualHubs",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
- "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
- "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
- "service": "ARS",
- "severity": "Bajo",
- "text": "Si utiliza el servidor de rutas, utilice un prefijo /27 para la subred del servidor de rutas.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Al crear permisos, proporcione un control específico sobre el acceso de un cliente al Centro de eventos de Azure. 
Los permisos del Centro de eventos de Azure pueden y deben limitarse al nivel de recurso individual, por ejemplo, grupo de consumidores, entidad del centro de eventos, espacios de nombres del centro de eventos, etc.",
+ "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
+ "service": "Event Hubs",
+ "severity": "Alto",
+ "text": "Uso de RBAC de plano de datos con privilegios mínimos",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
- "service": "VNet",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Los registros de recursos del Centro de eventos de Azure incluyen registros operativos, registros de red virtual y registros de Kafka. 
Los registros de auditoría en tiempo de ejecución capturan información de diagnóstico agregada para todas las operaciones de acceso al plano de datos (como eventos de envío o recepción) en Event Hubs.",
+ "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db",
+ "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
+ "service": "Event Hubs",
 "severity": "Medio",
- "text": "En el caso de las arquitecturas de red con varias topologías radiales en las regiones de Azure, use emparejamientos de redes virtuales globales entre las redes virtuales del centro para conectar las regiones entre sí.",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
- "waf": "Rendimiento"
+ "text": "Habilite el registro para la investigación de seguridad. Use Azure Monitor para capturar métricas y registros, como registros de recursos, registros de auditoría en tiempo de ejecución y registros de Kafka",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
- "service": "VNet",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "De forma predeterminada, Azure Event Hub tiene una dirección IP pública y es accesible a través de Internet. Los puntos de conexión privados permiten el tráfico entre la red virtual y Azure Event Hubs a través de la red troncal de Microsoft. Además de eso, debe deshabilitar los puntos de conexión públicos si no se usan. 
",
+ "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc",
+ "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service",
+ "service": "Event Hubs",
 "severity": "Medio",
- "text": "Use Azure Monitor para redes para supervisar el estado de un extremo a otro de las redes de Azure.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
- "waf": "Operaciones"
+ "text": "Considere la posibilidad de usar puntos de conexión privados para acceder al Centro de eventos de Azure y deshabilitar el acceso a la red pública cuando corresponda.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
- "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Con el firewall IP, puede restringir aún más el punto de conexión público a solo un conjunto de direcciones IPv4 o rangos de direcciones IPv4 en notación CIDR (Classless Inter-Domain Routing). 
",
+ "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering",
+ "service": "Event Hubs",
 "severity": "Medio",
- "text": "Si tiene más de 400 redes radiales en una región, implemente un centro adicional para omitir los límites de emparejamiento de red virtual (500) y el número máximo de prefijos que se pueden anunciar a través de ExpressRoute (1000).",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
- "waf": "Fiabilidad"
+ "text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres del Centro de eventos de Azure desde direcciones IP o intervalos específicos",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
- "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "guid": "31d41e36-11c8-417b-8afb-c410d4391898",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx",
+ "service": "Event Hubs",
 "severity": "Medio",
- "text": "Limite el número de rutas por tabla de rutas a 400.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "text": "Aproveche el Manual de Resiliencia de los TLC",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks", 
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
- "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
- "service": "VNet",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": " Esto se activará automáticamente para un nuevo espacio de nombres EH creado desde el portal con SKU Premium, Dedicado o Estándar en una región habilitada para zonas. Tanto los metadatos de EH como los propios datos de eventos se replican en todas las zonas",
+ "guid": "f15bce21-9e4a-40eb-9787-9424d226786d",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones",
+ "service": "Event Hubs",
 "severity": "Alto",
- "text": "Use la opción \"Permitir tráfico a la red virtual remota\" al configurar emparejamientos de red virtual.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "text": "Aproveche las zonas de disponibilidad si corresponde regionalmente",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | 
where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
- "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
- "service": "Load Balancers",
- "severity": "Alto",
- "text": "Uso de SKU de Standard Load Balancer con una implementación con redundancia de zona, la selección de Standard SKU Load Balancer mejora la confiabilidad a través de zonas de disponibilidad y resistencia de zona, lo que garantiza que las implementaciones resistan errores de zona y región. 
A diferencia de Basic, admite el equilibrio de carga global y ofrece un SLA.",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "guid": "20b56c56-ad58-4519-8f82-735c586bb281",
+ "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers",
+ "service": "Event Hubs",
+ "severity": "Medio",
+ "text": "Usa las SKU Premium o Dedicadas para obtener un rendimiento predecible",
 "waf": "Fiabilidad"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, 
name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
- "guid": "48682fb1-1e86-4458-a686-518ebd47393d",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
- "service": "Load Balancers",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "La característica integrada de recuperación ante desastres geográfica, cuando está habilitada, garantiza que toda la configuración de un espacio de nombres (Event Hubs, grupos de consumidores y configuración) se replique continuamente desde un espacio de nombres principal a un espacio de nombres secundario, y permite un movimiento de conmutación por error de una sola vez del principal al secundario en cualquier momento. La característica Activo/Pasivo está diseñada para facilitar la recuperación y el abandono de una región de Azure con errores sin tener que cambiar las configuraciones de la aplicación",
+ "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
+ "service": "Event Hubs",
 "severity": "Alto",
- "text": "Asegúrese de que los grupos de back-end del equilibrador de carga contengan al menos dos instancias, La implementación de Azure Load Balancers con al menos dos instancias en el back-end evita un único punto de error y admite la escalabilidad.",
+ "text": "Planeación de la recuperación ante desastres geográfica mediante la configuración pasiva activa",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Debe utilizarse para configuraciones de recuperación 
ante desastres en las que no se puede tolerar una interrupción o pérdida de datos de eventos en la región inactiva. En estos casos, siga las instrucciones de replicación y no use la capacidad de recuperación ante desastres geográfica integrada (activa/pasiva). Con Activo/Activo, mantenga varios centros de eventos en diferentes regiones y espacios de nombres, y los eventos se replicarán entre los centros",
+ "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e",
+ "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
+ "service": "Event Hubs",
 "severity": "Medio",
- "text": "Cuando use ExpressRoute Direct, configure MACsec para cifrar el tráfico en el nivel de capa dos entre los enrutadores de la organización y MSEE. El diagrama muestra este cifrado en el flujo.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
- "waf": "Seguridad"
+ "text": "En el caso de las aplicaciones críticas para la empresa, use la configuración Active Active",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c",
+ "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
+ "service": "Event Hubs",
 "severity": "Medio",
- "text": "En escenarios en los que MACsec no es una opción (por ejemplo, no usar ExpressRoute Direct), use una puerta de enlace de VPN para establecer túneles IPsec a través del emparejamiento privado de ExpressRoute.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
- "waf": "Seguridad"
- },
- {
- "arm-service": 
"microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "ExpressRoute",
- "severity": "Alto",
- "text": "Asegúrese de que no se usen espacios de direcciones IP superpuestos entre regiones de Azure y ubicaciones locales.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Seguridad"
+ "text": "Diseño de centros de eventos resilientes",
+ "waf": "Fiabilidad"
 },
 {
 "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
- "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "guid": "7bc1c396-2461-4698-b57f-30ca69525252",
+ "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions",
 "service": "VNet",
 "severity": "Medio",
- "text": "Utilice las direcciones IP de los rangos de asignación de direcciones para Internets privadas (RFC 1918).",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Seguridad"
+ "text": "Implemente los recursos de conectividad de la zona de aterrizaje de Azure en varias regiones, de modo que pueda admitir rápidamente zonas de aterrizaje de aplicaciones de varias 
regiones y escenarios de recuperación ante desastres.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
- "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "VNet",
- "severity": "Alto",
- "text": "Asegúrese de que no se desperdicie el espacio de direcciones IP, no cree redes virtuales innecesariamente grandes (por ejemplo, /16).",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Rendimiento"
+ "guid": "70c15989-c726-42c7-b0d3-24b7375b9201",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations",
+ "service": "Entra",
+ "severity": "Medio",
+ "text": "Use un inquilino de Entra para administrar los recursos de Azure, a menos que tenga un requisito normativo o empresarial claro para varios inquilinos.",
+ "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
- "link": 
"https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
- "service": "VNet",
+ "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Entra",
+ "severity": "Bajo",
+ "text": "Use el enfoque de automatización multiinquilino para administrar los inquilinos de identificador de Microsoft Entra.",
+ "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/",
+ "waf": "Operaciones"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "Entra",
 "severity": "Alto",
- "text": "No utilice intervalos de direcciones IP superpuestos para los sitios de producción y recuperación ante desastres.",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "Fiabilidad"
+ "text": "Use Azure Lighthouse para la administración de varios inquilinos con los mismos identificadores.",
+ "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience",
+ "waf": "Operaciones"
 },
 {
 "checklist": "Azure Landing Zone Review",
- "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
- "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone",
- "service": "Public IP Addresses", 
+ "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "severity": "Alto", - "text": "Use SKU estándar e IP con redundancia de zona cuando corresponda, las direcciones IP públicas de Azure pueden ser de SKU estándar, disponibles como no zonales, zonales o con redundancia de zona. Las direcciones IP con redundancia de zona son accesibles en todas las zonas, resistiendo cualquier error de una sola zona, lo que proporciona una mayor resistencia. ", - "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", - "waf": "Fiabilidad" + "text": "Si concede a un asociado acceso para administrar el inquilino, use Azure Lighthouse.", + "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", + "waf": "Costar" }, { - "arm-service": "Microsoft.Network/dnsZones", "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", + "severity": "Alto", + "text": "Aplique un modelo RBAC que se alinee con su modelo operativo en la nube. 
Ámbito y asignación entre grupos de administración y suscripciones.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Seguridad" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "severity": "Medio", - "text": "En entornos en los que la resolución de nombres en Azure es todo lo necesario, use Azure Private DNS para la resolución con una zona delegada para la resolución de nombres (como 'azure.contoso.com').", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operaciones" + "text": "Utilice solo el tipo de autenticación Cuenta profesional o educativa para todos los tipos de cuenta. Evite usar la cuenta de Microsoft", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/dnsZones", "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "severity": "Medio", - "text": "En el caso de los entornos en los que se requiere la resolución de nombres en Azure y en el entorno local y no existe ningún servicio DNS empresarial como Active Directory, use Azure DNS Private Resolver para enrutar las solicitudes DNS a Azure o a servidores DNS locales.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "text": "Utilice solo grupos para asignar 
permisos. Agregue grupos locales al grupo Solo ID de Entra si ya hay un sistema de administración de grupos en su lugar.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/dnsZones", "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "Bajo", - "text": "Las cargas de trabajo especiales que requieren e implementan su propio DNS (como Red Hat OpenShift) deben utilizar su solución de DNS preferida.", - "training": "https://learn.microsoft.com/training/courses/az-700t00", - "waf": "Operaciones" + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", + "severity": "Alto", + "text": "Aplique directivas de acceso condicional de identificador de Microsoft Entra para cualquier usuario con derechos en entornos de Azure.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/dnsZones", "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "severity": "Alto", - "text": "Habilite el registro automático de Azure DNS para administrar automáticamente el ciclo de vida de los registros DNS de las máquinas virtuales implementadas en una red virtual.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operaciones" + "text": 
"Aplique la autenticación multifactor para cualquier usuario con derechos sobre los entornos de Azure.", + "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/dnsZones", "checklist": "Azure Landing Zone Review", - "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", - "service": "DNS", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "severity": "Medio", - "text": "Implementación de un plan para administrar la resolución de DNS entre varias regiones de Azure y cuando los servicios conmutan por error a otra región", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Fiabilidad" + "text": "Aplique la administración de identidades privilegiadas (PIM) de Microsoft Entra ID para establecer un acceso permanente cero y privilegios mínimos.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/bastionHosts", "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "Medio", - "text": "Use Azure Bastion para conectarse de forma segura a la red.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "text": "Si planea cambiar de 
Servicios de dominio de Active Directory a Servicios de dominio Entra, evalúe la compatibilidad de todas las cargas de trabajo.", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/bastionHosts", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "Medio", - "text": "Use Azure Bastion en una subred /26 o superior.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Seguridad" + "text": "Al usar Microsoft Entra Domain Services, use conjuntos de réplicas. Los conjuntos de réplicas mejorarán la resistencia del dominio administrado y le permitirán implementarlo en regiones adicionales. 
", + "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "Medio", - "text": "Use las directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Integre los registros de identificador de Microsoft Entra con Azure Monitor central de la plataforma. Azure Monitor permite una única fuente de información sobre los datos de registro y supervisión en Azure, lo que proporciona a las organizaciones opciones nativas en la nube para cumplir los requisitos relacionados con la recopilación y retención de registros.", + "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "ammp": true, "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "Bajo", - "text": "Al usar Azure Front Door y Azure Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas de WAF en Azure Front Door. 
Bloquee Azure Application Gateway para recibir tráfico solo de Azure Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", + "severity": "Alto", + "text": "Implemente un acceso de emergencia o cuentas de emergencia para evitar el bloqueo de cuentas en todo el inquilino. MFA se activará de forma predeterminada para todos los usuarios en octubre de 2024. Recomendamos actualizar estas cuentas para usar la clave de paso (FIDO2) o configurar la autenticación basada en certificados para MFA. ", + "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "Alto", - "text": "Cuando se requieran WAF y otros servidores proxy inversos para las conexiones HTTP/S entrantes, impleméntelos dentro de una red virtual de zona de aterrizaje y junto con las aplicaciones que protegen y exponen a Internet.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", + "severity": "Medio", + "text": "No use cuentas sincronizadas locales para las asignaciones de roles de identificador de Microsoft Entra, a menos que tenga un escenario que lo requiera específicamente.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": 
"Seguridad" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", + "severity": "Medio", + "text": "Al usar el proxy de aplicación de Microsoft Entra ID para proporcionar a los usuarios remotos acceso a las aplicaciones, adminístrelo como un recurso de plataforma, ya que solo puede tener una instancia por inquilino.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Seguridad" }, { "arm-service": "Microsoft.Network/virtualNetworks", "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", "service": "VNet", - "severity": "Alto", - "text": "Use los planes de protección IP o de red DDoS de Azure para ayudar a proteger los puntos de conexión de direcciones IP públicas dentro de las redes virtuales.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "severity": "Medio", + "text": "Utilice una topología de red radial para escenarios de red que requieran la máxima flexibilidad.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Seguridad" }, { "arm-service": "Microsoft.Network/virtualNetworks", "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", "service": "VNet", "severity": "Alto", - "text": "Planifique cómo administrar la configuración y la estrategia del tráfico saliente de la red antes del próximo cambio importante. El 30 de septiembre de 2025, se retirará el acceso saliente predeterminado para las nuevas implementaciones y solo se permitirán configuraciones de acceso explícitas.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", - "waf": "Fiabilidad" + "text": "Implemente servicios de redes compartidas, incluidas puertas de enlace de ExpressRoute, puertas de enlace de VPN y Azure Firewall o aplicaciones virtuales de red de asociados en la red virtual del centro central. Si es necesario, implemente también servicios DNS.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Costar" }, { "arm-service": "Microsoft.Network/virtualNetworks", "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", "service": "VNet", "severity": "Alto", - "text": "Agregue configuraciones de diagnóstico para guardar los registros relacionados con DDoS para todas las direcciones IP públicas protegidas (DDoS IP o Protección de red).", + "text": "Utilice una red DDoS o un plan de protección de IP para todas las direcciones IP públicas en las zonas de aterrizaje de aplicaciones.", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone 
Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", - "severity": "Alto", - "text": "Asegúrese de que haya una asignación de directiva para denegar las direcciones IP públicas vinculadas directamente a las máquinas virtuales. Use exclusiones si se necesitan direcciones IP públicas en máquinas virtuales específicas.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Seguridad" + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", + "severity": "Medio", + "text": "Al implementar tecnologías de redes de asociados o NVA, siga las instrucciones del proveedor del asociado.", + "waf": "Fiabilidad" }, { "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", "service": "ExpressRoute", - "severity": "Medio", - "text": "Use ExpressRoute como conexión principal a Azure. 
Utilice las VPN como fuente de conectividad de respaldo.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "severity": "Bajo", + "text": "Si necesita el tránsito entre ExpressRoute y puertas de enlace de VPN en escenarios tipo hub-and-spoke, use Azure Route Server.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Network/virtualHubs", "checklist": "Azure Landing Zone Review", - "description": "Puede usar la anteposición de AS Path y los pesos de conexión para influir en el tráfico de Azure al entorno local, y la gama completa de atributos BGP en sus propios enrutadores para influir en el tráfico del entorno local a Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Cuando use varios circuitos ExpressRoute o varias ubicaciones locales, use atributos BGP para optimizar el enrutamiento.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "Bajo", + "text": "Si utiliza el servidor de rutas, utilice un prefijo /27 para la subred del 
servidor de rutas.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Network/virtualNetworks", "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "severity": "Medio", - "text": "Seleccione la SKU correcta para las puertas de enlace de ExpressRoute/VPN en función de los requisitos de ancho de banda y rendimiento.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "En el caso de las arquitecturas de red con varias topologías radiales en las regiones de Azure, use emparejamientos de redes virtuales globales entre las redes virtuales del centro para conectar las regiones entre sí.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", "waf": "Rendimiento" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 
'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Asegúrese de que usa circuitos ExpressRoute de datos ilimitados solo si alcanza el ancho de banda que justifica su costo.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Costar" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Aproveche la SKU local de ExpressRoute para reducir el costo de los circuitos, si la ubicación de emparejamiento de circuitos admite las regiones de Azure para la SKU local.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Costar" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Network/virtualNetworks", "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = 
SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", "severity": "Medio", - "text": "Implemente una puerta de enlace de ExpressRoute con redundancia de zona en las regiones de Azure admitidas.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "text": "Use Azure Monitor para redes para supervisar el estado de un extremo a otro de las redes de Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Network/virtualNetworks", "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "Medio", - "text": "En escenarios que requieren un ancho de banda superior a 10 Gbps o puertos dedicados de 10/100 Gbps, use ExpressRoute Direct.", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "text": "Si tiene más de 400 redes radiales en una región, implemente un centro adicional para omitir los límites de emparejamiento de red virtual (500) y el número máximo de prefijos que se pueden anunciar a través de ExpressRoute (1000).", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Network/virtualNetworks", "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "Medio", - "text": "Cuando se requiera una latencia baja o el rendimiento del entorno local a Azure debe ser superior a 10 Gbps, habilite FastPath para omitir la puerta de enlace de ExpressRoute de la ruta de acceso de datos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "text": "Limite el número de rutas por tabla de rutas a 400.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", + "arm-service": "Microsoft.Network/virtualNetworks", "checklist": "Azure Landing Zone Review", - "graph": "resources | where 
type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant",
- "guid": "4d873974-8b66-42d6-b15f-512a65498f6d",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway",
- "service": "VPN",
- "severity": "Medio",
- "text": "Use puertas de enlace de VPN con redundancia de zona para conectar sucursales o ubicaciones remotas a Azure (donde estén disponibles).",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
+ "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
+ "service": "VNet",
+ "severity": "Alto",
+ "text": "Use la opción \"Permitir tráfico a la red virtual remota\" al configurar emparejamientos de red virtual.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "microsoft.network/virtualNetworkGateways",
 "checklist": "Azure Landing Zone Review",
- "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable",
- "service": "VPN",
- "severity": "Medio",
- "text": "Utilice dispositivos VPN redundantes en las instalaciones (activo/activo o activo/pasivo).",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
+ "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancers",
+ "severity": "Alto",
+ "text": "Uso de SKU de Standard Load Balancer con una implementación con redundancia de zona, la selección de Standard SKU Load Balancer mejora la confiabilidad a través de zonas de disponibilidad y resistencia de zona, lo que garantiza que las implementaciones resistan errores de zona y región. A diferencia de Basic, admite el equilibrio de carga global y ofrece un SLA.",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
- "service": "ExpressRoute",
+ "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
+ "guid": "48682fb1-1e86-4458-a686-518ebd47393d",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancers",
 "severity": "Alto",
- "text": "Si usa ExpressRoute Direct, considere la posibilidad de usar circuitos locales de ExpressRoute a las regiones locales de Azure para ahorrar costos.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Costar"
+ "text": "Asegúrese de que los grupos de back-end del equilibrador de carga contengan al menos dos instancias, La implementación de Azure Load Balancers con al menos dos instancias en el back-end evita un único punto de error y admite la escalabilidad.",
+ "waf": "Fiabilidad"
 },
 {
 "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4",
- "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability",
+ "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
 "service": "ExpressRoute",
 "severity": "Medio",
- "text": "Cuando se requiera aislamiento de tráfico o ancho de banda dedicado, por ejemplo, para separar entornos de producción y no de producción, use diferentes circuitos ExpressRoute. Le ayudará a garantizar dominios de enrutamiento aislados y a aliviar los riesgos de vecinos ruidosos.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "Cuando use ExpressRoute Direct, configure MACsec para cifrar el tráfico en el nivel de capa dos entre los enrutadores de la organización y MSEE. El diagrama muestra este cifrado en el flujo.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
 "waf": "Seguridad"
 },
 {
 "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "b30e38c3-f298-412b-8363-cefe179b599d",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts",
+ "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
 "service": "ExpressRoute",
 "severity": "Medio",
- "text": "Supervise la disponibilidad y el uso de ExpressRoute mediante Express Route Insights integrado.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operaciones"
+ "text": "En escenarios en los que MACsec no es una opción (por ejemplo, no usar ExpressRoute Direct), use una puerta de enlace de VPN para establecer túneles IPsec a través del emparejamiento privado de ExpressRoute.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "Seguridad"
 },
 {
 "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
- "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
+ "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
 "service": "ExpressRoute",
- "severity": "Medio",
- "text": "Use el Monitor de conexión para la supervisión de la conectividad en toda la red, especialmente entre el entorno local y Azure.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operaciones"
+ "severity": "Alto",
+ "text": "Asegúrese de que no se usen espacios de direcciones IP superpuestos entre regiones de Azure y ubicaciones locales.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
+ "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
- "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution",
- "service": "ExpressRoute",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
+ "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
 "severity": "Medio",
- "text": "Use circuitos ExpressRoute de diferentes ubicaciones de emparejamiento para obtener redundancia.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidad"
+ "text": "Utilice las direcciones IP de los rangos de asignación de direcciones para Internets privadas (RFC 1918).",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
+ "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
- "service": "ExpressRoute",
- "severity": "Medio",
- "text": "Use VPN de sitio a sitio como conmutación por error de ExpressRoute, si solo usa un único circuito ExpressRoute.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidad"
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
+ "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
+ "severity": "Alto",
+ "text": "Asegúrese de que no se desperdicie el espacio de direcciones IP, no cree redes virtuales innecesariamente grandes (por ejemplo, /16).",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
+ "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
- "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
- "service": "ExpressRoute",
+ "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
+ "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
+ "service": "VNet",
 "severity": "Alto",
- "text": "Si utiliza una tabla de rutas en GatewaySubnet, asegúrese de que las rutas de puerta de enlace se propagan.",
+ "text": "No utilice intervalos de direcciones IP superpuestos para los sitios de producción y recuperación ante desastres.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "d581a947-69a2-4783-942e-9df3664324c8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
- "service": "ExpressRoute",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone",
+ "service": "Public IP Addresses",
 "severity": "Alto",
- "text": "Si usa ExpressRoute, el enrutamiento local debe ser dinámico: en caso de que se produzca un error de conexión, debe converger a la conexión restante del circuito. La carga debe compartirse entre ambas conexiones, idealmente como activa/activa, aunque también se admite activa/pasiva.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "text": "Use SKU estándar e IP con redundancia de zona cuando corresponda, las direcciones IP públicas de Azure pueden ser de SKU estándar, disponibles como no zonales, zonales o con redundancia de zona. Las direcciones IP con redundancia de zona son accesibles en todas las zonas, resistiendo cualquier error de una sola zona, lo que proporciona una mayor resistencia. ",
+ "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing",
 "waf": "Fiabilidad"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
+ "arm-service": "Microsoft.Network/dnsZones",
 "checklist": "Azure Landing Zone Review",
- "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
- "service": "ExpressRoute",
+ "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal",
+ "service": "DNS",
 "severity": "Medio",
- "text": "Asegúrese de que los dos vínculos físicos del circuito ExpressRoute están conectados a dos dispositivos perimetrales distintos de la red.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidad"
+ "text": "En entornos en los que la resolución de nombres en Azure es todo lo necesario, use Azure Private DNS para la resolución con una zona delegada para la resolución de nombres (como 'azure.contoso.com').",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
+ "arm-service": "Microsoft.Network/dnsZones",
 "checklist": "Azure Landing Zone Review",
- "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd",
- "service": "ExpressRoute",
+ "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
+ "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
+ "service": "DNS",
 "severity": "Medio",
- "text": "Asegúrese de que la detección de reenvío bidireccional (BFD) esté habilitada y configurada en los dispositivos de enrutamiento perimetral del cliente o proveedor.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidad"
+ "text": "En el caso de los entornos en los que se requiere la resolución de nombres en Azure y en el entorno local y no existe ningún servicio DNS empresarial como Active Directory, use Azure DNS Private Resolver para enrutar las solicitudes DNS a Azure o a servidores DNS locales.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
+ "arm-service": "Microsoft.Network/dnsZones",
 "checklist": "Azure Landing Zone Review",
- "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "ExpressRoute",
- "severity": "Alto",
- "text": "Conecte la puerta de enlace de ExpressRoute a dos o más circuitos de diferentes ubicaciones de emparejamiento para una mayor resistencia.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidad"
+ "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
+ "severity": "Bajo",
+ "text": "Las cargas de trabajo especiales que requieren e implementan su propio DNS (como Red Hat OpenShift) deben utilizar su solución de DNS preferida.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
+ "arm-service": "Microsoft.Network/dnsZones",
 "checklist": "Azure Landing Zone Review",
- "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
- "service": "ExpressRoute",
- "severity": "Medio",
- "text": "Configure registros de diagnóstico y alertas para la puerta de enlace de red virtual de ExpressRoute.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "guid": "614658d3-558f-4d77-849b-821112df27ee",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
+ "service": "DNS",
+ "severity": "Alto",
+ "text": "Habilite el registro automático de Azure DNS para administrar automáticamente el ciclo de vida de los registros DNS de las máquinas virtuales implementadas en una red virtual.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "waf": "Operaciones"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
+ "arm-service": "Microsoft.Network/dnsZones",
 "checklist": "Azure Landing Zone Review",
- "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
- "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
- "service": "ExpressRoute",
+ "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b",
+ "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures",
+ "service": "DNS",
 "severity": "Medio",
- "text": "No use circuitos ExpressRoute para la comunicación de red virtual a red virtual.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Rendimiento"
+ "text": "Implementación de un plan para administrar la resolución de DNS entre varias regiones de Azure y cuando los servicios conmutan por error a otra región",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Fiabilidad"
 },
 {
+ "arm-service": "microsoft.network/bastionHosts",
 "checklist": "Azure Landing Zone Review",
- "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "service": "N/A",
- "severity": "Bajo",
- "text": "No envíe el tráfico de Azure a ubicaciones híbridas para su inspección. En su lugar, siga el principio \"el tráfico de Azure se queda en Azure\" para que la comunicación entre los recursos de Azure se produzca a través de la red troncal de Microsoft.",
- "waf": "Rendimiento"
+ "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "service": "Bastion",
+ "severity": "Medio",
+ "text": "Use Azure Bastion para conectarse de forma segura a la red.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "microsoft.network/bastionHosts",
 "checklist": "Azure Landing Zone Review",
- "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
- "link": "https://learn.microsoft.com/azure/firewall/overview",
- "service": "Firewall",
- "severity": "Alto",
- "text": "Use Azure Firewall para controlar el tráfico de salida de Azure a Internet, las conexiones entrantes que no son HTTP/S y el filtrado del tráfico este/oeste (si la organización lo requiere).",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
+ "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
+ "service": "Bastion",
+ "severity": "Medio",
+ "text": "Use Azure Bastion en una subred /26 o superior.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
- "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview",
- "service": "Firewall",
+ "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "WAF",
 "severity": "Medio",
- "text": "Cree una directiva global de Azure Firewall para controlar la posición de seguridad en todo el entorno de red global y asígnela a todas las instancias de Azure Firewall. Permita que las directivas granulares cumplan los requisitos de regiones específicas delegando directivas de firewall incrementales a los equipos de seguridad locales a través del control de acceso basado en roles de Azure.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Use las directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
- "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
- "service": "Firewall",
+ "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
 "severity": "Bajo",
- "text": "Configure los proveedores de seguridad SaaS de socios compatibles dentro de Firewall Manager si la organización desea utilizar dichas soluciones para ayudar a proteger las conexiones salientes.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Al usar Azure Front Door y Azure Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas de WAF en Azure Front Door. Bloquee Azure Application Gateway para recibir tráfico solo de Azure Front Door.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
- "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
- "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
- "service": "Firewall",
+ "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
 "severity": "Alto",
- "text": "Utilice las reglas de la aplicación para filtrar el tráfico saliente en el nombre de host de destino para los protocolos compatibles. Use reglas de red basadas en FQDN y Azure Firewall con proxy DNS para filtrar el tráfico de salida a Internet a través de otros protocolos.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Cuando se requieran WAF y otros servidores proxy inversos para las conexiones HTTP/S entrantes, impleméntelos dentro de una red virtual de zona de aterrizaje y junto con las aplicaciones que protegen y exponen a Internet.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
- "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features",
- "service": "Firewall",
+ "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
 "severity": "Alto",
- "text": "Use Azure Firewall Premium para habilitar características de seguridad adicionales.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "text": "Use los planes de protección IP o de red DDoS de Azure para ayudar a proteger los puntos de conexión de direcciones IP públicas dentro de las redes virtuales.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
- "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules",
- "service": "Firewall",
+ "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
+ "service": "VNet",
 "severity": "Alto",
- "text": "Configure el modo de Inteligencia sobre amenazas de Azure Firewall en Alerta y Denegar para obtener protección adicional.",
- "waf": "Seguridad"
+ "text": "Planifique cómo administrar la configuración y la estrategia del tráfico saliente de la red antes del próximo cambio importante. El 30 de septiembre de 2025, se retirará el acceso saliente predeterminado para las nuevas implementaciones y solo se permitirán configuraciones de acceso explícitas.",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
- "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
- "service": "Firewall",
+ "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
 "severity": "Alto",
- "text": "Configure el modo IDPS de Azure Firewall en Denegar para obtener protección adicional.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "text": "Agregue configuraciones de diagnóstico para guardar los registros relacionados con DDoS para todas las direcciones IP públicas protegidas (DDoS IP o Protección de red).",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
- "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
- "service": "Firewall",
+ "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
+ "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
+ "service": "Policy",
 "severity": "Alto",
- "text": "En el caso de las subredes de redes virtuales que no están conectadas a Virtual WAN, adjunte una tabla de rutas para que el tráfico de Internet se redirija a Azure Firewall o a una aplicación virtual de red.",
+ "text": "Asegúrese de que haya una asignación de directiva para denegar las direcciones IP públicas vinculadas directamente a las máquinas virtuales. Use exclusiones si se necesitan direcciones IP públicas en máquinas virtuales específicas.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
- "service": "Firewall",
+ "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
+ "service": "ExpressRoute",
 "severity": "Medio",
- "text": "Agregue la configuración de diagnóstico para guardar registros, mediante la tabla de destino Recurso específico, para todas las implementaciones de Azure Firewall.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Operaciones"
+ "text": "Use ExpressRoute como conexión principal a Azure. Utilice las VPN como fuente de conectividad de respaldo.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
- "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
- "service": "Firewall",
- "severity": "Importante",
- "text": "Migre de las reglas de Azure Firewall clásico (si existen) a la directiva de firewall.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Operaciones"
+ "description": "Puede usar la anteposición de AS Path y los pesos de conexión para influir en el tráfico de Azure al entorno local, y la gama completa de atributos BGP en sus propios enrutadores para influir en el tráfico del entorno local a Azure.",
+ "guid": "f29812b2-363c-4efe-879b-599de0d5973c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
+ "service": "ExpressRoute",
+ "severity": "Medio",
+ "text": "Cuando use varios circuitos ExpressRoute o varias ubicaciones locales, use atributos BGP para optimizar el enrutamiento.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
- "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
- "service": "Firewall",
- "severity": "Alto",
- "text": "Use un prefijo /26 para las subredes de Azure Firewall.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
- "waf": "Seguridad"
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
+ "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku",
+ "service": "ExpressRoute",
+ "severity": "Medio",
+ "text": "Seleccione la SKU correcta para las puertas de enlace de ExpressRoute/VPN en función de los requisitos de ancho de banda y rendimiento.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
- "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
- "service": "Firewall",
- "severity": "Medio",
- "text": "Organice las reglas dentro de la política de firewall en grupos de recopilación de reglas y colecciones de reglas, en función de su frecuencia de uso.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/",
- "waf": "Rendimiento"
+ "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
+ "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
+ "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
+ "service": "ExpressRoute",
+ "severity": "Alto",
+ "text": "Asegúrese de que usa circuitos ExpressRoute de datos ilimitados solo si alcanza el ancho de banda que justifica su costo.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "Costar"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
- "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
- "service": "Firewall",
- "severity": "Medio",
- "text": "Utilice grupos de direcciones IP o prefijos de direcciones IP para reducir el número de reglas de tabla de direcciones IP.",
- "waf": "Rendimiento"
+ "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
+ "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
+ "service": "ExpressRoute",
+ "severity": "Alto",
+ "text": "Aproveche la SKU local de ExpressRoute para reducir el costo de los circuitos, si la ubicación de emparejamiento de circuitos admite las regiones de Azure para la SKU local.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "Costar"
 },
 {
- "arm-service": 
"Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", "severity": "Medio", - "text": "No utilice caracteres comodín como IP de origen para los DNAT, como * o cualquiera, debe especificar las direcciones IP de origen para los DNAT entrantes.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "Rendimiento" + "text": "Implemente una puerta de enlace de ExpressRoute con redundancia de zona en las regiones de Azure admitidas.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "Medio", - "text": "Evite el agotamiento del puerto SNAT supervisando 
el uso del puerto SNAT, evaluando la configuración de la puerta de enlace NAT y garantizando una conmutación por error sin problemas. Si el número de puertos se acerca al límite, es una señal de que el agotamiento de SNAT podría ser inminente.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "text": "En escenarios que requieren un ancho de banda superior a 10 Gbps o puertos dedicados de 10/100 Gbps, use ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "Alto", - "text": "Si usa Azure Firewall Premium, habilite la inspección de TLS.", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Cuando se requiera una latencia baja o el rendimiento del entorno local a Azure debe ser superior a 10 Gbps, habilite FastPath para omitir la puerta de enlace de ExpressRoute de la ruta de acceso de datos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/virtualNetworkGateways", "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "Bajo", - "text": "Utilice categorías web para permitir o denegar el acceso saliente a temas específicos.", - "waf": 
"Rendimiento" + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", + "severity": "Medio", + "text": "Use puertas de enlace de VPN con redundancia de zona para conectar sucursales o ubicaciones remotas a Azure (donde estén disponibles).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/virtualNetworkGateways", "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "severity": "Medio", - "text": "Como parte de la inspección de TLS, planee la recepción de tráfico de Azure App Gateways para su inspección.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", - "waf": "Rendimiento" + "text": "Utilice dispositivos VPN redundantes en las instalaciones (activo/activo o activo/pasivo).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = 
(properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Si usa ExpressRoute Direct, considere la posibilidad de usar circuitos locales de ExpressRoute a las regiones locales de Azure para ahorrar costos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Costar" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", "severity": "Medio", - "text": "Habilite la configuración de proxy DNS de Azure Firewall.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "text": "Cuando se requiera aislamiento de tráfico o ancho de banda dedicado, por ejemplo, para separar entornos de producción y no de producción, use diferentes circuitos ExpressRoute. 
Le ayudará a garantizar dominios de enrutamiento aislados y a aliviar los riesgos de vecinos ruidosos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "Alto", - "text": "Integre Azure Firewall con Azure Monitor y habilite el registro de diagnóstico para almacenar y analizar los registros y las métricas del firewall.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Supervise la disponibilidad y el uso de ExpressRoute mediante Express Route Insights integrado.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Operaciones" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "Bajo", - "text": "Implementación de copias de seguridad para las reglas de firewall", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Use el Monitor de conexión para la supervisión de la conectividad en toda 
la red, especialmente entre el entorno local y Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Operaciones" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", - "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", - "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", - "service": "Firewall", - "severity": "Alto", - "text": "Implemente Azure Firewall en varias zonas de disponibilidad. Azure Firewall ofrece diferentes acuerdos de nivel de servicio en función de su implementación; en una sola zona de disponibilidad o en varias, lo que podría mejorar la fiabilidad y el rendimiento.", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Use circuitos ExpressRoute de 
diferentes ubicaciones de emparejamiento para obtener redundancia.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", - "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", - "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", - "service": "Firewall", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Use VPN de sitio a sitio como conmutación por error de ExpressRoute, si solo usa un único circuito ExpressRoute.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets 
| project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "severity": "Alto", - "text": "Configure la protección contra DDoS en la red virtual de Azure Firewall y asocie un plan de protección contra DDoS con la red virtual que hospeda Azure Firewall para proporcionar una mitigación mejorada contra ataques DDoS. Azure Firewall Manager integra la creación de infraestructura de firewall y planes de protección contra DDoS. 
", + "text": "Si utiliza una tabla de rutas en GatewaySubnet, asegúrese de que las rutas de puerta de enlace se propagan.", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/applicationGateways", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "severity": "Alto", - "text": "No interrumpa la comunicación del plano de control para los servicios PaaS de Azure insertados en una red virtual, como con una ruta 0.0.0.0/0 o una regla de grupo de seguridad de red que bloquee el tráfico del plano de control.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Seguridad" + "text": "Si usa ExpressRoute, el enrutamiento local debe ser dinámico: en caso de que se produzca un error de conexión, debe converger a la conexión restante del circuito. 
La carga debe compartirse entre ambas conexiones, idealmente como activa/activa, aunque también se admite activa/pasiva.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", "service": "ExpressRoute", "severity": "Medio", - "text": "Acceda a los servicios PaaS de Azure desde el entorno local a través de puntos de conexión privados y el emparejamiento privado de ExpressRoute. Este método evita el tránsito por la Internet pública.", + "text": "Asegúrese de que los dos vínculos físicos del circuito ExpressRoute están conectados a dos dispositivos perimetrales distintos de la red.", "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Seguridad" + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Asegúrese de que la detección de reenvío bidireccional (BFD) esté habilitada y configurada en los dispositivos de enrutamiento perimetral del cliente o proveedor.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", "severity": "Alto", - "text": "No habilite los puntos de conexión de servicio de red virtual de forma predeterminada en todas las subredes.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Seguridad" + "text": "Conecte la puerta de enlace de ExpressRoute a dos o más circuitos de diferentes ubicaciones de emparejamiento para una mayor resistencia.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "severity": "Medio", - "text": "Filtre el tráfico de salida a los servicios PaaS de Azure mediante FQDN en lugar de direcciones IP en Azure Firewall o una NVA para evitar la filtración de datos. 
Si usa Private Link, puede bloquear todos los FQDN, de lo contrario, permitir solo los servicios PaaS necesarios.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Seguridad" + "text": "Configure registros de diagnóstico y alertas para la puerta de enlace de red virtual de ExpressRoute.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operaciones" }, { "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", "service": "ExpressRoute", - "severity": "Alto", - "text": "Utilice al menos un prefijo /27 para las subredes de puerta de enlace.", - "waf": "Seguridad" + "severity": "Medio", + "text": "No use circuitos ExpressRoute para la comunicación de red virtual a red virtual.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", + "severity": "Bajo", + "text": "No envíe el tráfico de Azure a ubicaciones híbridas para su inspección. 
En su lugar, siga el principio \"el tráfico de Azure se queda en Azure\" para que la comunicación entre los recursos de Azure se produzca a través de la red troncal de Microsoft.", + "waf": "Rendimiento" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", "severity": "Alto", - "text": "No confíe en las reglas predeterminadas de entrada del grupo de seguridad de red que usan la etiqueta de servicio VirtualNetwork para limitar la conectividad.", + "text": "Use Azure Firewall para controlar el tráfico de salida de Azure a Internet, las conexiones entrantes que no son HTTP/S y el filtrado del tráfico este/oeste (si la organización lo requiere).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", "severity": "Medio", - "text": "Use los grupos de seguridad de red para 
ayudar a proteger el tráfico a través de las subredes, así como el tráfico este/oeste a través de la plataforma (tráfico entre zonas de aterrizaje).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "Cree una directiva global de Azure Firewall para controlar la posición de seguridad en todo el entorno de red global y asígnela a todas las instancias de Azure Firewall. Permita que las directivas granulares cumplan los requisitos de regiones específicas delegando directivas de firewall incrementales a los equipos de seguridad locales a través del control de acceso basado en roles de Azure.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", - "severity": "Medio", - "text": "Use grupos de seguridad de red y grupos de seguridad de aplicaciones para microsegmentar el tráfico dentro de la zona de aterrizaje y evite usar una NVA central para filtrar los flujos de tráfico.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "Bajo", + "text": "Configure los proveedores de seguridad SaaS de socios compatibles dentro de Firewall Manager si la organización desea utilizar dichas soluciones para ayudar a proteger las conexiones salientes.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", + "arm-service": 
"Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", - "severity": "Medio", - "text": "Habilite los registros de flujo de red virtual e introdúzcalos en Traffic Analytics para obtener información sobre los flujos de tráfico internos y externos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", + "severity": "Alto", + "text": "Utilice las reglas de la aplicación para filtrar el tráfico saliente en el nombre de host de destino para los protocolos compatibles. 
Use reglas de red basadas en FQDN y Azure Firewall con proxy DNS para filtrar el tráfico de salida a Internet a través de otros protocolos.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
- "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "NSG",
- "severity": "Medio",
- "text": "No implemente más de 900 reglas de grupo de seguridad de red por grupo de seguridad de red, debido al límite de 1000 reglas.",
- "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "waf": "Fiabilidad"
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
+ "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "service": "Firewall",
+ "severity": "Alto",
+ "text": "Use Azure Firewall Premium para habilitar características de seguridad adicionales.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
- "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any",
- "service": "VWAN",
- "severity": "Medio",
- "text": "Use Virtual WAN si el escenario se describe explícitamente en la 
lista de diseños de enrutamiento de Virtual WAN.",
- "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
- "waf": "Operaciones"
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
+ "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules",
+ "service": "Firewall",
+ "severity": "Alto",
+ "text": "Configure el modo de Inteligencia sobre amenazas de Azure Firewall en Alerta y Denegar para obtener protección adicional.",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst",
- "service": "VWAN",
- "severity": "Medio",
- "text": "Use un centro de conectividad de Virtual WAN por región de Azure para conectar varias zonas de aterrizaje entre sí en regiones de Azure a través de una Azure Virtual WAN global común.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Rendimiento"
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
+ "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
+ "service": "Firewall",
+ "severity": "Alto",
+ "text": "Configure el modo IDPS de Azure Firewall en Denegar para obtener protección adicional.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "waf": "Seguridad"
 },
 {
- "arm-service": 
"microsoft.network/virtualWans",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
- "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
- "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall",
- "service": "VWAN",
- "severity": "Medio",
- "text": "Para la protección y el filtrado del tráfico de Internet saliente, implemente Azure Firewall en centros seguros.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
+ "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
+ "service": 
"Firewall",
+ "severity": "Alto",
+ "text": "En el caso de las subredes de redes virtuales que no están conectadas a Virtual WAN, adjunte una tabla de rutas para que el tráfico de Internet se redirija a Azure Firewall o a una aplicación virtual de red.",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology",
- "service": "VWAN",
+ "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
+ "service": "Firewall",
 "severity": "Medio",
- "text": "Asegúrese de que la arquitectura de red WAN virtual se alinee con un escenario de arquitectura identificado.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Fiabilidad"
+ "text": "Agregue la configuración de diagnóstico para guardar registros, mediante la tabla de destino Recurso específico, para todas las implementaciones de Azure Firewall.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
- "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
- "service": "VWAN",
- "severity": "Medio",
- "text": "Use Azure Monitor Insights para Virtual WAN para supervisar la topología de un extremo a otro de Virtual WAN, el estado y las métricas clave.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
+ "service": "Firewall",
+ "severity": "Alto",
+ "text": "Migre de las reglas de Azure Firewall clásico (si existen) a la directiva de firewall.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Operaciones"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant",
- "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
- "service": "VWAN",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
+ "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
+ "service": "Firewall",
+ "severity": "Alto",
+ "text": "Use un prefijo /26 para las subredes de Azure Firewall.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
+ "service": "Firewall",
 "severity": "Medio",
- "text": "No deshabilite el tráfico de rama a rama en Virtual WAN, a menos que estos flujos se deban bloquear explícitamente.",
- "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Fiabilidad"
+ "text": "Organice las reglas dentro de la política de firewall en grupos de recopilación de reglas y colecciones de reglas, en función de su frecuencia de uso.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant",
- "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
- "service": "VWAN",
+ "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
+ "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
+ "service": "Firewall",
 "severity": "Medio",
- "text": "Use AS-Path como preferencia de enrutamiento del concentrador, ya que es más flexible que ExpressRoute o VPN.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Fiabilidad"
+ "text": "Utilice grupos de direcciones IP o prefijos de direcciones IP para reducir el número de reglas de tabla de direcciones IP.",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
- "service": "VWAN",
+ "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
+ "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
+ "service": "Firewall",
 "severity": "Medio",
- "text": "Configure la propagación basada en etiquetas en Virtual WAN, de lo contrario, 
la conectividad entre los centros virtuales se verá afectada.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Fiabilidad"
+ "text": "No utilice caracteres comodín como IP de origen para los DNAT, como * o cualquiera, debe especificar las direcciones IP de origen para los DNAT entrantes.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant",
- "guid": "9c75dfef-573c-461c-a698-68598595581a",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
- "service": "VWAN",
- "severity": "Alto",
- "text": "Asigne al menos un prefijo /23 a los centros virtuales para asegurarse de que haya suficiente espacio IP disponible.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Fiabilidad"
+ "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
+ "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway",
+ "service": "Firewall",
+ "severity": "Medio",
+ "text": "Evite el agotamiento del puerto SNAT supervisando el uso del puerto SNAT, evaluando la configuración de la puerta de enlace NAT y garantizando una conmutación por error sin problemas. 
Si el número de puertos se acerca al límite, es una señal de que el agotamiento de SNAT podría ser inminente.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "guid": "346840b8-1064-496e-8396-4b1340172d52",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection",
+ "service": "Firewall",
 "severity": "Alto",
- "text": "Aproveche Azure Policy de forma estratégica, defina controles para su entorno mediante iniciativas de directivas para agrupar directivas relacionadas.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Seguridad"
+ "text": "Si usa Azure Firewall Premium, habilite la inspección de TLS.",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories",
+ "service": "Firewall",
+ "severity": "Bajo",
+ "text": "Utilice categorías web para permitir o denegar el acceso saliente a temas específicos.",
+ "waf": "Rendimiento"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall",
+ 
"service": "Firewall",
 "severity": "Medio",
- "text": "Asigne los requisitos normativos y de cumplimiento a las definiciones de Azure Policy y las asignaciones de roles de Azure.",
- "training": "https://learn.microsoft.com/training/modules/governance-security/",
- "waf": "Seguridad"
+ "text": "Como parte de la inspección de TLS, planee la recepción de tráfico de Azure App Gateways para su inspección.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant",
+ "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
+ "link": "https://learn.microsoft.com/azure/firewall/dns-details",
+ "service": "Firewall",
 "severity": "Medio",
- "text": "Establezca definiciones de Azure Policy en el grupo de administración raíz intermedio para que se puedan asignar en ámbitos heredados.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "Habilite la configuración de proxy DNS de Azure Firewall.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
+ "link": 
"https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
+ "service": "Firewall",
 "severity": "Alto",
- "text": "Administre las asignaciones de políticas en el nivel más alto apropiado con exclusiones en los niveles inferiores, si es necesario.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Seguridad"
+ "text": "Integre Azure Firewall con Azure Monitor y habilite el registro de diagnóstico para almacenar y analizar los registros y las métricas del firewall.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "43334f24-9116-4341-a2ba-527526944008",
- "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
- "service": "Policy",
+ "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "service": "Firewall",
 "severity": "Bajo",
- "text": "Use Azure Policy para controlar los servicios que los usuarios pueden aprovisionar en el nivel de suscripción o grupo de administración.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Seguridad"
+ "text": "Implementación de copias de seguridad para las reglas de firewall",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where 
array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'",
+ "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707",
+ "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell",
+ "service": "Firewall",
 "severity": "Alto",
- "text": "Utilice políticas integradas siempre que sea posible para minimizar la sobrecarga operativa.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Seguridad"
+ "text": "Implemente Azure Firewall en varias zonas de disponibilidad. Azure Firewall ofrece diferentes acuerdos de nivel de servicio en función de su implementación; en una sola zona de disponibilidad o en varias, lo que podría mejorar la fiabilidad y el rendimiento.",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "description": "La asignación del rol Colaborador de políticas de recursos a ámbitos específicos le permite delegar la administración de directivas a los equipos pertinentes. 
Por ejemplo, un equipo de TI central puede supervisar las políticas a nivel de grupo de administración, mientras que los equipos de aplicaciones se encargan de las políticas de sus suscripciones, lo que permite la gobernanza distribuida con el cumplimiento de los estándares de la organización.",
- "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
- "service": "Policy",
- "severity": "Medio",
- "text": "Asigne el rol integrado Colaborador de directiva de recursos en un ámbito determinado para habilitar la gobernanza de nivel de aplicación.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Seguridad"
+ "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'",
+ "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc",
+ "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview",
+ "service": "Firewall",
+ "severity": "Alto",
+ "text": "Configure la protección contra DDoS en la red virtual de Azure Firewall y asocie un plan de protección contra DDoS con la red virtual que hospeda Azure Firewall para proporcionar una mitigación mejorada contra ataques DDoS. 
Azure Firewall Manager integra la creación de infraestructura de firewall y planes de protección contra DDoS. ",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "microsoft.network/applicationGateways",
 "checklist": "Azure Landing Zone Review",
- "guid": "19048384-5c98-46cb-8913-156a12476e49",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": "Medio",
- "text": "Limite el número de asignaciones de Azure Policy realizadas en el ámbito del grupo de administración raíz para evitar la administración a través de exclusiones en ámbitos heredados.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "App Gateway",
+ "severity": "Alto",
+ "text": "No interrumpa la comunicación del plano de control para los servicios PaaS de Azure insertados en una red virtual, como con una ruta 0.0.0.0/0 o una regla de grupo de seguridad de red que bloquee el tráfico del plano de control.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
- "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
- "service": "Policy",
+ "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
+ "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview",
+ "service": "ExpressRoute",
 "severity": "Medio",
- "text": "Si existen requisitos de soberanía de datos, se deben implementar Azure Policies para aplicarlos.",
- "training": 
"https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "text": "Acceda a los servicios PaaS de Azure desde el entorno local a través de puntos de conexión privados y el emparejamiento privado de ExpressRoute. Este método evita el tránsito por la Internet pública.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
- "service": "Policy",
- "severity": "Medio",
- "text": "Para la zona de aterrizaje soberana, implemente la línea base de la política de soberanía y asígnela en el nivel de grupo de gestión correcto.",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
+ "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview",
+ "service": "VNet",
+ "severity": "Alto",
+ "text": "No habilite los puntos de conexión de servicio de red virtual de forma predeterminada en todas las subredes.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
- "link": 
"https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
- "service": "Policy",
+ "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe",
+ "link": "azure/private-link/inspect-traffic-with-azure-firewall",
+ "service": "Firewall",
 "severity": "Medio",
- "text": "En el caso de la Zona de Aterrizaje Soberano, documente los objetivos del Control Soberano para el mapeo de políticas.",
+ "text": "Filtre el tráfico de salida a los servicios PaaS de Azure mediante FQDN en lugar de direcciones IP en Azure Firewall o una NVA para evitar la filtración de datos. Si usa Private Link, puede bloquear todos los FQDN, de lo contrario, permitir solo los servicios PaaS necesarios.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
- "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives",
- "service": "Policy",
- "severity": "Medio",
- "text": "En el caso de la Zona de Aterrizaje Soberana, garantizar que exista un proceso para la gestión de los \"objetivos de control soberano para el mapeo de políticas\".",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
+ "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
+ "service": "ExpressRoute",
+ "severity": "Alto",
+ "text": 
"Utilice al menos un prefijo /27 para las subredes de puerta de enlace.",
 "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Insights/components",
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
 "checklist": "Azure Landing Zone Review",
- "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
- "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions",
- "service": "Monitor",
- "severity": "Medio",
- "text": "Use un único área de trabajo de registros de monitor para administrar las plataformas de forma centralizada, excepto cuando el control de acceso basado en rol de Azure (Azure RBAC), los requisitos de soberanía de datos o las directivas de retención de datos exijan áreas de trabajo independientes.",
- "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "waf": "Operaciones"
+ "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)",
+ "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
+ "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags",
+ 
"service": "NSG",
+ "severity": "Alto",
+ "text": "No confíe en las reglas predeterminadas de entrada del grupo de seguridad de red que usan la etiqueta de servicio VirtualNetwork para limitar la conectividad.",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "Microsoft.Insights/components",
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
 "checklist": "Azure Landing Zone Review",
- "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Monitor",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant",
+ "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
+ "service": "NSG",
 "severity": "Medio",
- "text": "Decida si desea usar una única área de trabajo de Azure Monitor Logs para todas las regiones o crear varias áreas de trabajo para cubrir varias regiones geográficas. 
Cada enfoque tiene ventajas y desventajas, incluidos los posibles cargos de red entre regiones", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Fiabilidad" + "text": "Use los grupos de seguridad de red para ayudar a proteger el tráfico a través de las subredes, así como el tráfico este/oeste a través de la plataforma (tráfico entre zonas de aterrizaje).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", + "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", - "severity": "Alto", - "text": "Exporte los registros a Azure Storage si los requisitos de retención de registros superan los doce años. 
Use el almacenamiento inmutable con una política de escritura única y lectura múltiple para que los datos no se puedan borrar ni modificar durante un intervalo especificado por el usuario.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operaciones" + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "Medio", + "text": "Use grupos de seguridad de red y grupos de seguridad de aplicaciones para microsegmentar el tráfico dentro de la zona de aterrizaje y evite usar una NVA central para filtrar los flujos de tráfico.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", + "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", + "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": 
"https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", "severity": "Medio", - "text": "Supervise el desfase de configuración de la máquina virtual (VM) a nivel de sistema operativo mediante Azure Policy. La habilitación de las funcionalidades de auditoría de Azure Automanage Machine Configuration a través de directivas ayuda a las cargas de trabajo del equipo de aplicaciones a consumir inmediatamente las funcionalidades de características con poco esfuerzo.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operaciones" + "text": "Habilite los registros de flujo de red virtual e introdúzcalos en Traffic Analytics para obtener información sobre los flujos de tráfico internos y externos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", + "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", - "service": "VM", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "severity": "Medio", - "text": "Use Azure Update Manager como mecanismo de aplicación de revisiones para máquinas virtuales Windows y Linux en Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operaciones" + "text": "No implemente más de 900 reglas de grupo de 
seguridad de red por grupo de seguridad de red, debido al límite de 1000 reglas.", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", "severity": "Medio", - "text": "Use Azure Update Manager como mecanismo de aplicación de revisiones para máquinas virtuales Windows y Linux fuera de Azure mediante Azure Arc.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "text": "Use Virtual WAN si el escenario se describe explícitamente en la lista de diseños de enrutamiento de Virtual WAN.", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", "waf": "Operaciones" }, { - "arm-service": "microsoft.network/networkWatchers", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", "severity": "Medio", - "text": "Utilice Network Watcher para supervisar de forma proactiva los flujos de tráfico.", - "training": 
"https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Operaciones" + "text": "Use un centro de conectividad de Virtual WAN por región de Azure para conectar varias zonas de aterrizaje entre sí en regiones de Azure a través de una Azure Virtual WAN global común.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Insights/components", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", "severity": "Medio", - "text": "Use los registros de Azure Monitor para obtener información e informes.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", - "waf": "Operaciones" + "text": "Para la protección y el filtrado del tráfico de Internet saliente, implemente Azure Firewall en centros seguros.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", "severity": 
"Medio", - "text": "Use las alertas de Azure Monitor para la generación de alertas operativas.", - "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", - "waf": "Operaciones" + "text": "Asegúrese de que la arquitectura de red WAN virtual se alinee con un escenario de arquitectura identificado.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Insights/components", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", "severity": "Medio", - "text": "Al usar el seguimiento de cambios e inventario a través de cuentas de Azure Automation, asegúrese de que ha seleccionado regiones compatibles para vincular el área de trabajo de Log Analytics y las cuentas de automatización.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "text": "Use Azure Monitor Insights para Virtual WAN para supervisar la topología de un extremo a otro de Virtual WAN, el estado y las métricas clave.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": "Operaciones" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", - "severity": "Bajo", - "text": "Al usar Azure Backup, use los tipos de copia de seguridad correctos (GRS, ZRS Y LRS) para la copia de seguridad, ya que 
la configuración predeterminada es GRS.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", + "severity": "Medio", + "text": "No deshabilite el tráfico de rama a rama en Virtual WAN, a menos que estos flujos se deban bloquear explícitamente.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", - "severity": "Medio", - "text": "Use directivas de invitado de Azure para implementar automáticamente configuraciones de software a través de extensiones de máquina virtual y aplicar una configuración de máquina virtual de línea base compatible.", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "description": "Use las características de configuración de invitado de Azure Policy para auditar y corregir la configuración de la máquina (por ejemplo, el sistema operativo, la aplicación, el entorno) para asegurarse de que los recursos se alinean con las configuraciones esperadas, y Update Management puede aplicar la administración de revisiones para las máquinas virtuales.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", - "severity": "Medio", - "text": "Supervise el desfase de la configuración de seguridad de la máquina virtual a través de Azure Policy.", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", "severity": "Medio", - "text": "Use Azure Site Recovery para escenarios de recuperación ante desastres de Azure a Azure Virtual Machines. 
Esto le permite replicar cargas de trabajo en todas las regiones.", - "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", - "waf": "Operaciones" + "text": "Use AS-Path como preferencia de enrutamiento del concentrador, ya que es más flexible que ExpressRoute o VPN.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", "severity": "Medio", - "text": "Use funcionalidades de copia de seguridad nativas de Azure o una solución de copia de seguridad de terceros compatible con Azure.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "Operaciones" + "text": "Configure la propagación basada en etiquetas en Virtual WAN, de lo contrario, la conectividad entre los centros virtuales se verá afectada.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= 
(toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "severity": "Alto", - "text": "Agregue configuración de diagnóstico para guardar los registros de WAF de los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway. Revise periódicamente los registros para comprobar si hay ataques y detecciones de falsos positivos.", - "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", - "waf": "Operaciones" - }, - { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", - "severity": "Medio", - "text": "Envíe registros de WAF desde los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway, a Microsoft Sentinel. 
Detecte ataques e integre la telemetría de WAF en su entorno general de Azure.", - "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", - "waf": "Operaciones" + "text": "Asigne al menos un prefijo /23 a los centros virtuales para asegurarse de que haya suficiente espacio IP disponible.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Alto", - "text": "Use Azure Key Vault para almacenar sus secretos y credenciales.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "text": "Aproveche Azure Policy de forma estratégica, defina controles para su entorno mediante iniciativas de directivas para agrupar directivas relacionadas.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = 
iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Medio", - "text": "Use diferentes instancias de Azure Key Vaults para diferentes aplicaciones y regiones para evitar límites de escala de transacciones y restringir el acceso a los secretos.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "text": "Asigne los requisitos normativos y de cumplimiento a las definiciones de Azure Policy y las asignaciones de roles de Azure.", + "training": "https://learn.microsoft.com/training/modules/governance-security/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Medio", - "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención para los objetos eliminados.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "text": "Establezca definiciones de Azure Policy en el grupo de administración raíz intermedio para que se puedan asignar en ámbitos heredados.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Seguridad" }, { - "arm-service": 
"Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Siga un modelo de privilegios mínimos limitando la autorización para eliminar claves, secretos y certificados de forma permanente a roles de identificador personalizados especializados de Microsoft Entra.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Alto", + "text": "Administre las asignaciones de políticas en el nivel más alto apropiado con exclusiones en los niveles inferiores, si es necesario.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Automatice el proceso de gestión y renovación de certificados con autoridades de certificación públicas para facilitar la administración.", - "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "Bajo", + "text": "Use Azure Policy para controlar los servicios que los usuarios pueden aprovisionar en el nivel de suscripción o grupo de administración.", + 
"training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Establezca un proceso automatizado para la rotación de claves y certificados.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Alto", + "text": "Utilice políticas integradas siempre que sea posible para minimizar la sobrecarga operativa.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "description": "La asignación del rol Colaborador de políticas de recursos a ámbitos específicos le permite delegar la administración de directivas a los equipos pertinentes. 
Por ejemplo, un equipo de TI central puede supervisar las políticas a nivel de grupo de administración, mientras que los equipos de aplicaciones se encargan de las políticas de sus suscripciones, lo que permite la gobernanza distribuida con el cumplimiento de los estándares de la organización.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "severity": "Medio", - "text": "Habilite el firewall y el punto de conexión de servicio de red virtual o el punto de conexión privado en el almacén para controlar el acceso al almacén de claves.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "text": "Asigne el rol integrado Colaborador de directiva de recursos en un ámbito determinado para habilitar la gobernanza de nivel de aplicación.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Medio", - "text": "Use el área de trabajo de Log Analytics de Azure Monitor central de la plataforma para auditar el uso de claves, certificados y secretos en cada instancia de Key Vault.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "text": "Limite el número de asignaciones de Azure Policy realizadas en el ámbito del grupo de administración raíz para evitar la administración a través de exclusiones en 
ámbitos heredados.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "severity": "Medio", - "text": "Delegue la creación de instancias de Key Vault y el acceso con privilegios, y use Azure Policy para aplicar una configuración coherente y conforme.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "text": "Si existen requisitos de soberanía de datos, se deben implementar Azure Policies para aplicarlos.", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "severity": "Medio", - "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "text": "Para la zona de aterrizaje soberana, implemente la línea base de la política de soberanía y asígnela en el nivel de grupo de gestión correcto.", 
"waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "severity": "Medio", - "text": "Si desea traer sus propias claves, es posible que esto no sea compatible con todos los servicios considerados. Implemente la mitigación pertinente para que las inconsistencias no obstaculicen los resultados deseados. Elija los pares de regiones y las regiones de recuperación ante desastres adecuados que minimicen la latencia.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "text": "En el caso de la Zona de Aterrizaje Soberano, documente los objetivos del Control Soberano para el mapeo de políticas.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", "severity": "Medio", - "text": "En el caso de la zona de aterrizaje soberana, use el HSM administrado de Azure Key Vault para almacenar los secretos y las credenciales.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "text": "En el caso de la Zona de Aterrizaje Soberana, garantizar que exista un proceso para la gestión de los 
\"objetivos de control soberano para el mapeo de políticas\".", "waf": "Seguridad" }, { + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", + "service": "Monitor", "severity": "Medio", - "text": "Use las capacidades de generación de informes de Microsoft Entra ID para generar informes de auditoría de control de acceso.", - "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", - "waf": "Seguridad" + "text": "Use un único área de trabajo de registros de monitor para administrar las plataformas de forma centralizada, excepto cuando el control de acceso basado en rol de Azure (Azure RBAC), los requisitos de soberanía de datos o las directivas de retención de datos exijan áreas de trabajo independientes.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operaciones" }, { + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", - "severity": "Alto", - "text": "Habilite la administración de la posición de seguridad en la nube de Defender para todas las suscripciones.", - "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", - "waf": "Seguridad" + "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", + "severity": "Medio", + "text": "Decida si desea 
usar una única área de trabajo de Azure Monitor Logs para todas las regiones o crear varias áreas de trabajo para cubrir varias regiones geográficas. Cada enfoque tiene ventajas y desventajas, incluidos los posibles cargos de red entre regiones", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Fiabilidad" }, { + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "severity": "Alto", - "text": "Habilite un plan de protección de carga de trabajo en la nube de Defender para servidores en todas las suscripciones.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", - "waf": "Seguridad" + "text": "Exporte los registros a Azure Storage si los requisitos de retención de registros superan los doce años. 
Use el almacenamiento inmutable con una política de escritura única y lectura múltiple para que los datos no se puedan borrar ni modificar durante un intervalo especificado por el usuario.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operaciones" }, { + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "Alto", - "text": "Habilite los planes de protección de cargas de trabajo en la nube de Defender para recursos de Azure en todas las suscripciones.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", - "waf": "Seguridad" + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", + "severity": "Medio", + "text": "Supervise el desfase de configuración de la máquina virtual (VM) a nivel de sistema operativo mediante Azure Policy. 
La habilitación de las funcionalidades de auditoría de Azure Automanage Machine Configuration a través de directivas ayuda a las cargas de trabajo del equipo de aplicaciones a consumir inmediatamente las funcionalidades de características con poco esfuerzo.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operaciones" }, { "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", "service": "VM", - "severity": "Alto", - "text": "Habilite la protección de puntos de conexión en servidores IaaS.", - "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", - "waf": "Seguridad" + "severity": "Medio", + "text": "Use Azure Update Manager como mecanismo de aplicación de revisiones para máquinas virtuales Windows y Linux en Azure.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operaciones" }, { "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", "service": "VM", "severity": "Medio", - "text": "Supervise el desfase de revisiones del sistema operativo base a través de los registros de Azure Monitor y Defender for Cloud.", - "training": 
"https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", - "waf": "Seguridad" + "text": "Use Azure Update Manager como mecanismo de aplicación de revisiones para máquinas virtuales Windows y Linux fuera de Azure mediante Azure Arc.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operaciones" + }, + { + "arm-service": "microsoft.network/networkWatchers", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", + "severity": "Medio", + "text": "Utilice Network Watcher para supervisar de forma proactiva los flujos de tráfico.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Operaciones" }, { "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", "service": "Monitor", "severity": "Medio", - "text": "Conecte las configuraciones de recursos predeterminadas a un área de trabajo centralizada de Azure Monitor Log Analytics.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", - "waf": "Seguridad" + "text": "Use los registros de Azure Monitor para obtener información e informes.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", + "waf": "Operaciones" }, { + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 
'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", - "guid": "a56888b2-7e83-4404-bd31-b886528502d1", - "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", - "service": "Entra", - "severity": "Alto", - "text": "Detección centralizada de amenazas con registros correlacionados: consolide los datos de seguridad en una ubicación central donde se puedan correlacionar entre varios servicios a través de SIEM (información de seguridad y gestión de eventos)", - "waf": "Seguridad" + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "Medio", + "text": "Use las alertas de Azure Monitor para la generación de alertas operativas.", + "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", + "waf": "Operaciones" }, { + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "severity": "Medio", - "text": "Para Sovereign Landing Zone, habilite los registros de transparencia en el inquilino de 
Entra ID.", - "waf": "Seguridad" + "text": "Al usar el seguimiento de cambios e inventario a través de cuentas de Azure Automation, asegúrese de que ha seleccionado regiones compatibles para vincular el área de trabajo de Log Analytics y las cuentas de automatización.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "waf": "Operaciones" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", + "severity": "Bajo", + "text": "Al usar Azure Backup, use los tipos de copia de seguridad correctos (GRS, ZRS Y LRS) para la copia de seguridad, ya que la configuración predeterminada es GRS.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "Fiabilidad" }, { + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "severity": "Medio", - "text": "Para Sovereign Landing Zone, habilite la caja de seguridad del cliente en el inquilino de Entra ID.", + "text": "Use directivas de invitado de Azure para implementar automáticamente configuraciones de software a través de extensiones de máquina virtual y aplicar una configuración de máquina virtual de línea base compatible.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": 
"https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "severity": "Alto", - "text": "Habilite la transferencia segura a las cuentas de almacenamiento.", - "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "description": "Use las características de configuración de invitado de Azure Policy para auditar y corregir la configuración de la máquina (por ejemplo, el sistema operativo, la aplicación, el entorno) para asegurarse de que los recursos se alinean con las configuraciones esperadas, y Update Management puede aplicar la administración de revisiones para las máquinas virtuales.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", + "severity": "Medio", + "text": "Supervise el desfase de la configuración de seguridad de la máquina virtual a través de Azure Policy.", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", - "severity": "Alto", - "text": "Habilite la eliminación temporal de contenedor para que la cuenta de almacenamiento recupere un contenedor eliminado y su contenido.", - "waf": "Seguridad" + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", + "severity": "Medio", + "text": "Use Azure Site Recovery para escenarios de recuperación ante desastres de Azure a Azure 
Virtual Machines. Esto le permite replicar cargas de trabajo en todas las regiones.", + "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.KeyVault/vaults", + "arm-service": "Microsoft.RecoveryServices/vaults", "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", - "severity": "Alto", - "text": "Use los secretos de Key Vault para evitar codificar de forma rígida información confidencial, como credenciales (máquinas virtuales, contraseñas de usuario), certificados o claves.", - "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", + "severity": "Medio", + "text": "Use funcionalidades de copia de seguridad nativas de Azure o una solución de copia de seguridad de terceros compatible con Azure.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", "waf": "Operaciones" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "severity": "Alto", - "text": 
"Habilitación de 2 réplicas para que tengan una disponibilidad del 99,9 % para las operaciones de lectura", - "waf": "Fiabilidad" + "text": "Agregue configuración de diagnóstico para guardar los registros de WAF de los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway. Revise periódicamente los registros para comprobar si hay ataques y detecciones de falsos positivos.", + "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "severity": "Medio", - "text": "Habilitación de 3 réplicas para que tengan una disponibilidad del 99,9 % para las operaciones de lectura y escritura", - "waf": "Fiabilidad" + "text": "Envíe registros de WAF desde los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway, a Microsoft Sentinel. 
Detecte ataques e integre la telemetría de WAF en su entorno general de Azure.", + "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad habilitando réplicas de lectura o escritura", - "waf": "Fiabilidad" + "text": "Use Azure Key Vault para almacenar sus secretos y credenciales.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away 
ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "severity": "Medio", - "text": "En el caso de la reincidencia regional, cree manualmente servicios en 2 o más regiones para la búsqueda, ya que no proporciona un método automatizado para replicar índices de búsqueda en regiones geográficas", - "waf": "Fiabilidad" + "text": "Use diferentes instancias de Azure Key Vaults para diferentes aplicaciones y regiones para evitar límites de escala de transacciones y restringir el acceso a los secretos.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Para sincronizar datos entre varios servicios, use indexadores para actualizar contenido en varios servicios o use las API de REST para insertar actualizaciones de contenido en varios servicios", - "waf": "Fiabilidad" + "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención para los objetos eliminados.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": 
"85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Uso de Azure Traffic Manager para coordinar solicitudes", - "waf": "Fiabilidad" + "text": "Siga un modelo de privilegios mínimos limitando la autorización para eliminar claves, secretos y certificados de forma permanente a roles de identificador personalizados especializados de Microsoft Entra.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", - "severity": "Alto", - "text": "Realice una copia de seguridad y restaure un índice de Azure Cognitive Search. Use este código de ejemplo para realizar una copia de seguridad de la definición del índice y la instantánea en una serie de archivos JSON", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", - "severity": "Alto", - "text": "Habilite la redundancia de zona para Azure Cache for Redis. Azure Cache for Redis admite configuraciones con redundancia de zona en los niveles Premium y Enterprise. 
Una caché con redundancia de zona puede colocar sus nodos en diferentes zonas de disponibilidad de Azure en la misma región. Elimina la interrupción del centro de datos o de la zona de disponibilidad como único punto de error y aumenta la disponibilidad general de la memoria caché.", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Configure la persistencia de datos para una instancia de Azure Cache for Redis. Dado que los datos de caché se almacenan en la memoria, un error poco frecuente y no planeado de varios nodos puede hacer que se eliminen todos los datos. 
Para evitar la pérdida completa de datos, la persistencia de Redis permite tomar instantáneas periódicas de los datos en memoria y almacenarlas en la cuenta de almacenamiento.", - "waf": "Fiabilidad" + "text": "Automatice el proceso de gestión y renovación de certificados con autoridades de certificación públicas para facilitar la administración.", + "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Seguridad" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Use una cuenta de almacenamiento con redundancia geográfica para conservar los datos de Azure Cache for Redis o con redundancia zonal donde la redundancia geográfica no esté disponible", - "waf": "Fiabilidad" + "text": "Establezca un proceso automatizado para la rotación de claves y certificados.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Seguridad" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": 
"Medio", - "text": "Configure la replicación geográfica pasiva para instancias de Azure Cache for Redis Premium. La replicación geográfica es un mecanismo para vincular dos o más instancias de Azure Cache for Redis, que normalmente abarcan dos regiones de Azure. La replicación geográfica está diseñada principalmente para la recuperación ante desastres entre regiones. Dos instancias de caché de nivel Premium se conectan a través de la replicación geográfica de una manera que proporciona lecturas y escrituras en la caché principal, y esos datos se replican en la caché secundaria.", - "waf": "Fiabilidad" + "text": "Habilite el firewall y el punto de conexión de servicio de red virtual o el punto de conexión privado en el almacén para controlar el acceso al almacén de claves.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Aplicación de las instrucciones de la prueba comparativa de seguridad en la nube de Microsoft relacionadas con el almacenamiento", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "Medio", - "text": "Tenga en cuenta la \"línea base de seguridad de Azure para el almacenamiento\"", + "text": "Use el área de trabajo de Log Analytics de Azure Monitor central de la plataforma para auditar el uso de claves, certificados y secretos en cada instancia de Key Vault.", + "training": 
"https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "De forma predeterminada, Azure Storage tiene una dirección IP pública y es accesible desde Internet. Los puntos de conexión privados permiten exponer de forma segura Azure Storage solo a los recursos de proceso de Azure que necesitan acceso, lo que elimina la exposición a la Internet pública", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere la posibilidad de usar puntos de conexión privados para Azure Storage", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medio", + "text": "Delegue la creación de instancias de Key Vault y el acceso con privilegios, y use Azure Policy para aplicar una configuración coherente y conforme.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Las cuentas de almacenamiento recién creadas se crean mediante el modelo de implementación de ARM, de modo que RBAC, auditoría, etc. están habilitados. 
Asegúrese de que no hay cuentas de almacenamiento antiguas con el modelo de implementación clásica en una suscripción", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Asegúrese de que las cuentas de almacenamiento más antiguas no usan el \"modelo de implementación clásica\"", + "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Aproveche Microsoft Defender para obtener información sobre la actividad sospechosa y los errores de configuración.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "Alto", - "text": "Habilitación de Microsoft Defender para todas las cuentas de almacenamiento", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medio", + "text": "Si desea traer sus propias claves, es posible que esto no sea compatible con todos los servicios considerados. Implemente la mitigación pertinente para que las inconsistencias no obstaculicen los resultados deseados. 
Elija los pares de regiones y las regiones de recuperación ante desastres adecuados que minimicen la latencia.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "El mecanismo de eliminación temporal permite recuperar blobs eliminados accidentalmente.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "severity": "Medio", - "text": "Habilitación de la \"eliminación temporal\" para blobs", + "text": "En el caso de la zona de aterrizaje soberana, use el HSM administrado de Azure Key Vault para almacenar los secretos y las credenciales.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. 
", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "severity": "Medio", - "text": "Deshabilitación de la \"eliminación temporal\" de blobs", + "text": "Use las capacidades de generación de informes de Microsoft Entra ID para generar informes de auditoría de control de acceso.", + "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "La eliminación temporal de contenedores permite recuperar un contenedor después de que se haya eliminado, por ejemplo, recuperarse de una operación de eliminación accidental.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "severity": "Alto", - "text": "Habilitación de la \"eliminación temporal\" para los contenedores", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. 
", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", - "severity": "Medio", - "text": "Deshabilitación de la \"eliminación temporal\" para contenedores", + "text": "Habilite la administración de la posición de seguridad en la nube de Defender para todas las suscripciones.", + "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Evita la eliminación accidental de una cuenta de almacenamiento, obligando al usuario a quitar primero el bloqueo de eliminación, antes de la eliminación", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "Alto", - "text": "Habilitación de bloqueos de recursos en cuentas de almacenamiento", + "text": "Habilite un plan de protección de carga de trabajo en la nube de Defender para servidores en todas las suscripciones.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de aplicar directivas de \"retención legal\" o \"retención basada en el tiempo\" para los blobs, de modo que sea imposible eliminar el blob, el contenedor o la cuenta de almacenamiento. 
Tenga en cuenta que 'imposible' en realidad significa 'imposible'; una vez que una cuenta de almacenamiento contiene un blob inmutable, la única manera de \"deshacerse\" de esa cuenta de almacenamiento es cancelando la suscripción de Azure.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", "severity": "Alto", - "text": "Considere la posibilidad de blobs inmutables", + "text": "Habilite los planes de protección de cargas de trabajo en la nube de Defender para recursos de Azure en todas las suscripciones.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de deshabilitar el acceso HTTP/80 sin protección a la cuenta de almacenamiento, de modo que todas las transferencias de datos estén cifradas, protegidas por integridad y el servidor esté autenticado. 
", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "Alto", - "text": "Requerir HTTPS, es decir, deshabilitar el puerto 80 en la cuenta de almacenamiento", + "text": "Habilite la protección de puntos de conexión en servidores IaaS.", + "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Al configurar un dominio personalizado (nombre de host) en una cuenta de almacenamiento, compruebe si necesita TLS/HTTPS; si es así, es posible que tenga que colocar Azure CDN delante de la cuenta de almacenamiento.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", - "severity": "Alto", - "text": "Al aplicar HTTPS (deshabilitar HTTP), compruebe que no usa dominios personalizados (CNAME) para la cuenta de almacenamiento.", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", + "severity": "Medio", + "text": "Supervise el desfase de revisiones del sistema operativo base a través de los registros de Azure Monitor y Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", "waf": "Seguridad" }, { - "arm-service": 
"Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Requerir HTTPS cuando un cliente usa un token de SAS para acceder a los datos de blobs ayuda a minimizar el riesgo de pérdida de credenciales.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "Medio", - "text": "Limitar los tokens de firma de acceso compartido (SAS) solo a las conexiones HTTPS", + "text": "Conecte las configuraciones de recursos predeterminadas a un área de trabajo centralizada de Azure Monitor Log Analytics.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Los tokens de AAD deben favorecerse sobre las firmas de acceso compartido, siempre que sea posible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, 
ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", + "guid": "a56888b2-7e83-4404-bd31-b886528502d1", + "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", + "service": "Entra", "severity": "Alto", - "text": "Uso de tokens de Azure Active Directory (Azure AD) para el acceso a blobs", + "text": "Detección centralizada de amenazas con registros correlacionados: consolide los datos de seguridad en una ubicación central donde se puedan correlacionar entre varios servicios a través de SIEM (información de seguridad y gestión de eventos)", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Al asignar un rol a un usuario, grupo o aplicación, conceda a esa entidad de seguridad solo los permisos necesarios para que pueda realizar sus tareas. Limitar el acceso a los recursos ayuda a evitar el uso indebido no intencionado y malintencionado de los datos.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "severity": "Medio", - "text": "Privilegios mínimos en los permisos de IaM", + "text": "Para Sovereign Landing Zone, habilite los registros de transparencia en el inquilino de Entra ID.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Una SAS de delegación de usuarios está protegida con credenciales de Azure Active Directory (Azure AD) y también con los permisos especificados para la SAS. Una SAS de delegación de usuarios es análoga a una SAS de servicio en cuanto a su ámbito y función, pero ofrece ventajas de seguridad sobre la SAS de servicio. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "Alto", - "text": "Al usar SAS, prefiera \"SAS de delegación de usuarios\" en lugar de SAS basada en claves de cuenta de almacenamiento.", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", + "severity": "Medio", + "text": "Para Sovereign Landing Zone, habilite la caja de seguridad del cliente en el inquilino de Entra ID.", "waf": "Seguridad" }, { "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Las claves de la cuenta de almacenamiento (\"claves compartidas\") tienen muy pocas funcionalidades de auditoría. Si bien se puede monitorear quién o cuándo obtuvo una copia de las claves, una vez que las claves están en manos de varias personas, es imposible atribuir el uso a un usuario específico. Confiar únicamente en la autenticación de AAD facilita la vinculación del acceso al almacenamiento a un usuario. 
", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", "severity": "Alto", - "text": "Considere la posibilidad de deshabilitar las claves de la cuenta de almacenamiento, de modo que solo se admita el acceso a AAD (y la SAS de delegación de usuarios).", + "text": "Habilite la transferencia segura a las cuentas de almacenamiento.", + "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", "waf": "Seguridad" }, { "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Use los datos del registro de actividad para identificar \"cuándo\", \"quién\", \"qué\" y \"cómo\" se está viendo o cambiando la seguridad de la cuenta de almacenamiento (es decir, claves de cuenta de almacenamiento, directivas de acceso, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", "severity": "Alto", - "text": "Considere la posibilidad de usar Azure Monitor para auditar las operaciones del plano de control en la cuenta de almacenamiento", + "text": "Habilite la eliminación temporal de contenedor para que la cuenta de almacenamiento recupere un contenedor eliminado y su contenido.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob 
Storage Review", - "description": "Una directiva de expiración de claves le permite establecer un recordatorio para la rotación de las claves de acceso a la cuenta. El recordatorio se muestra si ha transcurrido el intervalo especificado y las teclas aún no se han girado.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", - "severity": "Medio", - "text": "Al usar claves de cuenta de almacenamiento, considere la posibilidad de habilitar una \"directiva de expiración de claves\"", - "waf": "Seguridad" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "Alto", + "text": "Use los secretos de Key Vault para evitar codificar de forma rígida información confidencial, como credenciales (máquinas virtuales, contraseñas de usuario), certificados o claves.", + "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Una directiva de expiración de SAS especifica un intervalo recomendado durante el cual la SAS es válida. Las directivas de expiración de SAS se aplican a una SAS de servicio o a una SAS de cuenta. 
Cuando un usuario genera una SAS de servicio o una SAS de cuenta con un intervalo de validez mayor que el intervalo recomendado, verá una advertencia.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "Medio", - "text": "Considere la posibilidad de configurar una directiva de expiración de SAS", - "waf": "Seguridad" + "text": "Implementar una política de control de errores a nivel global", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Las directivas de acceso almacenadas ofrecen la opción de revocar los permisos de una SAS de servicio sin tener que volver a generar las claves de la cuenta de almacenamiento. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "Medio", - "text": "Considere la posibilidad de vincular SAS a una directiva de acceso almacenada", - "waf": "Seguridad" + "text": "Asegúrese de que todas las políticas de API incluyan un elemento.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "Medio", - "text": "Considere la posibilidad de configurar el repositorio de código fuente de la aplicación para detectar cadenas de conexión protegidas y claves de cuenta de almacenamiento.", - "waf": "Seguridad" + "text": "Uso de fragmentos de políticas para evitar repetir las mismas definiciones de políticas en varias API", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Lo ideal es que la aplicación use una identidad administrada para autenticarse en Azure Storage. 
Si esto no es posible, considere la posibilidad de tener la credencial de almacenamiento (cadena de conexión, clave de cuenta de almacenamiento, SAS, credencial de entidad de servicio) en Azure KeyVault o un servicio equivalente.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere la posibilidad de almacenar cadenas de conexión en Azure KeyVault (en escenarios en los que las identidades administradas no son posibles)", - "waf": "Seguridad" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "severity": "Medio", + "text": "Si planeas monetizar tus API, revisa el artículo \"Soporte de monetización\" para conocer las prácticas recomendadas", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Use los tiempos de expiración a corto plazo en una SAS de servicio SAS ad hoc o en una SAS de cuenta. De esta manera, incluso si una SAS se ve comprometida, es válida solo por un corto tiempo. Esta práctica es especialmente importante si no puede hacer referencia a una directiva de acceso almacenada. 
Los tiempos de expiración a corto plazo también limitan la cantidad de datos que se pueden escribir en un blob al limitar el tiempo disponible para cargarlo.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "Alto", - "text": "Esfuércese por obtener períodos de validez cortos para SAS ad-hoc", - "waf": "Seguridad" + "text": "Habilitación de la configuración de diagnóstico para exportar registros a Azure Monitor", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Al crear una SAS, sea lo más específico y restrictivo posible. 
Prefiera una SAS para un solo recurso y operación en lugar de una SAS que proporciona un acceso mucho más amplio.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "Medio", - "text": "Aplicación de un ámbito limitado a una SAS", - "waf": "Seguridad" + "text": "Habilitación de Application Insights para obtener telemetría más detallada", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Una SAS puede incluir parámetros en los que las direcciones IP de cliente o los intervalos de direcciones están autorizados a solicitar un recurso mediante la SAS. 
", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", - "severity": "Medio", - "text": "Considere la posibilidad de definir el ámbito de SAS en una dirección IP de cliente específica, siempre que sea posible", - "waf": "Seguridad" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", + "severity": "Alto", + "text": "Configurar alertas sobre las métricas más críticas", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Una SAS no puede restringir la cantidad de datos que carga un cliente; Dado el modelo de precios de la cantidad de almacenamiento a lo largo del tiempo, podría tener sentido validar si los clientes cargaron contenido de gran tamaño malintencionado.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "Bajo", - "text": "Considere la posibilidad de comprobar los datos cargados, después de que los clientes hayan usado una SAS para cargar un archivo. 
", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", + "severity": "Alto", + "text": "Asegúrese de que los certificados SSL personalizados se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Al acceder a Blob Storage a través de SFTP mediante una \"cuenta de usuario local\", no se aplican los controles RBAC \"habituales\". El acceso a blobs a través de NFS o REST puede ser más restrictivo que el acceso SFTP. Desafortunadamente, a partir de principios de 2023, los usuarios locales son la única forma de administración de identidades que actualmente se admite para el punto de conexión SFTP", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "Alto", - "text": "SFTP: Limite la cantidad de \"usuarios locales\" para el acceso SFTP y audite si el acceso es necesario a lo largo del tiempo.", + "text": "Protección de las solicitudes entrantes a las API (plano de datos) 
con Azure AD", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "Medio", - "text": "SFTP: El punto de conexión SFTP no admite ACL similares a POSIX.", + "text": "Usar el identificador de Microsoft Entra para autenticar a los usuarios en el Portal para desarrolladores", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "El almacenamiento es compatible con CORS (Cross-Origin Resource Sharing), es decir, una función HTTP que permite a las aplicaciones web de un dominio diferente relajar la política del mismo origen. 
Al habilitar CORS, mantenga CorsRules con el mínimo privilegio.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "Alto", - "text": "Evite las políticas de CORS demasiado amplias", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "Medio", + "text": "Crear grupos adecuados para controlar la visibilidad de los productos", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Los datos en reposo siempre están cifrados en el lado del servidor y, además, también pueden estar cifrados en el lado del cliente. El cifrado del lado del servidor puede realizarse mediante una clave administrada por la plataforma (predeterminada) o una clave administrada por el cliente. El cifrado del lado cliente puede producirse haciendo que el cliente proporcione una clave de cifrado y descifrado por blob a Azure Storage o controlando completamente el cifrado en el lado cliente. por lo tanto, no depende en absoluto de Azure Storage para obtener garantías de confidencialidad.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", - "severity": "Alto", - "text": "Determine cómo se deben cifrar los datos en reposo. 
Comprender el modelo de subprocesos para los datos.", - "waf": "Seguridad" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", + "severity": "Medio", + "text": "Utilice la función Backends para eliminar las configuraciones redundantes de back-end de la API", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "severity": "Medio", - "text": "Determine qué cifrado de plataforma se debe usar o si se debe usar.", - "waf": "Seguridad" + "text": "Usar valores con nombre para almacenar valores comunes que se pueden usar en directivas", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "Medio", - "text": "Determine qué cifrado del lado del cliente se 
debe usar o si.", - "waf": "Seguridad" + "text": "En el caso de la recuperación ante desastres, aproveche el nivel premium con implementaciones escaladas en dos o más regiones para un acuerdo de nivel de servicio del 99,99 %", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Aproveche el Explorador de Resource Graph (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para buscar cuentas de almacenamiento que permitan el acceso anónimo a blobs.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "severity": "Medio", + "text": "Implemente al menos una unidad en dos o más zonas de disponibilidad para obtener un SLA aumentado del 99,99 %", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", "severity": "Alto", - "text": "Considere si se necesita acceso público a blobs o si se puede deshabilitar para determinadas cuentas de almacenamiento. 
", - "waf": "Seguridad" + "text": "Asegúrese de que haya una rutina de copia de seguridad automatizada", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario para las cargas de trabajo de Windows de AKS, se pueden usar contenedores HostProcess", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", + "severity": "Medio", + "text": "Use directivas para agregar una dirección URL de back-end de conmutación por error y el almacenamiento en caché para reducir las llamadas con errores.", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", "severity": "Bajo", - "text": "Utilice KEDA si ejecuta cargas de trabajo controladas por eventos", + "text": "Si necesita iniciar sesión en niveles de alto rendimiento, tenga en cuenta la directiva de Event Hubs", + "waf": "Operaciones" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": 
"APIM", + "severity": "Medio", + "text": "Aplicación de directivas de limitación para controlar el número de solicitudes por segundo", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "Bajo", - "text": "Uso de Dapr para facilitar el desarrollo de microservicios", - "waf": "Operaciones" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", + "severity": "Medio", + "text": "Configurar el escalado automático para escalar horizontalmente el número de instancias cuando aumenta la carga", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", - "severity": "Alto", - "text": "Uso de la oferta de AKS respaldada por SLA", - "waf": "Fiabilidad" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", + "severity": "Medio", + "text": "Implemente puertas de enlace autohospedadas en las que Azure no tenga una región cercana a las API de back-end.", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - 
"checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "Bajo", - "text": "Uso de presupuestos de interrupción en el pod y las definiciones de implementación", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", + "severity": "Medio", + "text": "Use el nivel premium para las cargas de trabajo de producción.", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", - "severity": "Alto", - "text": "Si usa un registro privado, configure la replicación de regiones para almacenar imágenes en varias regiones", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "severity": "Medio", + "text": "En el modelo de varias regiones, use directivas para enrutar las solicitudes a los back-ends regionales en función de la disponibilidad o la latencia.", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", - "severity": "Bajo", - "text": "Usar una aplicación externa como kubecost 
para asignar costos a diferentes usuarios", - "waf": "Costar" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", + "severity": "Alto", + "text": "Tenga en cuenta los límites de APIM", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", - "severity": "Bajo", - "text": "Usar el modo de reducción vertical para eliminar/desasignar nodos", - "waf": "Costar" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", + "severity": "Alto", + "text": "Asegúrese de que las implementaciones de puerta de enlace autohospedadas sean resistentes.", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "Medio", - "text": "Cuando sea necesario, use la GPU de partición de varias instancias en clústeres de AKS", - "waf": "Costar" + "text": "Uso de Azure Front Door delante de APIM para la implementación en varias regiones", + "waf": "Rendimiento" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", - "severity": "Bajo", - "text": "Si se ejecuta un clúster de desarrollo y pruebas, use NodePool Start/Stop", - "waf": "Costar" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", + "severity": "Medio", + "text": "Implementación del servicio dentro de una red virtual (VNet)", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "Medio", - "text": "Uso de Azure Policy para Kubernetes para garantizar el cumplimiento de clústeres", + "text": "Implemente grupos de seguridad de red (NSG) en las subredes para restringir o supervisar el tráfico hacia/desde 
APIM.", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "severity": "Medio", - "text": "Separe las aplicaciones del plano de control con grupos de nodos de usuario/sistema", + "text": "Implemente puntos de conexión privados para filtrar el tráfico entrante cuando APIM no se implemente en una red virtual.", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "Bajo", - "text": "Agregue taint a su grupo de nodos del sistema para que sea dedicado", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", + "severity": "Alto", + "text": "Deshabilitar el acceso a la red pública", "waf": "Seguridad" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "severity": "Medio", - "text": "Utilice un registro privado para sus imágenes, como ACR", - "waf": "Seguridad" + "text": "Simplifique la administración con scripts de automatización de PowerShell", + "waf": "Operaciones" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "severity": "Medio", - "text": "Escanea tus imágenes en busca de vulnerabilidades", - "waf": "Seguridad" + "text": "Configure APIM a través de la infraestructura como código. 
Revise las prácticas recomendadas de DevOps desde el acelerador de zonas de aterrizaje de API de Cloud Adaption Framework", + "waf": "Operaciones" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", - "severity": "Alto", - "text": "Definición de los requisitos de separación de aplicaciones (espacio de nombres/grupo de nodos/clúster)", - "waf": "Seguridad" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", + "severity": "Medio", + "text": "Promover el uso de la extensión APIM de Visual Studio Code para un desarrollo de API más rápido", + "waf": "Operaciones" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "severity": "Medio", - "text": "Almacenamiento de los secretos en Azure Key Vault con el controlador del almacén de secretos de CSI", - "waf": "Seguridad" + "text": "Implemente DevOps y CI/CD en su flujo de trabajo", + "waf": "Operaciones" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", - "severity": 
"Alto", - "text": "Si usa entidades de servicio para el clúster, actualice las credenciales periódicamente (por ejemplo, trimestralmente)", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", + "severity": "Medio", + "text": "API seguras mediante la autenticación de certificados de cliente", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "severity": "Medio", - "text": "Si es necesario, agregue el servicio de administración de claves, etcd, cifrado", + "text": "Servicios de back-end seguros mediante la autenticación de certificados de cliente", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario, considere la posibilidad de usar Proceso confidencial para AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", + "severity": "Medio", + "text": "Revise el artículo 
\"Recomendaciones para mitigar las 10 principales amenazas de seguridad de la API de OWASP\" y compruebe qué se aplica a sus API", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "severity": "Medio", - "text": "Considere la posibilidad de usar Defender para contenedores", + "text": "Utilice la función Autorizaciones para simplificar la administración del token de OAuth 2.0 para las API de back-end", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "severity": "Alto", - "text": "Uso de identidades administradas en lugar de entidades de servicio", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": 
"7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", - "severity": "Medio", - "text": "Integración de la autenticación con AAD (mediante la integración administrada)", + "text": "Utilice la versión más reciente de TLS al cifrar la información en tránsito. Deshabilite los protocolos y cifrados obsoletos e innecesarios cuando sea posible.", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", - "severity": "Medio", - "text": "Limitar el acceso a admin kubeconfig (get-credentials --admin)", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", + "severity": "Alto", + "text": "Asegúrese de que los secretos (valores con nombre) se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "severity": "Medio", - "text": "Integración de la autorización con RBAC de AAD", + "text": "Uso de identidades administradas para autenticarse en otros recursos de Azure siempre que sea posible", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "severity": "Alto", - "text": "Uso de espacios de nombres para restringir el privilegio RBAC en Kubernetes", + "text": "Uso del firewall de aplicaciones web (WAF) mediante la implementación de Application Gateway delante de APIM", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "Medio", - "text": "Para la administración de acceso a identidades de pods, use Azure AD Workload Identity (versión preliminar)", - 
"waf": "Seguridad" + "text": "Aproveche el servidor flexible", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", + "severity": "Alto", + "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "Medio", - "text": "En el caso de los inicios de sesión no interactivos de AKS, use kubelogin (versión preliminar)", - "waf": "Seguridad" + "text": "Aproveche la replicación de entrada de datos para escenarios de recuperación ante desastres entre regiones", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Aplicación de las instrucciones de la prueba comparativa 
de seguridad en la nube de Microsoft relacionadas con el almacenamiento", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "Medio", - "text": "Deshabilitación de cuentas locales de AKS", + "text": "Tenga en cuenta la \"línea base de seguridad de Azure para el almacenamiento\"", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Bajo", - "text": "Configure, si es necesario, el acceso al clúster Just-In-Time", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "De forma predeterminada, Azure Storage tiene una dirección IP pública y es accesible desde Internet. 
Los puntos de conexión privados permiten exponer de forma segura Azure Storage solo a los recursos de proceso de Azure que necesitan acceso, lo que elimina la exposición a la Internet pública", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de usar puntos de conexión privados para Azure Storage", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Bajo", - "text": "Configure si es necesario el acceso condicional de AAD para AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Las cuentas de almacenamiento recién creadas se crean mediante el modelo de implementación de ARM, de modo que RBAC, auditoría, etc. están habilitados. 
Asegúrese de que no hay cuentas de almacenamiento antiguas con el modelo de implementación clásica en una suscripción", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", + "severity": "Medio", + "text": "Asegúrese de que las cuentas de almacenamiento más antiguas no usan el \"modelo de implementación clásica\"", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario para las cargas de trabajo de Windows AKS, configure gMSA ", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Aproveche Microsoft Defender para obtener información sobre la actividad sospechosa y los errores de configuración.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", + "severity": "Alto", + "text": "Habilitación de Microsoft Defender para todas las cuentas de almacenamiento", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "El mecanismo de eliminación temporal permite recuperar blobs eliminados accidentalmente.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "Medio", - "text": "Para un control más preciso, considere la posibilidad de utilizar una identidad de Kubelet administrada", + "text": "Habilitación de la \"eliminación temporal\" para blobs", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "Medio", - "text": "Si utiliza AGIC, no comparta un AppGW entre clústeres", - "waf": "Fiabilidad" + "text": "Deshabilitación de la \"eliminación temporal\" de blobs", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "La eliminación temporal de contenedores permite recuperar un contenedor después de que se haya eliminado, por ejemplo, recuperarse de una operación de eliminación accidental.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "Alto", - "text": "No use el complemento de enrutamiento HTTP de AKS, use en su lugar la entrada NGINX administrada con el complemento de enrutamiento de aplicaciones.", - "waf": "Fiabilidad" + "text": "Habilitación de la \"eliminación temporal\" para los contenedores", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + 
"description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "severity": "Medio", - "text": "En el caso de las cargas de trabajo de Windows, use las redes aceleradas", - "waf": "Rendimiento" + "text": "Deshabilitación de la \"eliminación temporal\" para contenedores", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Evita la eliminación accidental de una cuenta de almacenamiento, obligando al usuario a quitar primero el bloqueo de eliminación, antes de la eliminación", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "Alto", - "text": "Utilice el ALB estándar (en lugar del básico)", - "waf": "Fiabilidad" + "text": "Habilitación de bloqueos de recursos en cuentas de almacenamiento", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": 
"https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", - "severity": "Medio", - "text": "Si usa Azure CNI, considere la posibilidad de usar diferentes subredes para NodePools", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de aplicar directivas de \"retención legal\" o \"retención basada en el tiempo\" para los blobs, de modo que sea imposible eliminar el blob, el contenedor o la cuenta de almacenamiento. Tenga en cuenta que 'imposible' en realidad significa 'imposible'; una vez que una cuenta de almacenamiento contiene un blob inmutable, la única manera de \"deshacerse\" de esa cuenta de almacenamiento es cancelando la suscripción de Azure.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de blobs inmutables", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", - "severity": "Medio", - "text": "Use puntos de conexión privados (preferidos) o puntos de conexión de servicio de red virtual para acceder a los servicios PaaS desde el clúster", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de deshabilitar el acceso HTTP/80 sin protección a la cuenta de almacenamiento, de modo que todas las transferencias de datos estén cifradas, protegidas por integridad y el servidor esté autenticado. 
", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "Alto", + "text": "Requerir HTTPS, es decir, deshabilitar el puerto 80 en la cuenta de almacenamiento", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Al configurar un dominio personalizado (nombre de host) en una cuenta de almacenamiento, compruebe si necesita TLS/HTTPS; si es así, es posible que tenga que colocar Azure CDN delante de la cuenta de almacenamiento.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "severity": "Alto", - "text": "Elija el mejor complemento de red de CNI para sus necesidades (se recomienda Azure CNI)", - "waf": "Fiabilidad" + "text": "Al aplicar HTTPS (deshabilitar HTTP), compruebe que no usa dominios personalizados (CNAME) para la cuenta de almacenamiento.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "Alto", - "text": "Si usa CNI de Azure, ajuste el tamaño de la subred en consecuencia teniendo en cuenta el número máximo de pods por nodo", - "waf": "Rendimiento" + "arm-service": 
"Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Requerir HTTPS cuando un cliente usa un token de SAS para acceder a los datos de blobs ayuda a minimizar el riesgo de pérdida de credenciales.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", + "severity": "Medio", + "text": "Limitar los tokens de firma de acceso compartido (SAS) solo a las conexiones HTTPS", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Los tokens de AAD deben favorecerse sobre las firmas de acceso compartido, siempre que sea posible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "severity": "Alto", - "text": "Si usa Azure CNI, compruebe el número máximo de pods o nodo (valor predeterminado 30)", - "waf": "Rendimiento" + "text": "Uso de tokens de Azure Active Directory (Azure AD) para el acceso a blobs", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "En el caso de las aplicaciones internas, las organizaciones suelen abrir toda la subred de AKS en sus firewalls. Esto también abre el acceso de red a los nodos y, potencialmente, también a los pods (si se usa Azure CNI). Si las direcciones IP de LoadBalancer están en una subred diferente, solo esta debe estar disponible para los clientes de la aplicación. 
Otra razón es que si las direcciones IP de la subred de AKS son un recurso escaso, el consumo de sus direcciones IP para los servicios reducirá la escalabilidad máxima del clúster.", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "Bajo", - "text": "Si usa servicios de LoadBalancer de dirección IP privada, use una subred dedicada (no la subred de AKS)", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Al asignar un rol a un usuario, grupo o aplicación, conceda a esa entidad de seguridad solo los permisos necesarios para que pueda realizar sus tareas. Limitar el acceso a los recursos ayuda a evitar el uso indebido no intencionado y malintencionado de los datos.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", + "severity": "Medio", + "text": "Privilegios mínimos en los permisos de IaM", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Una SAS de delegación de usuarios está protegida con credenciales de Azure Active Directory (Azure AD) y también con los permisos especificados para la SAS. Una SAS de delegación de usuarios es análoga a una SAS de servicio en cuanto a su ámbito y función, pero ofrece ventajas de seguridad sobre la SAS de servicio. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "severity": "Alto", - "text": "Dimensione el rango de direcciones IP del servicio en consecuencia (limitará la escalabilidad del clúster)", - "waf": "Fiabilidad" + "text": "Al usar SAS, prefiera \"SAS de delegación de usuarios\" en lugar de SAS basada en claves de cuenta de almacenamiento.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario, agregue su propio complemento CNI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Las claves de la cuenta de almacenamiento (\"claves compartidas\") tienen muy pocas funcionalidades de auditoría. Si bien se puede monitorear quién o cuándo obtuvo una copia de las claves, una vez que las claves están en manos de varias personas, es imposible atribuir el uso a un usuario específico. Confiar únicamente en la autenticación de AAD facilita la vinculación del acceso al almacenamiento a un usuario. 
", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de deshabilitar las claves de la cuenta de almacenamiento, de modo que solo se admita el acceso a AAD (y la SAS de delegación de usuarios).", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario, configure la dirección IP pública por nodo en AKS", - "waf": "Rendimiento" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Use los datos del registro de actividad para identificar \"cuándo\", \"quién\", \"qué\" y \"cómo\" se está viendo o cambiando la seguridad de la cuenta de almacenamiento (es decir, claves de cuenta de almacenamiento, directivas de acceso, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de usar Azure Monitor para auditar las operaciones del plano de control en la cuenta de almacenamiento", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Una directiva de expiración de claves le permite establecer un recordatorio para 
la rotación de las claves de acceso a la cuenta. El recordatorio se muestra si ha transcurrido el intervalo especificado y las teclas aún no se han girado.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "Medio", - "text": "Use un controlador de entrada para exponer aplicaciones basadas en web en lugar de exponerlas con servicios de tipo LoadBalancer", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "Bajo", - "text": "Uso de Azure NAT Gateway como outboundType para escalar el tráfico de salida", - "waf": "Fiabilidad" + "text": "Al usar claves de cuenta de almacenamiento, considere la posibilidad de habilitar una \"directiva de expiración de claves\"", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Una directiva de expiración de SAS especifica un intervalo recomendado durante el cual la SAS es válida. Las directivas de expiración de SAS se aplican a una SAS de servicio o a una SAS de cuenta. 
Cuando un usuario genera una SAS de servicio o una SAS de cuenta con un intervalo de validez mayor que el intervalo recomendado, verá una advertencia.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "Medio", - "text": "Uso de asignaciones dinámicas de direcciones IP para evitar el agotamiento de direcciones IP de Azure CNI", - "waf": "Fiabilidad" + "text": "Considere la posibilidad de configurar una directiva de expiración de SAS", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", - "severity": "Alto", - "text": "Filtre el tráfico de salida con AzFW/NVA si sus requisitos de seguridad lo exigen", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Las directivas de acceso almacenadas ofrecen la opción de revocar los permisos de una SAS de servicio sin tener que volver a generar las claves de la cuenta de almacenamiento. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "severity": "Medio", + "text": "Considere la posibilidad de vincular SAS a una directiva de acceso almacenada", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "severity": "Medio", - "text": "Si utiliza un punto de conexión de API público, restrinja las direcciones IP que pueden acceder a él", + "text": "Considere la posibilidad de configurar el repositorio de código fuente de la aplicación para detectar cadenas de conexión protegidas y claves de cuenta de almacenamiento.", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": 
"https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Lo ideal es que la aplicación use una identidad administrada para autenticarse en Azure Storage. Si esto no es posible, considere la posibilidad de tener la credencial de almacenamiento (cadena de conexión, clave de cuenta de almacenamiento, SAS, credencial de entidad de servicio) en Azure KeyVault o un servicio equivalente.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "Alto", - "text": "Utilice clústeres privados si sus requisitos lo exigen", + "text": "Considere la posibilidad de almacenar cadenas de conexión en Azure KeyVault (en escenarios en los que las identidades administradas no son posibles)", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "Medio", - "text": "Para los nodos de AKS de Windows 2019 y 2022, se pueden usar directivas de red de Calico ", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Use los tiempos de expiración a corto plazo en una SAS de servicio SAS ad hoc o en una SAS de cuenta. De esta manera, incluso si una SAS se ve comprometida, es válida solo por un corto tiempo. 
Esta práctica es especialmente importante si no puede hacer referencia a una directiva de acceso almacenada. Los tiempos de expiración a corto plazo también limitan la cantidad de datos que se pueden escribir en un blob al limitar el tiempo disponible para cargarlo.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Alto", + "text": "Esfuércese por obtener períodos de validez cortos para SAS ad-hoc", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "Alto", - "text": "Habilitación de una opción de directiva de red de Kubernetes (Calico/Azure)", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Al crear una SAS, sea lo más específico y restrictivo posible. 
Prefiera una SAS para un solo recurso y operación en lugar de una SAS que proporciona un acceso mucho más amplio.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Medio", + "text": "Aplicación de un ámbito limitado a una SAS", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "Alto", - "text": "Uso de directivas de red de Kubernetes para aumentar la seguridad dentro del clúster", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Una SAS puede incluir parámetros en los que las direcciones IP de cliente o los intervalos de direcciones están autorizados a solicitar un recurso mediante la SAS. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", + "severity": "Medio", + "text": "Considere la posibilidad de definir el ámbito de SAS en una dirección IP de cliente específica, siempre que sea posible", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "Alto", - "text": "Uso de un WAF para cargas de trabajo web (interfaces de usuario o API)", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Una SAS no puede restringir la cantidad de datos que carga un cliente; Dado el modelo de precios de la cantidad de almacenamiento a lo largo del tiempo, podría tener sentido validar si los clientes cargaron contenido de gran tamaño malintencionado.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "Bajo", + "text": "Considere la posibilidad de comprobar los datos cargados, después de que los clientes hayan usado una SAS para cargar un archivo. 
", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", - "severity": "Medio", - "text": "Uso de DDoS Standard en la red virtual de AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Al acceder a Blob Storage a través de SFTP mediante una \"cuenta de usuario local\", no se aplican los controles RBAC \"habituales\". El acceso a blobs a través de NFS o REST puede ser más restrictivo que el acceso SFTP. 
Desafortunadamente, a partir de principios de 2023, los usuarios locales son la única forma de administración de identidades que actualmente se admite para el punto de conexión SFTP", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "Alto", + "text": "SFTP: Limite la cantidad de \"usuarios locales\" para el acceso SFTP y audite si el acceso es necesario a lo largo del tiempo.", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario, agregue el proxy HTTP de la empresa", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", + "severity": "Medio", + "text": "SFTP: El punto de conexión SFTP no admite ACL similares a POSIX.", "waf": "Seguridad" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", - "severity": "Medio", - "text": "Considere la posibilidad de usar una malla de servicios para la administración avanzada de comunicaciones de microservicios", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "El almacenamiento es compatible con CORS (Cross-Origin Resource Sharing), es decir, una función HTTP que permite a las aplicaciones web de un dominio diferente relajar la política del mismo origen. Al habilitar CORS, mantenga CorsRules con el mínimo privilegio.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "severity": "Alto", + "text": "Evite las políticas de CORS demasiado amplias", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Los datos en reposo siempre están cifrados en el lado del servidor y, además, también pueden estar cifrados en el lado del cliente. El cifrado del lado del servidor puede realizarse mediante una clave administrada por la plataforma (predeterminada) o una clave administrada por el cliente. El cifrado del lado cliente puede producirse haciendo que el cliente proporcione una clave de cifrado y descifrado por blob a Azure Storage o controlando completamente el cifrado en el lado cliente. 
por lo tanto, no depende en absoluto de Azure Storage para obtener garantías de confidencialidad.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "Alto", - "text": "Configurar alertas sobre las métricas más críticas (consulte Container Insights para obtener recomendaciones)", - "waf": "Operaciones" + "text": "Determine cómo se deben cifrar los datos en reposo. Comprender el modelo de subprocesos para los datos.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "Bajo", - "text": "Consulte periódicamente Azure Advisor para obtener recomendaciones sobre el clúster", - "waf": "Operaciones" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", + "severity": "Medio", + "text": "Determine qué cifrado de plataforma se debe usar o si se debe usar.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "Bajo", - "text": "Habilitación de la rotación automática de certificados de AKS", - "waf": "Operaciones" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", + "severity": "Medio", + "text": "Determine qué cifrado del lado del cliente se debe usar o si.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Aproveche el Explorador de Resource Graph (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para buscar cuentas de almacenamiento que permitan el acceso anónimo a blobs.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "severity": "Alto", - "text": "Tenga un proceso regular para actualizar la versión de Kubernetes periódicamente (trimestralmente, por ejemplo) o use la característica de actualización automática de AKS", - "waf": "Operaciones" + "text": "Considere si se necesita acceso público a blobs o si se puede deshabilitar para determinadas cuentas de almacenamiento. 
", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", - "severity": "Alto", - "text": "Utilice kured para las actualizaciones de nodos de Linux en caso de que no esté utilizando la actualización de imagen de nodo", - "waf": "Operaciones" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Reglas de recopilación de datos en Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Costar" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", - "severity": "Alto", - "text": "Disponer de un proceso regular para actualizar las imágenes de los nodos del clúster periódicamente (semanalmente, por ejemplo)", - "waf": "Operaciones" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + "text": "Comprobar las instancias de copia de seguridad con la fuente de datos subyacente no encontrada", + "waf": "Costar" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "Bajo", - "text": "Considere la posibilidad de implementar aplicaciones o configuraciones de clústeres en varios clústeres", - "waf": "Operaciones" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "Eliminar o archivar servicios no asociados (discos, NIC, direcciones IP, etc.)", + "waf": "Costar" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "Bajo", - "text": "Considere la posibilidad de usar la invocación de comandos de AKS en clústeres privados", - "waf": "Operaciones" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "Considere un buen equilibrio entre el almacenamiento de recuperación del sitio y la copia de seguridad para aplicaciones que no son críticas", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "Compruebe las oportunidades de gasto y ahorro entre las 40 áreas de 
trabajo de Log Analytics diferentes: use diferentes retenciones y recopilación de datos para áreas de trabajo que no sean de producción: cree un límite diario para el reconocimiento y el tamaño de los niveles: si establece un límite diario, además de crear una alerta cuando se alcance el límite, asegúrese de crear también una regla de alerta para que se le notifique cuando se alcance algún porcentaje (90 %, por ejemplo). - Considere la posibilidad de transformar el espacio de trabajo si es posible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Azure Monitor",
+ "text": "Aplique una política de purga de registros y automatización (si es necesario, los registros se pueden mover al almacenamiento en frío)",
+ "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "VM",
+ "text": "Compruebe que los discos son realmente necesarios, si no: eliminar. 
Si son necesarios, busque niveles de almacenamiento más bajos o use una copia de seguridad:",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Storage",
+ "text": "Considere la posibilidad de mover el almacenamiento no utilizado al nivel inferior, con reglas personalizadas: https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "VM",
+ "text": "Asegúrese de que el asesor está configurado para el tamaño correcto de la máquina virtual ",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "description": "comprobando la búsqueda de las licencias de categoría de contador en el análisis de costes",
+ "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
+ "service": "VM",
+ "text": "ejecutar el script en todas las máquinas virtuales de Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server: considere la posibilidad de implementar una directiva si las máquinas virtuales de Windows 
se crean con frecuencia",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "service": "VM",
+ "text": " esto también se puede poner bajo AHUB si ya tiene licencias https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "VM",
+ "text": "Consolide familias de máquinas virtuales reservadas con la opción de flexibilidad (no más de 4-5 familias)",
+ "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
+ "service": "VM",
+ "text": "Uso de Azure Reserved Instances: esta característica le permite reservar máquinas virtuales durante un período de 1 o 3 años, lo que proporciona un importante ahorro de costos en comparación con los precios de pago por uso.",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "VM",
+ "text": "Solo se 
pueden reservar discos más grandes => 1 TiB -",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "service": "VM",
+ "text": "Después de la optimización del tamaño correcto",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Sql/servers",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ "service": "Azure SQL",
+ "text": "Compruebe si corresponde y aplique la política/cambio https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "VM",
+ "text": "El descuento de la parte de la licencia VM + (ahub + 3YRI) es de alrededor del 70% de descuento",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "VM",
+ "text": "Considere la posibilidad de utilizar un VMSS para satisfacer la demanda en lugar de un tamaño fijo",
+ "waf": "Costar"
 },
 {
 "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
- 
"link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", "service": "AKS", - "severity": "Bajo", - "text": "En el caso de los eventos planeados, considere la posibilidad de utilizar el drenaje automático de nodos", - "waf": "Operaciones" + "text": "Use el escalador automático de AKS para que coincida con el uso de los clústeres (asegúrese de que los requisitos de los pods coincidan con el escalador)", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "Mover los puntos de recuperación al archivo de almacén cuando corresponda (Validar)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "Considere la posibilidad de usar máquinas virtuales de acceso puntual con reserva siempre que sea posible. 
Considere la posibilidad de la terminación automática de clústeres.",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
+ "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
+ "service": "Azure Functions",
+ "text": "Funciones - Reutilizar conexiones",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
+ "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "service": "Azure Functions",
+ "text": "Funciones: almacenar datos en caché localmente",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Azure Functions",
+ "text": "Funciones - Arranques en frío: utilice la funcionalidad 'Ejecutar desde el paquete'. De esta manera, el código se descarga como un único archivo zip. Esto puede, por ejemplo, resultar en mejoras significativas con las funciones de Javascript, que tienen muchos módulos de nodos. 
Utilice herramientas específicas del lenguaje para reducir el tamaño del paquete, por ejemplo, aplicaciones Javascript que sacuden el árbol.",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "Azure Functions",
+ "text": "Funciones - Mantén tus funciones calientes",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Azure Functions",
+ "text": "Al usar el escalado automático con diferentes funciones, es posible que haya uno que controle todo el escalado automático para todos los recursos: considere la posibilidad de moverlo a un plan de consumo independiente (y considere un plan superior para la CPU)",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
+ "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+ "service": "Azure Functions",
+ "text": "Las aplicaciones de funciones de un plan determinado se escalan juntas, por lo que cualquier problema con el escalado puede afectar a todas las aplicaciones del plan.",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
+ "service": "Azure Functions",
+ "text": "¿Se 
me factura por el \"tiempo de espera\"? Esta pregunta se suele formular en el contexto de una función de C# que realiza una operación asincrónica y espera el resultado, por ejemplo, await Task.Delay(1000) o await client. GetAsync('http://google.com'). La respuesta es sí: el segundo cálculo de GB se basa en la hora de inicio y finalización de la función y el uso de memoria durante ese período. Lo que realmente sucede durante ese tiempo en términos de actividad de la CPU no se tiene en cuenta en el cálculo. Una excepción a esta regla es si está utilizando funciones duraderas. No se le facturará por el tiempo empleado en las esperas en las funciones de orquestador.aplique técnicas de modelado de la demanda siempre que sea posible (¿entornos de desarrollo?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Front Door",
+ "text": "Frontdoor: desactivar la página principal predeterminadaEn la configuración de la aplicación de la aplicación, establezca AzureWebJobsDisableHomepage en true. Esto devolverá un 204 (sin contenido) al PoP para que solo se devuelvan los datos del encabezado.",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
+ "service": "Front Door",
+ "text": "Frontdoor: ruta a algo que no devuelve nada. Configure una función, un proxy de función o agregue una ruta en la aplicación web que devuelva 200 (correctamente) y envíe contenido mínimo o nulo. 
La ventaja de esto es que podrá cerrar la sesión cuando se llame.",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
+ "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
+ "service": "Storage",
+ "text": "Considere la posibilidad de archivar niveles para los datos menos utilizados",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
+ "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
+ "service": "VM",
+ "text": "Compruebe los tamaños de disco en los que el tamaño no coincida con el nivel (es decir, un disco de 513 GiB pagará un P30 (1 TiB) y considere la posibilidad de cambiar el tamaño",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
+ "service": "Storage",
+ "text": "Considere la posibilidad de utilizar un SSD estándar en lugar de Premium o Ultra siempre que sea posible",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
+ "service": "Storage",
+ "text": "En el caso de las cuentas de almacenamiento, asegúrese de que el nivel elegido no suma cargos por transacción (puede ser más barato pasar al siguiente nivel)",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ 
"guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "Para ASR, considere la posibilidad de usar discos SSD estándar si el RPO/RTO y el rendimiento de replicación lo permiten", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "Cuentas de almacenamiento: compruebe el nivel de acceso frecuente o GRS necesario", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "Discos: valide el uso de discos SSD Premium en todas partes: por ejemplo, los que no son de producción podrían cambiar a SSD estándar o SSD Premium bajo demanda ", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "Cree presupuestos para administrar los costos y cree alertas que notifiquen automáticamente a las partes interesadas sobre anomalías en el gasto y riesgos de gasto excesivo.", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "Exporte los datos de costos a una cuenta de almacenamiento para realizar análisis de datos 
adicionales.", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "Controle los costos de un grupo de SQL dedicado pausando el recurso cuando no esté en uso.", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "Habilite la función de pausa automática de Apache Spark sin servidor y establezca el valor de tiempo de espera en consecuencia.", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "Cree varias definiciones de grupo de Apache Spark de varios tamaños.", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "Compre unidades de confirmación (SCU) de Azure Synapse durante un año con un plan de compra anticipada para ahorrar en los costos de Azure Synapse Analytics.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + 
"guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "Uso de máquinas virtuales de acceso puntual para trabajos interrumpibles: se trata de máquinas virtuales por las que se puede pujar y comprar a un precio reducido, lo que proporciona una solución rentable para cargas de trabajo no críticas.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "Ajustar el tamaño de todas las máquinas virtuales", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "Intercambiar el tamaño de la máquina virtual con los tamaños normalizados y más recientes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "Ajustar el tamaño de las máquinas virtuales: comience con la supervisión del uso por debajo del 5 % y, a continuación, trabaje hasta el 40 %", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": 
"2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "La inclusión de una aplicación en contenedores puede mejorar la densidad de la máquina virtual y ahorrar dinero en su escalado", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Costar" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Desarrollar sus propias prácticas de gobernanza para asegurarse de que los operadores no realicen cambios en el nodo RG (también conocido como 'infra RG')", - "waf": "Operaciones" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "Bajo", - "text": "Usar el nombre personalizado de Node RG (también conocido como 'Infra RG')", - "waf": "Operaciones" + "text": "Siga las barreras de seguridad de Metaprompting para una IA responsable", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": 
"https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", - "severity": "Medio", - "text": "No use API de Kubernetes obsoletas en los manifiestos de YAML", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Considere la posibilidad de crear patrones de puerta de enlace con APIM o soluciones como AI Central para mejorar la limitación de velocidad, el equilibrio de carga, la autenticación y el registro", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "Bajo", - "text": "Nodos de Windows de Taint", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Habilitación de la supervisión para las instancias de AOAI", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "Bajo", - "text": "Mantener el nivel de revisión de los contenedores de Windows sincronizado con el nivel de revisión del host", - "waf": "Operaciones" + "arm-service": 
"Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Cree alertas para notificar a los equipos de eventos, como una entrada en el registro de actividad creada por una acción realizada en el recurso, como la regeneración de sus claves de suscripción, o un umbral de métrica, como el número de errores que superan los 10 en una hora", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "A través de la configuración de diagnóstico en el nivel de clúster", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "Bajo", - "text": "Envío de registros maestros (también conocidos como registros de API) a Azure Monitor o a la solución de administración de registros que prefiera", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Supervise el uso de tokens para evitar interrupciones del servicio debido a la capacidad", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario, utilice instantáneas de nodePool", - "waf": "Costar" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", + "severity": "Medio", + "text": "Observe métricas como tokens de inferencia procesados, tokens de finalización generados, monitoree el límite de velocidad", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", "severity": "Bajo", - "text": "Considere la posibilidad de crear grupos de nodos de acceso puntual para cargas de trabajo no urgentes", - "waf": "Operaciones" + "text": "Si los diagnósticos no son suficientes para usted, considere la posibilidad de usar una puerta de enlace como Azure API Managements frente a Azure OpenAI para registrar tanto los mensajes entrantes como las respuestas salientes, cuando esté permitido", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "Bajo", - "text": "Considere la posibilidad de utilizar el nodo virtual de AKS para una ráfaga rápida", - "waf": "Operaciones" + "arm-service": 
"Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Use la infraestructura como código para implementar el servicio Azure OpenAI, las implementaciones de modelos y todos los recursos relacionados", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Supervise las métricas de clúster con Container Insights (u otras herramientas como Prometheus)", - "waf": "Operaciones" + "text": "Uso de la autenticación de Microsoft Entra con identidad administrada en lugar de clave de API", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": 
"https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Almacene y analice los registros del clúster con Container Insights (u otras herramientas como Telegraf/ElasticSearch)", - "waf": "Operaciones" + "text": "Evalúe el rendimiento/precisión del sistema con un conjunto de datos dorado conocido que tenga las entradas y las respuestas correctas. Aproveche las capacidades de PromptFlow para la evaluación.", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", - "severity": "Medio", - "text": "Supervisar el uso de la CPU y la memoria de los nodos", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Evaluación del uso del modelo de rendimiento aprovisionado ", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "Medio", - "text": "Si usa Azure CNI, supervise el porcentaje de direcciones IP de pod consumidas por nodo", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", 
+ "service": "Azure OpenAI", + "severity": "Alto", + "text": "Revisión e implementación de la seguridad del contenido de Azure AI", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "La E/S en el disco del sistema operativo es un recurso crítico. Si el sistema operativo de los nodos se limita en la E/S, esto podría dar lugar a un comportamiento impredecible, que normalmente terminaría en que el nodo se declarara NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", - "severity": "Medio", - "text": "Supervisión de la profundidad de la cola de disco del sistema operativo en los nodos", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Defina y evalúe el rendimiento del sistema en función de los tokens y la respuesta por minuto y alinee con los requisitos", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Si no usa el filtrado de salida con AzFW/NVA, supervise los puertos SNAT asignados por ALB estándar", - "waf": "Operaciones" + "text": "Mejore la 
latencia del sistema limitando el tamaño de los tokens, las opciones de transmisión", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Suscríbase a las notificaciones de estado de los recursos para el clúster de AKS", - "waf": "Operaciones" + "text": "Calcule las demandas de elasticidad para determinar la segregación de solicitudes sincrónicas y por lotes en función de la prioridad. Para la prioridad alta, utilice el enfoque sincrónico y para la prioridad baja, se prefiere el procesamiento por lotes asincrónico con cola", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Configurar solicitudes y límites en las especificaciones del pod", - "waf": "Operaciones" + "text": "Compare los requisitos de consumo de tokens en función de las demandas estimadas de los consumidores. 
Considere la posibilidad de usar la herramienta de pruebas comparativas de Azure OpenAI para ayudarle a validar el rendimiento si usa implementaciones de unidades de rendimiento aprovisionadas", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Aplicación de cuotas de recursos para espacios de nombres", - "waf": "Operaciones" + "text": "Si usa unidades de rendimiento aprovisionadas (PTU), considere la posibilidad de implementar una implementación de token por minuto (TPM) para las solicitudes de desbordamiento. 
Use una puerta de enlace para enrutar las solicitudes a la implementación de TPM cuando se alcancen los límites de PTU.", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Asegúrese de que la suscripción tiene suficiente cuota para escalar horizontalmente los grupos de nodos", - "waf": "Operaciones" + "text": "Elija el modelo adecuado para la tarea correcta. Elija modelos con el equilibrio adecuado entre velocidad, calidad de respuesta y complejidad de salida", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Uso del escalador automático de clústeres", + "text": "Tener una línea de base para el rendimiento sin ajuste fino para saber si el ajuste fino ha mejorado o no el rendimiento del modelo", "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": 
"Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", "severity": "Bajo", - "text": "Personalización de la configuración de nodos para grupos de nodos de AKS", - "waf": "Rendimiento" + "text": "Implementación de varias instancias de OAI en todas las regiones", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Implemente reintentos y comprobaciones de estado con el patrón de puerta de enlace como APIM", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Usar el escalador automático horizontal de pods cuando sea necesario", - "waf": "Rendimiento" + "text": "Asegúrese de 
tener cuotas adecuadas de TPM y RPM para la carga de trabajo", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Los nodos más grandes aportarán un mayor rendimiento y características como discos efímeros y redes aceleradas, pero aumentarán el radio de explosión y disminuirán la granularidad de escalado", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", - "severity": "Alto", - "text": "Considere un tamaño de nodo adecuado, ni demasiado grande ni demasiado pequeño", - "waf": "Rendimiento" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": "Azure OpenAI", + "severity": "Medio", + "text": "Revise las consideraciones de la guía del kit de herramientas de HAI y aplique esas prácticas de interacción para el slution", + "waf": "Excelencia Operacional" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "Bajo", - "text": "Si se requieren más de 5000 nodos para la escalabilidad, considere la posibilidad de usar un clúster de AKS adicional", - "waf": "Rendimiento" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Azure OpenAI", + "severity": "Medio", + "text": "Implemente modelos de ajuste de precisión independientes en todas 
las regiones si se emplea el ajuste de precisión", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "Bajo", - "text": "Considere la posibilidad de suscribirse a eventos de EventGrid para la automatización de AKS", - "waf": "Rendimiento" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77a1f893-5bda-4433-84f2-4811633182ba", + "link": "https://learn.microsoft.com/azure/backup/backup-overview", + "service": "Azure OpenAI", + "severity": "Medio", + "text": "Realice copias de seguridad y replique regularmente los datos críticos para garantizar la disponibilidad y la capacidad de recuperación de los datos en caso de pérdida de datos o fallos del sistema. Aproveche los servicios de copia de seguridad y recuperación ante desastres de Azure para proteger sus datos.", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "Bajo", - "text": "Para una operación de ejecución prolongada en un clúster de AKS, considere la finalización de eventos", - "waf": "Rendimiento" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Los niveles de servicio de búsqueda de Azure AI deben elegirse para tener un Acuerdo de Nivel de Servicio ", + "waf": "Fiabilidad" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", + "link": "https://learn.microsoft.com/purview/purview", + "service": "Azure OpenAI", "severity": "Bajo", - "text": "Si es necesario, considere la posibilidad de usar Azure Dedicated Hosts para nodos de AKS", - "waf": "Rendimiento" + "text": "Clasifique los datos y la confidencialidad, etiquetando con Microsoft Purview antes de generar las incrustaciones y asegúrese de tratar las incrustaciones generadas con la misma confidencialidad y clasificación", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Usar discos de sistema operativo efímeros", - "waf": "Rendimiento" + "text": "Cifre los datos utilizados para RAG con cifrado SSE/Disk con BYOK opcional", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", + "link": "https://learn.microsoft.com/azure/search/search-security-overview", + "service": "Azure OpenAI", "severity": "Alto", - "text": "En el caso de los discos no efímeros, use IOPS altas y discos de sistema operativo más grandes para los nodos cuando ejecute muchos pods o nodos, ya que requiere un alto rendimiento para ejecutar varios pods y generará registros enormes con umbrales de rotación de registros de AKS predeterminados", - "waf": "Rendimiento" + "text": "Asegúrese de que TLS se aplica a los datos en tránsito a través de fuentes de datos, la búsqueda de IA utilizada para la generación aumentada de recuperación (RAG) y la comunicación de LLM", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "Bajo", - "text": "Para la opción de almacenamiento de hiperrendimiento, use discos Ultra en AKS", - "waf": "Rendimiento" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Use RBAC para administrar el acceso a los servicios de Azure OpenAI. 
Asigne los permisos adecuados a los usuarios y restrinja el acceso en función de sus funciones y responsabilidades", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", + "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Evite mantener el estado en el clúster y almacene los datos fuera (AzStorage, AzSQL, Cosmos, etc.)", - "waf": "Rendimiento" + "text": "Implemente técnicas de cifrado, enmascaramiento o redacción de datos para ocultar datos confidenciales o reemplazarlos con valores ofuscados en entornos que no sean de producción o al compartir datos con fines de prueba o solución de problemas", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", - "severity": "Medio", - "text": "Si usa AzFiles Standard, considere AzFiles Premium o ANF por motivos de rendimiento", - "waf": "Rendimiento" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Use Azure Defender para detectar y responder a las amenazas de seguridad y configurar mecanismos de supervisión y alerta para identificar actividades sospechosas o infracciones. 
Aproveche Azure Sentinel para la detección y respuesta a amenazas avanzadas", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", + "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Si usa Azure Disks y AZ, considere la posibilidad de tener grupos de nodos dentro de una zona para el disco LRS con VolumeBindingMode:WaitForFirstConsumer para aprovisionar el almacenamiento en la zona correcta o use el disco ZRS para los grupos de nodos que abarquen varias zonas", - "waf": "Rendimiento" + "text": "Establezca políticas de retención y eliminación de datos para cumplir con las regulaciones de cumplimiento. 
Implemente métodos de eliminación seguros para los datos que ya no son necesarios y mantenga un registro de auditoría de las actividades de retención y eliminación de datos", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Implemente los escudos de aviso y la detección de conexión a tierra mediante Content Safety ", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", + "link": "https://learn.microsoft.com/azure/compliance/", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Familiarícese con los procedimientos recomendados de Key Vault, como las recomendaciones de aislamiento, el control de acceso, la protección de datos, la copia de seguridad y el registro.", - "waf": "Fiabilidad" + "text": "Garantice el cumplimiento de las normativas de protección de datos pertinentes, como el RGPD o la HIPAA, mediante la implementación de controles de privacidad y la obtención de los consentimientos o permisos necesarios para las actividades de tratamiento de datos.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI 
Review", + "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Key Vault es un servicio administrado y Microsoft se encargará de la conmutación por error dentro de la región y entre ellas. Familiarícese con la disponibilidad y la redundancia de Key Vault.", - "waf": "Fiabilidad" + "text": "Eduque a sus empleados sobre las mejores prácticas de seguridad de datos, la importancia de manejar los datos de forma segura y los riesgos potenciales asociados con las violaciones de datos. Anímelos a seguir diligentemente los protocolos de seguridad de datos.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", - "severity": "Medio", - "text": "El contenido del almacén de claves se replica dentro de la región y en una región secundaria a una distancia mínima de 150 millas, pero dentro de la misma geografía para mantener una alta durabilidad de las claves y los secretos. Familiarícese con la replicación de datos de Key Vault.", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Mantenga los datos de producción separados de los datos de desarrollo y pruebas. 
Utilice únicamente datos confidenciales reales en producción y utilice datos anónimos o sintéticos en entornos de desarrollo y prueba.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Durante la conmutación por error, no se pueden cambiar las configuraciones y valores de la directiva de acceso o del firewall. El almacén de claves estará en modo de solo lectura durante la conmutación por error. Familiarícese con las instrucciones de conmutación por error de Key Vault.", - "waf": "Fiabilidad" + "text": "Si tiene distintos niveles de confidencialidad de datos, considere la posibilidad de crear índices independientes para cada nivel. Por ejemplo, podría tener un índice para los datos generales y otro para los datos confidenciales, cada uno gobernado por diferentes protocolos de acceso", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Al realizar una copia de seguridad de un objeto de almacén de claves, como un secreto, una clave o un certificado, la operación de copia de seguridad descargará el objeto como un blob cifrado. Este blob no se puede descifrar fuera de Azure. 
Para obtener datos utilizables de este blob, debe restaurar el blob en un almacén de claves dentro de la misma suscripción de Azure y la misma geografía de Azure. Familiarícese con las instrucciones de copia de seguridad y restauración de Key Vault.", - "waf": "Fiabilidad" + "text": "Lleve la segregación un paso más allá colocando conjuntos de datos confidenciales en diferentes instancias del servicio. Cada instancia se puede controlar con su propio conjunto específico de políticas RBAC", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Si desea protegerse contra la eliminación accidental o malintencionada de los secretos, configure las características de protección contra eliminación temporal y purga en el almacén de claves.", - "waf": "Fiabilidad" + "text": "Reconozca que las incrustaciones y los vectores generados a partir de información confidencial son en sí mismos confidenciales. Estos datos deben recibir las mismas medidas de protección que el material de origen", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "severity": "Bajo", - "text": "Los recursos eliminados temporalmente de Key Vault se conservan durante un período establecido de 90 días naturales. 
Familiarícese con las instrucciones de eliminación temporal de Key Vault.", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Aplique RBAC a los almacenes de datos que tienen incrustaciones y vectores y alcance el acceso en función de los requisitos de acceso del rol", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Bajo", - "text": "Descripción de las limitaciones de la copia de seguridad de Key Vault. Key Vault no admite la capacidad de realizar copias de seguridad de más de 500 versiones anteriores de un objeto de clave, secreto o certificado. Al intentar hacer una copia de seguridad de una clave, un secreto o un objeto de certificado, es posible que se produzca un error. 
No es posible eliminar versiones anteriores de una clave, un secreto o un certificado.", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Configure un punto de conexión privado para que los servicios de IA restrinjan el acceso al servicio dentro de su red", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Bajo", - "text": "Actualmente, Key Vault no proporciona una manera de realizar una copia de seguridad de un almacén de claves completo en una sola operación y las claves, los secretos y los certificados deben respaldarse de forma individual. 
Familiarícese con las instrucciones de copia de seguridad y restauración de Key Vault.", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Aplique un estricto control del tráfico entrante y saliente con Azure Firewall y UDR, y limite los puntos de integración externos", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", - "severity": "Medio", - "text": "Se recomienda la protección de purga cuando se utilizan claves para el cifrado para evitar la pérdida de datos. La protección de purga es un comportamiento opcional de Key Vault y no está habilitada de forma predeterminada. La protección de purga solo se puede habilitar una vez que se habilita la eliminación temporal. 
Se puede activar a través de CLI, PowerShell o Portal.", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Implemente la segmentación de la red y los controles de acceso para restringir el acceso a la aplicación LLM solo a los usuarios y sistemas autorizados y evitar el movimiento lateral", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", - "guid": "d0642c1c-312b-4116-94ab-439e1c836819", - "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Se recomienda RBAC para controlar el acceso al almacén de claves. 
Familiarícese con las instrucciones de control de acceso de Key Vault.", - "waf": "Seguridad" + "text": "Utilice herramientas de compresión rápida como LLMLingua o gprtrim", + "waf": "Optimización de costes" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", - "severity": "Medio", - "text": "Implementar una política de control de errores a nivel global", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Asegúrese de que las API y los puntos finales utilizados por la aplicación LLM estén correctamente protegidos con mecanismos de autenticación y autorización, como identidades administradas, claves de API u OAuth, para evitar el acceso no autorizado.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Asegúrese de que todas las políticas de API incluyan un elemento.", - "waf": "Operaciones" + "text": "Aplique mecanismos sólidos de autenticación de 
usuario final, como la autenticación multifactor, para evitar el acceso no autorizado a la aplicación LLM y a los recursos de red asociados", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Uso de fragmentos de políticas para evitar repetir las mismas definiciones de políticas en varias API", - "waf": "Operaciones" + "text": "Implemente herramientas de monitoreo de red para detectar y analizar el tráfico de red en busca de actividades sospechosas o maliciosas. Habilite el registro para capturar eventos de red y facilitar el análisis forense en caso de incidentes de seguridad", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Si planeas monetizar tus API, revisa el artículo \"Soporte de monetización\" para conocer las prácticas recomendadas", - "waf": "Operaciones" + "text": "Realizar auditorías de seguridad y pruebas de penetración para identificar y abordar cualquier debilidad o vulnerabilidad de seguridad de red en la infraestructura de red de la aplicación LLM", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": 
"a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", - "severity": "Alto", - "text": "Habilitación de la configuración de diagnóstico para exportar registros a Azure Monitor", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", + "severity": "Bajo", + "text": "Los servicios de Azure AI están etiquetados correctamente para una mejor administración", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", - "severity": "Medio", - "text": "Habilitación de Application Insights para obtener telemetría más detallada", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", + "severity": "Bajo", + "text": "Las cuentas de Azure AI Service siguen las convenciones de nomenclatura de la organización", + "waf": "Excelencia Operacional" }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + 
"guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Configurar alertas sobre las métricas más críticas", - "waf": "Operaciones" + "text": "Los registros de diagnóstico en los recursos de servicios de Azure AI deben estar habilitados", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Asegúrese de que los certificados SSL personalizados se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", + "text": "Se recomienda deshabilitar el acceso a claves (autenticación local) por seguridad. Después de deshabilitar el acceso basado en claves, el identificador de Microsoft Entra se convierte en el único método de acceso, lo que permite mantener el principio de privilegio mínimo y el control granular. 
", "waf": "Seguridad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Protección de las solicitudes entrantes a las API (plano de datos) con Azure AD", + "text": "Almacene y administre claves de forma segura con Azure Key Vault. Evite codificar de forma rígida o incrustar claves confidenciales en el código de la aplicación de LLM y recupérelas de forma segura de Azure Key Vault mediante identidades administradas", "waf": "Seguridad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", - "severity": "Medio", - "text": "Usar el identificador de Microsoft Entra para autenticar a los usuarios en el Portal para desarrolladores", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Rotar y expirar periódicamente las claves almacenadas en Azure Key Vault para minimizar el riesgo de acceso no autorizado.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.ApiManagement/service", - 
"checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", - "severity": "Medio", - "text": "Crear grupos adecuados para controlar la visibilidad de los productos", - "waf": "Seguridad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Use tiktoken para comprender los tamaños de los tokens para las optimizaciones de tokens en el modo conversacional", + "waf": "Optimización de costes" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", - "severity": "Medio", - "text": "Utilice la función Backends para eliminar las configuraciones redundantes de back-end de la API", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Siga prácticas de codificación seguras para evitar vulnerabilidades comunes, como ataques de inyección, secuencias de comandos entre sitios (XSS) o errores de configuración de seguridad.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", - "severity": "Medio", - "text": "Usar valores con nombre para 
almacenar valores comunes que se pueden usar en directivas", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Configurar un proceso para actualizar y parchear regularmente las bibliotecas de LLM y otros componentes del sistema", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", - "severity": "Medio", - "text": "En el caso de la recuperación ante desastres, aproveche el nivel premium con implementaciones escaladas en dos o más regiones para un acuerdo de nivel de servicio del 99,99 %", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Cumplir con los términos de uso, las directivas y las directrices de Azure OpenAI u otros LLM, así como con los casos de uso permitidos.", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Implemente al menos una unidad en dos o más zonas de disponibilidad para obtener un SLA aumentado del 99,99 %", - "waf": "Fiabilidad" + "text": "Comprenda la diferencia en el costo de los modelos base y los modelos ajustados y los tamaños de paso de token", + "waf": "Optimización de costes" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Asegúrese de que haya una rutina de copia de seguridad automatizada", - "waf": "Fiabilidad" + "text": "Solicitudes por lotes, siempre que sea posible, para minimizar la sobrecarga por llamada, lo que puede reducir los costos generales. 
Asegúrese de optimizar el tamaño del lote", + "waf": "Optimización de costes" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Use directivas para agregar una dirección URL de back-end de conmutación por error y el almacenamiento en caché para reducir las llamadas con errores.", - "waf": "Fiabilidad" + "text": "Configure un sistema de seguimiento de costos que supervise el uso del modelo y use esa información para ayudar a informar las opciones de modelos y los tamaños indicados", + "waf": "Optimización de costes" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "Bajo", - "text": "Si necesita iniciar sesión en niveles de alto rendimiento, tenga en cuenta la directiva de Event Hubs", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", + "severity": "Medio", + "text": "Establezca un límite máximo en el número de tokens por respuesta de modelo. 
Optimice el tamaño para asegurarse de que sea lo suficientemente grande para una respuesta válida", + "waf": "Optimización de costes" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Aplicación de directivas de limitación para controlar el número de solicitudes por segundo", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Rendimiento" + "text": "Revise las instrucciones proporcionadas sobre la configuración de la búsqueda de IA para la confiabilidad", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Configurar el escalado automático para escalar horizontalmente el número de instancias cuando aumenta la carga", - "waf": "Rendimiento" + "text": "Planifique y administre el almacenamiento de vectores de búsqueda de IA", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": 
"84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Implemente puertas de enlace autohospedadas en las que Azure no tenga una región cercana a las API de back-end.", - "waf": "Rendimiento" + "text": "Aplique prácticas de LLMOps para automatizar la gestión del ciclo de vida de sus aplicaciones GenAI", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", - "severity": "Medio", - "text": "Use el nivel premium para las cargas de trabajo de producción.", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Evalúe el uso de los modelos de facturación: PAYG frente a PTU", + "waf": "Optimización de costes" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + 
"arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", "severity": "Medio", - "text": "En el modelo de varias regiones, use directivas para enrutar las solicitudes a los back-ends regionales en función de la disponibilidad o la latencia.", - "waf": "Fiabilidad" + "text": "Evalúe la calidad de los mensajes y las aplicaciones al cambiar entre versiones de modelo", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", - "severity": "Alto", - "text": "Tenga en cuenta los límites de APIM", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", + "severity": "Medio", + "text": "Evalúe, supervise y perfeccione sus aplicaciones GenAI para características como la fundamentación, la relevancia, la precisión, la coherencia, la fluidez,", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", - "severity": "Alto", - "text": "Asegúrese de que las implementaciones de puerta de enlace autohospedadas sean resistentes.", - 
"waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", + "severity": "Medio", + "text": "Evalúe los resultados de búsqueda de Azure AI en función de diferentes parámetros de búsqueda", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Uso de Azure Front Door delante de APIM para la implementación en varias regiones", - "waf": "Rendimiento" + "text": "Considere los modelos de ajuste fino como una forma de aumentar la precisión solo cuando haya probado otros enfoques básicos como la ingeniería de avisos y RAG con sus datos", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", "severity": "Medio", - 
"text": "Implementación del servicio dentro de una red virtual (VNet)", - "waf": "Seguridad" + "text": "Utilice técnicas de ingeniería rápida para mejorar la precisión de las respuestas de LLM", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Implemente grupos de seguridad de red (NSG) en las subredes para restringir o supervisar el tráfico hacia/desde APIM.", + "text": "Equipo rojo con sus aplicaciones GenAI", "waf": "Seguridad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Implemente puntos de conexión privados para filtrar el tráfico entrante cuando APIM no se implemente en una red virtual.", - "waf": "Seguridad" + "text": "Proporcione a los usuarios finales opciones de 
puntuación para las respuestas de LLM y realice un seguimiento de estas puntuaciones. ", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Deshabilitar el acceso a la red pública", - "waf": "Seguridad" + "text": "Considere las prácticas de administración de cuotas", + "waf": "Optimización de costes" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Simplifique la administración con scripts de automatización de PowerShell", - "waf": "Operaciones" + "text": "Utilice soluciones de equilibrador de carga, como la puerta de enlace basada en APIM, para equilibrar la carga y la capacidad entre servicios y regiones", + "waf": "Excelencia Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": 
"c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Configure APIM a través de la infraestructura como código. Revise las prácticas recomendadas de DevOps desde el acelerador de zonas de aterrizaje de API de Cloud Adaption Framework", - "waf": "Operaciones" + "text": "Aproveche el cuaderno de estrategias de resistencia de FTA para Azure Data Factory", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "Alto", + "text": "Uso de canalizaciones con redundancia de zona en regiones que admiten zonas de disponibilidad", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Promover el uso de la extensión APIM de Visual Studio Code para un 
desarrollo de API más rápido", - "waf": "Operaciones" + "text": "Uso de DevOps para realizar copias de seguridad de las plantillas de ARM con la integración de Github/Azure DevOps ", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Implemente DevOps y CI/CD en su flujo de trabajo", - "waf": "Operaciones" + "text": "Asegúrese de replicar las máquinas virtuales de Integration Runtime autohospedadas en otra región ", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Medio", - "text": "API seguras mediante la autenticación de certificados de cliente", - "waf": "Seguridad" + "text": "Asegúrese de replicar o duplicar la red en la región hermana. 
Tiene que hacer una copia de la red virtual en otra región", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "description": "Si las canalizaciones de ADF usan Key Vault, no tiene que hacer nada para replicar Key Vault. Key Vault es un servicio administrado y Microsoft se encarga de ello por ti", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "severity": "Bajo", + "text": "Si utiliza la integración de Keyvault, utilice el Acuerdo de Nivel de Servicio de Keyvault para comprender su disponibilidad", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", "severity": "Medio", - "text": "Servicios de back-end seguros mediante la autenticación de certificados de cliente", - "waf": "Seguridad" + "text": "Azure Spring Apps permite dos implementaciones para cada aplicación, de las cuales solo una recibe tráfico de producción. Puede lograr cero tiempo de inactividad con estrategias de implementación azul verde. La implementación azul verde solo está disponible en los niveles Estándar y Enterprise. 
Puede automatizar la implementación mediante CI/CD con acciones de ADO/GitHub", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "Medio", - "text": "Revise el artículo \"Recomendaciones para mitigar las 10 principales amenazas de seguridad de la API de OWASP\" y compruebe qué se aplica a sus API", - "waf": "Seguridad" + "text": "Las instancias de Azure Spring Apps se pueden crear en varias regiones para las aplicaciones y el tráfico se puede enrutar mediante Traffic Manager o Front Door.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "severity": "Medio", - "text": "Utilice la función Autorizaciones para simplificar la administración del token de OAuth 2.0 para las API de back-end", - "waf": "Seguridad" + "text": "En la región admitida, Azure Spring Apps se puede implementar como zona redundante, lo que significa que las instancias se distribuyen automáticamente entre las zonas de disponibilidad. 
Esta función solo está disponible en los niveles Standard y Enterprise.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", - "severity": "Alto", - "text": "Utilice la versión más reciente de TLS al cifrar la información en tránsito. Deshabilite los protocolos y cifrados obsoletos e innecesarios cuando sea posible.", - "waf": "Seguridad" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", + "severity": "Medio", + "text": "Usar más de 1 instancia de aplicación para las aplicaciones", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", - "severity": "Alto", - "text": "Asegúrese de que los secretos (valores con nombre) se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", - "waf": "Seguridad" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", + "severity": "Medio", + "text": "Supervise Azure Spring Apps con registros, métricas y seguimiento. 
Integre ASA con la información de las aplicaciones, realice un seguimiento de los errores y cree libros de trabajo.", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", + "severity": "Medio", + "text": "Configuración del escalado automático en Spring Cloud Gateway", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "severity": "Bajo", + "text": "Habilite el escalado automático para las aplicaciones con el consumo estándar y el plan dedicado.", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "severity": "Medio", - "text": "Uso de identidades administradas para autenticarse en otros recursos de Azure siempre que sea posible", - "waf": "Seguridad" + "text": "Use el plan Enterprise para obtener soporte comercial de Spring Boot para aplicaciones de misión crítica. 
Con otros niveles, obtienes soporte OSS.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Alto", - "text": "Uso del firewall de aplicaciones web (WAF) mediante la implementación de Application Gateway delante de APIM", - "waf": "Seguridad" + "text": "Familiarícese con los procedimientos recomendados de Key Vault, como las recomendaciones de aislamiento, el control de acceso, la protección de datos, la copia de seguridad y el registro.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus Premium proporciona cifrado de datos en reposo. Si usa su propia clave, los datos se siguen cifrando con la clave administrada por Microsoft, pero además la clave administrada por Microsoft se cifrará con la clave administrada por el cliente. 
", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", - "severity": "Bajo", - "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Seguridad" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", + "severity": "Medio", + "text": "Key Vault es un servicio administrado y Microsoft se encargará de la conmutación por error dentro de la región y entre ellas. Familiarícese con la disponibilidad y la redundancia de Key Vault.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "La comunicación entre una aplicación cliente y un espacio de nombres de Azure Service Bus se cifra mediante la seguridad de la capa de transporte (TLS). Los espacios de nombres de Azure Service Bus permiten a los clientes enviar y recibir datos con TLS 1.0 y versiones posteriores. 
Para aplicar medidas de seguridad más estrictas, puede configurar el espacio de nombres de Service Bus para que requiera que los clientes envíen y reciban datos con una versión más reciente de TLS.", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", "severity": "Medio", - "text": "Aplicar una versión mínima requerida de la seguridad de la capa de transporte (TLS) para las solicitudes ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Seguridad" + "text": "El contenido del almacén de claves se replica dentro de la región y en una región secundaria a una distancia mínima de 150 millas, pero dentro de la misma geografía para mantener una alta durabilidad de las claves y los secretos. Familiarícese con la replicación de datos de Key Vault.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Al crear un espacio de nombres de Service Bus, se crea automáticamente una regla de SAS denominada RootManageSharedAccessKey para el espacio de nombres. Esta política tiene permisos de administración para todo el espacio de nombres. Se recomienda tratar esta regla como una cuenta raíz administrativa y no usarla en la aplicación. Se recomienda usar AAD como proveedor de autenticación con RBAC. 
", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", "severity": "Medio", - "text": "Evite usar la cuenta root cuando no sea necesario", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Seguridad" + "text": "Durante la conmutación por error, no se pueden cambiar las configuraciones y valores de la directiva de acceso o del firewall. El almacén de claves estará en modo de solo lectura durante la conmutación por error. Familiarícese con las instrucciones de conmutación por error de Key Vault.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Una aplicación cliente de Service Bus que se ejecuta dentro de una aplicación de Azure App Service o en una máquina virtual con entidades administradas habilitadas para la compatibilidad con recursos de Azure no necesita controlar reglas y claves de SAS, ni ningún otro token de acceso. La aplicación cliente solo necesita la dirección del punto de conexión del espacio de nombres de mensajería de Service Bus. 
", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", - "service": "Service Bus", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "severity": "Medio", - "text": "Cuando sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Service Bus. Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o en un servicio equivalente", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Seguridad" + "text": "Al realizar una copia de seguridad de un objeto de almacén de claves, como un secreto, una clave o un certificado, la operación de copia de seguridad descargará el objeto como un blob cifrado. Este blob no se puede descifrar fuera de Azure. Para obtener datos utilizables de este blob, debe restaurar el blob en un almacén de claves dentro de la misma suscripción de Azure y la misma geografía de Azure. Familiarícese con las instrucciones de copia de seguridad y restauración de Key Vault.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Al crear permisos, proporcione un control detallado sobre el acceso de un cliente a Azure Service Bus. Los permisos de Azure Service Bus pueden y deben limitarse al nivel de recurso individual, por ejemplo, cola, tema o suscripción. 
", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "severity": "Alto", - "text": "Usar RBAC del plano de datos con privilegios mínimos", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Seguridad" + "text": "Si desea protegerse contra la eliminación accidental o malintencionada de los secretos, configure las características de protección contra eliminación temporal y purga en el almacén de claves.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Los registros de recursos de Azure Service Bus incluyen registros operativos, redes virtuales y registros de filtrado de IP. Los registros de auditoría en tiempo de ejecución capturan información de diagnóstico agregada para varias operaciones de acceso al plano de datos (como enviar o recibir mensajes) en Service Bus.", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", - "severity": "Medio", - "text": "Habilite el registro para la investigación de seguridad. 
Use Azure Monitor para realizar un seguimiento de los registros de recursos y los registros de auditoría en tiempo de ejecución (actualmente solo disponible en el nivel Premium)", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Seguridad" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "Bajo", + "text": "Los recursos eliminados temporalmente de Key Vault se conservan durante un período establecido de 90 días naturales. Familiarícese con las instrucciones de eliminación temporal de Key Vault.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "De forma predeterminada, Azure Service Bus tiene una dirección IP pública y es accesible desde Internet. Los puntos de conexión privados permiten el tráfico entre la red virtual y los recorridos de Azure Service Bus a través de la red troncal de Microsoft. Además de eso, debe deshabilitar los puntos de conexión públicos si no se utilizan. ", - "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", - "service": "Service Bus", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Bajo", + "text": "Descripción de las limitaciones de la copia de seguridad de Key Vault. Key Vault no admite la capacidad de realizar copias de seguridad de más de 500 versiones anteriores de un objeto de clave, secreto o certificado. 
Al intentar hacer una copia de seguridad de una clave, un secreto o un objeto de certificado, es posible que se produzca un error. No es posible eliminar versiones anteriores de una clave, un secreto o un certificado.", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Bajo", + "text": "Actualmente, Key Vault no proporciona una manera de realizar una copia de seguridad de un almacén de claves completo en una sola operación y las claves, los secretos y los certificados deben respaldarse de forma individual. Familiarícese con las instrucciones de copia de seguridad y restauración de Key Vault.", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "severity": "Medio", - "text": "Considere la posibilidad de usar puntos de conexión privados para acceder a Azure Service Bus y deshabilitar el acceso a la red pública cuando corresponda.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Seguridad" + "text": "Se recomienda la protección de purga cuando se utilizan claves para el cifrado para evitar la pérdida de datos. La protección de purga es un comportamiento opcional de Key Vault y no está habilitada de forma predeterminada. La protección de purga solo se puede habilitar una vez que se habilita la eliminación temporal. 
Se puede activar a través de CLI, PowerShell o Portal.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Con el firewall de IP, puede restringir aún más el punto de conexión público a solo un conjunto de direcciones IPv4 o rangos de direcciones IPv4 en notación CIDR (Classless Inter-Domain Routing). ", - "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", - "service": "Service Bus", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", + "guid": "d0642c1c-312b-4116-94ab-439e1c836819", + "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", + "service": "Key Vault", "severity": "Medio", - "text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres de Azure Service Bus desde direcciones IP o intervalos específicos", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "text": "Se recomienda RBAC para controlar el acceso al almacén de claves. Familiarícese con las instrucciones de control de acceso de Key Vault.", "waf": "Seguridad" }, { 
@@ -7903,102 +8239,41 @@ "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", - "severity": "Medio", - "text": "Usar el equilibrio de carga de la capa de transporte", - "waf": "Rendimiento" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", - "severity": "Medio", - "text": "Configure el enrutamiento basado en el host o el nombre de dominio para varias aplicaciones web en una sola puerta de enlace", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", - "severity": "Medio", - "text": "Centralice la administración de certificados SSL para reducir la sobrecarga de cifrado y descifrado de una granja de servidores back-end", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "Bajo", - "text": "Use Application Gateway para obtener compatibilidad nativa con los protocolos WebSocket y HTTP/2", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": 
"https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", - "severity": "Medio", - "text": "Aproveche el cuaderno de estrategias de resistencia de FTA para Azure Data Factory", - "waf": "Fiabilidad" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "Alto", - "text": "Uso de canalizaciones con redundancia de zona en regiones que admiten zonas de disponibilidad", - "waf": "Fiabilidad" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", "severity": "Medio", - "text": "Uso de DevOps para realizar copias de seguridad de las plantillas de ARM con la integración de Github/Azure DevOps ", - "waf": "Fiabilidad" + "text": "Usar el equilibrio de carga de la capa de transporte", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", 
"severity": "Medio", - "text": "Asegúrese de replicar las máquinas virtuales de Integration Runtime autohospedadas en otra región ", - "waf": "Fiabilidad" + "text": "Configure el enrutamiento basado en el host o el nombre de dominio para varias aplicaciones web en una sola puerta de enlace", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "severity": "Medio", - "text": "Asegúrese de replicar o duplicar la red en la región hermana. Tiene que hacer una copia de la red virtual en otra región", - "waf": "Fiabilidad" + "text": "Centralice la administración de certificados SSL para reducir la sobrecarga de cifrado y descifrado de una granja de servidores back-end", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "Si las canalizaciones de ADF usan Key Vault, no tiene que hacer nada para replicar Key Vault. 
Key Vault es un servicio administrado y Microsoft se encarga de ello por ti", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", "severity": "Bajo", - "text": "Si utiliza la integración de Keyvault, utilice el Acuerdo de Nivel de Servicio de Keyvault para comprender su disponibilidad", - "waf": "Fiabilidad" + "text": "Use Application Gateway para obtener compatibilidad nativa con los protocolos WebSocket y HTTP/2", + "waf": "Seguridad" }, { "arm-service": "microsoft.network/frontdoors", 
@@ -8405,6 +8680,76 @@ "text": "Al usar Front Door con origen como servicios de aplicación, considere la posibilidad de bloquear el tráfico a los servicios de aplicaciones solo a través de Azure Front Door mediante restricciones de acceso. ", "waf": "Seguridad" }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "Alto", + "text": "Habilitación de 2 réplicas para que tengan una disponibilidad del 99,9 % para las operaciones de lectura", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "Medio", + "text": "Habilitación de 3 réplicas para que tengan una disponibilidad del 99,9 % para las operaciones de lectura y escritura", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "Alto", + "text": "Aproveche las zonas de disponibilidad habilitando réplicas de lectura o escritura", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", + "severity": "Medio", + "text": "En el caso de la reincidencia regional, 
cree manualmente servicios en 2 o más regiones para la búsqueda, ya que no proporciona un método automatizado para replicar índices de búsqueda en regiones geográficas", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", + "severity": "Medio", + "text": "Para sincronizar datos entre varios servicios, use indexadores para actualizar contenido en varios servicios o use las API de REST para insertar actualizaciones de contenido en varios servicios", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", + "severity": "Medio", + "text": "Uso de Azure Traffic Manager para coordinar solicitudes", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", + "severity": "Alto", + "text": "Realice una copia de seguridad y restaure un índice de Azure Cognitive Search. Use este código de ejemplo para realizar una copia de seguridad de la definición del índice y la instantánea en una serie de archivos JSON", + "waf": "Fiabilidad" + }, { "arm-service": "Microsoft.BotService/botServices", "checklist": "Azure Bot Service", 
@@ -8436,1551 +8781,1794 @@ "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", "severity": "Alto", - "text": "Seleccione el plan de hospedaje de funciones adecuado en función de los requisitos de su empresa y SLO", + "text": "Aproveche las zonas de disponibilidad si corresponden regionalmente (esto se habilita automáticamente)", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (no disponible para el nivel de consumo)", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "severity": "Medio", + "text": "Tenga en cuenta las conmutaciones por error iniciadas por Microsoft. 
Microsoft los ejerce en situaciones excepcionales para conmutar por error todos los centros de IoT de una región afectada a la región emparejada geográficamente correspondiente.", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", - "severity": "Medio", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "severity": "Alto", "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "Alto", - "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "text": "Obtenga información sobre cómo desencadenar una conmutación por error manual.", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", + "severity": "Alto", + "text": "Obtenga información sobre cómo conmutar 
por recuperación después de una conmutación por error.", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", + "severity": "Bajo", + "text": "Si es necesario para las cargas de trabajo de Windows de AKS, se pueden usar contenedores HostProcess", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "Bajo", + "text": "Utilice KEDA si ejecuta cargas de trabajo controladas por eventos", + "waf": "Rendimiento" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "Bajo", + "text": "Uso de Dapr para facilitar el desarrollo de microservicios", + "waf": "Operaciones" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", + "severity": "Alto", + "text": "Uso de la oferta de AKS respaldada por SLA", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "Bajo", + "text": "Uso de presupuestos de 
interrupción en el pod y las definiciones de implementación", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", + "severity": "Alto", + "text": "Si usa un registro privado, configure la replicación de regiones para almacenar imágenes en varias regiones", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", - "severity": "Alto", - "text": "Asegúrese de que \"Siempre activado\" esté habilitado para todas las aplicaciones de funciones que se ejecutan en el plan de App Service", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "Bajo", + "text": "Usar una aplicación externa como kubecost para asignar costos a diferentes usuarios", + "waf": "Costar" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "Bajo", + "text": "Usar el modo de reducción vertical para eliminar/desasignar nodos", + "waf": "Costar" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + 
"service": "AKS", + "severity": "Medio", + "text": "Cuando sea necesario, use la GPU de partición de varias instancias en clústeres de AKS", + "waf": "Costar" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", - "severity": "Medio", - "text": "Empareje una aplicación de funciones con su propia cuenta de almacenamiento. Intente no volver a usar las cuentas de almacenamiento para las aplicaciones de funciones a menos que estén estrechamente acopladas", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "Bajo", + "text": "Si se ejecuta un clúster de desarrollo y pruebas, use NodePool Start/Stop", + "waf": "Costar" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "severity": "Medio", - "text": "Aproveche Azure DevOps o GitHub para optimizar la CI/CD y proteger el código de la aplicación de funciones", - "waf": "Operaciones" + 
"text": "Uso de Azure Policy para Kubernetes para garantizar el cumplimiento de clústeres", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "Medio", - "text": "Azure Center for SAP solutions (ACSS) es una oferta de Azure que convierte a SAP en una carga de trabajo de nivel superior en Azure. ACSS es una solución integral que permite crear y ejecutar sistemas SAP como una carga de trabajo unificada en Azure y proporciona una base más fluida para la innovación. Puede aprovechar las capacidades de administración de los sistemas SAP basados en Azure nuevos y existentes.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "Operaciones" + "text": "Separe las aplicaciones del plano de control con grupos de nodos de usuario/sistema", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", - "severity": "Medio", - "text": "Azure admite la automatización de implementaciones de SAP en Linux y Windows. 
SAP Deployment Automation Framework es una herramienta de orquestación de código abierto que puede implementar, instalar y mantener entornos SAP.", - "training": "https://github.com/Azure/sap-automation", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "Bajo", + "text": "Agregue taint a su grupo de nodos del sistema para que sea dedicado", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "Medio", - "text": "Realice una recuperación a un momento dado para sus bases de datos de producción en cualquier momento y en un período de tiempo que cumpla con su RTO; La recuperación a un momento dado suele incluir errores del operador que eliminan datos en la capa DBMS o a través de SAP, por cierto", - "waf": "Fiabilidad" + "text": "Utilice un registro privado para sus imágenes, como ACR", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "Medio", - "text": "Pruebe los tiempos de copia de seguridad y recuperación para verificar que cumplan con los requisitos de RTO para restaurar todos los sistemas simultáneamente 
después de un desastre.", - "waf": "Fiabilidad" + "text": "Escanea tus imágenes en busca de vulnerabilidades", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "severity": "Alto", - "text": "Puede replicar el almacenamiento estándar entre regiones emparejadas, pero no puede usar el almacenamiento estándar para almacenar sus bases de datos o discos duros virtuales. Solo puede replicar copias de seguridad entre las regiones emparejadas que utilice. Para todos los demás datos, ejecute la replicación mediante características nativas de DBMS, como SQL Server Always On o SAP HANA System Replication. 
Utilice una combinación de Site Recovery, rsync o robocopy y otro software de terceros para la capa de aplicación de SAP.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Fiabilidad" + "text": "Definición de los requisitos de separación de aplicaciones (espacio de nombres/grupo de nodos/clúster)", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "severity": "Medio", - "text": "Al usar Azure Availability Zones para lograr una alta disponibilidad, debe tener en cuenta la latencia entre los servidores de aplicaciones SAP y los servidores de bases de datos. 
En el caso de las zonas con latencias altas, es necesario implementar procedimientos operativos para garantizar que los servidores de aplicaciones SAP y los servidores de bases de datos se ejecuten en la misma zona en todo momento.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidad" + "text": "Almacenamiento de los secretos en Azure Key Vault con el controlador del almacén de secretos de CSI", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "Alto", - "text": "Configure las conexiones de ExpressRoute desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria. 
Además, como alternativa al uso de ExpressRoute, considere la posibilidad de configurar conexiones VPN desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "Bajo", - "text": "Replique el contenido del almacén de claves, como certificados, secretos o claves, en todas las regiones para poder descifrar los datos de la región de recuperación ante desastres.", - "waf": "Fiabilidad" + "text": "Si usa entidades de servicio para el clúster, actualice las credenciales periódicamente (por ejemplo, trimestralmente)", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": "Medio", - "text": "Empareje las redes virtuales principal y de recuperación ante desastres. 
Por ejemplo, para la replicación del sistema HANA, una red virtual de base de datos de SAP HANA debe estar emparejada con la red virtual de base de datos de SAP HANA del sitio de recuperación ante desastres.", - "waf": "Fiabilidad" + "text": "Si es necesario, agregue el servicio de administración de claves, etcd, cifrado", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", "severity": "Bajo", - "text": "Si usa el almacenamiento de Azure NetApp Files para las implementaciones de SAP, como mínimo, cree dos cuentas de Azure NetApp Files en el nivel Premium, en dos regiones.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "Alto", - "text": "Se debe usar la tecnología de replicación de base de datos nativa para sincronizar la base de datos en un par de alta disponibilidad.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidad" + "text": "Si es necesario, considere la posibilidad de usar Proceso confidencial para AKS", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = 
todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "Alto", - "text": "El CIDR de la red virtual (VNet) principal no debe entrar en conflicto ni superponerse con el CIDR de la red virtual del sitio de recuperación ante desastres", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", + "severity": "Medio", + "text": "Considere la posibilidad de usar Defender para contenedores", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "Alto", - "text": "Use Site Recovery para replicar un servidor de aplicaciones en un sitio de recuperación ante desastres. 
Site Recovery también puede ayudar a replicar máquinas virtuales de clúster de servicios centrales en el sitio de recuperación ante desastres. Al invocar la recuperación ante desastres, deberá volver a configurar el clúster de Linux Pacemaker en el sitio de recuperación ante desastres (por ejemplo, reemplazar el VIP o el SBD, ejecutar corosync.conf, etc.).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Fiabilidad" + "text": "Uso de identidades administradas en lugar de entidades de servicio", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "Alto", - "text": "Considere la disponibilidad del software de SAP frente a puntos únicos de fallo. Esto incluye puntos únicos de falla dentro de aplicaciones como DBMS utilizados en las arquitecturas SAP NetWeaver y SAP S/4HANA, SAP ABAP y ASCS + SCS. 
También, otras herramientas como SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", + "severity": "Medio", + "text": "Integración de la autenticación con AAD (mediante la integración administrada)", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "Alto", - "text": "En el caso de SAP y bases de datos de SAP, considere la posibilidad de implementar clústeres de conmutación por error automática. En Windows, los clústeres de conmutación por error de Windows Server admiten la conmutación por error. 
En Linux, Linux Pacemaker o herramientas de terceros, como SIOS Protection Suite y Veritas InfoScale, admiten la conmutación por error.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", + "severity": "Medio", + "text": "Limitar el acceso a admin kubeconfig (get-credentials --admin)", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "Alto", - "text": "Azure no admite arquitecturas en las que las máquinas virtuales principal y secundaria compartan almacenamiento para los datos de DBMS. 
Para la capa DBMS, el patrón de arquitectura común es replicar bases de datos al mismo tiempo y con pilas de almacenamiento diferentes a las que usan las máquinas virtuales principales y secundarias.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", + "severity": "Medio", + "text": "Integración de la autorización con RBAC de AAD", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "severity": "Alto", - "text": "Los datos de DBMS y los archivos de registro de transacciones/puesta al día se almacenan en el almacenamiento en bloque compatible con Azure o en Azure NetApp Files. 
Azure Files o Azure Premium Files no se admiten como almacenamiento para datos de DBMS ni archivos de registro de puesta al día con la carga de trabajo de SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Fiabilidad" + "text": "Uso de espacios de nombres para restringir el privilegio RBAC en Kubernetes", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", - "severity": "Alto", - "text": "Puede usar discos compartidos de Azure en Windows para componentes ASCS + SCS y escenarios específicos de alta disponibilidad. Configure los clústeres de conmutación por error por separado para los componentes de la capa de aplicación de SAP y la capa de DBMS. Actualmente, Azure no admite arquitecturas de alta disponibilidad que combinen los componentes de la capa de aplicación de SAP y la capa de DBMS en un clúster de conmutación por error.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", + "severity": "Medio", + "text": "Para la administración de acceso a identidades de pods, use Azure AD Workload Identity (versión preliminar)", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | 
where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "Alto", - "text": "La mayoría de los clústeres de conmutación por error para los componentes de la capa de aplicación (ASCS) de SAP y la capa de DBMS requieren una dirección IP virtual para un clúster de conmutación por error. Azure Load Balancer debe controlar la dirección IP virtual para todos los demás casos. Un principio de diseño es usar un equilibrador de carga por configuración de clúster. 
Te recomendamos que utilices la versión estándar del equilibrador de carga (SKU de Standard Load Balancer).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", + "severity": "Medio", + "text": "En el caso de los inicios de sesión no interactivos de AKS, use kubelogin (versión preliminar)", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "Alto", - "text": "Asegúrese de que la IP flotante esté habilitada en el equilibrador de carga", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", + "severity": "Medio", + "text": "Deshabilitación de cuentas locales de AKS", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", - "severity": "Alto", - "text": "Antes de implementar la infraestructura de alta disponibilidad, y en función de la región que elija, 
determine si desea implementar con un conjunto de disponibilidad de Azure o con una zona de disponibilidad.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Bajo", + "text": "Configure, si es necesario, el acceso al clúster Just-In-Time", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", - "severity": "Alto", - "text": "Si desea cumplir los acuerdos de nivel de servicio de infraestructura para sus aplicaciones para componentes de SAP (servicios centrales, servidores de aplicaciones y bases de datos), debe elegir las mismas opciones de alta disponibilidad (máquinas virtuales, conjuntos de disponibilidad, zonas de disponibilidad) para todos los componentes.", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Bajo", + "text": "Configure si es necesario el acceso condicional de AAD para AKS", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "Alto", - "text": "No mezcle servidores de diferentes roles en el mismo conjunto de disponibilidad. 
Mantenga las máquinas virtuales de servicios centrales, las máquinas virtuales de bases de datos y las máquinas virtuales de aplicaciones en sus propios conjuntos de disponibilidad", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "Bajo", + "text": "Si es necesario para las cargas de trabajo de Windows AKS, configure gMSA ", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "severity": "Medio", - "text": "No se pueden implementar conjuntos de disponibilidad de Azure en una zona de disponibilidad de Azure a menos que se usen grupos de selección de ubicación por proximidad.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "Fiabilidad" + "text": "Para un control más preciso, considere la posibilidad de utilizar una identidad de Kubelet administrada", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "Alto", - "text": "Al crear conjuntos de disponibilidad, use el número máximo de dominios de error y dominios de actualización disponibles. 
Por ejemplo, si implementa más de dos máquinas virtuales en un conjunto de disponibilidad, use el número máximo de dominios de error (tres) y suficientes dominios de actualización para limitar el efecto de posibles errores de hardware físico, interrupciones de red o interrupciones de energía, además del mantenimiento planeado de Azure. El número predeterminado de dominios de error es dos y no se puede cambiar en línea más adelante.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", + "severity": "Medio", + "text": "Si utiliza AGIC, no comparta un AppGW entre clústeres", "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "severity": "Alto", - "text": "Cuando se usan grupos de selección de ubicación de proximidad de Azure en una implementación de conjunto de disponibilidad, los tres componentes de SAP (servicios centrales, servidor de aplicaciones y base de datos) deben estar en el mismo grupo de selección de ubicación por proximidad.", + "text": "No use el complemento de enrutamiento HTTP 
de AKS, use en su lugar la entrada NGINX administrada con el complemento de enrutamiento de aplicaciones.", "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "Alto", - "text": "Utilice un grupo de ubicación de proximidad por SID de SAP. Los grupos no se extienden entre zonas de disponibilidad ni regiones de Azure", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", + "severity": "Medio", + "text": "En el caso de las cargas de trabajo de Windows, use las redes aceleradas", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "Alto", - "text": "Utilice uno de los siguientes servicios para ejecutar clústeres de servicios centrales de SAP, en función del sistema operativo.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "Utilice el ALB estándar (en lugar del básico)", "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": 
"ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "Medio", - "text": "Actualmente, Azure no admite la combinación de ASCS y DB HA en el mismo clúster de Linux Pacemaker; sepárelos en grupos individuales. Sin embargo, puede combinar hasta cinco clústeres de servicios centrales en un par de máquinas virtuales.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" + "text": "Si usa Azure CNI, considere la posibilidad de usar diferentes subredes para NodePools", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", "severity": "Medio", - "text": "Implemente ambas máquinas virtuales en el par de alta disponibilidad en un conjunto de disponibilidad o en zonas de disponibilidad. 
Estas máquinas virtuales deben tener el mismo tamaño y la misma configuración de almacenamiento.", - "waf": "Fiabilidad" + "text": "Use puntos de conexión privados (preferidos) o puntos de conexión de servicio de red virtual para acceder a los servicios PaaS desde el clúster", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", - "severity": "Medio", - "text": "Azure admite la instalación y configuración de SAP HANA, ASCS/SCS e instancias de ERS en el mismo clúster de alta disponibilidad que se ejecuta en Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "Alto", + "text": "Elija el mejor complemento de red de CNI para sus necesidades (se recomienda Azure CNI)", "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "Alto", - "text": "Ejecute todos los sistemas de producción en SSD administradas Premium y use Azure NetApp Files o Ultra Disk Storage. 
Al menos el disco del sistema operativo debe estar en el nivel Premium para que pueda lograr un mejor rendimiento y el mejor Acuerdo de Nivel de Servicio.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "Alto", + "text": "Si usa CNI de Azure, ajuste el tamaño de la subred en consecuencia teniendo en cuenta el número máximo de pods por nodo", + "waf": "Rendimiento" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "Alto", + "text": "Si usa Azure CNI, compruebe el número máximo de pods o nodo (valor predeterminado 30)", + "waf": "Rendimiento" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "En el caso de las aplicaciones internas, las organizaciones suelen abrir toda la subred de AKS en sus firewalls. Esto también abre el acceso de red a los nodos y, potencialmente, también a los pods (si se usa Azure CNI). Si las direcciones IP de LoadBalancer están en una subred diferente, solo esta debe estar disponible para los clientes de la aplicación. 
Otra razón es que si las direcciones IP de la subred de AKS son un recurso escaso, el consumo de sus direcciones IP para los servicios reducirá la escalabilidad máxima del clúster.", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "Bajo", + "text": "Si usa servicios de LoadBalancer de dirección IP privada, use una subred dedicada (no la subred de AKS)", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Alto", - "text": "Debe ejecutar SAP HANA en Azure solo en los tipos de almacenamiento certificados por SAP. Tenga en cuenta que ciertos volúmenes deben ejecutarse en ciertas configuraciones de disco, cuando corresponda. Estas configuraciones incluyen la habilitación del Acelerador de escritura y el uso del almacenamiento Premium. 
También debe asegurarse de que el sistema de archivos que se ejecuta en el almacenamiento sea compatible con el DBMS que se ejecuta en la máquina.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "text": "Dimensione el rango de direcciones IP del servicio en consecuencia (limitará la escalabilidad del clúster)", "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", - "severity": "Alto", - "text": "Considere la posibilidad de configurar la alta disponibilidad en función del tipo de almacenamiento que utilice para las cargas de trabajo de SAP. Algunos servicios de almacenamiento disponibles en Azure no son compatibles con Azure Site Recovery, por lo que la configuración de alta disponibilidad puede diferir.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "Bajo", + "text": "Si es necesario, agregue su propio complemento CNI", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "severity": "Alto", - "text": "Es posible que los diferentes servicios de almacenamiento nativo de Azure (como Azure Files, Azure NetApp Files, Azure Shared Disk) no estén disponibles en todas las regiones. 
Por lo tanto, para tener una configuración de SAP similar en la región de recuperación ante desastres después de la conmutación por error, asegúrese de que el servicio de almacenamiento correspondiente se ofrezca en el sitio de recuperación ante desastres.", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "Bajo", + "text": "Si es necesario, configure la dirección IP pública por nodo en AKS", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "Medio", - "text": "Automatice SAP System Start-Stop para gestionar los costes.", - "waf": "Costar" + "text": "Use un controlador de entrada para exponer aplicaciones basadas en web en lugar de exponerlas con servicios de tipo LoadBalancer", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", "severity": "Bajo", - "text": "En el caso de usar Azure Premium Storage con SAP HANA, el 
almacenamiento SSD estándar de Azure se puede usar para seleccionar una solución de almacenamiento económica en cuanto a costos. Sin embargo, tenga en cuenta que la elección del almacenamiento SSD estándar o HDD estándar de Azure afectará al Acuerdo de Nivel de Servicio de las máquinas virtuales individuales. Además, para sistemas con menor rendimiento de E/S y baja latencia, como entornos que no son de producción, se pueden usar máquinas virtuales de series inferiores.", - "waf": "Costar" + "text": "Uso de Azure NAT Gateway como outboundType para escalar el tráfico de salida", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "Bajo", - "text": "Como configuración alternativa de menor costo (multipropósito), puede elegir una SKU de bajo rendimiento para las máquinas virtuales de servidor de base de datos HANA que no son de producción. 
Sin embargo, es importante tener en cuenta que algunos tipos de máquinas virtuales, como la serie E, no están certificadas por HANA (directorio de hardware de SAP HANA) o no pueden alcanzar una latencia de almacenamiento inferior a 1 ms.", - "waf": "Costar" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", + "severity": "Medio", + "text": "Uso de asignaciones dinámicas de direcciones IP para evitar el agotamiento de direcciones IP de Azure CNI", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "severity": "Alto", - "text": "Aplicación de un modelo RBAC para grupos de administración, suscripciones, grupos de recursos y recursos", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "text": "Filtre el tráfico de salida con AzFW/NVA si sus requisitos de seguridad lo exigen", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": 
"45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": "Medio", - "text": "Aplicación de la propagación de la entidad de seguridad para reenviar la identidad de la aplicación en la nube de SAP a SAP local (incluida la IaaS) a través del conector en la nube", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "text": "Si utiliza un punto de conexión de API público, restrinja las direcciones IP que pueden acceder a él", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "severity": "Medio", - "text": "Implemente SSO en aplicaciones SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics y SAP C4C con Azure AD mediante SAML.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct 
id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", + "severity": "Alto", + "text": "Utilice clústeres privados si sus requisitos lo exigen", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "Medio", - "text": "Implemente SSO en aplicaciones web basadas en SAP NetWeaver, como SAP Fiori y SAP Web GUI, mediante SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "text": "Para los nodos de AKS de Windows 2019 y 2022, se pueden usar directivas de red de Calico ", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", - "severity": "Medio", - "text": "Implemente SSO en aplicaciones web basadas en SAP NetWeaver, como SAP Fiori y SAP Web GUI, mediante SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) 
| distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", + "severity": "Alto", + "text": "Habilitación de una opción de directiva de red de Kubernetes (Calico/Azure)", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": "Medio", - "text": "Puede implementar el inicio de sesión único en la interfaz gráfica de usuario de SAP mediante el inicio de sesión único de SAP NetWeaver o una solución de socio.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "Alto", + "text": "Uso de directivas de red de Kubernetes para aumentar la seguridad dentro del clúster", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", - "severity": "Medio", - "text": "Para SSO para SAP GUI y acceso al navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociación GSSAPI simple y protegido) debido a su facilidad de configuración y mantenimiento. 
Para SSO con certificados de cliente X.509, considere la posibilidad de utilizar SAP Secure Login Server, que es un componente de la solución SAP SSO.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "Alto", + "text": "Uso de un WAF para cargas de trabajo web (interfaces de usuario o API)", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "severity": "Medio", - "text": "Para SSO para SAP GUI y acceso al navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociación GSSAPI simple y protegido) debido a su 
facilidad de configuración y mantenimiento. Para SSO con certificados de cliente X.509, considere la posibilidad de utilizar SAP Secure Login Server, que es un componente de la solución SAP SSO.",
+ "text": "Uso de DDoS Standard en la red virtual de AKS",
 "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "16785d6f-a96c-496a-b885-18f482734c88",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "Si es necesario, agregue el proxy HTTP de la empresa",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
 "severity": "Medio",
- "text": "Implemente el inicio de sesión único mediante OAuth para SAP NetWeaver a fin de permitir que aplicaciones personalizadas o de terceros accedan a los servicios OData de SAP NetWeaver.",
+ "text": "Considere la 
posibilidad de usar una malla de servicios para la administración avanzada de comunicaciones de microservicios",
 "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
- "service": "SAP",
- "severity": "Medio",
- "text": "Implementación de SSO en SAP HANA",
- "waf": "Seguridad"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Configurar alertas sobre las métricas más críticas (consulte Container Insights para obtener recomendaciones)",
+ "waf": "Operaciones"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "Consulte periódicamente Azure Advisor para obtener recomendaciones sobre el clúster",
+ "waf": "Operaciones"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
+ "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "Habilitación de la rotación automática de certificados de AKS",
+ "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
- "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
- "service": "SAP",
- "severity": "Medio",
- "text": "Considere Azure AD como un proveedor de identidades para sistemas SAP hospedados en RISE. 
Para obtener más información, consulte Integración del servicio con Azure AD.",
- "waf": "Seguridad"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
+ "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Tenga un proceso regular para actualizar la versión de Kubernetes periódicamente (trimestralmente, por ejemplo) o use la característica de actualización automática de AKS",
+ "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
- "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
- "service": "SAP",
- "severity": "Medio",
- "text": "En el caso de las aplicaciones que acceden a SAP, es posible que desee utilizar la propagación de entidades de seguridad para establecer el inicio de sesión único.",
- "waf": "Seguridad"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
+ "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Utilice kured para las actualizaciones de nodos de Linux en caso de que no esté utilizando la actualización de imagen de nodo",
+ "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
- "service": "SAP",
- "severity": "Medio",
- "text": "Si usa servicios BTP de SAP o soluciones SaaS que requieren SAP Identity Authentication Service (IAS), considere la posibilidad de implementar SSO entre SAP Cloud Identity Authentication Services y Azure AD para acceder a esos servicios de SAP. 
Esta integración permite a SAP IAS actuar como proveedor de identidades de proxy y reenvía las solicitudes de autenticación a Azure AD como almacén de usuarios central y proveedor de identidades.",
- "waf": "Seguridad"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
+ "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Disponer de un proceso regular para actualizar las imágenes de los nodos del clúster periódicamente (semanalmente, por ejemplo)",
+ "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
- "service": "SAP",
- "severity": "Medio",
- "text": "Implementación de SSO en SAP BTP",
- "waf": "Seguridad"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "Considere la posibilidad de implementar aplicaciones o configuraciones de clústeres en varios clústeres",
+ "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
- "service": "SAP",
- "severity": "Medio",
- "text": "Si usa SAP SuccessFactors, considere la posibilidad de usar el aprovisionamiento automatizado de usuarios de Azure AD. Con esta integración, a medida que agregue nuevos empleados a SAP SuccessFactors, puede crear automáticamente sus cuentas de usuario en Azure AD. 
Opcionalmente, puede crear cuentas de usuario en Microsoft 365 u otras aplicaciones SaaS compatibles con Azure AD. Utilice la reescritura de la dirección de correo electrónico en SAP SuccessFactors.",
- "waf": "Seguridad"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
+ "link": "https://learn.microsoft.com/azure/aks/command-invoke",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "Considere la posibilidad de usar la invocación de comandos de AKS en clústeres privados",
+ "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "description": "Mantenga la jerarquía del grupo de administración razonablemente plana, no más de cuatro.",
- "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)",
- "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
- "service": "SAP",
- "severity": "Medio",
- "text": "aplicar las directivas de grupo de administración existentes a las suscripciones de SAP",
- "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
+ "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "En el caso de los eventos planeados, considere la posibilidad de utilizar el drenaje automático de nodos",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | summarize count()",
- "guid": 
"366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", "severity": "Alto", - "text": "Integre aplicaciones estrechamente acopladas en la misma suscripción de SAP para evitar la complejidad adicional del enrutamiento y la administración", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "text": "Desarrollar sus propias prácticas de gobernanza para asegurarse de que los operadores no realicen cambios en el nodo RG (también conocido como 'infra RG')", "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "Alto", - "text": "Aprovechar la suscripción como unidad de escala y escalar nuestros recursos, considere implementar la suscripción por entorno, por ejemplo. 
Sandbox, no prod, prod ",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
+ "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "Usar el nombre personalizado de Node RG (también conocido como 'Infra RG')",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc",
- "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
- "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
- "service": "SAP",
- "severity": "Alto",
- "text": "Garantizar el aumento de la cuota como parte del aprovisionamiento de suscripciones (por ejemplo, el total de núcleos de máquina virtual disponibles dentro de una suscripción)",
- "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
+ "link": "https://kubernetes.io/docs/setup/release/notes/",
+ "service": "AKS",
+ "severity": "Medio",
+ 
"text": "No use API de Kubernetes obsoletas en los manifiestos de YAML", "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", "severity": "Bajo", - "text": "La API de cuota es una API de REST que puede usar para ver y administrar las cuotas de los servicios de Azure. Considere usarlo si es necesario.", + "text": "Nodos de Windows de Taint", "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", - "severity": "Alto", - "text": "Si se implementa en una zona de disponibilidad, asegúrese de que la implementación de zona de la máquina virtual esté disponible una vez que se haya aprobado la cuota. 
Envíe una solicitud de soporte técnico con la suscripción, la serie de máquinas virtuales, el número de CPU y la zona de disponibilidad necesarias.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
+ "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "Mantener el nivel de revisión de los contenedores de Windows sincronizado con el nivel de revisión del host",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
- "severity": "Alto",
- "text": "Asegúrese de que los servicios y funciones necesarios estén disponibles dentro de las regiones de implementación elegidas, por ejemplo. 
ANF, Zona, etc.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "A través de la configuración de diagnóstico en el nivel de clúster",
+ "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
+ "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "Envío de registros maestros (también conocidos como registros de API) a Azure Monitor o a la solución de administración de registros que prefiera",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
- "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
- "service": "SAP",
- "severity": "Medio",
- "text": "Aproveche la etiqueta de recurso de Azure para la categorización de costos y la agrupación de recursos (: BillTo, Departamento (o unidad de negocio), Medio ambiente (producción, Fase, Desarrollo), Nivel (nivel web, nivel de aplicación), Propietario de la aplicación, Nombre del proyecto)",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
+ "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "Si es necesario, utilice instantáneas de nodePool",
+ "waf": "Costar"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
+ "link": 
"https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "Bajo", + "text": "Considere la posibilidad de crear grupos de nodos de acceso puntual para cargas de trabajo no urgentes", "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "Alto", - "text": "Ayude a proteger la base de datos de HANA mediante el servicio Azure Backup.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "Bajo", + "text": "Considere la posibilidad de utilizar el nodo virtual de AKS para una ráfaga rápida", + "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", - "severity": "Medio", - "text": "Si implementa Azure NetApp Files para la base de datos HANA, Oracle o DB2, use la herramienta Azure Application Consistent Snapshot (AzAcSnap) para tomar instantáneas coherentes con la aplicación. AzAcSnap también es compatible con bases de datos de Oracle. 
Considere la posibilidad de usar AzAcSnap en una máquina virtual central en lugar de en máquinas virtuales individuales.",
- "waf": "Fiabilidad"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Supervise las métricas de clúster con Container Insights (u otras herramientas como Prometheus)",
+ "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
+ "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Asegúrese de que las zonas horarias coincidan entre el sistema operativo y el sistema SAP.",
+ "text": "Almacene y analice los registros del clúster con Container Insights (u otras herramientas como Telegraf/ElasticSearch)",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
+ "link": 
"https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "severity": "Medio", - "text": "No agrupe diferentes servicios de aplicaciones en el mismo clúster. Por ejemplo, no combine DRBD y clústeres de servicios centrales en el mismo clúster. Sin embargo, puede usar el mismo clúster de Pacemaker para administrar aproximadamente cinco servicios centrales diferentes (clúster de varios SID).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", - "severity": "Bajo", - "text": "Considere la posibilidad de ejecutar sistemas de desarrollo y pruebas en un modelo de repetición para ahorrar y optimizar los costos de ejecución de Azure.", - "waf": "Costar" + "text": "Supervisar el uso de la CPU y la memoria de los nodos", + "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Medio", - "text": "Si se asocia con los clientes mediante la administración de sus propiedades de SAP, considere la posibilidad de Azure Lighthouse. Azure Lighthouse permite a los proveedores de servicios administrados usar los servicios de identidad nativos de Azure para autenticarse en el entorno de los clientes. 
Pone el control en manos de los clientes, ya que pueden revocar el acceso en cualquier momento y auditar las acciones de los proveedores de servicios.",
+ "text": "Si usa Azure CNI, supervise el porcentaje de direcciones IP de pod consumidas por nodo",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "La E/S en el disco del sistema operativo es un recurso crítico. Si el sistema operativo de los nodos se limita en la E/S, esto podría dar lugar a un comportamiento impredecible, que normalmente terminaría en que el nodo se declarara NotReady",
+ "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
+ "service": "AKS",
 "severity": "Medio",
- "text": "Use Azure Update Manager para comprobar el estado de las actualizaciones disponibles para una sola máquina virtual o varias máquinas virtuales y considere la posibilidad de programar la aplicación periódica de revisiones.",
- "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "text": "Supervisión de la profundidad de la cola de disco del sistema operativo en los nodos",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
- "service": "SAP",
- "severity": "Bajo",
- "text": "Optimice y gestione las operaciones de SAP Basis mediante SAP Landscape Management (LaMa). 
Use el conector de SAP LaMa para Azure para reubicar, copiar, clonar y actualizar sistemas SAP.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
+ "severity": "Medio",
+ "text": "Si no usa el filtrado de salida con AzFW/NVA, supervise los puertos SNAT asignados por ALB estándar",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
- "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
+ "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
+ "service": "AKS",
 "severity": "Medio",
- "text": "Use las soluciones de Azure Monitor para SAP para supervisar las cargas de trabajo de SAP (SAP HANA, clústeres de SUSE de alta disponibilidad y sistemas SQL) en Azure. 
Considere la posibilidad de complementar las soluciones de Azure Monitor para SAP con SAP Solution Manager.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "text": "Suscríbase a las notificaciones de estado de los recursos para el clúster de AKS",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Ejecute una extensión de máquina virtual para la comprobación de SAP. VM Extension for SAP usa la identidad administrada asignada de una máquina virtual (VM) para acceder a los datos de configuración y supervisión de VM. 
La comprobación garantiza que todas las métricas de rendimiento de la aplicación SAP procedan de la extensión de Azure para SAP subyacente.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
+ "text": "Configurar solicitudes y límites en las especificaciones del pod",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "769ef669-1a48-435a-a942-223ece80b123",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "severity": "Medio",
- "text": "Use Azure Policy para el control de acceso y los informes de cumplimiento. Azure Policy proporciona la capacidad de aplicar la configuración de toda la organización para garantizar el cumplimiento coherente de las directivas y la detección rápida de infracciones. ",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "text": "Aplicación de cuotas de recursos para espacios de nombres",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
- "service": "SAP",
- "severity": "Medio",
- "text": "Use el Monitor de conexión en Azure Network Watcher para supervisar las métricas de latencia de las bases de datos y los servidores de aplicaciones de SAP. 
O bien, recopile y muestre medidas de latencia de red mediante Azure Monitor.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Asegúrese de que la suscripción tiene suficiente cuota para escalar horizontalmente los grupos de nodos",
 "waf": "Operaciones"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
+ "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
 "severity": "Medio",
- "text": "Realice una comprobación de calidad de SAP HANA en la infraestructura de Azure aprovisionada para comprobar que las máquinas virtuales aprovisionadas cumplen con los procedimientos recomendados de SAP HANA en Azure.",
- "waf": "Operaciones"
+ "text": "Uso del escalador automático de clústeres",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
- "severity": "Alto",
- "text": "Para cada suscripción de Azure, ejecute una prueba de latencia en las zonas de disponibilidad de Azure antes de la implementación zonal para 
elegir zonas de baja latencia para la implementación de SAP en Azure.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
+ "guid": "831c2872-c693-4b39-a887-a561bada49bc",
+ "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
+ "service": "AKS",
+ "severity": "Bajo",
+ "text": "Personalización de la configuración de nodos para grupos de nodos de AKS",
 "waf": "Rendimiento"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
 "severity": "Medio",
- "text": "Ejecute el informe de resistencia para asegurarse de que la configuración de toda la infraestructura de Azure aprovisionada (proceso, base de datos, redes, almacenamiento, Site Recovery) cumpla con la configuración definida por Cloud Adaption Framework para Azure.",
- "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
- "waf": "Fiabilidad"
+ "text": "Usar el escalador automático horizontal de pods cuando sea necesario",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
- "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
- "service": "SAP",
- "severity": "Medio",
- "text": "Implemente la protección contra amenazas mediante la solución Microsoft Sentinel para SAP. 
Utilice esta solución para supervisar sus sistemas SAP y detectar amenazas sofisticadas en toda la lógica empresarial y las capas de aplicación.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", - "waf": "Seguridad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Los nodos más grandes aportarán un mayor rendimiento y características como discos efímeros y redes aceleradas, pero aumentarán el radio de explosión y disminuirán la granularidad de escalado", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", + "severity": "Alto", + "text": "Considere un tamaño de nodo adecuado, ni demasiado grande ni demasiado pequeño", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", - "severity": "Medio", - "text": "El etiquetado de Azure se puede aprovechar para agrupar y realizar un seguimiento lógicos de los recursos, automatizar sus implementaciones y, lo que es más importante, proporcionar visibilidad de los costos incurridos.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", + "severity": "Bajo", + "text": "Si se requieren más de 5000 nodos para 
la escalabilidad, considere la posibilidad de usar un clúster de AKS adicional", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", "severity": "Bajo", - "text": "Utilice la supervisión de latencia entre máquinas virtuales para aplicaciones sensibles a la latencia.", + "text": "Considere la posibilidad de suscribirse a eventos de EventGrid para la automatización de AKS", "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "Medio", - "text": "Use la supervisión de Azure Site Recovery para mantener el estado del servicio de recuperación ante desastres para los servidores de aplicaciones de SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "Bajo", + "text": "Para una operación de ejecución prolongada en un clúster de AKS, considere la finalización de eventos", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", - "severity": "Medio", - "text": 
"Excluya todos los sistemas de archivos de bases de datos y programas ejecutables de los análisis antivirus. Incluirlos podría provocar problemas de rendimiento. Consulte con los proveedores de bases de datos para obtener detalles prescriptivos sobre la lista de exclusión. Por ejemplo, Oracle recomienda excluir /oracle//sapdata de los análisis antivirus.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "Bajo", + "text": "Si es necesario, considere la posibilidad de usar Azure Dedicated Hosts para nodos de AKS", "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "Alto", + "text": "Usar discos de sistema operativo efímeros", + "waf": "Rendimiento" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", + "severity": "Alto", + "text": "En el caso de los discos no efímeros, use IOPS altas y discos de sistema operativo más grandes para los nodos cuando ejecute muchos pods o nodos, ya que 
requiere un alto rendimiento para ejecutar varios pods y generará registros enormes con umbrales de rotación de registros de AKS predeterminados", + "waf": "Rendimiento" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", "severity": "Bajo", - "text": "Considere la posibilidad de recopilar estadísticas completas de bases de datos que no sean de HANA después de la migración. Por ejemplo, implemente la nota de SAP 1020260 - Entrega de estadísticas de Oracle.", + "text": "Para la opción de almacenamiento de hiperrendimiento, use discos Ultra en AKS", "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "Medio", - "text": "Considere la posibilidad de usar Oracle Automatic Storage Management (ASM) para todas las implementaciones de Oracle que utilicen SAP en Azure.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "text": "Evite mantener el estado en el clúster y almacene los datos fuera (AzStorage, AzSQL, Cosmos, etc.)", "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "severity": "Medio", - "text": "En el caso de SAP en Azure que ejecuta Oracle, una colección de scripts SQL puede ayudarle a diagnosticar problemas de rendimiento. Los informes de Automatic Workload Repository (AWR) contienen información valiosa para diagnosticar problemas en el sistema Oracle. Le recomendamos que ejecute un informe de AWR durante varias sesiones y elija las horas punta para él, a fin de garantizar una amplia cobertura del análisis.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "text": "Si usa AzFiles Standard, considere AzFiles Premium o ANF por motivos de rendimiento", "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "severity": "Alto", - "text": "Use la supervisión de Azure Site Recovery para mantener el estado del servicio de recuperación ante desastres para los servidores de aplicaciones de SAP.", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "Operaciones" - }, - { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "Medio", - "text": "Para la 
entrega segura de aplicaciones HTTP/S, use Application Gateway v2 y asegúrese de que la protección y las directivas de WAF estén habilitadas.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", - "waf": "Seguridad" + "text": "Si usa Azure Disks y AZ, considere la posibilidad de tener grupos de nodos dentro de una zona para el disco LRS con VolumeBindingMode:WaitForFirstConsumer para aprovisionar el almacenamiento en la zona correcta o use el disco ZRS para los grupos de nodos que abarquen varias zonas", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Aplicación de las instrucciones del banco de pruebas de seguridad en la nube de Microsoft relacionadas con el almacenamiento", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "Medio", - "text": "Si el DNS o el nombre virtual de la máquina virtual no se cambia durante la migración a Azure, el DNS en segundo plano y los nombres virtuales conectan muchas interfaces del sistema en el entorno de SAP, y los clientes solo a veces son conscientes de las interfaces que los desarrolladores definen a lo largo del tiempo. 
Surgen desafíos de conexión entre varios sistemas cuando los nombres virtuales o de DNS cambian después de las migraciones, y se recomienda conservar los alias de DNS para evitar este tipo de dificultades.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operaciones" + "text": "Tenga en cuenta la \"Línea base de seguridad de Azure para el almacenamiento\"", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "severity": "Medio", - "text": "Utilice diferentes zonas DNS para distinguir cada entorno (espacio aislado, desarrollo, preproducción y producción) entre sí. La excepción es para las implementaciones de SAP con su propia red virtual; aquí, es posible que las zonas DNS privadas no sean necesarias.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operaciones" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "De forma predeterminada, Azure Storage tiene una dirección IP pública y es accesible desde Internet. 
Los puntos de conexión privados permiten exponer de forma segura Azure Storage solo a los recursos de Azure Compute que necesitan acceso, lo que elimina la exposición a la Internet pública", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de usar puntos de conexión privados para Azure Storage", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "description": "Al configurar el emparejamiento de red virtual, use la opción Permitir tráfico a redes virtuales remotas.", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Las cuentas de almacenamiento recién creadas se crean mediante el modelo de implementación de ARM, de modo que RBAC, etcétera de auditoría, estén habilitados. 
Asegúrese de que no haya cuentas de almacenamiento antiguas con el modelo de implementación clásico en una suscripción", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "Medio", - "text": "El emparejamiento de red virtual local y global proporciona conectividad y son los enfoques preferidos para garantizar la conectividad entre las zonas de aterrizaje para las implementaciones de SAP en varias regiones de Azure", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "Fiabilidad" + "text": "Asegúrese de que las cuentas de almacenamiento más antiguas no usen el \"modelo de implementación clásica\"", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Aproveche Microsoft Defender para obtener información sobre actividades sospechosas y configuraciones incorrectas.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "Alto", - "text": "No se admite la implementación de ninguna NVA entre la aplicación SAP y el servidor de base de datos SAP", - "training": "https://me.sap.com/notes/2731110", - "waf": "Rendimiento" + "text": "Habilitación de Microsoft Defender para todas las cuentas de almacenamiento", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant", - 
"guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "El mecanismo de eliminación temporal permite recuperar blobs eliminados accidentalmente.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "Medio", - "text": "Use Virtual WAN para implementaciones de Azure en redes nuevas, grandes o globales en las que necesite conectividad de tránsito global entre regiones de Azure y ubicaciones locales. Con este enfoque, no tendrá que configurar manualmente el enrutamiento transitivo para las redes de Azure y puede seguir un estándar para las implementaciones de SAP en Azure.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "Operaciones" + "text": "Habilitación de la \"eliminación temporal\" para blobs", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Considere la posibilidad de deshabilitar selectivamente la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimine inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "Medio", - "text": "Considere la posibilidad de implementar aplicaciones virtuales de red (NVA) entre regiones solo si se usan NVA de asociados. Las aplicaciones virtuales de red entre regiones o redes virtuales no son necesarias si hay aplicaciones virtuales de red nativas. Al implementar tecnologías de redes de asociados y NVA, siga las instrucciones del proveedor para comprobar las configuraciones conflictivas con las redes de Azure.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "Operaciones" + "text": "Deshabilitación de la \"eliminación temporal\" para blobs", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", - "severity": "Medio", - "text": "Virtual WAN administra la conectividad entre redes virtuales de radio para topologías basadas en WAN virtuales (sin necesidad de configurar el enrutamiento definido por el usuario [UDR] o NVA) y el rendimiento máximo de red para el tráfico de red virtual a red virtual en el mismo centro virtual es de 50 gigabits por segundo. 
Si es necesario, las zonas de aterrizaje de SAP pueden usar el emparejamiento de red virtual para conectarse a otras zonas de aterrizaje y superar esta limitación de ancho de banda.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "Operaciones" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "La eliminación temporal de contenedores permite recuperar un contenedor después de que se haya eliminado, por ejemplo, recuperarse de una operación de eliminación accidental.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", + "severity": "Alto", + "text": "Habilitación de la \"eliminación temporal\" para contenedores", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "Alto", - "text": "No se recomienda la asignación de direcciones IP públicas a la máquina virtual que ejecuta SAP Workload.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Considere la posibilidad de deshabilitar selectivamente la \"eliminación temporal\" 
para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimine inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "Medio", + "text": "Deshabilitar la \"eliminación temporal\" para contenedores", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Evita la eliminación accidental de una cuenta de almacenamiento, obligando al usuario a quitar primero el bloqueo de eliminación, antes de la eliminación", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "Alto", - "text": "Considere la posibilidad de reservar la dirección IP en el lado de la recuperación ante desastres al configurar ASR", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Operaciones" + "text": "Habilitación de bloqueos de recursos en cuentas de almacenamiento", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": 
"Azure Storage Review Checklist", + "description": "Considere la posibilidad de aplicar directivas de \"retención legal\" o \"retención basada en tiempo\" para los blobs, de modo que sea imposible eliminar el blob, el contenedor o la cuenta de almacenamiento. Tenga en cuenta que 'imposible' en realidad significa 'imposible'; una vez que una cuenta de almacenamiento contiene un blob inmutable, la única manera de \"deshacerse\" de esa cuenta de almacenamiento es cancelando la suscripción de Azure.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "severity": "Alto", - "text": "Evite el uso de intervalos de direcciones IP superpuestos para los sitios de producción y recuperación ante desastres.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Operaciones" + "text": "Considere la posibilidad de blobs inmutables", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", - "severity": "Medio", - "text": "Aunque Azure le ayuda a crear varias subredes delegadas en una red virtual, solo puede existir una subred delegada en una red virtual para Azure NetApp Files. 
Se producirá un error al intentar crear un nuevo volumen si se utiliza más de una subred delegada para Azure NetApp Files.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "Operaciones" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Considere la posibilidad de deshabilitar el acceso HTTP/80 no protegido a la cuenta de almacenamiento, de modo que todas las transferencias de datos estén cifradas, protegidas contra la integridad y el servidor esté autenticado. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "Alto", + "text": "Requerir HTTPS, es decir, deshabilitar el puerto 80 en la cuenta de almacenamiento", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", - "severity": "Medio", - "text": "Use Azure Firewall para controlar el tráfico de salida de Azure a Internet, las conexiones entrantes que no son HTTP/S y el filtrado de tráfico este/oeste (si la organización lo requiere)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Al configurar un dominio personalizado (nombre de host) en una cuenta de almacenamiento, compruebe si necesita TLS/HTTPS; si es así, es posible que tenga que colocar Azure 
CDN delante de la cuenta de almacenamiento.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "Alto", + "text": "Al aplicar HTTPS (deshabilitar HTTP), compruebe que no usa dominios personalizados (CNAME) para la cuenta de almacenamiento.", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Requerir HTTPS cuando un cliente usa un token de SAS para acceder a los datos de blob ayuda a minimizar el riesgo de pérdida de credenciales.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "Medio", - "text": "Application Gateway y Web Application Firewall tienen limitaciones cuando Application Gateway actúa como proxy inverso para aplicaciones web de SAP, como se muestra en la comparación entre Application Gateway, SAP Web Dispatcher y otros servicios de terceros.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "text": "Limitar los tokens de firma de acceso compartido (SAS) solo a las conexiones HTTPS", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "severity": "Medio", - "text": "Use las directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.", - "training": 
"https://learn.microsoft.com/training/paths/secure-application-delivery/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": ". Al aplicar la versión más reciente de TLS, se rechazarán las solicitudes de los clientes que utilicen la versión anterior. ", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", + "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", + "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", + "service": "Azure Storage", + "severity": "Alto", + "text": "Aplicación de la versión más reciente de TLS para una cuenta de almacenamiento", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", - "severity": "Medio", - "text": "Aproveche las directivas de firewall de aplicaciones web de Azure Front Door cuando use Azure Front Door y Application Gateway para proteger las aplicaciones HTTP/S. 
Bloquee Application Gateway para recibir tráfico solo desde Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Los tokens de identificador de Microsoft Entra deben favorecerse sobre las firmas de acceso compartido, siempre que sea posible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "Alto", + "text": "Uso de tokens de identificador de Microsoft Entra para el acceso a blobs", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Al asignar un rol a un usuario, grupo o aplicación, conceda a esa entidad de seguridad solo los permisos necesarios para que pueda realizar sus tareas. Limitar el acceso a los recursos ayuda a evitar el uso indebido no intencionado y malintencionado de los datos.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "Medio", - "text": "Utilice un firewall de aplicaciones web para analizar su tráfico cuando esté expuesto a Internet. 
Otra opción es usarlo con el equilibrador de carga o con recursos que tengan funcionalidades de firewall integradas, como Application Gateway o soluciones de terceros.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "text": "Privilegio mínimo en los permisos de IaM", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", - "severity": "Medio", - "text": "Use Virtual WAN para implementaciones de Azure en redes nuevas, grandes o globales en las que necesite conectividad de tránsito global entre regiones de Azure y ubicaciones locales. Con este enfoque, no tendrá que configurar manualmente el enrutamiento transitivo para las redes de Azure y puede seguir un estándar para las implementaciones de SAP en Azure.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "Rendimiento" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Una SAS de delegación de usuarios está protegida con credenciales de Azure Active Directory (Azure AD) y también con los permisos especificados para la SAS. Una SAS de delegación de usuarios es análoga a una SAS de servicio en cuanto a su ámbito y función, pero ofrece ventajas de seguridad con respecto a la SAS de servicio. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "Alto", + "text": "Al usar SAS, prefiera \"SAS de delegación de usuarios\" en lugar de SAS basada en clave de cuenta de almacenamiento.", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", - "severity": "Medio", - "text": "Para evitar la pérdida de datos, use Azure Private Link para acceder de forma segura a los recursos de la plataforma como servicio, como Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, etc. Azure Private Endpoint también puede ayudar a proteger el tráfico entre redes virtuales y servicios como Azure Storage, Azure Backup, etc. El tráfico entre la red virtual y el servicio habilitado para el punto de conexión privado viaja a través de la red global de Microsoft, lo que impide su exposición a la red pública de Internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Las claves de la cuenta de almacenamiento ('claves compartidas') tienen muy pocas capacidades de auditoría. Si bien se puede monitorear quién o cuándo obtuvo una copia de las claves, una vez que las claves están en manos de varias personas, es imposible atribuir el uso a un usuario específico. Confiar únicamente en la autenticación de ID de Entra facilita la vinculación del acceso al almacenamiento de un usuario. 
", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de deshabilitar las claves de la cuenta de almacenamiento, de modo que solo se admita el acceso a Microsoft Entra ID (y SAS de delegación de usuarios).", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Utilice los datos del registro de actividad para identificar \"cuándo\", \"quién\", \"qué\" y \"cómo\" se está viendo o cambiando la seguridad de la cuenta de almacenamiento (es decir, claves de cuenta de almacenamiento, directivas de acceso, etcétera).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "severity": "Alto", - "text": "Asegúrese de que las redes aceleradas de Azure estén habilitadas en las máquinas virtuales usadas en las capas de aplicación SAP y DBMS.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": 
"Rendimiento" + "text": "Considere la posibilidad de usar Azure Monitor para auditar las operaciones del plano de control en la cuenta de almacenamiento", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Una política de caducidad de claves le permite establecer un recordatorio para la rotación de las claves de acceso de la cuenta. El recordatorio se muestra si ha transcurrido el intervalo especificado y las teclas aún no se han girado.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "Medio", - "text": "Asegúrese de que las implementaciones internas de Azure Load Balancer están configuradas para usar Direct Server Return (DSR). 
Esta configuración (Habilitación de IP flotante) reducirá la latencia cuando se utilicen configuraciones de equilibrador de carga internas para configuraciones de alta disponibilidad en la capa DBMS.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "text": "Al usar claves de cuenta de almacenamiento, considere la posibilidad de habilitar una \"directiva de expiración de claves\"", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Una directiva de expiración de SAS especifica un intervalo recomendado durante el cual la SAS es válida. Las directivas de caducidad de SAS se aplican a una SAS de servicio o a una SAS de cuenta. Cuando un usuario genera una SAS de servicio o una SAS de cuenta con un intervalo de validez mayor que el intervalo recomendado, verá una advertencia.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "Medio", - "text": "Puede usar el grupo de seguridad de aplicaciones (ASG) y las reglas de NSG para definir listas de control de acceso de seguridad de red entre la aplicación SAP y las capas de DBMS. 
Los ASG agrupan las máquinas virtuales para ayudar a administrar su seguridad.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "text": "Considere la posibilidad de configurar una directiva de expiración de SAS", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "Alto", - "text": "No se admite la colocación de la capa de aplicación de SAP y DBMS de SAP en diferentes redes virtuales de Azure que no están emparejadas.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Rendimiento" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Las directivas de acceso almacenadas ofrecen la opción de revocar los permisos de una SAS de servicio sin tener que volver a generar las claves de la cuenta de almacenamiento. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "severity": "Medio", + "text": "Considere la posibilidad de vincular SAS a una directiva de acceso almacenada", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "severity": "Medio", - "text": "Para obtener una latencia de red óptima con aplicaciones SAP, considere la posibilidad de usar grupos de selección de ubicación por proximidad de Azure.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Rendimiento" + "text": "Considere la posibilidad de configurar el repositorio de código fuente de la aplicación para detectar cadenas de conexión protegidas y claves de cuenta de almacenamiento.", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Lo ideal es que la aplicación use una identidad administrada para autenticarse en Azure Storage. 
Si eso no es posible, considere la posibilidad de tener la credencial de almacenamiento (cadena de conexión, clave de cuenta de almacenamiento, SAS, credencial de entidad de servicio) en Azure KeyVault o un servicio equivalente.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "Alto", - "text": "NO se admite en absoluto la ejecución de una capa de servidor de aplicaciones SAP y una capa de DBMS dividida entre local y Azure. Ambas capas deben residir completamente en el entorno local o en Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Rendimiento" + "text": "Considere la posibilidad de almacenar cadenas de conexión en Azure KeyVault (en escenarios en los que las identidades administradas no son posibles)", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Utilice los tiempos de caducidad a corto plazo en una SAS de servicio SAS ad hoc o en una SAS de cuenta. De esta manera, incluso si una SAS se ve comprometida, solo es válida durante un corto período de tiempo. Esta práctica es especialmente importante si no puede hacer referencia a una política de acceso almacenada. 
Los tiempos de expiración a corto plazo también limitan la cantidad de datos que se pueden escribir en un blob al limitar el tiempo disponible para cargarlos en él.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "Alto", - "text": "No se recomienda hospedar el sistema de administración de bases de datos (DBMS) y las capas de aplicación de los sistemas SAP en diferentes redes virtuales y conectarlas con el emparejamiento de redes virtuales debido a los costos sustanciales que puede producir un tráfico de red excesivo entre las capas. Se recomienda usar subredes dentro de la red virtual de Azure para separar la capa de aplicación de SAP y la capa de DBMS.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Costar" + "text": "Esfuércese por períodos de validez cortos para SAS ad-hoc", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", - "severity": "Alto", - "text": "Si utiliza Load Balancer con sistemas operativos invitados Linux, compruebe que el parámetro de red de Linux net.ipv4.tcp_timestamps esté establecido en 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Rendimiento" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Al crear una SAS, sea lo más específico y restrictivo posible. 
Prefiera una SAS para un solo recurso y operación en lugar de una SAS que proporciona un acceso mucho más amplio.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Medio", + "text": "Aplicación de un ámbito limitado a una SAS", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Una SAS puede incluir parámetros sobre las direcciones IP de cliente o los intervalos de direcciones que están autorizados a solicitar un recurso mediante la SAS. ", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "Medio", - "text": "En el caso de las implementaciones de SAP RISE/ECS, el emparejamiento virtual es la forma preferida de establecer la conectividad con el entorno de Azure existente del cliente. 
Tanto la red virtual de SAP como las redes virtuales del cliente están protegidas con grupos de seguridad de red (NSG), lo que permite la comunicación en SAP y los puertos de base de datos a través del emparejamiento de redes virtuales", + "text": "Considere la posibilidad de definir el ámbito de SAS a una dirección IP de cliente específica, siempre que sea posible", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Una SAS no puede restringir la cantidad de datos que carga un cliente; Dado el modelo de precios de la cantidad de almacenamiento a lo largo del tiempo, podría tener sentido validar si los clientes cargaron contenidos malintencionados de gran tamaño.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "Bajo", + "text": "Considere la posibilidad de comprobar los datos cargados, después de que los clientes hayan utilizado una SAS para cargar un archivo. ", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Al acceder al almacenamiento de blobs a través de SFTP mediante una \"cuenta de usuario local\", no se aplican los controles RBAC \"habituales\". El acceso a blobs a través de NFS o REST puede ser más restrictivo que el acceso SFTP. 
Desafortunadamente, a partir de principios de 2023, los usuarios locales son la única forma de administración de identidades que actualmente es compatible con el punto de conexión SFTP", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "severity": "Alto", - "text": "Revise las copias de seguridad de bases de datos de SAP HANA para máquinas virtuales de Azure.", - "waf": "Costar" + "text": "SFTP: Limite la cantidad de \"usuarios locales\" para el acceso SFTP y audite si el acceso es necesario a lo largo del tiempo.", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "Medio", - "text": "Revise la supervisión integrada de Site Recovery, donde se use para SAP.", - "waf": "Costar" + "text": "SFTP: El punto de conexión SFTP no admite ACL similares a POSIX.", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "El almacenamiento es compatible con CORS (Cross-Origin Resource Sharing), es decir, una función HTTP que permite a las aplicaciones web de un dominio diferente aflojar la política del mismo origen. 
Al habilitar CORS, mantenga CorsRules con el mínimo privilegio.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "severity": "Alto", + "text": "Evite las políticas de CORS demasiado amplias", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Los datos en reposo siempre se cifran en el lado del servidor y, además, también pueden estar cifrados en el lado del cliente. El cifrado del lado del servidor puede producirse mediante una clave administrada por la plataforma (valor predeterminado) o una clave administrada por el cliente. El cifrado del lado cliente puede producirse haciendo que el cliente proporcione una clave de cifrado y descifrado por blob al almacenamiento de Azure o controlando completamente el cifrado en el lado cliente. por lo tanto, no depende en absoluto de Azure Storage para obtener garantías de confidencialidad.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "Alto", - "text": "Revise la guía Supervisión del panorama del sistema SAP HANA.", - "waf": "Operaciones" + "text": "Determine cómo se deben cifrar los datos en reposo. 
Comprender el modelo de subprocesos para los datos.", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "Medio", - "text": "Revise las estrategias de copia de seguridad de Oracle Database en máquinas virtuales Linux de Azure.", - "waf": "Operaciones" + "text": "Determine cuál o si se debe utilizar el cifrado de la plataforma.", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "Medio", - "text": "Revise el uso de Azure Blob Storage con SQL Server 2016.", - "waf": "Operaciones" + "text": "Determine qué cifrado del lado del cliente se debe usar, si se debe usar.", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", - "severity": "Medio", - "text": "Revise el uso de Copia de seguridad automatizada v2 para 
máquinas virtuales de Azure.", - "waf": "Operaciones" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Aproveche el Explorador de Resource Graph (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para buscar cuentas de almacenamiento que permitan el acceso anónimo a blobs.", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere si es necesario el acceso anónimo de blob público o si se puede deshabilitar para determinadas cuentas de almacenamiento. ", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", "severity": "Alto", - "text": "Habilitación del acelerador de escritura para la serie M cuando se utilizan discos premium (V1)", - "waf": "Operaciones" + "text": "Aproveche un tipo de cuenta storagev2 para mejorar el rendimiento y la confiabilidad", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", - "severity": "Medio", - "text": "Pruebe la latencia de la zona de disponibilidad.", - "waf": "Rendimiento" + 
"arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", + "severity": "Alto", + "text": "Aproveche el almacenamiento GRS, ZRS o GZRS para obtener la máxima disponibilidad", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", "severity": "Medio", - "text": "Active SAP EarlyWatch Alert para todos los componentes de SAP.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Rendimiento" + "text": "Para la operación de escritura después de la conmutación por error, use la conmutación por error administrada por el cliente ", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", "severity": "Medio", - "text": "Revise la latencia del servidor de aplicaciones SAP al servidor de bases de datos mediante el informe ABAPMeter de SAP /SSA/CAT.", - "training": 
"https://me.sap.com/notes/0002879613", - "waf": "Rendimiento" + "text": "Descripción de los detalles de la conmutación por error administrada por Microsoft", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", "severity": "Medio", - "text": "Revise la supervisión del rendimiento de SQL Server mediante CCMS.", - "waf": "Rendimiento" + "text": "Habilitar eliminación temporal", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", - "severity": "Medio", - "text": "Pruebe la latencia de red entre las máquinas virtuales de la capa de aplicación de SAP y las máquinas virtuales de DBMS (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Rendimiento" + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", + "severity": "Alto", + "text": "Habilite la redundancia de zona para Azure Cache for Redis. Azure Cache for Redis admite configuraciones con redundancia de zona en los niveles Premium y Enterprise. Una caché con redundancia de zona puede colocar sus nodos en diferentes zonas de disponibilidad de Azure en la misma región. 
Elimina la interrupción del centro de datos o de la zona de disponibilidad como único punto de error y aumenta la disponibilidad general de la memoria caché.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "severity": "Medio", - "text": "Revise las alertas de SAP HANA Studio.", - "waf": "Rendimiento" + "text": "Configure la persistencia de datos para una instancia de Azure Cache for Redis. Dado que los datos de caché se almacenan en la memoria, un error poco frecuente y no planeado de varios nodos puede hacer que se eliminen todos los datos. Para evitar la pérdida completa de datos, la persistencia de Redis permite tomar instantáneas periódicas de los datos en memoria y almacenarlas en la cuenta de almacenamiento.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "severity": "Medio", - "text": "Realice comprobaciones de estado de SAP HANA mediante HANA_Configuration_Minichecks.", - "waf": "Rendimiento" + "text": "Use una cuenta de almacenamiento con redundancia geográfica para conservar los datos de Azure Cache for Redis o con redundancia zonal donde la redundancia geográfica no esté disponible", + "waf": 
"Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", "severity": "Medio", - "text": "Si ejecuta máquinas virtuales Windows y Linux en Azure, en el entorno local o en otros entornos en la nube, puede usar el Centro de administración de actualizaciones de Azure Automation para administrar las actualizaciones del sistema operativo, incluidas las revisiones de seguridad.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "Seguridad" + "text": "Configure la replicación geográfica pasiva para instancias de Azure Cache for Redis Premium. La replicación geográfica es un mecanismo para vincular dos o más instancias de Azure Cache for Redis, que normalmente abarcan dos regiones de Azure. La replicación geográfica está diseñada principalmente para la recuperación ante desastres entre regiones. 
Dos instancias de caché de nivel Premium se conectan a través de la replicación geográfica de una manera que proporciona lecturas y escrituras en la caché principal, y esos datos se replican en la caché secundaria.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "Medio", - "text": "Revise de forma rutinaria las notas del OSS de seguridad de SAP, ya que SAP publica parches de seguridad muy críticos, o correcciones en caliente, que requieren una acción inmediata para proteger sus sistemas SAP.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "Seguridad" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Bajo", - "text": "En el caso de SAP en SQL Server, puede deshabilitar la cuenta de administrador del sistema de SQL Server porque los sistemas SAP en SQL Server no usan la cuenta. 
Asegúrese de que otro usuario con derechos de administrador del sistema pueda acceder al servidor antes de deshabilitar la cuenta de administrador del sistema original.", - "waf": "Seguridad" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", "severity": "Alto", - "text": "Deshabilite xp_cmdshell. La característica SQL Server xp_cmdshell habilita un shell de comandos del sistema operativo interno de SQL Server. 
Es un riesgo potencial en las auditorías de seguridad.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "Seguridad" + "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", "severity": "Alto", - "text": "El cifrado de servidores de base de datos de SAP HANA en Azure usa la tecnología de cifrado nativa de SAP HANA. Además, si usa SQL Server en Azure, use el cifrado de datos transparente (TDE) para proteger los datos y los archivos de registro y asegurarse de que las copias de seguridad también estén cifradas.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "Seguridad" + "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "severity": "Medio", - "text": "El cifrado de Azure Storage está habilitado para todas las cuentas de Azure Resource Manager y de 
almacenamiento clásico, y no se puede deshabilitar. Dado que los datos están cifrados de forma predeterminada, no es necesario modificar el código ni las aplicaciones para usar el cifrado de Azure Storage.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "Seguridad" + "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica", + "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", - "severity": "Alto", - "text": "Uso de Azure Key Vault para almacenar los secretos y las credenciales", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus Premium proporciona cifrado de datos en reposo. Si usa su propia clave, los datos se siguen cifrando con la clave administrada por Microsoft, pero además la clave administrada por Microsoft se cifrará con la clave administrada por el cliente. 
", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", + "severity": "Bajo", + "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "La comunicación entre una aplicación cliente y un espacio de nombres de Azure Service Bus se cifra mediante la seguridad de la capa de transporte (TLS). Los espacios de nombres de Azure Service Bus permiten a los clientes enviar y recibir datos con TLS 1.0 y versiones posteriores. Para aplicar medidas de seguridad más estrictas, puede configurar el espacio de nombres de Service Bus para que requiera que los clientes envíen y reciban datos con una versión más reciente de TLS.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", "severity": "Medio", - "text": "Se recomienda bloquear los recursos de Azure después de la implementación correcta para protegerse contra cambios no autorizados. 
También puede aplicar restricciones y reglas de LOCK por suscripción mediante directivas de Azure personalizadas (rol Custome).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "text": "Aplicar una versión mínima requerida de la seguridad de la capa de transporte (TLS) para las solicitudes ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Al crear un espacio de nombres de Service Bus, se crea automáticamente una regla de SAS denominada RootManageSharedAccessKey para el espacio de nombres. Esta política tiene permisos de administración para todo el espacio de nombres. Se recomienda tratar esta regla como una cuenta raíz administrativa y no usarla en la aplicación. Se recomienda usar AAD como proveedor de autenticación con RBAC. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", "severity": "Medio", - "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención para los objetos eliminados.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Evite usar la cuenta root cuando no sea necesario", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", - "severity": "Alto", - "text": "En función de los requisitos existentes, controles normativos y de cumplimiento (internos y externos): determine qué rol de Azure Policies y Azure RBAC son necesarios", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Una aplicación cliente de Service Bus que se ejecuta dentro de una aplicación de Azure App Service o en una máquina virtual con entidades administradas habilitadas para la compatibilidad con recursos de Azure no necesita controlar reglas y claves de SAS, ni ningún otro token de acceso. La aplicación cliente solo necesita la dirección del punto de conexión del espacio de nombres de mensajería de Service Bus. 
", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", + "service": "Service Bus", + "severity": "Medio", + "text": "Cuando sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Service Bus. Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o en un servicio equivalente", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Al crear permisos, proporcione un control detallado sobre el acceso de un cliente a Azure Service Bus. Los permisos de Azure Service Bus pueden y deben limitarse al nivel de recurso individual, por ejemplo, cola, tema o suscripción. ", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", "severity": "Alto", - "text": "Al habilitar Microsoft Defender para punto de conexión en el entorno de SAP, se recomienda excluir los archivos de datos y registros en servidores DBMS en lugar de dirigirse a todos los servidores. 
Siga las recomendaciones de su proveedor de DBMS al excluir archivos de destino.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "text": "Usar RBAC del plano de datos con privilegios mínimos", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", - "severity": "Alto", - "text": "Delegue un rol personalizado de administrador de SAP con acceso Just-In-Time de Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Los registros de recursos de Azure Service Bus incluyen registros operativos, redes virtuales y registros de filtrado de IP. Los registros de auditoría en tiempo de ejecución capturan información de diagnóstico agregada para varias operaciones de acceso al plano de datos (como enviar o recibir mensajes) en Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", + "severity": "Medio", + "text": "Habilite el registro para la investigación de seguridad. 
Use Azure Monitor para realizar un seguimiento de los registros de recursos y los registros de auditoría en tiempo de ejecución (actualmente solo disponible en el nivel Premium)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Bajo", - "text": "cifre los datos en tránsito integrando el producto de seguridad de terceros con comunicaciones de red seguras (SNC) para DIAG (SAP GUI), RFC y SPNEGO para HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "De forma predeterminada, Azure Service Bus tiene una dirección IP pública y es accesible desde Internet. Los puntos de conexión privados permiten el tráfico entre la red virtual y los recorridos de Azure Service Bus a través de la red troncal de Microsoft. Además de eso, debe deshabilitar los puntos de conexión públicos si no se utilizan. 
", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", + "severity": "Medio", + "text": "Considere la posibilidad de usar puntos de conexión privados para acceder a Azure Service Bus y deshabilitar el acceso a la red pública cuando corresponda.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Con el firewall de IP, puede restringir aún más el punto de conexión público a solo un conjunto de direcciones IPv4 o rangos de direcciones IPv4 en notación CIDR (Classless Inter-Domain Routing). 
", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", "severity": "Medio", - "text": "De forma predeterminada, use claves administradas por Microsoft para la funcionalidad de cifrado principal y use claves administradas por el cliente cuando sea necesario.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres de Azure Service Bus desde direcciones IP o intervalos específicos", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "severity": "Alto", - "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", + "severity": "Medio", + "text": "Use el token revocable de larga duración, almacene en caché el token y adquiera el token de forma silenciosa mediante la biblioteca de identidades de Microsoft", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": 
"https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "Alto", - "text": "Para controlar y administrar las claves y los secretos de cifrado de disco para sistemas operativos Windows y Windows que no son de HANA, use Azure Key Vault. SAP HANA no es compatible con Azure Key Vault, por lo que debe usar métodos alternativos como SAP ABAP o claves SSH.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", + "severity": "Medio", + "text": "Asegúrese de que los flujos de usuario de inicio de sesión estén respaldados y sean resistentes. Asegúrese de que se ha realizado una copia de seguridad del código que usa para iniciar sesión en los usuarios y se puede recuperar. 
Interfaces resilientes con procesos externos", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", - "severity": "Alto", - "text": "Personalice los roles de control de acceso basado en roles (RBAC) para las suscripciones de SAP en Azure spoke para evitar cambios accidentales relacionados con la red", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", + "severity": "Medio", + "text": "Los activos de marca personalizados deben estar alojados en una CDN", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", - "severity": "Alto", - "text": "Aísle las DMZ y las NVA del resto del patrimonio de SAP, configure Azure Private Link y administre y controle de forma segura los recursos de SAP en Azure", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "Bajo", + "text": "Tener varios proveedores de identidad (es decir, iniciar sesión con sus cuentas de Microsoft, Google, Facebook)", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": 
"https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "Bajo", - "text": "Considere la posibilidad de usar el software antimalware de Microsoft en Azure para proteger sus máquinas virtuales de archivos malintencionados, adware y otras amenazas.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Medio", + "text": "Siga las reglas de la máquina virtual para la alta disponibilidad en el nivel de máquina virtual (discos premium, dos o más en una región, en diferentes zonas de disponibilidad)", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "Bajo", - "text": "Para una protección aún más eficaz, considere la posibilidad de usar Microsoft Defender para punto de conexión.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Medio", + "text": "¡No repliques! 
La replicación puede crear problemas con la sincronización de directorios", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "Alto", - "text": "Aísle los servidores de bases de datos y aplicaciones de SAP de Internet o de la red local pasando todo el tráfico a través de la red virtual del concentrador, que está conectada a la red radial mediante el emparejamiento de red virtual. Las redes virtuales emparejadas garantizan que la solución de SAP en Azure esté aislada de la red pública de Internet.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Medio", + "text": "Tener activo-activo para varias regiones", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Bajo", - "text": "En el caso de las aplicaciones orientadas a Internet, como SAP Fiori, asegúrese de distribuir la carga según los requisitos de la aplicación mientras se mantienen los niveles de seguridad. 
Para la seguridad de nivel 7, puede usar un firewall de aplicaciones web (WAF) de terceros disponible en Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "Medio", + "text": "Adición de stamps de servicio de dominio de Azure AD a regiones y ubicaciones adicionales", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "Medio", - "text": "Para habilitar la comunicación segura en las soluciones de Azure Monitor para SAP, puede optar por usar un certificado raíz o un certificado de servidor. Le recomendamos encarecidamente que utilice certificados raíz.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Seguridad" + "text": "Uso de conjuntos de réplicas para recuperación ante desastres", + "waf": "Fiabilidad" } ], "metadata": { "name": "WAF checklist", - "timestamp": "October 02, 2024" + "timestamp": "October 21, 2024" }, "severities": [ { 
@@ -10007,7 +10595,7 @@ "name": "Cumplido" }, { - "description": "Recomendación comprendida, pero no necesaria por los requisitos actuales", + "description": "Recomendación entendida, pero no necesaria por los requisitos actuales", "name": "No es necesario" }, { diff --git a/checklists/waf_checklist.ja.json b/checklists/waf_checklist.ja.json index feba01088..60e36bcdf 100644 --- a/checklists/waf_checklist.ja.json +++ b/checklists/waf_checklist.ja.json 
@@ -1,6024 +1,5255 @@ { "items": [ { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub は、保存データの暗号化を提供します。独自のキーを使用する場合、データは引き続き Microsoft マネージド キーを使用して暗号化されますが、さらに Microsoft マネージド キーはカスタマー マネージド キーを使用して暗号化されます。", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "低い", - "text": "必要に応じて、保存データの暗号化でカスタマー マネージド キー オプションを使用する", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "安全" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs 名前空間を使用すると、クライアントは TLS 1.0 以降でデータを送受信できます。より厳格なセキュリティ対策を適用するには、クライアントが新しいバージョンの TLS を使用してデータを送受信するように Event Hubs 名前空間を構成できます。Event Hubs 名前空間で TLS の最小バージョンが必要な場合、古いバージョンで行われた要求はすべて失敗します。", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", - "severity": "中程度", - "text": "要求に最低限必要なバージョンのトランスポート層セキュリティ (TLS) を適用する", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "安全" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Event Hubs 名前空間を作成すると、名前空間に対して RootManageSharedAccessKey という名前のポリシー規則が自動的に作成されます。このポリシーには、名前空間全体に対する管理アクセス許可があります。このルールは、管理ルートアカウントのように扱い、アプリケーションでは使用しないことをお勧めします。RBAC で認証プロバイダーとして AAD を使用することをお勧めします。", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "中程度", - "text": "必要のない場合はrootアカウントの使用を避けてください", - "training": 
"https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "安全" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure リソースのマネージド ID は、Azure Virtual Machines (VM)、関数アプリ、Virtual Machine Scale Sets、その他のサービスで実行されているアプリケーションから Azure AD 資格情報を使用して、Event Hubs リソースへのアクセスを承認できます。Azure リソースのマネージド ID を Azure AD 認証と共に使用することで、クラウドで実行されるアプリケーションに資格情報を格納することを回避できます。", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "中程度", - "text": "可能な場合は、アプリケーションでマネージド ID を使用して Azure Event Hub に対する認証を行う必要があります。そうでない場合は、ストレージ資格情報 (SAS、サービス プリンシパル資格情報) を Azure Key Vault または同等のサービスに用意することを検討してください", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "アクセス許可を作成するときは、Azure Event Hub へのクライアントのアクセスをきめ細かく制御します。Azure Event Hub のアクセス許可は、個々のリソース レベル (コンシューマー グループ、イベント ハブ エンティティ、イベント ハブ名前空間など) にスコープを設定する必要があり、またそうする必要があります。", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", - "severity": "高い", - "text": "最小特権データ プレーン RBAC を使用する", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "安全" + "text": "有効期間の長い取り消し可能なトークンを使用し、トークンをキャッシュし、Microsoft ID ライブラリを使用してサイレントに取得します", + "waf": "確実" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure 
Event Hub Review", - "description": "Azure Event Hub リソース ログには、操作ログ、仮想ネットワーク、Kafka ログが含まれます。ランタイム監査ログは、Event Hubs のすべてのデータ プレーン アクセス操作 (イベントの送受信など) に関する集計された診断情報をキャプチャします。", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "中程度", - "text": "セキュリティ調査のログ記録を有効にします。Azure Monitor を使用して、リソース ログ、ランタイム監査ログ、Kafka ログなどのメトリックとログをキャプチャします", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "安全" + "text": "サインイン ユーザー フローがバックアップされ、回復性があることを確認します。ユーザーのサインインに使用するコードがバックアップされ、回復可能であることを確認します。外部プロセスとの回復力のあるインターフェース", + "waf": "確実" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "既定では、Azure Event Hub にはパブリック IP アドレスがあり、インターネットに到達できます。プライベート エンドポイントを使用すると、仮想ネットワークと Azure Event Hub の間のトラフィックが Microsoft のバックボーン ネットワークを経由するようになります。それに加えて、パブリックエンドポイントを使用しない場合は無効にする必要があります。", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "中程度", - "text": "プライベート エンドポイントを使用して Azure Event Hub にアクセスし、該当する場合はパブリック ネットワーク アクセスを無効にすることを検討してください。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "text": "カスタムブランドアセットはCDNでホストする必要がある", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - 
"description": "IP ファイアウォールを使用すると、パブリック エンドポイントを、CIDR (Classless Inter-Domain Routing) 表記の一連の IPv4 アドレスまたは IPv4 アドレス範囲のみに制限できます。", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", - "severity": "中程度", - "text": "特定の IP アドレスまたは範囲からの Azure Event Hub 名前空間へのアクセスのみを許可することを検討してください", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "低い", + "text": "複数のIDプロバイダーを持っている(つまり、Microsoft、Google、Facebookアカウントでログインする)", + "waf": "確実" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "中程度", - "text": "FTAレジリエンシーハンドブックの活用", + "text": "VM レベルでの高可用性に関する VM ルールに従う (Premium ディスク、リージョン内の 2 つ以上、異なる可用性ゾーン内)", "waf": "確実" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "これは、ゾーン対応リージョンの Premium、Dedicated、または Standard SKU を使用してポータルから作成された新しい EH 名前空間に対して自動的にオンになります。EH メタデータとイベント データ自体の両方がゾーン間でレプリケートされます", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "高い", - "text": "Availability Zones の活用 
(地域的に適用可能な場合)", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "中程度", + "text": "複製しないでください!レプリケーションにより、ディレクトリ同期に関する問題が発生する可能性があります", "waf": "確実" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "中程度", - "text": "予測可能なパフォーマンスのために Premium または Dedicated SKU を使用する", + "text": "マルチリージョンのアクティブ/アクティブを持つ", "waf": "確実" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "組み込みの geo ディザスター リカバリー機能を有効にすると、名前空間の構成全体 (Event Hubs、コンシューマー グループ、設定) がプライマリ名前空間からセカンダリ名前空間に継続的にレプリケートされ、プライマリからセカンダリへのフェールオーバーをいつでも 1 回だけ行うことができます。アクティブ/パッシブ機能は、アプリケーション構成を変更することなく、障害が発生した Azure リージョンからの復旧と破棄を容易にするように設計されています", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "高い", - "text": "アクティブ パッシブ構成を使用した Geo ディザスター リカバリーの計画", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "中程度", + "text": "Azure AD Domain Service スタンプを追加のリージョンと場所に追加する", "waf": "確実" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": 
"ダウンしたリージョンでのイベントデータの停止または損失を許容できない DR 構成に使用する必要があります。このような場合は、レプリケーションのガイダンスに従い、組み込みの geo ディザスター リカバリー機能 (アクティブ/パッシブ) を使用しないでください。アクティブ/アクティブでは、異なるリージョンと名前空間で複数の Event Hubs を保持し、イベントはハブ間でレプリケートされます", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "中程度", - "text": "ビジネス クリティカルなアプリケーションの場合は、アクティブ アクティブ構成を使用します", + "text": "DR にレプリカ セットを使用する", "waf": "確実" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", - "severity": "中程度", - "text": "回復力のある Event Hubs の設計", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", + "severity": "低い", + "text": "AKS Windows ワークロードで必要な場合は、HostProcess コンテナーを使用できます", "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", - "severity": "中程度", - "text": "Azure Center for SAP solutions (ACSS) は、SAP を Azure 上の最上位のワークロードにする Azure オファリングです。ACSS は、Azure 上の統合ワークロードとして SAP システムを作成および実行し、イノベーションのためのよりシームレスな基盤を提供するエンドツーエンドのソリューションです。新しい Azure ベースの SAP システムと既存の SAP システムの両方の管理機能を利用できます。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "オペレーションズ" + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "低い", + "text": "イベント ドリブン ワークロードを実行する場合は KEDA を使用します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", - "severity": "中程度", - "text": "Azure では、Linux と Windows での SAP デプロイの自動化がサポートされています。SAP Deployment Automation Framework は、SAP 環境をデプロイ、インストール、保守できるオープンソースのオーケストレーションツールです。", - "training": "https://github.com/Azure/sap-automation", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "低い", + "text": "Dapr を使用してマイクロサービス開発を容易にする", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", - "severity": "中程度", - "text": "運用データベースのポイントインタイムリカバリを、RTOを満たす任意の時点と時間枠で実行します。ポイントインタイムリカバリには、通常、DBMSレイヤーまたはSAPを介してデータを削除するオペレーターのエラーが含まれます", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", + "severity": "高い", + "text": "SLA でサポートされる AKS オファリングを使用する", "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", - "severity": "中程度", - "text": 
"バックアップ時間とリカバリ時間をテストして、災害後にすべてのシステムを同時にリストアするための RTO 要件を満たしていることを確認します。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "低い", + "text": "ポッドとデプロイ定義でのディスラプション バジェットの使用", "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "高い", - "text": "ペアになっているリージョン間で標準ストレージをレプリケートすることはできますが、データベースや仮想ハード ディスクの保存に標準ストレージを使用することはできません。バックアップをレプリケートできるのは、使用するペアのリージョン間でのみです。他のすべてのデータについては、SQL Server Always On や SAP HANA システム レプリケーションなどのネイティブ DBMS 機能を使用してレプリケーションを実行します。SAP アプリケーション層には、Site Recovery、rsync または robocopy、およびその他のサードパーティ ソフトウェアを組み合わせて使用します。", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "text": "プライベート レジストリを使用する場合は、複数のリージョンにイメージを格納するようにリージョン レプリケーションを構成します", "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "中程度", - "text": "Azure Availability Zones を使用して高可用性を実現する場合は、SAP アプリケーション サーバーとデータベース サーバー間の待機時間を考慮する必要があります。レイテンシーの高いゾーンでは、SAP アプリケーション・サーバーとデータベース・サーバーが常に同じゾーンで実行されていることを確認するための運用手順を整備する必要があります。", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "確実" - }, - { - "checklist": "SAP Checklist", - 
"graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", - "severity": "高い", - "text": "オンプレミスからプライマリおよびセカンダリの Azure ディザスター リカバリー リージョンへの ExpressRoute 接続を設定します。また、ExpressRoute を使用する代わりに、オンプレミスからプライマリおよびセカンダリの Azure ディザスター リカバリー リージョンへの VPN 接続を設定することを検討してください。", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "低い", + "text": "kubecost などの外部アプリケーションを使用して、さまざまなユーザーにコストを割り当てます", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", "severity": "低い", - "text": "証明書、シークレット、キーなどのキー コンテナーの内容をリージョン間でレプリケートして、DR リージョンのデータを復号化できるようにします。", - "waf": "確実" + "text": "スケールダウンモードを使用してノードを削除/割り当て解除する", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": 
"https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "中程度", - "text": "プライマリ仮想ネットワークとディザスター リカバリー仮想ネットワークをピアリングします。たとえば、HANA システム レプリケーションの場合、SAP HANA DB 仮想ネットワークをディザスター リカバリー サイトの SAP HANA DB 仮想ネットワークにピアリングする必要があります。", - "waf": "確実" + "text": "必要に応じて、AKS クラスターで複数インスタンスの分割 GPU を使用する", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", "severity": "低い", - "text": "SAP デプロイに Azure NetApp Files ストレージを使用する場合は、少なくとも Premium レベルの 2 つのリージョンに 2 つの Azure NetApp Files アカウントを作成します。", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "確実" + "text": "Dev/Test クラスターを実行している場合は、NodePool Start/Stop を使用します。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "高い", - "text": "ネイティブ・データベース・レプリケーション・テクノロジーを使用して、HAペアのデータベースを同期する必要があります。", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", + "severity": "中程度", + "text": "Azure Policy for Kubernetes を使用してクラスターのコンプライアンスを確保する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "高い", - "text": "プライマリ仮想ネットワーク (VNet) の CIDR は、DR サイトの VNet の CIDR と競合したり、重複したりしないようにする必要があります", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "中程度", + "text": "ユーザー/システムノードプールを使用してコントロールプレーンからアプリケーションを分離する", + "waf": "安全" }, { - "checklist": "SAP 
Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", - "severity": "高い", - "text": "Site Recovery を使用して、アプリケーション サーバーを DR サイトにレプリケートします。Site Recovery は、セントラル サービス クラスター VM を DR サイトにレプリケートするのにも役立ちます。DR を呼び出すときは、DR サイトで Linux Pacemaker クラスターを再構成する必要があります (たとえば、VIP または SBD の置き換え、corosync.conf の実行など)。", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "低い", + "text": "システム ノードプールにテイントを追加して専用にする", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "高い", - "text": "単一障害点に対する SAP ソフトウェアの可用性を検討します。これには、SAP NetWeaver や SAP S/4HANA アーキテクチャ、SAP ABAP や ASCS + SCS で使用される DBMS などのアプリケーション内の単一障害点が含まれます。また、SAP Web Dispatcher などの他のツールも含みます。", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", + "severity": "中程度", + "text": "イメージにはプライベート レジストリ (ACR など) を使用する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "高い", - "text": "SAP および 
SAP データベースの場合は、自動フェールオーバー クラスターの実装を検討してください。Windows では、Windows Server フェールオーバー クラスタリングはフェールオーバーをサポートします。Linux では、Linux Pacemaker や SIOS Protection Suite や Veritas InfoScale などのサードパーティツールがフェイルオーバーをサポートしています。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", + "severity": "中程度", + "text": "イメージをスキャンして脆弱性を検出する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "severity": "高い", - "text": "Azure では、プライマリ VM とセカンダリ VM が DBMS データのストレージを共有するアーキテクチャはサポートされていません。DBMS レイヤーの一般的なアーキテクチャ パターンは、プライマリ VM とセカンダリ VM が使用するものとは異なるストレージ スタックを使用して、データベースを同時にレプリケートすることです。", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "確実" + "text": "アプリの分離要件を定義する (名前空間/ノードプール/クラスター)", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "高い", - "text": "DBMS データとトランザクション/再実行ログ ファイルは、Azure でサポートされているブロック ストレージまたは Azure NetApp Files に格納されます。Azure 
Files または Azure Premium Files は、SAP ワークロードでの DBMS データや再実行ログ ファイルのストレージとしてサポートされていません。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", + "severity": "中程度", + "text": "CSI シークレット ストア ドライバーを使用して Azure Key Vault にシークレットを格納する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "高い", - "text": "Windows の Azure 共有ディスクは、ASCS + SCS コンポーネントと特定の高可用性シナリオに使用できます。フェールオーバー クラスターは、SAP アプリケーション レイヤー コンポーネントと DBMS レイヤー用に別々に設定します。Azure では現在、SAP アプリケーション レイヤー コンポーネントと DBMS レイヤーを 1 つのフェールオーバー クラスターに結合する高可用性アーキテクチャはサポートされていません。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "text": "クラスターにサービス プリンシパルを使用する場合は、資格情報を定期的に (四半期ごとなど) 更新します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand 
bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "高い", - "text": "SAP アプリケーション レイヤー コンポーネント (ASCS) と DBMS レイヤーのほとんどのフェールオーバー クラスターには、フェールオーバー クラスターの仮想 IP アドレスが必要です。 Azure Load Balancer は、他のすべてのケースで仮想 IP アドレスを処理する必要があります。設計原則の 1 つは、クラスター構成ごとに 1 つのロード バランサーを使用することです。ロード バランサーの Standard バージョン (Standard Load Balancer SKU) を使用することをお勧めします。", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + 
"service": "AKS", + "severity": "中程度", + "text": "必要に応じて、キー管理サービスの etcd 暗号化を追加します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "高い", - "text": "フローティング IP がロードバランサーで有効になっていることを確認します", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、Confidential Compute for AKS の使用を検討してください", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", - "severity": "高い", - "text": "高可用性インフラストラクチャをデプロイする前に、選択したリージョンに応じて、Azure 可用性セットと可用性ゾーンのどちらを使用してデプロイするかを決定します。", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", + "severity": "中程度", + "text": "Defender for Containers の使用を検討する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", 
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "高い", - "text": "SAP コンポーネント (セントラル サービス、アプリケーション サーバー、データベース) のアプリケーションのインフラストラクチャ SLA を満たす場合は、すべてのコンポーネントに対して同じ高可用性オプション (VM、可用性セット、可用性ゾーン) を選択する必要があります。", - "waf": "確実" + "text": "サービス プリンシパルの代わりにマネージド ID を使用するUse managed identities instead of Service Principals", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "高い", - "text": "同じ可用性セットに異なる役割のサーバーを混在させないでください。中央サービス VM、データベース VM、アプリケーション VM を独自の可用性セットに保持します", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", + "severity": "中程度", + "text": "認証と AAD の統合 (マネージド統合を使用)", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "中程度", - "text": "近接配置グループを使用しない限り、Azure 可用性ゾーン内に 
Azure 可用性セットをデプロイすることはできません。", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "確実" + "text": "管理者 kubeconfig へのアクセスを制限する (get-credentials --admin)", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "高い", - "text": "可用性セットを作成するときは、使用可能な障害ドメインと更新ドメインの最大数を使用します。たとえば、1 つの可用性セットに 2 つ以上の VM をデプロイする場合は、Azure の計画メンテナンスに加えて、潜在的な物理ハードウェア障害、ネットワーク停止、または電源中断の影響を制限するために、最大数の障害ドメイン (3) と十分な更新ドメインを使用します。障害ドメインのデフォルトの数は 2 で、後でオンラインで変更することはできません。", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", + "severity": "中程度", + "text": "承認と AAD RBAC の統合", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "severity": "高い", - "text": "可用性セットのデプロイで Azure 近接配置グループを使用する場合、3 つの SAP コンポーネント (中央サービス、アプリケーション サーバー、データベース) すべてが同じ近接配置グループに存在する必要があります。", - "waf": "確実" + "text": "Kubernetes で RBAC 特権を制限するために名前空間を使用する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "高い", - 
"text": "SAP SID ごとに 1 つの近接配置グループを使用します。グループは Availability Zones または Azure リージョンにまたがっていません", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", + "severity": "中程度", + "text": "ポッド ID アクセス管理の場合は、Azure AD ワークロード ID (プレビュー) を使用します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "高い", - "text": "次のいずれかのサービスを使用して、オペレーティング システムに応じて SAP セントラル サービス クラスターを実行します。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", + "severity": "中程度", + "text": "AKS 非対話型ログインの場合は、kubelogin (プレビュー) を使用します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "severity": "中程度", - "text": "現在、Azure では、同じ Linux Pacemaker クラスターでの ASCS と DB HA 
の組み合わせはサポートされていません。それらを個々のクラスターに分割します。ただし、最大 5 つの複数の中央サービス クラスターを 1 つの VM のペアに結合できます。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "text": "AKS ローカル アカウントを無効にする", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "中程度", - "text": "両方の VM を高可用性ペア、可用性セット、または可用性ゾーンにデプロイします。これらの VM は、同じサイズで、同じストレージ構成である必要があります。", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて Just-In-Time クラスター アクセスを構成する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", - "severity": "中程度", - "text": "Azure では、Red Hat Enterprise Linux (RHEL) で実行されている同じ高可用性クラスター上での SAP HANA インスタンスと ASCS/SCS インスタンスと ERS インスタンスのインストールと構成がサポートされています。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": 
"AKS", + "severity": "低い", + "text": "必要に応じて AKS の AAD 条件付きアクセスを構成する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "高い", - "text": "すべての運用システムを Premium マネージド SSD で実行し、Azure NetApp Files または Ultra Disk Storage を使用します。少なくとも、OS ディスクは Premium レベルにある必要があるため、パフォーマンスの向上と最高の SLA を実現できます。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "低い", + "text": "Windows AKS ワークロードで必要な場合は、gMSA を構成します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", - "severity": "高い", - "text": "Azure で SAP HANA を実行するのは、SAP によって認定されたストレージの種類のみにしてください。特定のボリュームは、該当する場合、特定のディスク構成で実行する必要があることに注意してください。これらの構成には、書き込みアクセラレータの有効化と Premium ストレージの使用が含まれます。また、ストレージ上で実行されるファイルシステムが、マシン上で実行される DBMS と互換性があることを確認する必要があります。", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", + "severity": "中程度", + "text": "より細かく制御するには、マネージドKubelet Identityの使用を検討してください", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
- "service": "SAP",
- "severity": "高い",
- "text": "SAP ワークロードに使用するストレージのタイプに応じて、高可用性を構成することを検討してください。Azure で使用できる一部のストレージ サービスは Azure Site Recovery でサポートされていないため、高可用性の構成が異なる場合があります。",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
+ "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
+ "service": "AKS",
+ "severity": "中程度",
+ "text": "AGIC を使用している場合は、クラスター間で AppGW を共有しないでください",
 "waf": "確実"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
- "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
+ "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
+ "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
+ "service": "AKS",
 "severity": "高い",
- "text": "さまざまなネイティブ Azure ストレージ サービス (Azure Files、Azure NetApp Files、Azure Shared Disk など) は、すべてのリージョンで使用できるとは限りません。そのため、フェールオーバー後に DR リージョンで同様の SAP を設定するには、それぞれのストレージ サービスが DR サイトで提供されていることを確認します。",
+ "text": "AKS HTTP ルーティング アドオンを使用せず、代わりにアプリケーション ルーティング アドオンでマネージド NGINX イングレスを使用します。",
 "waf": "確実"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
- "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
+ "service": "AKS",
 "severity": "中程度",
- "text": "SAPシステムのStart-Stopを自動化してコストを管理します。",
- "waf": "費用"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "低い",
- "text": "Azure Premium Storage を SAP HANA と共に使用する場合、Azure Standard SSD ストレージを使用して、コストを意識したストレージ ソリューションを選択できます。ただし、Standard SSD または Standard HDD Azure ストレージを選択すると、個々の VM の SLA に影響することに注意してください。また、非本番環境など、I/O スループットが低く、レイテンシが低いシステムでは、下位シリーズの VM を使用できます。",
- "waf": "費用"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "低い",
- "text": "低コストの代替構成 (多目的) として、非運用 HANA データベース サーバー VM に低パフォーマンスの SKU を選択できます。ただし、E シリーズなどの一部の VM タイプは、HANA 認定 (SAP HANA ハードウェア ディレクトリ) されていないか、1 ミリ秒未満のストレージ待機時間を実現できないことに注意してください。",
- "waf": "費用"
+ "text": "Windows ワークロードの場合は、高速ネットワークを使用します",
+ "waf": "パフォーマンス"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)",
- "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ 
"checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "高い", - "text": "管理グループ、サブスクリプション、リソース グループ、リソースに RBAC モデルを適用する", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "安全" + "text": "標準のALBを使用する(基本的なALBとは対照的)", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "中程度", - "text": "クラウド コネクタを介して SAP クラウド アプリケーションから SAP オンプレミス (IaaS を含む) に ID を転送するためのプリンシパル伝達の強制", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "text": "Azure CNI を使用する場合は、NodePool に異なるサブネットを使用することを検討してください", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", "severity": "中程度", - "text": "SAML を使用して、SAP Analytics Cloud、SAP Cloud 
Platform、Business by Design、SAP Qualtrics、SAP C4C with Azure AD などの SAP SaaS アプリケーションに SSO を実装します。", + "text": "プライベート エンドポイント (推奨) または Virtual Network サービス エンドポイントを使用して、クラスターから PaaS サービスにアクセスする", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": "中程度", - "text": "SAML を使用して、SAP Fiori や SAP Web GUI などの SAP NetWeaver ベースの Web アプリケーションに SSO を実装します。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "高い", + "text": "要件に最適な CNI ネットワーク プラグインを選択する (Azure CNI を推奨)", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", - "severity": "中程度", - "text": "SAML を使用して、SAP Fiori や SAP Web GUI などの SAP NetWeaver ベースの Web アプリケーションに SSO を実装します。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高い", + "text": "Azure CNI を使用する場合は、ノードあたりのポッドの最大数を考慮して、サブネットのサイズを適切に設定します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": 
"f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": "中程度", - "text": "SAP NetWeaver SSO またはパートナソリューションを使用して、SAP GUI への SSO を実装することができます。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高い", + "text": "Azure CNI を使用している場合は、最大ポッド数/ノード (既定値は 30) を確認します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", - "severity": "中程度", - "text": "SAP GUIおよびWebブラウザアクセスのSSOには、構成と保守が容易なSNC / Kerberos / SPNEGO(シンプルで保護されたGSSAPIネゴシエーションメカニズム)を実装します。X.509 クライアント証明書を使用した SSO の場合は、SAP SSO ソリューションのコンポーネントである SAP Secure Login Server を検討してください。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "内部アプリの場合、組織は多くの場合、ファイアウォールで AKS サブネット全体を開きます。これにより、ノードへのネットワーク アクセスも開かれ、場合によってはポッドへのネットワーク アクセスも開かれます (Azure CNI を使用している場合)。LoadBalancer の IP が別のサブネットにある場合は、この IP のみをアプリ クライアントで使用できる必要があります。もう 1 つの理由は、AKS サブネット内の IP アドレスが希少なリソースである場合、その IP アドレスをサービスに使用すると、クラスターの最大スケーラビリティが低下することです。", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "低い", + "text": "プライベート IP LoadBalancer サービスを使用する場合は、(AKS サブネットではなく) 専用サブネットを使用します", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": 
"https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", - "severity": "中程度", - "text": "SAP GUIおよびWebブラウザアクセスのSSOには、構成と保守が容易なSNC / Kerberos / SPNEGO(シンプルで保護されたGSSAPIネゴシエーションメカニズム)を実装します。X.509 クライアント証明書を使用した SSO の場合は、SAP SSO ソリューションのコンポーネントである SAP Secure Login Server を検討してください。", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高い", + "text": "それに応じて、サービスの IP アドレス範囲のサイズを設定します (クラスターのスケーラビリティが制限されます)。", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", - "severity": "中程度", - "text": "SAP NetWeaver の OAuth を使用して SSO を実装し、サードパーティまたはカスタムアプリケーションが SAP NetWeaver OData サービスにアクセスできるようにします。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、独自のCNIプラグインを追加します", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", - "severity": "中程度", - "text": "SAP HANA への SSO の実装", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、AKS でノードごとにパブリック IP 
を構成する", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "中程度", - "text": "Azure AD は、RISE でホストされている SAP システムの ID プロバイダーと考えてください。詳細については、「サービスと Azure AD の統合」を参照してください。", - "waf": "安全" + "text": "イングレス コントローラーを使用して、LoadBalancer タイプのサービスで公開する代わりに、Web ベースのアプリを公開します", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", - "severity": "中程度", - "text": "SAP にアクセスするアプリケーションの場合は、プリンシパル伝搬を使用して SSO を確立することができます。", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "低い", + "text": "エグレス トラフィックをスケーリングするために Azure NAT Gateway を outboundType として使用する", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", "severity": "中程度", - "text": "SAP Identity Authentication Service (IAS) を必要とする SAP BTP サービスまたは SaaS 
ソリューションを使用している場合は、SAP Cloud Identity Authentication サービスと Azure AD の間に SSO を実装して、それらの SAP サービスにアクセスすることを検討してください。この統合により、SAP IAS はプロキシ ID プロバイダーとして機能し、認証要求を中央ユーザー ストアおよび ID プロバイダーとして Azure AD に転送できます。", + "text": "Azure CNI IP の枯渇を回避するために IP の動的割り当てを使用する", + "waf": "確実" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", + "severity": "高い", + "text": "セキュリティ要件で義務付けられている場合は、AzFW/NVA を使用してエグレス トラフィックをフィルター処理します", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": "中程度", - "text": "SAP BTP への SSO の実装", + "text": "パブリック API エンドポイントを使用している場合は、アクセスできる IP アドレスを制限します", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", - "severity": "中程度", - "text": "SAP 
SuccessFactors を使用している場合は、Azure AD 自動ユーザー プロビジョニングの使用を検討してください。この統合により、新しい従業員を SAP SuccessFactors に追加すると、Azure AD でそのユーザー アカウントを自動的に作成できます。必要に応じて、Microsoft 365 または Azure AD でサポートされている他の SaaS アプリケーションでユーザー アカウントを作成できます。メール アドレスを SAP SuccessFactors に書き戻します。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", + "severity": "高い", + "text": "要件で必要な場合は、プライベート クラスターを使用します", "waf": "安全" }, { - "checklist": "SAP Checklist", - "description": "管理グループの階層を適度にフラットに保ちます (4 つ以下)。", - "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "中程度", - "text": "既存の管理グループポリシーをSAPサブスクリプションに適用", - "training": 
"https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "オペレーションズ" + "text": "Windows 2019 および 2022 AKS ノードでは、Calico ネットワーク ポリシーを使用できます", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "graph": "Resources | summarize count()", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "高い", - "text": "緊密に結合されたアプリケーションを同じSAPサブスクリプションに統合して、ルーティングと管理の複雑さを回避", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "オペレーションズ" + "text": "Kubernetes ネットワーク ポリシー オプションを有効にする (Calico/Azure)", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "高い", - "text": "サブスクリプションをスケールユニットとして活用し、リソースをスケーリングし、環境ごとにサブスクリプションをデプロイすることを検討してください。サンドボックス、非製品、製品", - "training": 
"https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "オペレーションズ" + "text": "Kubernetesネットワークポリシーを使用してクラスタ内のセキュリティを強化", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "高い", - "text": "サブスクリプションのプロビジョニングの一部としてクォータの増加を確認する (例: サブスクリプション内の使用可能な VM コアの合計)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "オペレーションズ" + "text": "Web ワークロード (UI または API) に WAF を使用するUse a WAF for a web workloads (UI or API)", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project 
subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", + "severity": "中程度", + "text": "AKS Virtual Network で DDoS Standard を使用するUse DDoS Standard in the AKS Virtual Network", + "waf": "安全" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", "severity": "低い", - "text": "Quota API は、Azure サービスのクォータを表示および管理するために使用できる REST API です。必要に応じて使用を検討してください。", - "waf": "オペレーションズ" + "text": "必要に応じて、会社の HTTP プロキシを追加します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": 
"https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", + "severity": "中程度", + "text": "高度なマイクロサービス通信管理にサービスメッシュの使用を検討する", + "waf": "安全" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", "severity": "高い", - "text": "可用性ゾーンにデプロイする場合は、クォータが承認されたら、VM のゾーン デプロイが使用可能であることを確認してください。サブスクリプション、VM シリーズ、CPU の数、必要な可用性ゾーンを含むサポート リクエストを送信します。", + "text": "最も重要なメトリックに関するアラートを構成します (推奨事項については、「Container Insights」を参照してください)", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "severity": "高い", - "text": "必要なサービスと機能が、選択したデプロイ リージョン内で使用できることを確認します。ANF、ゾーンなど", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "低い", + "text": "Azure Advisor でクラスターの推奨事項を定期的に確認する", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", - "severity": "中程度", - "text": "コストの分類とリソースのグループ化に Azure リソース タグを活用します (: BillTo、部門 (または部署)、環境 (運用、ステージ、開発)、階層 (Web 層、アプリケーション層)、アプリケーション所有者、ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "低い", + "text": "AKS 自動証明書のローテーションを有効にする", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", "severity": "高い", - "text": "Azure Backup サービスを使用して HANA データベースを保護します。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "確実" + "text": "kubernetes のバージョンを定期的に (四半期ごとなど) アップグレードする定期的なプロセスを行うか、AKS 自動アップグレード機能を使用します", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", - "severity": "中程度", - "text": "HANA 、 Oracle 、または DB2 データベースに Azure NetApp Files をデプロイする場合は、 Azure アプリケーション整合性スナップショット ツール (AzAcSnap) を使用して、アプリケーション整合性スナップショットを作成します。AzAcSnap は Oracle データベースもサポートしています。AzAcSnap は、個々の VM ではなく、中央の VM で使用することを検討してください。", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + 
"checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", + "severity": "高い", + "text": "ノードイメージのアップグレードを使用していない場合は、Linuxノードのアップグレードにkuredを使用します", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", "severity": "高い", - "text": "オペレーティングシステムと SAP システムの間でタイムゾーンが一致していることを確認します。", + "text": "クラスタノードイメージを定期的に(毎週など)アップグレードする定期的なプロセスを用意します", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", - "severity": "中程度", - "text": "同じクラスター内で異なるアプリケーション サービスをグループ化しないでください。たとえば、DRBDと中央サービスクラスタを同じクラスタに組み合わせないでください。ただし、同じ Pacemaker クラスターを使用して、約 5 つの異なる中央サービス (マルチ SID クラスター) を管理できます。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "低い", + "text": "アプリケーションまたはクラスター構成を複数のクラスターにデプロイするために gitop を検討してください", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", "severity": "低い", - "text": "Azure の実行コストを節約して最適化するために、スヌーズ モデルで開発/テスト システムを実行することを検討してください。", - "waf": "費用" + "text": "プライベート クラスターで AKS コマンド呼び出しを使用することを検討する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", - "severity": "中程度", - "text": "お客様の SAP 資産を管理することでお客様と提携する場合は、Azure Lighthouse をご検討ください。Azure Lighthouse を使用すると、マネージド サービス プロバイダーは Azure ネイティブ ID サービスを使用して、顧客の環境に対して認証を行うことができます。これにより、顧客はいつでもアクセスを取り消し、サービスプロバイダーの行動を監査できるため、制御が顧客の手に委ねられます。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "低い", + "text": "計画されたイベントの場合は、ノードの自動ドレインの使用を検討してください", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", - "severity": "中程度", - "text": "Azure Update Manager を使用して、1 つまたは複数の VM で利用可能な更新プログラムの状態を確認し、定期的な修正プログラムの適用をスケジュールすることを検討してください。", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", + "severity": "高い", + "text": "独自のガバナンスプラクティスを開発して、ノードRG(別名「インフラRG」)のオペレーターによって変更が実行されないようにします", 
"waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "severity": "低い", - "text": "SAP Landscape Management (LaMa) を使用して、SAP Basis の運用を最適化および管理します。Azure 用の SAP LaMa コネクタを使用して、SAP システムの再配置、コピー、複製、更新を行います。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "text": "カスタムノードRG(別名「インフラRG」)名を使用", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "中程度", - "text": "Azure Monitor for SAP solutions を使用して、Azure 上の SAP ワークロード (SAP HANA、高可用性 SUSE クラスター、SQL システム) を監視します。SAP Solution Manager を使用して Azure Monitor for SAP solutions を補完することを検討してください。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "非推奨の Kubernetes API を YAML マニフェストで使用しないでください", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", - 
"severity": "高い", - "text": "SAP の VM 拡張機能チェックを実行します。VM Extension for SAP は、仮想マシン (VM) の割り当てられたマネージド ID を使用して、VM の監視データと構成データにアクセスします。このチェックにより、SAP アプリケーションのすべてのパフォーマンス メトリックが、基になる Azure Extension for SAP からのものであることが保証されます。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "低い", + "text": "Windows ノードのテイント", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", - "severity": "中程度", - "text": "Azure Policy を使用して、アクセス制御とコンプライアンス レポートを作成します。Azure Policy には、組織全体の設定を適用して、一貫したポリシーの遵守と迅速な違反検出を確保する機能があります。", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "低い", + "text": "Windows コンテナーのパッチ レベルをホストのパッチ レベルと同期させる", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", - "severity": "中程度", - "text": "Azure Network Watcher の接続モニターを使用して、SAP データベースとアプリケーション サーバーの待機時間メトリックを監視します。または、Azure Monitor を使用してネットワーク待機時間の測定値を収集して表示します。", - "training": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "クラスタレベルでの診断設定経由", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "低い", + "text": "マスター ログ (API ログ) を Azure Monitor または任意のログ管理ソリューションに送信する", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", - "severity": "中程度", - "text": "プロビジョニングされた Azure インフラストラクチャで SAP HANA の品質チェックを実行し、プロビジョニングされた VM が SAP HANA on Azure のベスト プラクティスに準拠していることを確認します。", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、nodePool スナップショットを使用します", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "高い", - "text": "Azure サブスクリプションごとに、ゾーン デプロイの前に Azure 可用性ゾーンで待機時間テストを実行して、Azure 上の SAP のデプロイに待機時間の短いゾーンを選択します。", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "パフォーマンス" - }, - { - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", - "severity": "中程度", - "text": "回復性レポートを実行して、プロビジョニングされた Azure インフラストラクチャ全体 (コンピューティング、データベース、ネットワーク、ストレージ、Site Recovery) の構成が、Cloud Adaption 
Framework for Azure で定義された構成に準拠していることを確認します。", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "低い", + "text": "時間的制約のないワークロードのスポット ノード プールを検討する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", - "severity": "中程度", - "text": "SAP 用の Microsoft Sentinel ソリューションを使用して脅威保護を実装します。このソリューションを使用して、SAPシステムを監視し、ビジネスロジックとアプリケーションレイヤー全体で高度な脅威を検出します。", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "低い", + "text": "クイック バーストのために AKS 仮想ノードを検討する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", - "severity": "中程度", - "text": "Azure のタグ付けを活用すると、リソースを論理的にグループ化して追跡し、デプロイを自動化し、最も重要なこととして、発生したコストを可視化できます。", - "training": 
"https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "高い", + "text": "Container Insights (または Prometheus などの他のツール) を使用してクラスター メトリックを監視する", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "severity": "低い", - "text": "レイテンシの影響を受けやすいアプリケーションには、VM 間のレイテンシ監視を使用します。", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "高い", + "text": "Container Insights(またはTelegraf/ElasticSearchなどの他のツール)を使用してクラスターログを保存および分析します", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "severity": "中程度", - "text": "Azure Site Recovery の監視を使用して、SAP アプリケーション サーバーのディザスター リカバリー サービスの正常性を維持します。", - 
"training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "確実" + "text": "ノードの CPU とメモリの使用率を監視する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "中程度", - "text": "すべてのデータベース・ファイル・システムと実行可能プログラムをアンチウィルス・スキャンから除外します。それらを含めると、パフォーマンスの問題が発生する可能性があります。除外リストに関する規定の詳細については、データベースベンダーに確認してください。たとえば、Oracle では、ウイルス対策スキャンから /oracle//sapdata を除外することをお薦めします。", - "waf": "パフォーマンス" + "text": "Azure CNI を使用している場合は、ノードごとに消費されるポッド IP の割合を監視します", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "severity": "低い", - "text": "移行後に、HANA 以外のデータベースの完全なデータベース統計を収集することを検討してください。たとえば、SAP ノート 1020260 - Oracle 統計の配信を実装します。", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "OS ディスクの I/O は重要なリソースです。ノード内の OS が I/O で調整されると、予期しない動作が発生し、通常はノードが NotReady と宣言される可能性があります", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", + "severity": "中程度", + "text": "ノード内の OS ディスク キューの深さを監視する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "中程度", - "text": "SAP on Azure を使用するすべての Oracle デプロイに Oracle Automatic Storage Management (ASM) を使用することを検討してください。", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "パフォーマンス" + "text": "AzFW/NVA でエグレス フィルター処理を使用しない場合は、標準の ALB によって割り当てられた SNAT ポートを監視します", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "severity": "中程度", - "text": "Oracle を実行している SAP on Azure の場合、SQL スクリプトのコレクションはパフォーマンスの問題の診断に役立ちます。 自動ワークロード・リポジトリ(AWR)レポートには、Oracleシステムの問題を診断するための貴重な情報が含まれています。AWR レポートは、複数のセッションで実行し、ピーク時間を選択して、分析の範囲を広く設定することをお勧めします。", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "パフォーマンス" + "text": "AKS クラスターのリソース正常性通知をサブスクライブするSubscribe to resource health notifications for your AKS cluster", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "高い", - "text": "Azure Site Recovery の監視を使用して、SAP アプリケーション サーバーのディザスター リカバリー サービスの正常性を維持します。", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "text": "ポッド仕様で要求と制限を構成する", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", - "severity": "中程度", - "text": "HTTP/S アプリを安全に配信するには、Application Gateway v2 を使用し、WAF の保護とポリシーが有効になっていることを確認します。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", - "waf": "安全" - }, - { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "中程度", - "text": "Azure への移行中に仮想マシンの DNS または仮想名が変更されない場合、バックグラウンド DNS と仮想名は SAP ランドスケープ内の多くのシステム インターフェイスに接続され、開発者は時間の経過と共に定義するインターフェイスをお客様が認識することがよくあります。移行後に仮想名やDNS名が変更されると、さまざまなシステム間で接続の問題が発生するため、この種の問題を防ぐためにDNSエイリアスを保持することをお勧めします。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "text": "名前空間のリソースクォータを適用する", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "severity": "中程度", - "text": 
"異なるDNSゾーンを使用して、各環境(サンドボックス、開発、プリプロダクション、およびプロダクション)を相互に区別します。例外は、独自の VNet を持つ SAP デプロイです。ここでは、プライベート DNS ゾーンは必要ないかもしれません。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", + "severity": "高い", + "text": "サブスクリプションにノードプールをスケールアウトするのに十分なクォータがあることを確認する", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "description": "VNet ピアリングを構成する場合は、 [リモート仮想ネットワークへのトラフィックを許可する] 設定を使用します。", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "中程度", - "text": "ローカルおよびグローバル VNet ピアリングは接続を提供し、複数の Azure リージョンにまたがる SAP デプロイのランディング ゾーン間の接続を確保するための推奨されるアプローチです", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "確実" + "text": "Cluster Autoscaler を使用する", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", - "severity": "高い", - "text": "SAP アプリケーションと SAP データベース サーバー間の NVA のデプロイはサポートされていません", - "training": "https://me.sap.com/notes/2731110", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", + "severity": "低い", + "text": "AKS ノード プールのノード構成をカスタマイズする", "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "中程度", - "text": "Virtual WAN は、Azure リージョンとオンプレミスの場所間でグローバルなトランジット接続が必要な新しいネットワーク、大規模ネットワーク、またはグローバル ネットワークでの Azure デプロイに使用します。このアプローチでは、Azure ネットワークの推移的なルーティングを手動で設定する必要がなく、SAP on Azure デプロイの標準に従うことができます。", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "オペレーションズ" + "text": "必要に応じてHorizontal Pod Autoscalerを使用します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", - "severity": "中程度", - "text": "リージョン間でネットワーク仮想アプライアンス 
(NVA) をデプロイするのは、パートナーの NVA が使用されている場合にのみ検討してください。ネイティブ NVA が存在する場合、リージョン間または VNet 間の NVA は必要ありません。パートナー ネットワーク テクノロジと NVA をデプロイする場合は、ベンダーのガイダンスに従って、Azure ネットワークと競合する構成を確認します。", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "ノードが大きくなると、パフォーマンスが向上し、エフェメラル ディスクや高速ネットワークなどの機能が提供されますが、爆発半径が大きくなり、スケーリングの粒度が低下します", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", + "severity": "高い", + "text": "大きすぎず小さすぎない適切なノードサイズを検討してください", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", - "severity": "中程度", - "text": "Virtual WAN は、Virtual WAN ベースのトポロジのスポーク VNet 間の接続を管理し (ユーザー定義ルーティング (UDR) や NVA を設定する必要はありません)、同じ仮想ハブ内の VNet 間トラフィックの最大ネットワーク スループットは 50 ギガビット/秒です。必要に応じて、SAP ランディング ゾーンでは VNet ピアリングを使用して他のランディング ゾーンに接続し、この帯域幅の制限を克服できます。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", + "severity": "低い", + "text": "スケーラビリティのために 5,000 を超えるノードが必要な場合は、追加の AKS クラスターの使用を検討してください", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', 
array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "高い", - "text": "SAP ワークロードを実行している VM へのパブリック IP の割り当てはお勧めしません。", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "低い", + "text": "AKS 自動化のために EventGrid イベントをサブスクライブすることを検討する", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", - "severity": "高い", - "text": "ASR を設定するときは、DR 側で IP アドレスを予約することを検討してください", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "低い", + "text": "AKS クラスターで実行時間の長い操作を行う場合は、イベントの終了を検討してください", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "高い", - "text": "運用サイトと DR サイトで重複する IP アドレス範囲を使用しないでください。", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、AKS ノードに Azure Dedicated Hosts を使用することを検討してください", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", - "severity": "中程度", - "text": "Azure では VNet に複数の委任サブネットを作成するのに役立ちますが、Azure NetApp Files の VNet に存在できる委任サブネットは 1 つだけです。Azure NetApp Files に複数の委任されたサブネットを使用すると、新しいボリュームを作成しようとすると失敗します。", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "高い", + "text": "エフェメラル OS ディスクを使用する", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) 
| project id, compliant", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", - "severity": "中程度", - "text": "Azure Firewall を使用して、インターネットへの Azure 送信トラフィック、HTTP/S 以外の受信接続、East/West トラフィック フィルタリング (組織で必要な場合) を管理します", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", + "severity": "高い", + "text": "非エフェメラル ディスクの場合、複数のポッドを実行するには高いパフォーマンスが必要であり、既定の AKS ログ ローテーションしきい値で巨大なログが生成されるため、多くのポッド/ノードを実行する場合は、ノードに高い IOPS とより大きな OS ディスクを使用します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", - "severity": "中程度", - "text": "Application Gateway、SAP Web Dispatcher、およびその他のサードパーティサービスの比較に示すように、Application Gateway が SAP Web アプリのリバースプロキシとして機能する場合、Application Gateway と Web Application Firewall には制限があります。", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "低い", + "text": "ハイパー パフォーマンス ストレージ オプションの場合は、AKS 上の Ultra Disks を使用します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": 
"SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "中程度", - "text": "Azure Front Door と WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続に対して Azure リージョン間でグローバルな保護を提供します。", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", - "waf": "安全" + "text": "クラスター内に状態を保持することは避け、外部 (AzStorage、AzSQL、Cosmos など) にデータを格納します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "severity": "中程度", - "text": "Azure Front Door と Application Gateway を使用して HTTP/S アプリケーションを保護している場合は、Azure Front Door の Web アプリケーション ファイアウォール ポリシーを利用します。Azure Front Door からのトラフィックのみを受信するように Application Gateway をロックダウンします。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "安全" + "text": "AzFiles Standard を使用する場合は、パフォーマンス上の理由から AzFiles Premium や ANF を検討してください", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "中程度", - 
"text": "Web アプリケーション ファイアウォールを使用して、インターネットに公開されているトラフィックをスキャンします。別のオプションは、ロード バランサーで使用するか、Application Gateway やサードパーティ ソリューションなどのファイアウォール機能が組み込まれているリソースで使用することです。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "安全" + "text": "Azure ディスクと AZ を使用する場合は、適切なゾーンにストレージをプロビジョニングするために VolumeBindingMode:WaitForFirstConsumer を使用して LRS ディスクのゾーン内にノードプールを配置するか、複数のゾーンにまたがるノードプールに ZRS ディスクを使用することを検討してください", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", - "severity": "中程度", - "text": "Virtual WAN は、Azure リージョンとオンプレミスの場所間でグローバルなトランジット接続が必要な新しいネットワーク、大規模ネットワーク、またはグローバル ネットワークでの Azure デプロイに使用します。このアプローチでは、Azure ネットワークの推移的なルーティングを手動で設定する必要がなく、SAP on Azure デプロイの標準に従うことができます。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "高い", + "text": "2 つのレプリカで読み取り操作の可用性を 99.9% にする", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "中程度", - "text": "データ漏えいを防ぐには、Azure Private Link を使用して、Azure Blob Storage、Azure Files、Azure Data 
Lake Storage Gen2、Azure Data Factory などのサービスとしてのプラットフォーム リソースに安全にアクセスします。Azure プライベート エンドポイントは、VNet と Azure Storage、Azure Backup などのサービス間のトラフィックをセキュリティで保護するのにも役立ちます。VNet とプライベート エンドポイント対応サービス間のトラフィックは、Microsoft グローバル ネットワークを経由するため、パブリック インターネットに公開されるのを防ぎます。", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "安全" + "text": "3 つのレプリカで読み取り/書き込み操作の可用性を 99.9% に向上させる", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", "severity": "高い", - "text": "SAP アプリケーションと DBMS レイヤーで使用される VM で Azure 高速ネットワークが有効になっていることを確認します。", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "パフォーマンス" + "text": "読み取りレプリカや書き込みレプリカを有効にすることでアベイラビリティーゾーンを活用する", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + 
"service": "Cognitive Search", "severity": "中程度", - "text": "Azure Load Balancer の内部デプロイが Direct Server Return (DSR) を使用するように設定されていることを確認します。この設定 (フローティング IP の有効化) は、DBMS レイヤーの高可用性構成に内部ロード バランサー構成を使用する場合のレイテンシを短縮します。", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "安全" + "text": "リージョンの冗長性については、地理的リージョン間で検索インデックスをレプリケートする自動化された方法が提供されないため、検索用に 2 つ以上のリージョンにサービスを手動で作成します", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "severity": "中程度", - "text": "アプリケーション セキュリティ グループ (ASG) ルールと NSG ルールを使用して、SAP アプリケーションと DBMS レイヤー間のネットワーク セキュリティ アクセス制御リストを定義できます。ASG は、セキュリティの管理に役立つ仮想マシンをグループ化します。", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "安全" - }, - { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "高い", - "text": "ピアリングされていない異なる Azure VNet に SAP アプリケーション レイヤーと SAP DBMS を配置することはサポートされていません。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "パフォーマンス" + "text": 
"複数のサービス間でデータを同期するには、複数のサービスでコンテンツを更新するためにインデクサーを使用するか、複数のサービスでコンテンツの更新をプッシュするために REST API を使用する", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "severity": "中程度", - "text": "SAP アプリケーションでのネットワーク待機時間を最適化するには、Azure 近接通信配置グループの使用を検討してください。", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "パフォーマンス" + "text": "Azure Traffic Manager を使用して要求を調整する", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "高い", - "text": "オンプレミスと Azure の間で分割された SAP アプリケーション サーバー レイヤーと DBMS レイヤーの実行はまったくサポートされていません。どちらのレイヤーも、オンプレミスまたは Azure に完全に存在する必要があります。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "パフォーマンス" - }, - { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "severity": "高い", - "text": "データベース管理システム (DBMS) と SAP システムのアプリケーション層を異なる VNet でホストし、それらを VNet ピアリングで接続することは、層間の過剰なネットワーク トラフィックによって大きなコストが発生する可能性があるため、お勧めしません。Azure 
仮想ネットワーク内のサブネットを使用して、SAP アプリケーション レイヤーと DBMS レイヤーを分離することをお勧めします。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "費用" + "text": "Azure Cognitive Search インデックスをバックアップおよび復元します。このサンプル コードを使用して、インデックス定義とスナップショットを一連の Json ファイルにバックアップします", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", - "severity": "高い", - "text": "Linux ゲスト・オペレーティング・システムで Load Balancer を使用する場合は、Linux ネットワーク・パラメーター net.ipv4.tcp_timestamps が 0 に設定されていることを確認します。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7bc1c396-2461-4698-b57f-30ca69525252", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", + "service": "VNet", + "severity": "中程度", + "text": "Azure ランディング ゾーン接続リソースを複数のリージョンにデプロイして、複数リージョンのアプリケーション ランディング ゾーンとディザスター リカバリー シナリオを迅速にサポートできるようにします。", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "中程度", - "text": "SAP RISE/ECS デプロイの場合、仮想ピアリングは、お客様の既存の Azure 環境との接続を確立するための推奨される方法です。SAP vnet と顧客 vnet はどちらもネットワーク セキュリティ グループ (NSG) で保護されているため、vnet ピアリングを介して SAP ポートとデータベース ポートで通信できます", - 
"waf": "安全" + "text": "Azure リソースの管理には 1 つの Entra テナントを使用します (マルチテナントに対する明確な規制要件やビジネス要件がない限り)。", + "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "高い", - "text": "Azure VM の SAP HANA データベースのバックアップを確認します。", - "waf": "費用" + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "低い", + "text": "マルチテナント自動化アプローチを使用して、Microsoft Entra ID テナントを管理します。", + "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "severity": "中程度", - "text": "Site Recovery の組み込み監視 (SAP に使用されている場所) を確認します。", - "waf": "費用" + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", + "severity": "高い", + "text": "同じ ID でマルチテナント管理に Azure Lighthouse を使用します。", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "checklist": "Azure Landing Zone 
Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "severity": "高い", - "text": "SAP HANA システムランドスケープの監視のガイダンスを確認します。", - "waf": "オペレーションズ" + "text": "テナントを管理するためのアクセス権をパートナーに付与する場合は、Azure Lighthouse を使用します。", + "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", - "severity": "中程度", - "text": "Azure Linux VM のバックアップ戦略で Oracle Database を確認します。", - "waf": "オペレーションズ" + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", + "severity": "高い", + "text": "クラウド運用モデルに合わせた RBAC モデルを適用します。管理グループとサブスクリプション全体のスコープと割り当て。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "severity": "中程度", - "text": "SQL Server 2016 での Azure Blob Storage の使用を確認します。", - "waf": "オペレーションズ" + "text": "すべてのアカウントの種類に対して、認証の種類である [職場または学校アカウント] のみを使用します。Microsoftアカウントの使用は避けてください", + "training": 
"https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "severity": "中程度", - "text": "Azure VM の自動バックアップ v2 の使用を確認します。", - "waf": "オペレーションズ" + "text": "権限の割り当てには、グループのみを使用してください。グループ管理システムがすでに導入されている場合は、オンプレミス グループを Entra ID のみのグループに追加します。", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "severity": "高い", - "text": "Premium ディスク使用時の M シリーズの書き込みアクセラレータの有効化 (V1)", - "waf": "オペレーションズ" + "text": "Azure 環境に対する権限を持つすべてのユーザーに対して、Microsoft Entra ID 条件付きアクセス ポリシーを適用します。", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", - "severity": "中程度", - "text": "可用性ゾーンの待機時間をテストします。", - "waf": "パフォーマンス" + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", + "severity": "高い", + "text": "Azure 
環境に対する権限を持つすべてのユーザーに多要素認証を適用します。", + "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "severity": "中程度", - "text": "すべての SAP コンポーネントに対して SAP EarlyWatch Alert を有効化します。", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "パフォーマンス" + "text": "Microsoft Entra ID Privileged Identity Management (PIM) を適用して、ゼロスタンディング アクセスと最小特権を確立します。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "中程度", - "text": "SAP ABAPMeter レポート /SSA/CAT を使用して、SAP アプリケーション サーバーとデータベース サーバー間の待機時間を確認します。", - "training": "https://me.sap.com/notes/0002879613", - "waf": "パフォーマンス" + "text": "Active Directory Domain Services から Entra ドメイン サービスへの切り替えを計画している場合は、すべてのワークロードの互換性を評価します。", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": 
"resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "中程度", - "text": "CCMS を使用した SQL Server パフォーマンス監視を確認します。", - "waf": "パフォーマンス" + "text": "Microsoft Entra Domain Services を使用する場合は、レプリカ セットを使用します。レプリカ セットを使用すると、マネージド ドメインの回復性が向上し、追加のリージョンにデプロイできるようになります。", + "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "中程度", - "text": "SAP アプリケーション レイヤー VM と DBMS VM 間のネットワーク遅延をテストします (NIPING)。", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "パフォーマンス" + "text": "Microsoft Entra ID ログをプラットフォーム中央の Azure Monitor と統合します。Azure Monitor を使用すると、Azure のログと監視データに関する信頼できる唯一の情報源を使用できるため、ログの収集と保持に関する要件を満たすためのクラウド ネイティブ オプションを組織に提供できます。", + "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", - "severity": "中程度", - "text": "SAP HANA Studio のアラートを確認します。", - "waf": "パフォーマンス" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": 
"984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", + "severity": "高い", + "text": "テナント全体のアカウント ロックアウトを防ぐために、緊急アクセスまたは非常用アカウントを実装します。MFA は、2024 年 10 月にすべてのユーザーに対してデフォルトで有効になります。これらのアカウントを更新して、パスキー (FIDO2) を使用するか、MFA の証明書ベースの認証を構成することをお勧めします。", + "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "中程度", - "text": "HANA_Configuration_Minichecksを使用して SAP HANA ヘルスチェックを実行します。", - "waf": "パフォーマンス" + "text": "特に必要なシナリオがない限り、Microsoft Entra ID ロールの割り当てにオンプレミスの同期アカウントを使用しないでください。", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "severity": "中程度", - "text": "Azure、オンプレミス、またはその他のクラウド環境で Windows VM と Linux VM を実行している場合は、Azure Automation の更新管理センターを使用して、セキュリティ パッチを含むオペレーティング システムの更新プログラムを管理できます。", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "text": "Microsoft Entra ID アプリケーション プロキシを使用してリモート ユーザーにアプリケーションへのアクセス権を付与する場合は、テナントごとに 1 
つのインスタンスしか持つことができないため、プラットフォーム リソースとして管理します。", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "中程度", - "text": "SAP は、SAP システムを保護するために即時のアクションが必要な非常に重要なセキュリティパッチ (ホットフィックス) をリリースするため、SAP セキュリティ OSS ノートを定期的に確認してください。", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "安全" - }, - { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "低い", - "text": "SQL Server 上の SAP システムではアカウントが使用されないため、SQL Server on SQL Server システム管理者アカウントを無効にすることができます。元のシステム管理者アカウントを無効にする前に、システム管理者権限を持つ別のユーザーがサーバーにアクセスできることを確認してください。", + "text": "ハブアンドスポークネットワークトポロジは、最大限の柔軟性を必要とするネットワークシナリオに使用します。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", "severity": "高い", - "text": "xp_cmdshellを無効にします。SQL Server 機能xp_cmdshellは、SQL Server 内部オペレーティング システム コマンド シェルを有効にします。これは、セキュリティ監査における潜在的なリスクです。", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "安全" + "text": "ExpressRoute ゲートウェイ、VPN ゲートウェイ、Azure Firewall またはパートナー NVA などの共有ネットワーク サービスを中央ハブ仮想ネットワークにデプロイします。必要に応じて、DNS サービスもデプロイします。", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", "severity": "高い", - "text": "Azure 上の SAP HANA データベース サーバーの暗号化には、SAP HANA ネイティブの暗号化テクノロジが使用されます。さらに、Azure で SQL Server を使用している場合は、Transparent Data Encryption (TDE) を使用してデータとログ ファイルを保護し、バックアップも暗号化されるようにします。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して、DDoS ネットワークまたは IP 保護プランを使用します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": 
"https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "中程度", - "text": "Azure Storage の暗号化は、すべての Azure Resource Manager アカウントとクラシック ストレージ アカウントに対して有効になっており、無効にすることはできません。データは既定で暗号化されるため、Azure Storage の暗号化を使用するためにコードやアプリケーションを変更する必要はありません。", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "text": "パートナー ネットワーク テクノロジまたは NVA をデプロイする場合は、パートナー ベンダーのガイダンスに従ってください。", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "severity": "低い", + "text": "ハブ アンド スポークのシナリオで ExpressRoute ゲートウェイと VPN ゲートウェイ間のトランジットが必要な場合は、Azure Route Server を使用します。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", - "severity": "高い", - "text": "Azure Key Vault を使用してシークレットと資格情報を格納する", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = 
subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "低い", + "text": "Route Server を使用する場合は、Route Server サブネットに /27 プレフィックスを使用します。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "severity": "中程度", - "text": "デプロイが成功したら、承認されていない変更から保護するために、Azure リソースをロックすることをお勧めします。また、カスタマイズされた Azure ポリシー (カスタム ロール) を使用して、サブスクリプションごとに LOCK 制約とルールを適用することもできます。", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "安全" + "text": "Azure リージョン間で複数のハブ アンド スポーク トポロジを持つネットワーク アーキテクチャの場合は、ハブ VNet 間でグローバル仮想ネットワーク ピアリングを使用して、リージョンを相互に接続します。", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": 
"4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", "severity": "中程度", - "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "安全" + "text": "Azure Monitor for Networks を使用して、Azure 上のネットワークのエンドツーエンドの状態を監視します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", - "severity": "高い", - "text": "既存の要件、規制、コンプライアンス制御 (内部/外部) に基づいて - 必要な Azure ポリシーと Azure RBAC ロールを決定します", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "安全" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "severity": "中程度", + "text": "リージョンに 400 を超えるスポーク ネットワークがある場合は、VNet ピアリングの制限 (500) と ExpressRoute 経由でアドバタイズできるプレフィックスの最大数 (1000) をバイパスするために、追加のハブをデプロイします。", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - 
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "severity": "中程度", + "text": "ルート テーブルあたりのルート数を 400 に制限します。", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "確実" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", "severity": "高い", - "text": "SAP 環境でMicrosoft Defender for Endpointを有効にする場合は、すべてのサーバーをターゲットにするのではなく、DBMS サーバー上のデータ ファイルとログ ファイルを除外することをお勧めします。ターゲット ファイルを除外する場合は、DBMS ベンダーの推奨事項に従ってください。", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "安全" + "text": "VNet ピアリングを構成するときは、\"リモート仮想ネットワークへのトラフィックを許可する\" 設定を使用します。", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "確実" }, { - 
"checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", + "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", + "service": "Load Balancers", "severity": "高い", - "text": "Microsoft Defender for Cloud の Just-In-Time アクセス権を持つ SAP 管理者カスタム ロールを委任します。", - "training": 
"https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "安全" + "text": "Standard Load Balancer SKU をゾーン冗長デプロイで使用すると、Standard SKU Load Balancer を選択すると、可用性ゾーンとゾーンの回復性によって信頼性が向上し、デプロイがゾーンとリージョンの障害に耐えられるようになります。Basic とは異なり、グローバル負荷分散をサポートし、SLA を提供します。", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "低い", - "text": "サードパーティのセキュリティ製品を DIAG (SAP GUI)、RFC、HTTPS の SPNEGO の Secure Network Communications (SNC) と統合することで、転送中のデータを暗号化します。", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "安全" + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | 
mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "48682fb1-1e86-4458-a686-518ebd47393d", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", + "service": "Load Balancers", + "severity": "高い", + "text": "Load Balancer バックエンド プールに少なくとも 2 つのインスタンスが含まれていることを確認し、バックエンドに少なくとも 2 つのインスタンスがある Azure Load Balancers をデプロイすると、単一障害点が防止され、スケーラビリティがサポートされます。", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "severity": "中程度", - "text": "プリンシパル暗号化機能には Microsoft マネージド キーが既定で設定され、必要に応じてカスタマー マネージド キーが使用されます。", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "ExpressRoute Direct を使用している場合は、組織のルーターと MSEE の間のレイヤー 2 レベルでトラフィックを暗号化するために MACsec を構成します。この図は、フロー内のこの暗号化を示しています。", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on 
subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "severity": "高い", - "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", + "service": "ExpressRoute", + "severity": "中程度", + "text": "MACsec がオプションではないシナリオ (ExpressRoute Direct を使用しない場合など) は、VPN ゲートウェイを使用して、ExpressRoute プライベート ピアリング経由で IPsec トンネルを確立します。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", "severity": "高い", - "text": "HANA 以外の Windows および Windows 以外のオペレーティング システムのディスク暗号化キーとシークレットを制御および管理するには、Azure Key Vault を使用します。SAP HANA は Azure Key Vault ではサポートされていないため、SAP ABAP キーや SSH キーなどの別の方法を使用する必要があります。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "text": "Azure リージョンとオンプレミスの場所間で重複する IP アドレス空間が使用されていないことを確認します。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "安全" }, { - 
"checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", - "severity": "高い", - "text": "SAP on Azure スポーク サブスクリプションのロールベースのアクセス制御 (RBAC) ロールをカスタマイズして、ネットワーク関連の偶発的な変更を回避する", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "中程度", + "text": "プライベートインターネットのアドレス割り当て範囲(RFC 1918)のIPアドレスを使用します。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = 
addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "severity": "高い", - "text": "DMZ と NVA を他の SAP 資産から分離し、Azure Private Link を構成し、SAP on Azure リソースを安全に管理および制御します", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "安全" - }, - { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "低い", - "text": "Azure で Microsoft マルウェア対策ソフトウェアを使用して、悪意のあるファイル、アドウェア、その他の脅威から仮想マシンを保護することを検討してください。", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "安全" + "text": "IP アドレス空間が無駄にならないようにし、不必要に大規模な仮想ネットワーク (/16 など) を作成しないでください。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "低い", - "text": "さらに強力な保護を行うには、Microsoft Defender for Endpoint の使用を検討してください。", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "安全" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", + "severity": "高い", + "text": 
"運用サイトとディザスター リカバリー サイトで重複する IP アドレス範囲を使用しないでください。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", + "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", + "service": "Public IP Addresses", "severity": "高い", - "text": "仮想ネットワーク ピアリングによってスポーク ネットワークに接続されているハブ仮想ネットワークを介してすべてのトラフィックを通過させることにより、SAP アプリケーション サーバーとデータベース サーバーをインターネットまたはオンプレミス ネットワークから分離します。ピアリングされた仮想ネットワークにより、SAP on Azure ソリューションがパブリック インターネットから分離されることが保証されます。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "安全" + "text": "Standard SKU とゾーン冗長 IP を使用する (該当する場合)、Azure のパブリック IP アドレスは Standard SKU であり、非ゾーン、ゾーン、またはゾーン冗長として使用できます。ゾーン冗長 IP は、すべてのゾーンでアクセス可能であり、1 つのゾーンの障害に耐えるため、回復性が向上します。", + "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "低い", - "text": "SAP Fiori 
のようなインターネットに接続するアプリケーションの場合は、セキュリティレベルを維持しながら、アプリケーション要件ごとに負荷を分散してください。レイヤー 7 セキュリティのために、Azure Marketplace で入手できるサードパーティの Web アプリケーション ファイアウォール (WAF) を使用できます。", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "安全" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", + "service": "DNS", + "severity": "中程度", + "text": "Azure での名前解決が必要な環境では、Azure プライベート DNS を使用して解決し、名前解決に委任されたゾーン ('azure.contoso.com' など) を使用します。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", "severity": "中程度", - "text": "Azure Monitor for SAP solutions でセキュリティで保護された通信を有効にするには、ルート証明書またはサーバー証明書のどちらを使用するかを選択できます。ルート証明書を使用することを強くお勧めします。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "Azure とオンプレミス間での名前解決が必要で、Active Directory のような既存のエンタープライズ DNS サービスがない環境の場合は、Azure DNS Private Resolver を使用して DNS 要求を Azure またはオンプレミスの DNS サーバーにルーティングします。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": 
"https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "severity": "高い", - "text": "ビジネスと SLO の要件に基づいて適切なロジック アプリのホスティング プランを選択する", - "waf": "確実" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", - "severity": "高い", - "text": "ゾーンの冗長性と可用性ゾーンを使用してリージョンの障害からロジック アプリを保護する", - "waf": "確実" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "低い", + "text": "独自の DNS が必要でデプロイする特別なワークロード (Red Hat OpenShift など) は、優先する DNS ソリューションを使用する必要があります。", + "training": "https://learn.microsoft.com/training/courses/az-700t00", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", "severity": "高い", - "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", - "waf": "確実" + "text": "Azure DNS の自動登録を有効にすると、仮想ネットワーク内にデプロイされた仮想マシンの DNS レコードのライフサイクルが自動的に管理されます。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": 
"Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", - "severity": "高い", - "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", + "service": "DNS", + "severity": "中程度", + "text": "複数の Azure リージョン間の DNS 解決を管理し、サービスが別のリージョンにフェールオーバーするときの計画を実装します", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "確実" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", "severity": "中程度", - "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護", - "waf": "オペレーションズ" + "text": "Azure Bastion を使用して、ネットワークに安全に接続します。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "ストレージに関連する Microsoft クラウド セキュリティ ベンチマークのガイダンスを適用する", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "arm-service": 
"microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "severity": "中程度", - "text": "「ストレージの Azure セキュリティ ベースライン」を検討する", + "text": "Azure Bastion は、/26 以上のサブネットで使用します。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Azure Storage は、既定ではパブリック IP アドレスを持ち、インターネットからアクセスできます。プライベート エンドポイントを使用すると、アクセスが必要な Azure コンピューティング リソースのみに Azure Storage を安全に公開できるため、パブリック インターネットへの露出がなくなります", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "高い", - "text": "Azure Storage のプライベート エンドポイントの使用を検討する", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", + "severity": "中程度", + "text": "Azure Front Door と WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続に対して Azure リージョン間でグローバルな保護を提供します。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": 
"新しく作成されたストレージ アカウントは ARM デプロイ モデルを使用して作成されるため、RBAC、監査などがすべて有効になります。サブスクリプションにクラシック デプロイ モデルの古いストレージ アカウントがないことを確認します", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", - "severity": "中程度", - "text": "古いストレージ アカウントが \"クラシック デプロイ モデル\" を使用していないことを確認する", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "低い", + "text": "Azure Front Door と Azure Application Gateway を使用して HTTP/S アプリを保護する場合は、Azure Front Door の WAF ポリシーを使用します。Azure Application Gateway をロックダウンして、Azure Front Door からのトラフィックのみを受信するようにします。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Microsoft Defender を活用して、不審なアクティビティや構成ミスについて学習します。", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", "severity": "高い", - "text": "すべてのストレージ アカウントで Microsoft Defender を有効にする", + "text": "受信 HTTP/S 接続に WAF やその他のリバース プロキシが必要な場合は、ランディング ゾーン仮想ネットワーク内にデプロイし、保護してインターネットに公開するアプリと共にデプロイします。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure 
Storage Review Checklist", - "description": "論理的な削除メカニズムにより、誤って削除されたブロブを回復できます。", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", - "severity": "中程度", - "text": "BLOB の '論理的な削除' を有効にする", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "高い", + "text": "Azure DDoS ネットワークまたは IP Protection プランを使用して、仮想ネットワーク内のパブリック IP アドレス エンドポイントを保護します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由など、削除された情報をすぐに削除するようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナに対して「論理的な削除」を選択的に無効にすることを検討してください。", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "中程度", - "text": "BLOB の '論理的な削除' を無効にする", - "waf": "安全" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "高い", + "text": "ネットワークの送信トラフィックの構成と戦略を管理する方法を、今後の破壊的変更の前に計画します。2025 年 9 月 30 日に、新しいデプロイの既定の送信アクセスは廃止され、明示的なアクセス構成のみが許可されます。", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "コンテナの論理的な削除を使用すると、コンテナが削除された後に、たとえば、誤って削除した操作から回復するなどして、コンテナを回復できます。", - 
"guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", - "severity": "高い", - "text": "コンテナの「論理的な削除」を有効にする", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由など、削除された情報をすぐに削除するようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナに対して「論理的な削除」を選択的に無効にすることを検討してください。", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", - "severity": "中程度", - "text": "コンテナの「論理的な削除」を無効にする", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "削除する前に、ユーザーに削除ロックを最初に解除するように強制することで、ストレージ アカウントが誤って削除されるのを防ぎます", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "severity": "高い", - "text": "ストレージ アカウントでのリソース ロックの有効化", + "text": "診断設定を追加して、保護されたすべてのパブリック IP アドレス (DDoS IP またはネットワーク保護) の DDoS 関連のログを保存します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "BLOB の \"訴訟ホールド\" または \"時間ベースの保持\" ポリシーを検討して、BLOB、コンテナー、またはストレージ アカウントを削除できないようにします。「不可能」は実際には「不可能」を意味することに注意してください。ストレージ アカウントに不変 BLOB が含まれている場合、そのストレージ アカウントを \"削除\" する唯一の方法は、Azure サブスクリプションをキャンセルすることです。", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": 
"https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", "severity": "高い", - "text": "不変ブロブについて考える", + "text": "Virtual Machines に直接関連付けられているパブリック IP アドレスを拒否するポリシーの割り当てがあることを確認します。 特定の VM でパブリック IP が必要な場合は、除外を使用します。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "ストレージ アカウントへの保護されていない HTTP/80 アクセスを無効にして、すべてのデータ転送が暗号化され、整合性が保護され、サーバーが認証されるようにすることを検討してください。", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "高い", - "text": "HTTPS を要求する (つまり、ストレージ アカウントのポート 80 を無効にする)", - "waf": "安全" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + "severity": "中程度", + "text": "ExpressRoute を Azure へのプライマリ接続として使用します。 バックアップ接続のソースとして VPN を使用します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "ストレージ アカウントでカスタム ドメイン (ホスト名) を構成する場合は、TLS/HTTPS が必要かどうかを確認します。その場合は、ストレージ アカウントの前に Azure CDN を配置する必要がある場合があります。", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": 
"https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", - "severity": "高い", - "text": "HTTPS を適用する (HTTP を無効にする) 場合は、ストレージ アカウントにカスタム ドメイン (CNAME) を使用していないことを確認します。", - "waf": "安全" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "AS パスの先頭と接続の重みを使用して Azure からオンプレミスへのトラフィックに影響を与えたり、独自のルーターの BGP 属性の全範囲を使用してオンプレミスから Azure へのトラフィックに影響を与えたりできます。", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", + "severity": "中程度", + "text": "複数の ExpressRoute 回線または複数のオンプレミスの場所を使用する場合は、BGP 属性を使用してルーティングを最適化します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "クライアントが SAS トークンを使用して BLOB データにアクセスするときに HTTPS を要求すると、資格情報の損失リスクを最小限に抑えるのに役立ちます。", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", "severity": "中程度", - "text": "Shared Access Signature (SAS) トークンを HTTPS 接続のみに制限する", - "waf": 
"安全" + "text": "ExpressRoute/VPN ゲートウェイの適切な SKU は、帯域幅とパフォーマンスの要件に基づいて選択してください。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": ".最新の TLS バージョンを適用すると、古いバージョンを使用しているクライアントからの要求が拒否されます。", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", - "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", - "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", "severity": "高い", - "text": "ストレージ アカウントに最新の TLS バージョンを適用する", - "waf": "安全" + "text": "無制限のデータ ExpressRoute 回線を使用しているのは、そのコストを正当化する帯域幅に達した場合にのみしてください。", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "費用" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Microsoft Entra ID トークンは、可能な限り、共有アクセス署名よりも優先する必要があります", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where 
type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", "severity": "高い", - "text": "BLOB アクセスに Microsoft Entra ID トークンを使用する", - "waf": "安全" + "text": "ExpressRoute のローカル SKU を活用して、回線のコストを削減します (回線ピアリングの場所がローカル SKU の Azure リージョンをサポートしている場合)。", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "費用" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "ユーザー、グループ、またはアプリケーションにロールを割り当てる場合は、タスクの実行に必要なアクセス許可のみをそのセキュリティ プリンシパルに付与します。リソースへのアクセスを制限することで、意図しないデータの誤用と悪意のある誤用の両方を防ぐことができます。", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", "severity": "中程度", - "text": "IaM アクセス許可の最小特権", - "waf": "安全" + "text": "ゾーン冗長 
ExpressRoute ゲートウェイをサポートされている Azure リージョンにデプロイします。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "ユーザー委任 SAS は、Azure Active Directory (Azure AD) 資格情報と、SAS に指定されたアクセス許可によって保護されます。ユーザー委任 SAS は、そのスコープと機能の点でサービス SAS に似ていますが、サービス SAS よりもセキュリティ上の利点があります。", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "高い", - "text": "SAS を使用する場合は、ストレージ アカウント キー ベースの SAS よりも \"ユーザー委任 SAS\" を優先します。", - "waf": "安全" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + "severity": "中程度", + "text": "10 Gbps を超える帯域幅または専用の 10/100 Gbps ポートが必要なシナリオでは、ExpressRoute Direct を使用します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "ストレージ アカウント キー (\"共有キー\") には、監査機能がほとんどありません。誰が/いつキーのコピーをフェッチしたかを監視することはできますが、キーが複数の人の手に渡ると、特定のユーザーに使用状況を帰属させることはできなくなります。Entra ID認証のみに依存すると、ストレージアクセスをユーザーに結び付けることが容易になります。", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": 
"https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", - "severity": "高い", - "text": "Microsoft Entra ID アクセス (およびユーザー委任 SAS) のみがサポートされるように、ストレージ アカウント キーを無効にすることを検討してください。", - "waf": "安全" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", + "severity": "中程度", + "text": "待機時間を短くする必要がある場合、またはオンプレミスから Azure へのスループットを 10 Gbps より大きくする必要がある場合は、FastPath を有効にして、データ パスから ExpressRoute ゲートウェイをバイパスします。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "アクティビティ ログ データを使用して、ストレージ アカウントのセキュリティが (ストレージ アカウント キー、アクセス ポリシーなど) 表示または変更されているのは「いつ」、「誰が」、「何を」、「どのように」特定します。", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", - "severity": "高い", - "text": "Azure Monitor を使用して、ストレージ アカウントでのコントロール プレーン操作を監査することを検討してください", - "waf": "安全" + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", + "severity": "中程度", + "text": "ゾーン冗長 VPN ゲートウェイを使用して、ブランチまたはリモートの場所を Azure (使用可能な場合) に接続します。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": 
"確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "キーの有効期限ポリシーを使用すると、アカウント アクセス キーのローテーションのリマインダーを設定できます。リマインダーは、指定した間隔が経過し、キーがまだローテーションされていない場合に表示されます。", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "severity": "中程度", - "text": "ストレージ アカウント キーを使用する場合は、\"キーの有効期限ポリシー\" を有効にすることを検討してください", - "waf": "安全" + "text": "オンプレミスで冗長な VPN アプライアンス (アクティブ/アクティブまたはアクティブ/パッシブ) を使用します。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "SAS 有効期限ポリシーは、SAS が有効である推奨間隔を指定します。SAS 有効期限ポリシーは、サービス SAS またはアカウント SAS に適用されます。ユーザーが、推奨間隔よりも長い有効期間でサービス SAS またはアカウント SAS を生成すると、警告が表示されます。", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", - "severity": "中程度", - "text": "SAS 有効期限ポリシーの構成を検討する", - "waf": "安全" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "severity": "高い", + "text": "ExpressRoute Direct を使用する場合は、コストを節約するために、ローカル Azure リージョンへの ExpressRoute ローカル回線を使用することを検討してください。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": 
"費用" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "保存されているアクセス ポリシーでは、ストレージ アカウント キーを再生成しなくても、サービス SAS のアクセス許可を取り消すことができます。", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", "severity": "中程度", - "text": "SASを保存されたアクセスポリシーにリンクすることを検討する", + "text": "運用環境と非運用環境を分離する場合など、トラフィックの分離または専用の帯域幅が必要な場合は、異なる ExpressRoute 回線を使用します。これにより、ルーティングドメインを分離し、ノイズの多い隣人のリスクを軽減できます。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", "severity": "中程度", - "text": "チェックインされた接続文字列とストレージ アカウント キーを検出するように、アプリケーションのソース コード リポジトリを構成することを検討してください。", - "waf": "安全" + "text": "ExpressRoute の可用性と使用率は、組み込みの Express Route Insights を使用して監視します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure 
Storage Review Checklist", - "description": "理想的には、アプリケーションでマネージド ID を使用して Azure Storage に対する認証を行う必要があります。それが不可能な場合は、ストレージ資格情報 (接続文字列、ストレージ アカウント キー、SAS、サービス プリンシパル資格情報) を Azure KeyVault または同等のサービスに持つことを検討してください。", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", + "severity": "中程度", + "text": "接続モニターは、ネットワーク全体 (特にオンプレミスと Azure の間) の接続監視に使用します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "オペレーションズ" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", + "severity": "中程度", + "text": "冗長性を確保するために、さまざまなピアリングの場所から ExpressRoute 回線を使用します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" + }, + { + 
"arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", + "severity": "中程度", + "text": "ExpressRoute 回線を 1 つだけ使用する場合は、ExpressRoute のフェールオーバーとしてサイト間 VPN を使用します。", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "severity": "高い", - "text": "Azure KeyVault に接続文字列を格納することを検討してください (マネージド ID が不可能なシナリオの場合)", - "waf": "安全" + "text": "GatewaySubnet でルート テーブルを使用している場合は、ゲートウェイ ルートが伝達されていることを確認してください。", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "アドホック SAS サービス SAS またはアカウント SAS で短期的な有効期限を使用します。このように、SASが侵害された場合でも、SASは短時間しか有効ではありません。この方法は、保存されたアクセス ポリシーを参照できない場合に特に重要です。有効期限が近いと、BLOB にアップロードできる時間を制限することで、BLOB に書き込むことができるデータの量も制限されます。", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": 
"https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "severity": "高い", - "text": "アドホックSASの有効期間を短くするよう努める", - "waf": "安全" + "text": "ExpressRoute を使用する場合、オンプレミスのルーティングは動的である必要があり、接続エラーが発生した場合は、回線の残りの接続に収束する必要があります。負荷は、アクティブ/アクティブとして両方の接続で共有するのが理想的ですが、アクティブ/パッシブもサポートされています。", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "SASを作成するときは、できるだけ具体的で制限的にしてください。1 つのリソースと操作には、より広範なアクセスを提供する SAS よりも SAS を優先します。", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", "severity": "中程度", - "text": "SAS に狭いスコープを適用する", - "waf": "安全" + "text": "ExpressRoute 回線の 2 つの物理リンクが、ネットワーク内の 2 つの異なるエッジ デバイスに接続されていることを確認します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "SAS には、SAS を使用してリソースを要求する権限を与えられたクライアントの IP アドレスまたはアドレス範囲のパラメーターを含めることができます。", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": 
"https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", "severity": "中程度", - "text": "可能な限り、SAS のスコープを特定のクライアント IP アドレスに設定することを検討してください", - "waf": "安全" + "text": "BFD(Bidirectional Forwarding Detection)が顧客またはプロバイダのエッジルーティングデバイスで有効で設定されていることを確認します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "SAS は、クライアントがアップロードするデータの量を制限することはできません。時間の経過に伴うストレージ量の価格設定モデルを考えると、クライアントが悪意を持って大きなコンテンツをアップロードしたかどうかを検証することは理にかなっているかもしれません。", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "低い", - "text": "クライアントが SAS を使用してファイルをアップロードした後、アップロードされたデータを確認することを検討してください。", - "waf": "安全" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", + "severity": "高い", + "text": "ExpressRoute ゲートウェイを異なるピアリングの場所から 2 つ以上の回線に接続すると、回復性が向上します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "「ローカル ユーザー アカウント」を使用して SFTP 経由で BLOB ストレージにアクセスする場合、「通常の」RBAC コントロールは適用されません。NFS または REST 経由の BLOB アクセスは、SFTP アクセスよりも制限が厳しい場合があります。残念ながら、2023 年初頭の時点で、SFTP エンドポイントで現在サポートされている ID 管理の形式は、ローカル ユーザーのみです", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", 
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", - "severity": "高い", - "text": "SFTP: SFTP アクセスの「ローカル ユーザー」の数を制限し、アクセスが必要かどうかを経時的に監査します。", - "waf": "安全" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", + "severity": "中程度", + "text": "ExpressRoute 仮想ネットワーク ゲートウェイの診断ログとアラートを構成します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "severity": "中程度", - "text": "SFTP: SFTP エンドポイントは POSIX のような ACL をサポートしていません。", - "waf": "安全" + "text": "VNet 間通信に ExpressRoute 回線を使用しないでください。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "ストレージは、CORS(Cross-Origin Resource Sharing)、つまり、異なるドメインのWebアプリが同一生成元ポリシーを緩和できるようにするHTTP機能をサポートしています。CORS を有効にするときは、CorsRules を最小限の特権に保ちます。", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": 
"https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "高い", - "text": "過度に広範なCORSポリシーを避ける", - "waf": "安全" + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", + "severity": "低い", + "text": "検査のために Azure トラフィックをハイブリッドの場所に送信しないでください。 代わりに、Azure のリソース間の通信が Microsoft バックボーン ネットワーク経由で行われるように、\"Azure のトラフィックは Azure にとどまる\" という原則に従います。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "保存データは常にサーバー側で暗号化され、さらにクライアント側でも暗号化される場合があります。サーバー側の暗号化は、プラットフォーム管理キー (デフォルト) またはカスタマー管理キーを使用して行われる場合があります。クライアント側の暗号化は、クライアントが BLOB ごとに暗号化/暗号化解除キーを Azure ストレージに提供するか、クライアント側で暗号化を完全に処理することによって行われます。したがって、機密性の保証については Azure Storage にまったく依存しません。", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", "severity": "高い", - "text": "保存データの暗号化方法を決定します。データのスレッドモデルを理解する。", + "text": "Azure Firewall を使用して、インターネットへの Azure 送信トラフィック、HTTP/S 以外の受信接続、East/West トラフィック フィルタリング (組織で必要な場合) を管理します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": 
"https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", "severity": "中程度", - "text": "プラットフォームの暗号化を使用するかどうかを決定します。", + "text": "グローバル ネットワーク環境全体のセキュリティ体制を管理するためのグローバル Azure Firewall ポリシーを作成し、それをすべての Azure Firewall インスタンスに割り当てます。Azure のロールベースのアクセス制御を介して、増分ファイアウォール ポリシーをローカル セキュリティ チームに委任することで、特定のリージョンの要件を満たすためのきめ細かなポリシーを可能にします。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", - "severity": "中程度", - "text": "クライアント側の暗号化を使用するかどうかを決定します。", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "低い", + "text": "サポートされているパートナー SaaS セキュリティプロバイダーを Firewall Manager 内で構成します。これは、組織がアウトバウンド接続を保護するためにそのようなソリューションを使用する場合です。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Resource Graph エクスプローラー (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) を利用して、匿名 BLOB アクセスを許可するストレージ 
アカウントを見つけます。", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", "severity": "高い", - "text": "パブリック BLOB の匿名アクセスが必要かどうか、または特定のストレージ アカウントに対して無効にできるかどうかを検討します。", + "text": "アプリケーション・ルールを使用して、サポートされているプロトコルの宛先ホスト名でアウトバウンド・トラフィックをフィルタリングします。 FQDN ベースのネットワーク規則と Azure Firewall と DNS プロキシを使用して、他のプロトコル経由でインターネットへのエグレス トラフィックをフィルター処理します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", "severity": "高い", - "text": "storagev2 アカウントタイプを活用して、パフォーマンスと信頼性を向上させます", - "waf": 
"確実" + "text": "Azure Firewall Premium を使用して、追加のセキュリティ機能を有効にします。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", "severity": "高い", - "text": "GRS、ZRS、またはGZRSストレージを活用して、最高の可用性を実現", - "waf": "確実" + "text": "Azure Firewall の脅威インテリジェンス モードを [アラート] と [拒否] に構成して、保護を強化します。", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", - "severity": "中程度", - "text": "フェールオーバー後の書き込み操作には、顧客管理のフェールオーバーを使用します", - "waf": "確実" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall の IDPS モードを [拒否] に構成して、保護を強化します。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + 
"waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", - "severity": "中程度", - "text": "Microsoft マネージド フェールオーバーの詳細を理解する", - "waf": "確実" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", + "severity": "高い", + "text": "Virtual WAN に接続されていない VNet 内のサブネットの場合は、インターネット トラフィックが Azure Firewall またはネットワーク仮想アプライアンスにリダイレクトされるようにルート テーブルをアタッチします。", 
+ "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", "severity": "中程度", - "text": "ソフト削除を有効にする", - "waf": "確実" + "text": "診断設定を追加して、リソース固有の宛先テーブルを使用して、すべての Azure Firewall デプロイのログを保存します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", - "severity": "中程度", - "text": "Azure Data Factory の FTA 回復性プレイブックの活用", - "waf": "確実" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall クラシック ルール (存在する場合) からファイアウォール ポリシーに移行します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": 
"Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", "severity": "高い", - "text": "Availability Zones をサポートするリージョンでゾーン冗長パイプラインを使用するUse zone redundant pipelines in regions that support Availability Zones", - "waf": "確実" + "text": "Azure Firewall サブネットに /26 プレフィックスを使用します。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "waf": "安全" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "severity": "中程度", - "text": "DevOps を使用して Github と Azure DevOps の統合で ARM テンプレートをバックアップする", - "waf": "確実" + "text": "ファイアウォールポリシー内のルールを、使用頻度に基づいて「ルールコレクショングループ」と「ルールコレクション」に整理します。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", "severity": "中程度", - "text": "セルフホステッド統合ランタイム VM を別のリージョンにレプリケートしてください", - "waf": "確実" + "text": "IP グループまたは IP プレフィックスを使用して、IP テーブル・ルールの数を減らします。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", "severity": "中程度", - "text": "必ず、姉妹リージョンでネットワークをレプリケートまたは複製してください。別のリージョンに VNet のコピーを作成する必要があります", - "waf": "確実" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "ADF パイプラインで Key Vault が使用されている場合は、Key Vault をレプリケートするために何もする必要はありません。Key Vault はマネージド サービスであり、Microsoft が処理します", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", - "severity": "低い", - "text": "Keyvault 統合を使用している場合は、Keyvault の SLA を使用して可用性を把握します", - "waf": "確実" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": 
"https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "高い", - "text": "2 つのレプリカで読み取り操作の可用性を 99.9% にする", - "waf": "確実" + "text": "DNATSのソースIPとしてワイルドカード(*やanyなど)を使用せず、受信DNATのソースIPを指定する必要があります。", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", "severity": "中程度", - "text": "3 つのレプリカで読み取り/書き込み操作の可用性を 99.9% に向上させる", - "waf": "確実" + "text": "SNAT ポートの使用状況を監視し、NAT ゲートウェイの設定を評価し、シームレスなフェールオーバーを確保することで、SNAT ポートの枯渇を防ぎます。ポート数が制限に近づく場合は、SNAT の枯渇が差し迫っている可能性があります。", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "severity": "高い", - "text": "読み取りレプリカや書き込みレプリカを有効にすることでアベイラビリティーゾーンを活用する", - "waf": "確実" + "text": "Azure Firewall Premium を使用している場合は、TLS 検査を有効にします。", + "waf": "パフォーマンス" }, { - 
"arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", - "severity": "中程度", - "text": "リージョンの冗長性については、地理的リージョン間で検索インデックスをレプリケートする自動化された方法が提供されないため、検索用に 2 つ以上のリージョンにサービスを手動で作成します", - "waf": "確実" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", + "severity": "低い", + "text": "Web カテゴリを使用して、特定のトピックへの送信アクセスを許可または拒否します。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", "severity": "中程度", - "text": "複数のサービス間でデータを同期するには、複数のサービスでコンテンツを更新するためにインデクサーを使用するか、複数のサービスでコンテンツの更新をプッシュするために REST API を使用する", - "waf": "確実" + "text": "TLS 検査の一環として、Azure App Gateway からのトラフィックの受信を検査用に計画します。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": 
"https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests",
- "service": "Cognitive Search",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant",
+ "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
+ "link": "https://learn.microsoft.com/azure/firewall/dns-details",
+ "service": "Firewall",
 "severity": "中程度",
- "text": "Azure Traffic Manager を使用して要求を調整する",
- "waf": "確実"
+ "text": "Azure Firewall DNS プロキシ構成を有効にします。",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives",
- "service": "Cognitive Search",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
+ "service": "Firewall",
 "severity": "高い",
- "text": "Azure Cognitive Search インデックスをバックアップおよび復元します。このサンプル コードを使用して、インデックス定義とスナップショットを一連の Json ファイルにバックアップします",
- "waf": "確実"
+ "text": "Azure Firewall を Azure Monitor と統合し、診断ログを有効にして、ファイアウォールのログとメトリックを格納および分析します。",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "service": "Azure Functions",
- "severity": "高い",
- "text": 
"ビジネスとSLOの要件に基づいて適切な関数ホスティングプランを選択します",
- "waf": "確実"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "service": "Firewall",
+ "severity": "低い",
+ "text": "ファイアウォールルールのバックアップを実装する",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'",
+ "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707",
+ "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell",
+ "service": "Firewall",
 "severity": "高い",
- "text": "リージョンで適用可能な場合は Availability Zones を活用します (従量課金レベルでは使用できません)",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity",
- "service": "Azure Functions",
- "severity": "中程度",
- "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する",
+ "text": "Azure Firewall を複数の可用性ゾーンにデプロイします。Azure Firewall は、そのデプロイに応じて異なる SLA を提供します。1 つの可用性ゾーンまたは複数の可用性ゾーンで、信頼性とパフォーマンスが向上する可能性があります。",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/",
 "waf": "確実"
 },
 {
- 
"arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'",
+ "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc",
+ "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview",
+ "service": "Firewall",
 "severity": "高い",
- "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します",
+ "text": "Azure Firewall VNet で DDoS Protection を構成し、DDoS Protection プランを Azure Firewall をホストしている仮想ネットワークに関連付けて、DDoS 攻撃に対する軽減を強化します。Azure Firewall Manager は、ファイアウォール インフラストラクチャと DDoS 保護プランの作成を統合します。",
 "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
- "service": "Azure Functions",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Landing Zone Review",
+ "guid": 
"d301d6e8-72e5-42e3-911c-c58b5a4b1511",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "App Gateway",
 "severity": "高い",
- "text": "App Service プランで実行されているすべての関数アプリで \"Always On\" が有効になっていることを確認する",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
- "service": "Azure Functions",
- "severity": "中程度",
- "text": "関数アプリを独自のストレージ アカウントにペアリングします。Function Apps のストレージ アカウントは、緊密に結合されていない限り、再利用しないようにしてください",
- "waf": "確実"
+ "text": "0.0.0.0/0 ルートやコントロール プレーン トラフィックをブロックする NSG ルールなど、仮想ネットワークに挿入された Azure PaaS サービスのコントロール プレーン通信を中断しないでください。",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "Azure Functions",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
+ "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview",
+ "service": "ExpressRoute",
 "severity": "中程度",
- "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、関数アプリのコードを保護します",
- "waf": "オペレーションズ"
+ "text": "オンプレミスからプライベート エンドポイントと ExpressRoute プライベート ピアリングを介して Azure PaaS サービスにアクセスします。この方法では、公共のインターネット経由のトランジットを回避できます。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "安全"
 },
 {
 "arm-service": "Microsoft.Network/virtualNetworks",
 "checklist": "Azure Landing Zone Review",
- "guid": "7bc1c396-2461-4698-b57f-30ca69525252",
- "link": 
"https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
+ "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview",
 "service": "VNet",
- "severity": "中程度",
- "text": "Azure ランディング ゾーン接続リソースを複数のリージョンにデプロイして、複数リージョンのアプリケーション ランディング ゾーンとディザスター リカバリー シナリオを迅速にサポートできるようにします。",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
- "waf": "確実"
+ "severity": "高い",
+ "text": "既定では、すべてのサブネットで仮想ネットワーク サービス エンドポイントを有効にしないでください。",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "安全"
 },
 {
+ "arm-service": "Microsoft.Network/azureFirewalls",
 "checklist": "Azure Landing Zone Review",
- "guid": "70c15989-c726-42c7-b0d3-24b7375b9201",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations",
- "service": "Entra",
+ "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe",
+ "link": "azure/private-link/inspect-traffic-with-azure-firewall",
+ "service": "Firewall",
 "severity": "中程度",
- "text": "Azure リソースの管理には 1 つの Entra テナントを使用します (マルチテナントに対する明確な規制要件やビジネス要件がない限り)。",
- "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes",
- "waf": "オペレーションズ"
- },
- {
- "checklist": "Azure Landing Zone Review",
- "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
- "service": "Entra",
- "severity": "低い",
- "text": "マルチテナント自動化アプローチを使用して、Microsoft Entra ID テナントを管理します。",
- "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/",
- "waf": "オペレーションズ"
+ "text": "Azure Firewall または NVA の IP アドレスではなく FQDN を使用して Azure PaaS サービスへのエグレス トラフィックをフィルター処理し、データの流出を防ぎます。Private Link を使用している場合は、すべての FQDN をブロックでき、それ以外の場合は必要な PaaS サービスのみを許可できます。",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
+ "waf": "安全"
 },
 {
+ "arm-service": "microsoft.network/expressRouteCircuits",
 "checklist": "Azure Landing Zone Review",
- "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
- "service": "Entra",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
+ "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
+ "service": "ExpressRoute",
 "severity": "高い",
- "text": "同じ ID でマルチテナント管理に Azure Lighthouse を使用します。",
- "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience",
- "waf": "オペレーションズ"
+ "text": "Gateway サブネットには、少なくとも /27 プレフィックスを使用します。",
+ "waf": "安全"
 },
 {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
 "checklist": "Azure Landing Zone Review",
- "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "service": "Entra",
+ "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)",
+ "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
+ "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags",
+ "service": "NSG",
 "severity": "高い",
- "text": "テナントを管理するためのアクセス権をパートナーに付与する場合は、Azure Lighthouse を使用します。",
- "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer",
- "waf": "費用"
+ "text": "VirtualNetwork サービス タグを使用して接続を制限する NSG 受信既定の規則に依存しないでください。",
+ "waf": "安全"
 },
 {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
 "checklist": "Azure Landing Zone Review",
- "guid": "348ef254-c27d-442e-abba-c7571559ab91",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
- "service": "Entra",
- "severity": "高い",
- "text": "クラウド運用モデルに合わせた RBAC モデルを適用します。管理グループとサブスクリプション全体のスコープと割り当て。",
- "training": 
"https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant",
+ "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
+ "service": "NSG",
+ "severity": "中程度",
+ "text": "NSG を使用して、サブネット間のトラフィックと、プラットフォーム全体の East/West トラフィック (ランディング ゾーン間のトラフィック) を保護します。",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "waf": "安全"
 },
 {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
 "checklist": "Azure Landing Zone Review",
- "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts",
- "service": "Entra",
+ "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "service": "NSG",
 "severity": "中程度",
- "text": "すべてのアカウントの種類に対して、認証の種類である [職場または学校アカウント] のみを使用します。Microsoftアカウントの使用は避けてください",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "text": "NSG とアプリケーション セキュリティ グループを使用して、ランディング ゾーン内のトラフィックをマイクロセグメント化し、中央の NVA を使用してトラフィック フローをフィルター処理しないようにします。",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "waf": "安全"
 },
 {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
 "checklist": "Azure Landing 
Zone Review",
- "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
- "service": "Entra",
+ "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant",
+ "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
+ "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview",
+ "service": "NSG",
 "severity": "中程度",
- "text": "権限の割り当てには、グループのみを使用してください。グループ管理システムがすでに導入されている場合は、オンプレミス グループを Entra ID のみのグループに追加します。",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "text": "VNet フロー ログを有効にし、Traffic Analytics にフィードして、内部および外部のトラフィック フローに関する分析情報を取得します。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
 "waf": "安全"
 },
 {
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
 "checklist": "Azure Landing Zone Review",
- "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4",
- "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview",
- "service": "Entra",
- "severity": "高い",
- "text": "Azure 環境に対する権限を持つすべてのユーザーに対して、Microsoft Entra ID 条件付きアクセス ポリシーを適用します。",
- "training": 
"https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
- "waf": "安全"
+ "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
+ "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "NSG",
+ "severity": "中程度",
+ "text": "1000 ルールの制限があるため、NSG ごとに 900 を超える NSG ルールを実装しないでください。",
+ "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "waf": "確実"
 },
 {
+ "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01",
- "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks",
- "service": "Entra",
- "severity": "高い",
- "text": "Azure 環境に対する権限を持つすべてのユーザーに多要素認証を適用します。",
- "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication",
- "waf": "安全"
+ "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any",
+ "service": "VWAN",
+ "severity": "中程度",
+ "text": "Virtual WAN ルーティング設計の一覧にシナリオが明示的に説明されている場合は、Virtual WAN を使用します。",
+ "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
+ "waf": "オペレーションズ"
 },
 {
+ "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "14658d35-58fd-4772-99b8-21112df27ee4",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
- "service": "Entra",
+ "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
+ "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst",
+ "service": "VWAN",
 "severity": "中程度",
- "text": "Microsoft Entra ID Privileged Identity Management (PIM) を適用して、ゼロスタンディング アクセスと最小特権を確立します。",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "安全"
+ "text": "Azure リージョンごとに Virtual WAN ハブを使用して、共通のグローバル Azure Virtual WAN を介して Azure リージョン間で複数のランディング ゾーンを接続します。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "パフォーマンス"
 },
 {
+ "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/overview",
- "service": "Entra",
+ "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
+ "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall",
+ "service": "VWAN",
 "severity": "中程度",
- "text": "Active Directory Domain Services から Entra ドメイン サービスへの切り替えを計画している場合は、すべてのワークロードの互換性を評価します。",
- "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "text": "送信インターネット トラフィックの保護とフィルタリングを行うには、セキュリティで保護されたハブに Azure Firewall をデプロイします。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
 {
+ "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)",
- "guid": 
"0dd4e625-9c4b-4a56-b54a-4357bac12761",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/overview",
- "service": "Entra",
+ "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology",
+ "service": "VWAN",
 "severity": "中程度",
- "text": "Microsoft Entra Domain Services を使用する場合は、レプリカ セットを使用します。レプリカ セットを使用すると、マネージド ドメインの回復性が向上し、追加のリージョンにデプロイできるようになります。",
- "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services",
+ "text": "Virtual WAN ネットワーク アーキテクチャが、特定されたアーキテクチャ シナリオと一致していることを確認します。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
 "waf": "確実"
 },
 {
+ "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1",
- "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
- "service": "Entra",
+ "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
+ "service": "VWAN",
 "severity": "中程度",
- "text": "Microsoft Entra ID ログをプラットフォーム中央の Azure Monitor と統合します。Azure Monitor を使用すると、Azure のログと監視データに関する信頼できる唯一の情報源を使用できるため、ログの収集と保持に関する要件を満たすためのクラウド ネイティブ オプションを組織に提供できます。",
- "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs",
- "waf": "安全"
- },
- {
- "ammp": true,
- "checklist": "Azure Landing Zone Review",
- "guid": "984a859c-773e-47d2-9162-3a765a917e1f",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access",
- "service": "Entra",
- "severity": "高い",
- "text": "テナント全体のアカウント ロックアウトを防ぐために、緊急アクセスまたは非常用アカウントを実装します。MFA は、2024 年 10 月にすべてのユーザーに対してデフォルトで有効になります。これらのアカウントを更新して、パスキー (FIDO2) を使用するか、MFA の証明書ベースの認証を構成することをお勧めします。",
- "training": 
"https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies",
- "waf": "安全"
+ "text": "Azure Monitor Insights for Virtual WAN を使用して、Virtual WAN のエンドツーエンド トポロジ、状態、および主要なメトリックを監視します。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "オペレーションズ"
 },
 {
+ "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "35037e68-9349-4c15-b371-228514f4cdff",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "Entra",
+ "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant",
+ "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
+ "service": "VWAN",
 "severity": "中程度",
- "text": "特に必要なシナリオがない限り、Microsoft Entra ID ロールの割り当てにオンプレミスの同期アカウントを使用しないでください。",
- "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
- "waf": "安全"
+ "text": "Virtual WAN のブランチ間トラフィックは、これらのフローを明示的にブロックする必要がない限り、無効にしないでください。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "確実"
 },
 {
+ "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Entra",
+ "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant",
+ "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
+ "service": 
"VWAN",
 "severity": "中程度",
- "text": "Microsoft Entra ID アプリケーション プロキシを使用してリモート ユーザーにアプリケーションへのアクセス権を付与する場合は、テナントごとに 1 つのインスタンスしか持つことができないため、プラットフォーム リソースとして管理します。",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "安全"
+ "text": "AS-Path は ExpressRoute や VPN よりも柔軟性が高いため、ハブ ルーティング設定として使用します。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
+ "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity",
- "service": "VNet",
+ "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
+ "service": "VWAN",
 "severity": "中程度",
- "text": "ハブアンドスポークネットワークトポロジは、最大限の柔軟性を必要とするネットワークシナリオに使用します。",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "安全"
+ "text": "Virtual WAN でラベルベースの伝達を構成すると、仮想ハブ間の接続が損なわれます。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
+ "arm-service": "microsoft.network/virtualWans",
 "checklist": "Azure Landing Zone Review",
- "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology",
- "service": "VNet",
+ "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant",
+ "guid": "9c75dfef-573c-461c-a698-68598595581a",
+ "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
+ "service": "VWAN",
 "severity": "高い",
- "text": "ExpressRoute ゲートウェイ、VPN ゲートウェイ、Azure Firewall またはパートナー NVA などの共有ネットワーク サービスを中央ハブ仮想ネットワークにデプロイします。必要に応じて、DNS サービスもデプロイします。",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
- "waf": "費用"
+ "text": "仮想ハブに少なくとも /23 プレフィックスを割り当てて、十分な IP スペースが使用可能であることを確認します。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
 "checklist": "Azure Landing Zone Review",
- "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "VNet",
+ "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "高い",
- "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して、DDoS ネットワークまたは IP 保護プランを使用します。",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Azure Policy を戦略的に活用し、環境のコントロールを定義し、ポリシー イニシアチブを使用して関連するポリシーをグループ化します。",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
 "checklist": "Azure Landing Zone Review",
- "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
- "service": "NVA",
+ "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "中程度",
- "text": "パートナー ネットワーク テクノロジまたは NVA をデプロイする場合は、パートナー 
ベンダーのガイダンスに従ってください。",
- "waf": "確実"
+ "text": "規制とコンプライアンスの要件を Azure Policy 定義と Azure ロールの割り当てにマップします。",
+ "training": "https://learn.microsoft.com/training/modules/governance-security/",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
 "checklist": "Azure Landing Zone Review",
- "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
- "service": "ExpressRoute",
- "severity": "低い",
- "text": "ハブ アンド スポークのシナリオで ExpressRoute ゲートウェイと VPN ゲートウェイ間のトランジットが必要な場合は、Azure Route Server を使用します。",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/",
+ "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "中程度",
+ "text": "中間ルート管理グループで Azure Policy 定義を確立して、継承されたスコープで割り当てられるようにします。",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualHubs",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
 "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
- "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
- "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
- "service": "ARS",
- "severity": "低い",
- "text": "Route Server を使用する場合は、Route Server サブネットに /27 
プレフィックスを使用します。",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/",
+ "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "高い",
+ "text": "ポリシーの割り当てを適切な最上位レベルで管理し、必要に応じて下位レベルで除外します。",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
 "checklist": "Azure Landing Zone Review",
- "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
- "service": "VNet",
- "severity": "中程度",
- "text": "Azure リージョン間で複数のハブ アンド スポーク トポロジを持つネットワーク アーキテクチャの場合は、ハブ VNet 間でグローバル仮想ネットワーク ピアリングを使用して、リージョンを相互に接続します。",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
- "waf": "パフォーマンス"
+ "guid": "43334f24-9116-4341-a2ba-527526944008",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
+ "service": "Policy",
+ "severity": "低い",
+ "text": "Azure Policy を使用して、ユーザーがサブスクリプション/管理グループ レベルでプロビジョニングできるサービスを制御します。",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
 "checklist": "Azure Landing Zone Review",
- "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
- "service": "VNet",
- "severity": "中程度",
- "text": "Azure Monitor for Networks を使用して、Azure 上のネットワークのエンドツーエンドの状態を監視します。",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
- 
"waf": "オペレーションズ" + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "高い", + "text": "可能な場合は組み込みポリシーを使用して、運用オーバーヘッドを最小限に抑えます。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "description": "Resource Policy Contributor ロールを特定のスコープに割り当てると、ポリシー管理を関連するチームに委任できます。たとえば、中央のITチームが管理グループレベルのポリシーを監督し、アプリケーションチームがサブスクリプションのポリシーを処理することで、組織の標準に準拠した分散型ガバナンスが可能になります。", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "severity": "中程度", - "text": "リージョンに 400 を超えるスポーク ネットワークがある場合は、VNet ピアリングの制限 (500) と ExpressRoute 経由でアドバタイズできるプレフィックスの最大数 (1000) をバイパスするために、追加のハブをデプロイします。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "確実" + "text": "特定のスコープで組み込みのリソース ポリシー共同作成者ロールを割り当てて、アプリケーション レベルのガバナンスを有効にします。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "graph": 
"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "中程度", - "text": "ルート テーブルあたりのルート数を 400 に制限します。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "確実" + "text": "ルート管理グループのスコープで行われる Azure Policy の割り当ての数を制限して、継承されたスコープでの除外による管理を回避します。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", - "severity": "高い", - "text": "VNet ピアリングを構成するときは、\"リモート仮想ネットワークへのトラフィックを許可する\" 設定を使用します。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "確実" + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", + "severity": 
"中程度", + "text": "データ主権の要件が存在する場合は、それらを適用するために Azure ポリシーをデプロイする必要があります。", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "安全" }, { + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", - "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", - "severity": "高い", - "text": "Standard Load Balancer SKU をゾーン冗長デプロイで使用すると、Standard SKU Load Balancer を選択すると、可用性ゾーンとゾーンの回復性によって信頼性が向上し、デプロイがゾーンとリージョンの障害に耐えられるようになります。Basic とは異なり、グローバル負荷分散をサポートし、SLA を提供します。", - 
"waf": "確実" + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", + "severity": "中程度", + "text": "ソブリン ランディング ゾーンの場合は、ソブリン ポリシー ベースラインをデプロイし、正しい管理グループ レベルで割り当てます。", + "waf": "安全" }, { + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - 
"guid": "48682fb1-1e86-4458-a686-518ebd47393d", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", - "severity": "高い", - "text": "Load Balancer バックエンド プールに少なくとも 2 つのインスタンスが含まれていることを確認し、バックエンドに少なくとも 2 つのインスタンスがある Azure Load Balancers をデプロイすると、単一障害点が防止され、スケーラビリティがサポートされます。", - "waf": "確実" + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", + "severity": "中程度", + "text": "ソブリン ランディング ゾーンの場合は、ソブリン制御の目標をポリシー マッピングに文書化します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", "severity": "中程度", - "text": "ExpressRoute Direct を使用している場合は、組織のルーターと MSEE の間のレイヤー 2 レベルでトラフィックを暗号化するために MACsec を構成します。この図は、フロー内のこの暗号化を示しています。", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "text": "ソブリン・ランディング・ゾーンについては、「ソブリン・コントロールの目標からポリシー・マッピングまで」の管理プロセスが実施されていることを確認してください。", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": 
"https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", + "service": "Monitor", "severity": "中程度", - "text": "MACsec がオプションではないシナリオ (ExpressRoute Direct を使用しない場合など) は、VPN ゲートウェイを使用して、ExpressRoute プライベート ピアリング経由で IPsec トンネルを確立します。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", - "severity": "高い", - "text": "Azure リージョンとオンプレミスの場所間で重複する IP アドレス空間が使用されていないことを確認します。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "text": "Azure ロールベースのアクセス制御 (Azure RBAC)、データ主権要件、またはデータ保持ポリシーで個別のワークスペースが義務付けられている場合を除き、1 つのモニター ログ ワークスペースを使用してプラットフォームを一元的に管理します。", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", 
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "中程度", - "text": "プライベートインターネットのアドレス割り当て範囲(RFC 1918)のIPアドレスを使用します。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "text": "すべてのリージョンで 1 つの Azure Monitor ログ ワークスペースを使用するか、さまざまな地理的リージョンをカバーする複数のワークスペースを作成するかを決定します。各アプローチには、リージョン間のネットワーク料金の可能性など、長所と短所があります", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "severity": "高い", - "text": "IP アドレス空間が無駄にならないようにし、不必要に大規模な仮想ネットワーク (/16 など) を作成しないでください。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "パフォーマンス" + "text": "ログの保持要件が 12 年を超える場合は、ログを Azure Storage にエクスポートします。write-once、read-many ポリシーで不変ストレージを使用して、ユーザーが指定した間隔でデータを消去および変更できないようにします。", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "オペレーションズ" }, { - 
"arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "severity": "高い", - "text": "運用サイトとディザスター リカバリー サイトで重複する IP アドレス範囲を使用しないでください。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "確実" + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", + "severity": "中程度", + "text": "Azure Policy を使用して、OS レベルの仮想マシン (VM) 構成のずれを監視します。ポリシーを使用して Azure Automanage マシン構成の監査機能を有効にすると、アプリケーション チームのワークロードは、わずかな労力で機能機能をすぐに使用できます。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "オペレーションズ" }, { + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", - "service": "Public IP Addresses", - "severity": "高い", - "text": "Standard SKU とゾーン冗長 IP を使用する (該当する場合)、Azure のパブリック IP アドレスは Standard SKU であり、非ゾーン、ゾーン、またはゾーン冗長として使用できます。ゾーン冗長 IP は、すべてのゾーンでアクセス可能であり、1 つのゾーンの障害に耐えるため、回復性が向上します。", - "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", - "waf": "確実" + 
"guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", + "service": "VM", + "severity": "中程度", + "text": "Azure Update Manager は、Azure の Windows VM と Linux VM の修正プログラム適用メカニズムとして使用します。", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/dnsZones", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "中程度", - "text": "Azure での名前解決が必要な環境では、Azure プライベート DNS を使用して解決し、名前解決に委任されたゾーン ('azure.contoso.com' など) を使用します。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "Azure Arc を使用して、Azure の外部にある Windows および Linux VM の修正プログラム適用メカニズムとして Azure Update Manager を使用します。", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/dnsZones", + "arm-service": "microsoft.network/networkWatchers", "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "severity": "中程度", - "text": "Azure とオンプレミス間での名前解決が必要で、Active Directory のような既存のエンタープライズ 
DNS サービスがない環境の場合は、Azure DNS Private Resolver を使用して DNS 要求を Azure またはオンプレミスの DNS サーバーにルーティングします。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "安全" + "text": "Network Watcher を使用して、トラフィック フローを事前に監視します。", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/dnsZones", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "低い", - "text": "独自の DNS が必要でデプロイする特別なワークロード (Red Hat OpenShift など) は、優先する DNS ソリューションを使用する必要があります。", - "training": "https://learn.microsoft.com/training/courses/az-700t00", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", + "severity": "中程度", + "text": "Azure Monitor ログを使用して、分析情報とレポートを作成します。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/dnsZones", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", - "severity": "高い", - "text": "Azure DNS の自動登録を有効にすると、仮想ネットワーク内にデプロイされた仮想マシンの DNS レコードのライフサイクルが自動的に管理されます。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "中程度", + "text": "Azure Monitor 
アラートを使用して、運用アラートを生成します。", + "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/dnsZones", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", - "service": "DNS", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "severity": "中程度", - "text": "複数の Azure リージョン間の DNS 解決を管理し、サービスが別のリージョンにフェールオーバーするときの計画を実装します", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "Azure Automation アカウントを使用して変更とインベントリの追跡を使用する場合は、Log Analytics ワークスペースと Automation アカウントをリンクするためにサポートされているリージョンが選択されていることを確認してください。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "waf": "オペレーションズ" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", + "severity": "低い", + "text": "Azure Backup を使用する場合は、既定の設定が GRS であるため、バックアップに正しいバックアップの種類 (GRS、ZRS、LRS) を使用します。", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", "waf": "確実" }, { - "arm-service": "microsoft.network/bastionHosts", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "guid": 
"f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "severity": "中程度", - "text": "Azure Bastion を使用して、ネットワークに安全に接続します。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "text": "Azure ゲスト ポリシーを使用して、VM 拡張機能を通じてソフトウェア構成を自動的にデプロイし、準拠したベースライン VM 構成を適用します。", "waf": "安全" }, { - "arm-service": "microsoft.network/bastionHosts", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "description": "Azure Policy のゲスト構成機能を使用して、マシンの設定 (OS、アプリケーション、環境など) を監査および修復し、リソースが予想される構成と一致していることを確認し、Update Management では VM のパッチ管理を適用できます。", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", "severity": "中程度", - "text": "Azure Bastion は、/26 以上のサブネットで使用します。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "text": "Azure Policy を使用して VM セキュリティ構成のドリフトを監視します。", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": 
"1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "severity": "中程度", - "text": "Azure Front Door と WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続に対して Azure リージョン間でグローバルな保護を提供します。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" + "text": "Azure Site Recovery は、Azure から Azure Virtual Machines へのディザスター リカバリー シナリオに使用します。これにより、リージョン間でワークロードをレプリケートできます。", + "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", + "waf": "オペレーションズ" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", + "severity": "中程度", + "text": "Azure ネイティブのバックアップ機能、または Azure と互換性のあるサード パーティのバックアップ ソリューションを使用します。", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "オペレーションズ" }, { "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "service": "WAF", - "severity": "低い", - "text": "Azure Front Door と Azure Application Gateway を使用して HTTP/S アプリを保護する場合は、Azure Front Door の WAF ポリシーを使用します。Azure Application Gateway をロックダウンして、Azure Front Door からのトラフィックのみを受信するようにします。", - "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" + "severity": "高い", + "text": "診断設定を追加して、Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから WAF ログを保存します。ログを定期的に確認して、攻撃や誤検知の検出がないか確認します。", + "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", + "waf": "オペレーションズ" }, { "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", "service": "WAF", - "severity": "高い", - "text": "受信 HTTP/S 接続に WAF やその他のリバース プロキシが必要な場合は、ランディング ゾーン仮想ネットワーク内にデプロイし、保護してインターネットに公開するアプリと共にデプロイします。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "severity": "中程度", + "text": "Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから WAF ログを Microsoft Sentinel に送信します。攻撃を検出し、WAF テレメトリを Azure 環境全体に統合します。", + "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "高い", - "text": "Azure DDoS ネットワークまたは IP Protection プランを使用して、仮想ネットワーク内のパブリック IP アドレス エンドポイントを保護します。", - "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Azure Key Vault を使用して、シークレットと資格情報を格納します。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", - "severity": "高い", - "text": "ネットワークの送信トラフィックの構成と戦略を管理する方法を、今後の破壊的変更の前に計画します。2025 年 9 月 30 日に、新しいデプロイの既定の送信アクセスは廃止され、明示的なアクセス構成のみが許可されます。", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", - "waf": "確実" - }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "高い", - "text": "診断設定を追加して、保護されたすべてのパブリック IP アドレス (DDoS IP またはネットワーク保護) の DDoS 関連のログを保存します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + 
"service": "Key Vault", + "severity": "中程度", + "text": "アプリケーションやリージョンごとに異なる Azure Key Vault を使用して、トランザクションのスケール制限を回避し、シークレットへのアクセスを制限します。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", - "severity": "高い", - "text": "Virtual Machines に直接関連付けられているパブリック IP アドレスを拒否するポリシーの割り当てがあることを確認します。 特定の VM でパブリック IP が必要な場合は、除外を使用します。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中程度", + "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "ExpressRoute を Azure へのプライマリ接続として使用します。 バックアップ接続のソースとして VPN を使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" + "text": "最小特権モデルに従って、キー、シークレット、証明書を完全に削除する承認を、特殊なカスタム Microsoft Entra ID ロールに制限します。", + "training": 
"https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "description": "AS パスの先頭と接続の重みを使用して Azure からオンプレミスへのトラフィックに影響を与えたり、独自のルーターの BGP 属性の全範囲を使用してオンプレミスから Azure へのトラフィックに影響を与えたりできます。", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "複数の ExpressRoute 回線または複数のオンプレミスの場所を使用する場合は、BGP 属性を使用してルーティングを最適化します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "text": "公開認証局を使用して証明書の管理と更新プロセスを自動化し、管理を容易にします。", + "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - 
"text": "ExpressRoute/VPN ゲートウェイの適切な SKU は、帯域幅とパフォーマンスの要件に基づいて選択してください。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" + "text": "キーと証明書のローテーションのための自動化されたプロセスを確立します。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "高い", - "text": "無制限のデータ ExpressRoute 回線を使用しているのは、そのコストを正当化する帯域幅に達した場合にのみしてください。", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "費用" + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中程度", + "text": "コンテナーでファイアウォールと仮想ネットワーク サービス エンドポイントまたはプライベート エンドポイントを有効にして、キー コンテナーへのアクセスを制御します。", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project 
id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", - "severity": "高い", - "text": "ExpressRoute のローカル SKU を活用して、回線のコストを削減します (回線ピアリングの場所がローカル SKU の Azure リージョンをサポートしている場合)。", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "費用" + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", + "severity": "中程度", + "text": "プラットフォーム中央の Azure Monitor Log Analytics ワークスペースを使用して、Key Vault の各インスタンス内のキー、証明書、シークレットの使用状況を監査します。", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "ゾーン冗長 ExpressRoute ゲートウェイをサポートされている Azure リージョンにデプロイします。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "text": "Key 
Vault のインスタンス化と特権アクセスを委任し、Azure Policy を使用して一貫した準拠構成を適用します。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "10 Gbps を超える帯域幅または専用の 10/100 Gbps ポートが必要なシナリオでは、ExpressRoute Direct を使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" + "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "待機時間を短くする必要がある場合、またはオンプレミスから Azure へのスループットを 10 Gbps より大きくする必要がある場合は、FastPath を有効にして、データ パスから ExpressRoute ゲートウェイをバイパスします。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" + "text": "独自のキーを持ち込む場合、これは考慮されるすべてのサービスでサポートされているとは限りません。不整合が望ましい結果を妨げないように、適切な軽減策を実装します。レイテンシを最小限に抑える適切なリージョンペアとディザスタリカバリリージョンを選択します。", + "training": 
"https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "severity": "中程度", - "text": "ゾーン冗長 VPN ゲートウェイを使用して、ブランチまたはリモートの場所を Azure (使用可能な場合) に接続します。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "確実" + "text": "ソブリン ランディング ゾーンの場合は、Azure Key Vault マネージド HSM を使用してシークレットと資格情報を格納します。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "severity": "中程度", - "text": "オンプレミスで冗長な VPN アプライアンス (アクティブ/アクティブまたはアクティブ/パッシブ) を使用します。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "確実" + "text": "Microsoft Entra ID レポート機能を使用して、アクセス制御監査レポートを生成します。", + "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "waf": "安全" }, { - 
"arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "severity": "高い", - "text": "ExpressRoute Direct を使用する場合は、コストを節約するために、ローカル Azure リージョンへの ExpressRoute ローカル回線を使用することを検討してください。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "費用" + "text": "すべてのサブスクリプションで Defender Cloud セキュリティ態勢管理を有効にします。", + "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", - "severity": "中程度", - "text": "運用環境と非運用環境を分離する場合など、トラフィックの分離または専用の帯域幅が必要な場合は、異なる ExpressRoute 回線を使用します。これにより、ルーティングドメインを分離し、ノイズの多い隣人のリスクを軽減できます。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", + "severity": "高い", + "text": "すべてのサブスクリプションで、サーバーの Defender Cloud ワークロード保護プランを有効にします。", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ExpressRoute の可用性と使用率は、組み込みの Express Route Insights を使用して監視します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "オペレーションズ" + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "高い", + "text": "すべてのサブスクリプションで Azure リソースの Defender Cloud ワークロード保護プランを有効にします。", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", - "severity": "中程度", - "text": "接続モニターは、ネットワーク全体 (特にオンプレミスと Azure の間) の接続監視に使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "オペレーションズ" + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", + "severity": "高い", + "text": "IaaS サーバーでエンドポイント保護を有効にします。", + "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), 
circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "中程度", - "text": "冗長性を確保するために、さまざまなピアリングの場所から ExpressRoute 回線を使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "text": "Azure Monitor ログと Defender for Cloud を使用して、基本オペレーティング システムの修正プログラムのずれを監視します。", + "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "中程度", - "text": "ExpressRoute 回線を 1 つだけ使用する場合は、ExpressRoute のフェールオーバーとしてサイト間 VPN を使用します。", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "確実" + "text": "既定のリソース構成を一元化された Azure Monitor Log Analytics ワークスペースに接続します。", + "training": 
"https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", + "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", + "guid": "a56888b2-7e83-4404-bd31-b886528502d1", + "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", + "service": "Entra", "severity": "高い", - "text": "GatewaySubnet でルート テーブルを使用している場合は、ゲートウェイ ルートが伝達されていることを確認してください。", - "waf": "確実" + "text": "相関ログによる一元的な脅威検出 - 
セキュリティデータを中央の場所に統合して、SIEM(セキュリティ情報およびイベント管理)を介してさまざまなサービス間で関連付けることができます", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", - "severity": "高い", - "text": "ExpressRoute を使用する場合、オンプレミスのルーティングは動的である必要があり、接続エラーが発生した場合は、回線の残りの接続に収束する必要があります。負荷は、アクティブ/アクティブとして両方の接続で共有するのが理想的ですが、アクティブ/パッシブもサポートされています。", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "確実" + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", + "severity": "中程度", + "text": "ソブリン ランディング ゾーンの場合は、Entra ID テナントで透明度ログを有効にします。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "中程度", - "text": "ExpressRoute 回線の 2 つの物理リンクが、ネットワーク内の 2 つの異なるエッジ デバイスに接続されていることを確認します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "text": "Sovereign Landing Zone の場合は、Entra ID テナントでカスタマー ロックボックスを有効にします。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - 
"service": "ExpressRoute", - "severity": "中程度", - "text": "BFD(Bidirectional Forwarding Detection)が顧客またはプロバイダのエッジルーティングデバイスで有効で設定されていることを確認します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "高い", + "text": "ストレージ アカウントへの安全な転送を有効にします。", + "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", "severity": "高い", - "text": "ExpressRoute ゲートウェイを異なるピアリングの場所から 2 つ以上の回線に接続すると、回復性が向上します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "text": "ストレージ アカウントのコンテナーの論理的な削除を有効にして、削除されたコンテナーとその内容を回復します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ExpressRoute 仮想ネットワーク ゲートウェイの診断ログとアラートを構成します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "guid": 
"108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "高い", + "text": "Key Vault シークレットを使用して、資格情報 (仮想マシン、ユーザー パスワード)、証明書、キーなどの機密情報のハードコーディングを回避します。", + "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ストレージに関連する Microsoft クラウド セキュリティ ベンチマークのガイダンスを適用する", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "中程度", - "text": "VNet 間通信に ExpressRoute 回線を使用しないでください。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" + "text": "\"ストレージの Azure セキュリティ ベースライン\" を検討する", + "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", - "severity": "低い", - "text": "検査のために Azure トラフィックをハイブリッドの場所に送信しないでください。 代わりに、Azure のリソース間の通信が Microsoft バックボーン ネットワーク経由で行われるように、\"Azure のトラフィックは Azure にとどまる\" という原則に従います。", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "既定では、Azure Storage にはパブリック IP アドレスがあり、インターネットにアクセス可能です。プライベート エンドポイントを使用すると、アクセスが必要な Azure コンピューティング リソースにのみ Azure Storage を安全に公開できるため、パブリック インターネットへの露出を排除できます", + 
"guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "高い", + "text": "Azure Storage にプライベート エンドポイントを使用することを検討する", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "新しく作成されたストレージ アカウントは、RBAC や監査などがすべて有効になるように、ARM デプロイ モデルを使用して作成されます。サブスクリプションにクラシック デプロイ モデルの古いストレージ アカウントがないことを確認する", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", + "severity": "中程度", + "text": "古いストレージ アカウントで \"クラシック デプロイ モデル\" が使用されていないことを確認する", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Microsoft Defender を活用して、不審なアクティビティや構成ミスについて学習します。", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "高い", - "text": "Azure Firewall を使用して、インターネットへの Azure 送信トラフィック、HTTP/S 以外の受信接続、East/West トラフィック フィルタリング (組織で必要な場合) を管理します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "すべてのストレージ アカウントに対して Microsoft Defender を有効にする", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", + "arm-service": 
"Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "論理的な削除メカニズムを使用すると、誤って削除された BLOB を回復できます。", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "中程度", - "text": "グローバル ネットワーク環境全体のセキュリティ体制を管理するためのグローバル Azure Firewall ポリシーを作成し、それをすべての Azure Firewall インスタンスに割り当てます。Azure のロールベースのアクセス制御を介して、増分ファイアウォール ポリシーをローカル セキュリティ チームに委任することで、特定のリージョンの要件を満たすためのきめ細かなポリシーを可能にします。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "BLOB の \"論理的な削除\" を有効にする", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "severity": "低い", - "text": "サポートされているパートナー SaaS セキュリティプロバイダーを Firewall Manager 内で構成します。これは、組織がアウトバウンド接続を保護するためにそのようなソリューションを使用する場合です。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", + "severity": "中程度", + "text": "BLOB の '論理的な削除' を無効にする", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": 
"https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "コンテナーの論理的な削除を使用すると、コンテナーが削除された後に回復できます (たとえば、偶発的な削除操作から回復します)。", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "高い", - "text": "アプリケーション・ルールを使用して、サポートされているプロトコルの宛先ホスト名でアウトバウンド・トラフィックをフィルタリングします。 FQDN ベースのネットワーク規則と Azure Firewall と DNS プロキシを使用して、他のプロトコル経由でインターネットへのエグレス トラフィックをフィルター処理します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "コンテナーの \"論理的な削除\" を有効にする", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "高い", - "text": "Azure Firewall Premium を使用して、追加のセキュリティ機能を有効にします。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "中程度", + "text": "コンテナーの \"論理的な削除\" を無効にする", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where 
type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "削除前に削除ロックを最初に解除するようにユーザーに強制することで、ストレージ アカウントが誤って削除されないようにします", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "高い", - "text": "Azure Firewall の脅威インテリジェンス モードを [アラート] と [拒否] に構成して、保護を強化します。", + "text": "ストレージ アカウントでのリソース ロックの有効化", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "BLOB の \"訴訟ホールド\" または \"時間ベースの保持\" ポリシーを検討して、BLOB、コンテナー、またはストレージ アカウントを削除できないようにします。「不可能」は実際には「不可能」を意味することに注意してください。ストレージ アカウントに不変の BLOB が含まれる場合、そのストレージ アカウントを \"取り除く\" 唯一の方法は、Azure サブスクリプションを取り消すことです。", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "severity": "高い", - "text": "Azure Firewall の IDPS モードを [拒否] に構成して、保護を強化します。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "text": "不変の BLOB を検討する", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone 
Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ストレージ アカウントへの保護されていない HTTP/80 アクセスを無効にして、すべてのデータ転送が暗号化され、整合性が保護され、サーバーが認証されるようにすることを検討してください。", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", "severity": "高い", - "text": "Virtual WAN に接続されていない VNet 内のサブネットの場合は、インターネット トラフィックが Azure Firewall またはネットワーク仮想アプライアンスにリダイレクトされるようにルート テーブルをアタッチします。", + "text": "HTTPS を要求する (つまり、ストレージ アカウントのポート 80 を無効にする)", "waf": "安全" }, { - "arm-service": 
"Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", - "severity": "中程度", - "text": "診断設定を追加して、リソース固有の宛先テーブルを使用して、すべての Azure Firewall デプロイのログを保存します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "大事な", - "text": "Azure Firewall クラシック ルール (存在する場合) からファイアウォール ポリシーに移行します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ストレージ アカウントでカスタム ドメイン (ホスト名) を構成する場合は、TLS/HTTPS が必要かどうかを確認します。その場合は、ストレージ アカウントの前に Azure CDN を配置する必要があります。", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", 
"severity": "高い", - "text": "Azure Firewall サブネットに /26 プレフィックスを使用します。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "text": "HTTPS を適用する (HTTP を無効にする) 場合は、ストレージ アカウントにカスタム ドメイン (CNAME) を使用していないことを確認します。", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "クライアントが SAS トークンを使用して BLOB データにアクセスするときに HTTPS を要求すると、資格情報が失われるリスクを最小限に抑えることができます。", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "中程度", - "text": "ファイアウォールポリシー内のルールを、使用頻度に基づいて「ルールコレクショングループ」と「ルールコレクション」に整理します。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", - "waf": "パフォーマンス" + "text": "Shared Access Signature (SAS) トークンを HTTPS 接続のみに制限する", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", - "severity": "中程度", - "text": "IP グループまたは IP プレフィックスを使用して、IP テーブル・ルールの数を減らします。", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "AAD トークンは、可能な限り、共有アクセス署名よりも優先する必要があります", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "高い", + "text": "BLOB アクセスに Azure Active Directory (Azure AD) トークンを使用する", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", 
- "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ユーザー、グループ、またはアプリケーションにロールを割り当てる場合は、タスクの実行に必要なアクセス許可のみをセキュリティ プリンシパルに付与します。リソースへのアクセスを制限することで、意図しないデータの誤用と悪意のあるデータの誤用の両方を防ぐことができます。", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "中程度", - "text": "DNATSのソースIPとしてワイルドカード(*やanyなど)を使用せず、受信DNATのソースIPを指定する必要があります。", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "パフォーマンス" + "text": "IaM アクセス許可の最小特権", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", - "severity": "中程度", - "text": "SNAT ポートの使用状況を監視し、NAT ゲートウェイの設定を評価し、シームレスなフェールオーバーを確保することで、SNAT ポートの枯渇を防ぎます。ポート数が制限に近づく場合は、SNAT の枯渇が差し迫っている可能性があります。", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ユーザー委任 SAS は、Azure Active Directory (Azure AD) 資格情報と、SAS に指定されたアクセス許可によってセキュリティで保護されます。ユーザー委任 SAS は、そのスコープと機能の点でサービス SAS に似ていますが、サービス SAS よりもセキュリティ上の利点があります。", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "高い", + "text": "SAS を使用する場合は、ストレージ アカウント キー ベースの SAS よりも \"ユーザー委任 SAS\" を優先します。", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - 
"checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ストレージ アカウント キー (\"共有キー\") には、監査機能がほとんどありません。誰がいつキーのコピーを取得したかを監視できますが、キーが複数の人の手に渡ると、使用状況を特定のユーザーに帰属させることは不可能です。AAD 認証のみに依存することで、ストレージへのアクセスをユーザーに結び付けやすくなります。", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "severity": "高い", - "text": "Azure Firewall Premium を使用している場合は、TLS 検査を有効にします。", - "waf": "パフォーマンス" + "text": "ストレージ アカウント キーを無効にして、AAD アクセス (およびユーザー委任 SAS) のみがサポートされるようにすることを検討してください。", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "低い", - "text": "Web カテゴリを使用して、特定のトピックへの送信アクセスを許可または拒否します。", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "アクティビティ ログ データを使用して、ストレージ アカウントのセキュリティ (ストレージ アカウント キー、アクセス ポリシーなど) が \"いつ、誰が、何を、\"どのように\" 表示または変更されているかを特定します。", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "高い", + "text": "Azure Monitor を使用して、ストレージ アカウントに対するコントロール プレーン操作を監査することを検討してください", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "キーの有効期限ポリシーを使用すると、アカウントアクセスキーのローテーションのリマインダーを設定できます。リマインダーは、指定した間隔が経過し、キーがまだローテーションされていない場合に表示されます。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "中程度", - "text": "TLS 検査の一環として、Azure App Gateway からのトラフィックの受信を検査用に計画します。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", - "waf": "パフォーマンス" + "text": "ストレージ アカウント キーを使用する場合は、\"キーの有効期限ポリシー\" を有効にすることを検討してください", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS 有効期限ポリシーでは、SAS が有効である推奨間隔を指定します。SAS 有効期限ポリシーは、サービス SAS またはアカウント SAS に適用されます。ユーザーがサービス SAS またはアカウント SAS を、推奨間隔よりも長い有効期間で生成すると、警告が表示されます。", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "中程度", - "text": "Azure Firewall DNS プロキシ構成を有効にします。", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "text": "SAS 有効期限ポリシーの構成を検討する", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - 
"checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "高い", - "text": "Azure Firewall を Azure Monitor と統合し、診断ログを有効にして、ファイアウォールのログとメトリックを格納および分析します。", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "低い", - "text": "ファイアウォールルールのバックアップを実装する", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "保存されているアクセス ポリシーを使用すると、ストレージ アカウント キーを再生成することなく、サービス SAS のアクセス許可を取り消すことができます。", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "severity": "中程度", + "text": "保存されているアクセス ポリシーに SAS をリンクすることを検討する", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", - "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", - "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", - "service": "Firewall", - "severity": "高い", - "text": "Azure Firewall を複数の可用性ゾーンにデプロイします。Azure Firewall は、そのデプロイに応じて異なる SLA を提供します。1 つの可用性ゾーンまたは複数の可用性ゾーンで、信頼性とパフォーマンスが向上する可能性があります。", - "training": 
"https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "確実" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", + "severity": "中程度", + "text": "チェックインされた接続文字列とストレージ アカウント キーを検出するようにアプリケーションのソース コード リポジトリを構成することを検討してください。", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", - "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", - "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "理想的には、アプリケーションでマネージド ID を使用して Azure Storage に対する認証を行う必要があります。それが不可能な場合は、ストレージ資格情報 (接続文字列、ストレージ アカウント キー、SAS、サービス プリンシパル資格情報) を Azure KeyVault または同等のサービスに用意することを検討してください。", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": 
"https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "高い", - "text": "Azure Firewall VNet で DDoS Protection を構成し、DDoS Protection プランを Azure Firewall をホストしている仮想ネットワークに関連付けて、DDoS 攻撃に対する軽減を強化します。Azure Firewall Manager は、ファイアウォール インフラストラクチャと DDoS 保護プランの作成を統合します。", - "waf": "確実" + "text": "接続文字列を Azure KeyVault に格納することを検討する (マネージド ID が不可能なシナリオの場合)", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "アドホック SAS サービス SAS またはアカウント SAS で、有効期限が近づいています。このように、SAS が侵害された場合でも、有効期間は短時間です。この方法は、保存されているアクセス ポリシーを参照できない場合に特に重要です。また、有効期限が近いと、BLOB にアップロードできる時間が制限されるため、BLOB に書き込めるデータの量も制限されます。", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "高い", - "text": "0.0.0.0/0 ルートやコントロール プレーン トラフィックをブロックする NSG ルールなど、仮想ネットワークに挿入された Azure PaaS サービスのコントロール プレーン通信を中断しないでください。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "アドホックSASの有効期間を短くする", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS を作成するときは、できるだけ具体的かつ制限的にしてください。1 つのリソースと操作には、より広範なアクセスを提供する SAS よりも SAS を優先します。", + "guid": 
"4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "中程度", - "text": "オンプレミスからプライベート エンドポイントと ExpressRoute プライベート ピアリングを介して Azure PaaS サービスにアクセスします。この方法では、公共のインターネット経由のトランジットを回避できます。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "SAS に狭いスコープを適用する", "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS には、SAS を使用してリソースを要求する権限をクライアント IP アドレスまたはアドレス範囲に与えるパラメーターを含めることができます。", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", + "severity": "中程度", + "text": "可能な限り、SAS のスコープを特定のクライアント IP アドレスに設定することを検討してください", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS は、クライアントがアップロードするデータの量を制限できません。時間の経過に伴うストレージ容量の価格モデルを考えると、クライアントが悪意を持って大きなコンテンツをアップロードしたかどうかを検証することは理にかなっているかもしれません。", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "低い", + "text": "クライアントが SAS 
を使用してファイルをアップロードした後、アップロードされたデータを確認することを検討してください。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "\"ローカル ユーザー アカウント\" を使用して SFTP 経由で BLOB ストレージにアクセスする場合、\"通常の\" RBAC 制御は適用されません。NFS または REST 経由の BLOB アクセスは、SFTP アクセスよりも制限が厳しい場合があります。残念ながら、2023 年初頭の時点で、SFTP エンドポイントで現在サポートされている ID 管理の形式はローカル ユーザーだけです", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "severity": "高い", - "text": "既定では、すべてのサブネットで仮想ネットワーク サービス エンドポイントを有効にしないでください。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "SFTP: SFTPアクセスの「ローカルユーザー」の数を制限し、時間の経過とともにアクセスが必要かどうかを監査します。", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "中程度", - "text": "Azure Firewall または NVA の IP アドレスではなく FQDN を使用して Azure PaaS サービスへのエグレス トラフィックをフィルター処理し、データの流出を防ぎます。Private Link を使用している場合は、すべての FQDN をブロックでき、それ以外の場合は必要な PaaS サービスのみを許可できます。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "SFTP: SFTP エンドポイントは、POSIX ライクな ACL をサポートしていません。", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project 
id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ストレージは、CORS (Cross-Origin Resource Sharing)、つまり、異なるドメインの Web アプリが同一生成元ポリシーを緩めることを可能にする HTTP 機能をサポートしています。CORS を有効にする場合は、CorsRules を最小の特権に保ちます。", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "高い", - "text": "Gateway サブネットには、少なくとも /27 プレフィックスを使用します。", + "text": "過度に広範な CORS ポリシーを避ける", "waf": "安全" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project 
id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "保存データは常にサーバー側で暗号化され、さらにクライアント側でも暗号化される場合があります。サーバー側の暗号化は、プラットフォーム マネージド キー (既定) またはカスタマー マネージド キーを使用して行われる場合があります。クライアント側の暗号化は、クライアントが BLOB ごとに暗号化/暗号化解除キーを Azure Storage に提供するか、クライアント側で暗号化を完全に処理することによって行われます。そのため、機密性の保証を Azure Storage にまったく依存しません。", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "高い", - "text": "VirtualNetwork サービス タグを使用して接続を制限する NSG 受信既定の規則に依存しないでください。", + "text": "保存データの暗号化方法を決定します。データのスレッド モデルを理解します。", "waf": "安全" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": 
"https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "中程度", - "text": "NSG を使用して、サブネット間のトラフィックと、プラットフォーム全体の East/West トラフィック (ランディング ゾーン間のトラフィック) を保護します。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "どのプラットフォーム暗号化を使用するか、または使用するかを決定します。", "waf": "安全" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "中程度", - "text": "NSG とアプリケーション セキュリティ グループを使用して、ランディング ゾーン内のトラフィックをマイクロセグメント化し、中央の NVA を使用してトラフィック フローをフィルター処理しないようにします。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "クライアント側の暗号化を使用するかどうかを決定します。", "waf": "安全" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on 
$left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", - "severity": "中程度", - "text": "VNet フロー ログを有効にし、Traffic Analytics にフィードして、内部および外部のトラフィック フローに関する分析情報を取得します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Resource Graph エクスプローラー (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) を利用して、匿名 BLOB アクセスを許可するストレージ アカウントを検索します。", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "高い", + "text": "パブリック BLOB アクセスが必要かどうか、または特定のストレージ アカウントに対して無効にできるかどうかを検討します。", "waf": "安全" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", - "severity": "中程度", - "text": "1000 ルールの制限があるため、NSG ごとに 900 を超える NSG ルールを実装しないでください。", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": 
"4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "高い", + "text": "ビジネスとSLOの要件に基づいて適切な関数ホスティングプランを選択します", "waf": "確実" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", - "severity": "中程度", - "text": "Virtual WAN ルーティング設計の一覧にシナリオが明示的に説明されている場合は、Virtual WAN を使用します。", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "高い", + "text": "リージョンで適用可能な場合は Availability Zones を活用します (従量課金レベルでは使用できません)", + "waf": "確実" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "severity": "中程度", - "text": "Azure リージョンごとに Virtual WAN ハブを使用して、共通のグローバル Azure Virtual WAN を介して Azure リージョン間で複数のランディング ゾーンを接続します。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "パフォーマンス" + 
"text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", + "waf": "確実" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", - "severity": "中程度", - "text": "送信インターネット トラフィックの保護とフィルタリングを行うには、セキュリティで保護されたハブに Azure Firewall をデプロイします。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", + "severity": "高い", + "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", + "waf": "確実" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", + "severity": "高い", + "text": "App Service プランで実行されているすべての関数アプリで \"Always On\" が有効になっていることを確認する", + "waf": "確実" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "severity": "中程度", - "text": "Virtual WAN 
ネットワーク アーキテクチャが、特定されたアーキテクチャ シナリオと一致していることを確認します。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "text": "関数アプリを独自のストレージ アカウントにペアリングします。Function Apps のストレージ アカウントは、緊密に結合されていない限り、再利用しないようにしてください", "waf": "確実" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", "severity": "中程度", - "text": "Azure Monitor Insights for Virtual WAN を使用して、Virtual WAN のエンドツーエンド トポロジ、状態、および主要なメトリックを監視します。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、関数アプリのコードを保護します", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", - "severity": "中程度", - "text": "Virtual WAN のブランチ間トラフィックは、これらのフローを明示的にブロックする必要がない限り、無効にしないでください。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", + "severity": "高い", + "text": 
"Availability Zones (リージョンで適用可能な場合) を活用する (これは自動的に有効になります)", "waf": "確実" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "中程度", - "text": "AS-Path は ExpressRoute や VPN よりも柔軟性が高いため、ハブ ルーティング設定として使用します。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "text": "Microsoft が開始するフェールオーバーに注意してください。これらは、まれに、影響を受けるリージョンから対応する geo ペア リージョンにすべての IoT ハブをフェールオーバーするために Microsoft によって実行されます。", "waf": "確実" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", - "severity": "中程度", - "text": "Virtual WAN でラベルベースの伝達を構成すると、仮想ハブ間の接続が損なわれます。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "severity": "高い", + "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", "waf": "確実" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | 
extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant",
- "guid": "9c75dfef-573c-461c-a698-68598595581a",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
- "service": "VWAN",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
 "severity": "高い",
- "text": "仮想ハブに少なくとも /23 プレフィックスを割り当てて、十分な IP スペースが使用可能であることを確認します。",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "text": "手動フェールオーバーをトリガーする方法を学習します。",
 "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
+ "service": "IoT",
 "severity": "高い",
- "text": "Azure Policy を戦略的に活用し、環境のコントロールを定義し、ポリシー イニシアチブを使用して関連するポリシーをグループ化します。",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "安全"
+ "text": "フェールオーバー後にフェールバックする方法を学習します。",
+ "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | 
where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
+ "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "service": "App Gateway",
 "severity": "中程度",
- "text": "規制とコンプライアンスの要件を Azure Policy 定義と Azure ロールの割り当てにマップします。",
- "training": "https://learn.microsoft.com/training/modules/governance-security/",
+ "text": "Application Gateway v2 SKU を使用していることを確認する",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
+ "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "Load Balancer",
 "severity": "中程度",
- "text": "中間ルート管理グループで Azure Policy 定義を確立して、継承されたスコープで割り当てられるようにします。",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "Azure Load Balancers に Standard SKU を使用していることを確認します",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": "高い",
- "text": "ポリシーの割り当てを適切な最上位レベルで管理し、必要に応じて下位レベルで除外します。",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "arm-service": 
"Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", + "severity": "中程度", + "text": "Load Balancer フロントエンドの IP アドレスがゾーン冗長であることを確認します (ゾーン フロントエンドが必要な場合を除く)。", "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "severity": "低い", - "text": "Azure Policy を使用して、ユーザーがサブスクリプション/管理グループ レベルでプロビジョニングできるサービスを制御します。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", + "severity": "中程度", + "text": "Application Gateways v2 は、IP 
プレフィックスが /24 以上のサブネットにデプロイする必要があります", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "高い", - "text": "可能な場合は組み込みポリシーを使用して、運用オーバーヘッドを最小限に抑えます。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "リバースプロキシの管理全般、特にWAFの管理は、ネットワーキングよりもアプリケーションに近いため、アプリと同じサブスクリプションに属します。Application Gateway と WAF を接続サブスクリプションに一元化することは、1 つのチームによって管理されている場合は問題ない可能性があります。", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "中程度", + "text": "ランディング ゾーン仮想ネットワーク内の受信 HTTP(S) 接続のプロキシに使用される Azure Application Gateway v2 またはパートナー NVA と、それらがセキュリティ保護しているアプリをデプロイします。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "description": "Resource Policy Contributor ロールを特定のスコープに割り当てると、ポリシー管理を関連するチームに委任できます。たとえば、中央のITチームが管理グループレベルのポリシーを監督し、アプリケーションチームがサブスクリプションのポリシーを処理することで、組織の標準に準拠した分散型ガバナンスが可能になります。", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + 
"service": "App Gateway", "severity": "中程度", - "text": "特定のスコープで組み込みのリソース ポリシー共同作成者ロールを割り当てて、アプリケーション レベルのガバナンスを有効にします。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して、DDoS ネットワークまたは IP 保護プランを使用します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", "severity": "中程度", - "text": "ルート管理グループのスコープで行われる Azure Policy の割り当ての数を制限して、継承されたスコープでの除外による管理を回避します。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "安全" + "text": "自動スケールは、最小インスタンス数が 2 になるように構成します。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "確実" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where 
type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", "severity": "中程度", - "text": "データ主権の要件が存在する場合は、それらを適用するために Azure ポリシーをデプロイする必要があります。", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "安全" + "text": "Application Gateway を複数の可用性ゾーンにデプロイする", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "確実" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合は、ソブリン ポリシー ベースラインをデプロイし、正しい管理グループ レベルで割り当てます。", + "text": "Front Door と Application Gateway を使用して HTTP/S アプリを保護する場合は、Front Door で WAF ポリシーを使用します。Application Gateway をロックダウンして、Front Door からのトラフィックのみを受信します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", - "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合は、ソブリン制御の目標をポリシー マッピングに文書化します。", - "waf": "安全" + "ammp": true, + "arm-service": 
"microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", + "severity": "高い", + "text": "Traffic Manager を使用して、HTTP/S 以外のプロトコルにまたがるグローバル アプリを配信します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "確実" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", - "severity": "中程度", - "text": "ソブリン・ランディング・ゾーンについては、「ソブリン・コントロールの目標からポリシー・マッピングまで」の管理プロセスが実施されていることを確認してください。", + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "低い", + "text": "ユーザーが内部アプリケーションへのアクセスのみを必要とする場合、Microsoft Entra ID アプリケーション プロキシは Azure Virtual Desktop (AVD) の代替手段として検討されていますか?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", - "service": "Monitor", + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "severity": "中程度", - "text": "Azure ロールベースのアクセス制御 (Azure 
RBAC)、データ主権要件、またはデータ保持ポリシーで個別のワークスペースが義務付けられている場合を除き、1 つのモニター ログ ワークスペースを使用してプラットフォームを一元的に管理します。", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "オペレーションズ" + "text": "ネットワーク内の着信接続用に開かれるファイアウォール ポートの数を減らすには、Microsoft Entra ID アプリケーション プロキシを使用して、リモート ユーザーに内部アプリケーションへの安全で認証されたアクセスを提供することを検討してください。", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", - "severity": "中程度", - "text": "すべてのリージョンで 1 つの Azure Monitor ログ ワークスペースを使用するか、さまざまな地理的リージョンをカバーする複数のワークスペースを作成するかを決定します。各アプローチには、リージョン間のネットワーク料金の可能性など、長所と短所があります", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", + "severity": "高い", + "text": "Load Balancer のアウトバウンド規則の代わりに Azure NAT Gateway を使用して SNAT のスケーラビリティを向上させる", "waf": "確実" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "ammp": true, + "arm-service": 
"microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", "severity": "高い", - "text": "ログの保持要件が 12 年を超える場合は、ログを Azure Storage にエクスポートします。write-once、read-many ポリシーで不変ストレージを使用して、ユーザーが指定した間隔でデータを消去および変更できないようにします。", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", - "severity": "中程度", - "text": "Azure Policy を使用して、OS レベルの仮想マシン (VM) 構成のずれを監視します。ポリシーを使用して Azure Automanage マシン構成の監査機能を有効にすると、アプリケーション チームのワークロードは、わずかな労力で機能機能をすぐに使用できます。", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", - "service": "VM", - "severity": "中程度", - "text": "Azure Update Manager は、Azure の Windows VM と Linux VM の修正プログラム適用メカニズムとして使用します。", - "training": 
"https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "オペレーションズ" + "text": "Azure Application Gateway WAF ボット保護ルール セットを有効にします。ボット ルールは、良いボットと悪いボットを検出します。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", - "severity": "中程度", - "text": "Azure Arc を使用して、Azure の外部にある Windows および Linux VM の修正プログラム適用メカニズムとして Azure Update Manager を使用します。", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "オペレーションズ" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", + "severity": "高い", + "text": "Azure Application Gateway WAF ポリシーで要求本文の検査機能が有効になっているかどうかを確認します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/networkWatchers", - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", - "severity": "中程度", - "text": "Network Watcher を使用して、トラフィック フローを事前に監視します。", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "オペレーションズ" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", 
+ "service": "App Gateway", + "severity": "高い", + "text": "ワークロードの検出モードで Azure Application Gateway WAF を調整します。誤検出を減らします。", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", - "severity": "中程度", - "text": "Azure Monitor ログを使用して、分析情報とレポートを作成します。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", - "waf": "オペレーションズ" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", + "service": "App Gateway", + "severity": "高い", + "text": "Application Gateway の WAF ポリシーを \"防止\" モードでデプロイします。", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Monitor アラートを使用して、運用アラートを生成します。", - "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", - "waf": "オペレーションズ" + "text": "Azure Application Gateway WAF にレート制限を追加します。レート制限は、クライアントが誤ってまたは意図的に短時間に大量のトラフィックを送信するのをブロックします。", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone 
Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Automation アカウントを使用して変更とインベントリの追跡を使用する場合は、Log Analytics ワークスペースと Automation アカウントをリンクするためにサポートされているリージョンが選択されていることを確認してください。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", - "waf": "オペレーションズ" + "text": "Azure Application Gateway WAF のレート制限には高いしきい値を使用します。レート制限のしきい値を高くすると、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多くのリクエストに対する保護を提供します。", + "waf": "安全" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", "severity": "低い", - "text": "Azure Backup を使用する場合は、既定の設定が GRS であるため、バックアップに正しいバックアップの種類 (GRS、ZRS、LRS) を使用します。", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "確実" + "text": "すべての地理的地域からのトラフィックを想定していない場合は、geo フィルタを使用して、想定外の国からのトラフィックをブロックします。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": 
"https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "severity": "中程度", - "text": "Azure ゲスト ポリシーを使用して、VM 拡張機能を通じてソフトウェア構成を自動的にデプロイし、準拠したベースライン VM 構成を適用します。", + "text": "Azure Application Gateway WAF を使用してトラフィックを geo フィルタリングする場合は、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致できない場合に、正当な要求を誤ってブロックしないようにします。", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "description": "Azure Policy のゲスト構成機能を使用して、マシンの設定 (OS、アプリケーション、環境など) を監査および修復し、リソースが予想される構成と一致していることを確認し、Update Management では VM のパッチ管理を適用できます。", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Policy を使用して VM セキュリティ構成のドリフトを監視します。", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "text": "最新の Azure Application Gateway WAF ルール セット バージョンを使用します。ルールセットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + 
"arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Site Recovery は、Azure から Azure Virtual Machines へのディザスター リカバリー シナリオに使用します。これにより、リージョン間でワークロードをレプリケートできます。", - "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", + "text": "診断設定を追加して、Azure Application Gateway WAF ログを保存します。", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "severity": "中程度", - "text": "Azure ネイティブのバックアップ機能、または Azure と互換性のあるサード パーティのバックアップ ソリューションを使用します。", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "text": "Azure Application Gateway WAF ログを Microsoft Sentinel に送信します。", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", - "severity": "高い", - "text": "診断設定を追加して、Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから WAF 
ログを保存します。ログを定期的に確認して、攻撃や誤検知の検出がないか確認します。", - "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", + "severity": "中程度", + "text": "Azure Application Gateway WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから WAF ログを Microsoft Sentinel に送信します。攻撃を検出し、WAF テレメトリを Azure 環境全体に統合します。", - "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", + "text": "従来のWAF構成のかわりにWAFポリシーを使用します。", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", - "severity": "高い", - "text": "Azure Key Vault を使用して、シークレットと資格情報を格納します。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "arm-service": 
"microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", + "severity": "中程度", + "text": "バックエンドの受信トラフィックをフィルター処理して、Application Gateway サブネット (NSG など) からの接続のみを受け入れるようにします。", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", - "severity": "中程度", - "text": "アプリケーションやリージョンごとに異なる Azure Key Vault を使用して、トランザクションのスケール制限を回避し、シークレットへのアクセスを制限します。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", + "severity": "高い", + "text": "バックエンド サーバーへのトラフィックを暗号化する必要があります。", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中程度", - "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", + "severity": "高い", + "text": "Web アプリケーション ファイアウォールを使用する必要があります。", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中程度", - "text": "最小特権モデルに従って、キー、シークレット、証明書を完全に削除する承認を、特殊なカスタム Microsoft Entra ID ロールに制限します。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "安全" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "severity": "中程度", - "text": "公開認証局を使用して証明書の管理と更新プロセスを自動化し、管理を容易にします。", - "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "text": "HTTP を HTTPS にリダイレクトする", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": 
"913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", "severity": "中程度", - "text": "キーと証明書のローテーションのための自動化されたプロセスを確立します。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "安全" + "text": "ゲートウェイで管理される Cookie を使用して、ユーザーセッションからのトラフィックを同じサーバーに転送して処理する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中程度", - "text": "コンテナーでファイアウォールと仮想ネットワーク サービス エンドポイントまたはプライベート エンドポイントを有効にして、キー コンテナーへのアクセスを制御します。", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", + "severity": "高い", + "text": "計画されたサービス更新中に接続ドレインを有効にして、バックエンド プールの既存のメンバーへの接続が失われないようにします", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", - "severity": "中程度", - "text": "プラットフォーム中央の Azure Monitor Log Analytics ワークスペースを使用して、Key Vault の各インスタンス内のキー、証明書、シークレットの使用状況を監査します。", 
- "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", - "waf": "安全" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": "低い", + "text": "カスタムエラーページを作成して、パーソナライズされたユーザーエクスペリエンスを表示する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", "severity": "中程度", - "text": "Key Vault のインスタンス化と特権アクセスを委任し、Azure Policy を使用して一貫した準拠構成を適用します。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "text": "HTTP 要求と応答ヘッダーを編集して、クライアントとサーバー間のルーティングと情報交換を容易にします", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "severity": "中程度", - "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", 
- "waf": "安全" + "text": "Front Door を構成して、グローバル Web トラフィックのルーティングと最上位のエンドユーザーのパフォーマンス、および迅速なグローバル フェイルオーバーによる信頼性を最適化する", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", "severity": "中程度", - "text": "独自のキーを持ち込む場合、これは考慮されるすべてのサービスでサポートされているとは限りません。不整合が望ましい結果を妨げないように、適切な軽減策を実装します。レイテンシを最小限に抑える適切なリージョンペアとディザスタリカバリリージョンを選択します。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "安全" + "text": "トランスポート層の負荷分散を使用する", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合は、Azure Key Vault マネージド HSM を使用してシークレットと資格情報を格納します。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "text": "1 つのゲートウェイ上の複数の Web アプリケーションのホスト名またはドメイン名に基づいてルーティングを構成する", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": 
"https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "severity": "中程度", - "text": "Microsoft Entra ID レポート機能を使用して、アクセス制御監査レポートを生成します。", - "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "text": "SSL証明書管理を一元化して、バックエンドサーバーファームからの暗号化と復号化のオーバーヘッドを削減します", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", - "severity": "高い", - "text": "すべてのサブスクリプションで Defender Cloud セキュリティ態勢管理を有効にします。", - "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", + "severity": "低い", + "text": "Application Gateway を使用して WebSocket プロトコルと HTTP/2 プロトコルをネイティブにサポートする", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", "severity": "高い", - "text": "すべてのサブスクリプションで、サーバーの Defender Cloud ワークロード保護プランを有効にします。", - "training": 
"https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "text": "ADDS ドメイン コントローラーがネイティブ Azure の ID サブスクリプションにデプロイされていることを確認する", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "高い", - "text": "すべてのサブスクリプションで Azure リソースの Defender Cloud ワークロード保護プランを有効にします。", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", + "severity": "中程度", + "text": "Azure ベースのリソース (Azure VMware Solution を含む) からの認証要求を Azure にローカルに保持するように ADDS サイトとサービスが構成されていることを確認します", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "severity": "高い", - "text": "IaaS サーバーでエンドポイント保護を有効にします。", - "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "text": "vCenterがADDに接続されていることを確認し、「名前付きユーザーアカウント」に基づく認証を有効にします", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", "severity": "中程度", - "text": "Azure Monitor ログと Defender for Cloud を使用して、基本オペレーティング システムの修正プログラムのずれを監視します。", - "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "text": "vCenter から ADDS への接続でセキュア プロトコル (LDAPS) が使用されていることを確認します", "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "severity": "中程度", - "text": "既定のリソース構成を一元化された Azure Monitor Log Analytics ワークスペースに接続します。", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "text": "vCenter IdP の CloudAdmin アカウントは、緊急アカウント(非常用アカウント)としてのみ使用されます", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", - "guid": "a56888b2-7e83-4404-bd31-b886528502d1", - "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", - "service": "Entra", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "severity": "高い", - "text": "相関ログによる一元的な脅威検出 - セキュリティデータを中央の場所に統合して、SIEM(セキュリティ情報およびイベント管理)を介してさまざまなサービス間で関連付けることができます", + "text": "NSX-Manager が外部 ID プロバイダ (LDAPS) と統合されていることを確認します。", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合は、Entra ID テナントで透明度ログを有効にします。", + "text": "VMware vSphere 内で使用するために RBAC モデルが作成されているか", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "severity": "中程度", - "text": "Sovereign Landing Zone の場合は、Entra ID テナントでカスタマー ロックボックスを有効にします。", + "text": "RBAC アクセス許可は、特定のユーザーではなく、ADDS グループに付与する必要があります", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", "severity": "高い", - "text": "ストレージ アカウントへの安全な転送を有効にします。", - "training": 
"https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "text": "Azure の Azure VMware Solution リソースに対する RBAC アクセス許可は、限られた所有者のセットのみに \"ロックダウン\" されます", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", "severity": "高い", - "text": "ストレージ アカウントのコンテナーの論理的な削除を有効にして、削除されたコンテナーとその内容を回復します。", + "text": "すべてのカスタム ロールのスコープが CloudAdmin で許可された承認で設定されていることを確認する", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "severity": "高い", - "text": "Key Vault シークレットを使用して、資格情報 (仮想マシン、ユーザー パスワード)、証明書、キーなどの機密情報のハードコーディングを回避します。", - "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", - "waf": "オペレーションズ" + "text": "お客様のユース ケースに適した Azure VMware Solution 接続モデルが選択されているか", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - 
"service": "App Services", - "severity": "低い", - "text": "ベスト プラクティスについては、「ベースラインの高可用性ゾーン冗長 Web アプリケーション アーキテクチャ」を参照してください", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + "severity": "高い", + "text": "オンプレミスから Azure への ExpressRoute または VPN 接続が \"接続モニター\" を使用して監視されていることを確認する", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "severity": "中程度", - "text": "Premium レベルと Standard レベルを使用します。これらの層では、ステージング スロットと自動バックアップがサポートされています。", - "waf": "確実" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", - "severity": "高い", - "text": "リージョンで適用可能な場合は Availability Zones を活用します (Premium v2 または v3 レベルが必要)", - "waf": "確実" + "text": "Azure VMware Solution バックエンドの ExpressRoute 接続を監視するために、Azure ネイティブ リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "severity": "中程度", - "text": "ヘルスチェックの実装", - "waf": 
"確実" + "text": "エンド 2 エンドの接続を監視するために、オンプレミス リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "severity": "高い", - "text": "「Azure App Service のバックアップと復元のベスト プラクティス」を参照してください", - "waf": "確実" + "text": "ルート サーバーを使用する場合は、ルート サーバーから ExR ゲートウェイ、オンプレミスに伝達されるルートが 1000 を超えないようにします (ARS 制限)。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", "severity": "高い", - "text": "Azure App Service の信頼性に関するベスト プラクティスを実装する", - "waf": "確実" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "低い", - "text": "災害時に App Service アプリを別のリージョンに移動する方法を理解する", - "waf": "確実" + "text": "Azure Portal で Azure VMware Solution リソースを管理するロールに対して Privileged Identity Management が実装されていますか (永続的なアクセス許可は許可されません)", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "severity": "高い", - "text": "Azure App Service の信頼性サポートについて理解する", - "waf": "確実" + "text": "Privileged Identity Management 監査レポートは、Azure VMware Solution PIM ロールに対して実装する必要がある", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "severity": "中程度", - "text": "App Service プランで実行されている Function Apps に対して \"Always On\" が有効になっていることを確認する", - "waf": "確実" + "text": "Privileged Identity Management を使用している場合は、Azure VMware Solution のホストの自動置換通知用の有効な SMTP レコードを使用して、有効な Entra ID が有効なアカウントが作成されていることを確認します。(常任許可が必要)", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", - "severity": "中程度", - "text": "正常性チェックを使用した App Service インスタンスの監視", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", + "severity": "高い", + "text": "CloudAdmin アカウントの使用を緊急アクセスのみに制限する", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": 
"https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "severity": "中程度", - "text": "Application Insights の可用性テストを使用して Web アプリまたは Web サイトの可用性と応答性を監視する", - "waf": "確実" + "text": "vCenter Server でカスタム RBAC ロールを作成して、vCenter 内に最小特権モデルを実装します", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", - "severity": "低い", - "text": "Application Insights Standard テストを使用して、Web アプリまたは Web サイトの可用性と応答性を監視する", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", + "severity": "中程度", + "text": "cloudadmin (vCenter) と admin (NSX) の資格情報を定期的にローテーションするように定義されたプロセスです。", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Key Vault を使用して、アプリケーションに必要なシークレットを格納します。 Key Vault は、シークレットを格納するための安全で監査された環境を提供し、Key Vault SDK または App Service Key Vault リファレンスを通じて App Service と適切に統合されています。", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "severity": "高い", - "text": "Key Vault を使用してシークレットを格納する", + "text": "一元化された ID プロバイダーを使用して、Azure VMware Solution で実行されているワークロード (VM) に使用する", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App 
Service Review", - "description": "マネージド ID を使用して、Key Vault SDK または App Service Key Vault 参照を使用して Key Vault に接続します。", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "高い", - "text": "マネージド ID を使用して Key Vault に接続する", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", + "severity": "中程度", + "text": "East-West トラフィック フィルタリングは NSX-T 内に実装されていますか", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service TLS 証明書を Key Vault に格納します。", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", "severity": "高い", - "text": "Key Vault を使用して TLS 証明書を格納します。", + "text": "Azure VMware Solution 上のワークロードは、インターネットに直接公開されません。トラフィックは、Azure Application Gateway、Azure Firewall、またはサード パーティのソリューションによってフィルター処理され、検査されます", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "機密情報を処理するシステムは分離する必要があります。 そのためには、個別の App Service プランまたは App Service Environment を使用し、異なるサブスクリプションまたは管理グループの使用を検討してください。", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", - "severity": "中程度", - "text": "機密情報を処理するシステムを分離する", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", + "severity": "高い", + "text": "監査とログ記録は、Azure VMware 
Solution および Azure VMware Solution ベースのワークロードへの受信インターネット要求に対して実装されます", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service のローカル ディスクは暗号化されていないため、機密データを格納しないでください。 (例: D:\\\\Local and %TMP%)。", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "severity": "中程度", - "text": "機密データをローカルディスクに保存しない", + "text": "セッション監視は、疑わしい/悪意のあるアクティビティを特定するために、Azure VMware Solution または Azure VMware Solution ベースのワークロードからの送信インターネット接続に実装されます", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "認証された Web アプリケーションの場合は、Azure AD や Azure AD B2C などの確立された ID プロバイダーを使用します。 選択したアプリケーション フレームワークを利用して、このプロバイダーと統合するか、App Service の認証/承認機能を使用します。", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", "severity": "中程度", - "text": "認証に確立された ID プロバイダーを使用する", + "text": "Azure の ExR/VPN Gateway サブネットで DDoS Standard 保護が有効になっているか", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "適切に管理され、セキュリティで保護された DevOps デプロイ パイプラインなど、制御された信頼できる環境から App Service にコードをデプロイします。これにより、バージョン管理されておらず、悪意のあるホストからデプロイされることが確認されていないコードが回避されます。", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", - "severity": "高い", - "text": 
"信頼できる環境からのデプロイ", - "waf": "安全" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "FTP/FTPS と WebDeploy/SCM の両方の基本認証を無効にします。 これにより、これらのサービスへのアクセスが無効になり、デプロイに Azure AD で保護されたエンドポイントの使用が強制されます。 SCM サイトは、Azure AD 資格情報を使用して開くこともできます。", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", - "severity": "高い", - "text": "基本認証の無効化", - "waf": "安全" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "可能な場合は、マネージド ID を使用して Azure AD のセキュリティで保護されたリソースに接続します。 これが不可能な場合は、Key Vault にシークレットを格納し、代わりにマネージド ID を使用して Key Vault に接続します。", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "severity": "高い", - "text": "マネージド ID を使用してリソースに接続する", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", + "severity": "中程度", + "text": "専用の特権アクセス ワークステーション (PAW) を使用して、Azure VMware Solution、vCenter、NSX Manager、HCX Manager を管理する", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Container Registry に格納されているイメージを使用する場合は、マネージド ID を使用してこれらをプルします。", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", - "severity": "高い", - "text": "マネージド ID を使用してコンテナーをプルするPull containers using a Managed Identity", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + 
"service": "AVS", + "severity": "中程度", + "text": "Azure VMware Solution で実行されているワークロードに対して Advanced Threat Detection (Microsoft Defender for Cloud 別名 ASC) を有効にする", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service の診断設定を構成することで、ログ記録と監視の中央の宛先として、すべてのテレメトリを Log Analytics に送信できます。これにより、HTTP ログ、アプリケーション ログ、プラットフォーム ログなどの App Service のランタイム アクティビティを監視できます。", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", "severity": "中程度", - "text": "App Service ランタイム ログを Log Analytics に送信する", + "text": "Azure ARC for Servers を使用して、Azure ネイティブ テクノロジを使用して Azure VMware Solution で実行されているワークロードを適切に管理します (Azure ARC for Azure VMware Solution はまだ利用できません)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "ログ記録と監視の中央の宛先としてアクティビティ ログを Log Analytics に送信するための診断設定を設定します。これにより、App Service リソース自体のコントロール プレーンのアクティビティを監視できます。", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", - "severity": "中程度", - "text": "App Service アクティビティ ログを Log Analytics に送信する", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "severity": "低い", + "text": "Azure VMware Solution 上のワークロードで、実行時に十分なデータ暗号化 (ゲスト内ディスク暗号化や SQL TDE など) が使用されるようにします。(保存時の vSAN 暗号化がデフォルトです)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "リージョンの VNet 統合、ネットワーク セキュリティ グループ、および UDR の組み合わせを使用して、送信ネットワーク アクセスを制御します。 
トラフィックは、Azure Firewall などの NVA にルーティングする必要があります。 ファイアウォールのログを必ず監視してください。", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", - "severity": "中程度", - "text": "送信ネットワーク アクセスを制御する必要がある", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "低い", + "text": "ゲスト内暗号化を使用する場合は、可能な場合は Azure Key Vault に暗号化キーを格納します", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "VNet 統合を使用し、VNet NAT ゲートウェイまたは Azure Firewall などの NVA を使用することで、安定した送信 IP を提供できます。 これにより、受信側は必要に応じて IP に基づいて許可リストに登録できます。 多くの場合、Azure サービスへの通信では、IP アドレスに依存する必要はなく、代わりにサービス エンドポイントなどのメカニズムを使用する必要があります。 (また、受信側でプライベート エンドポイントを使用すると、SNAT の発生が回避され、安定した送信 IP 範囲が提供されます)。", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "低い", - "text": "インターネットアドレスへの送信通信のIPを安定させる", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", + "severity": "中程度", + "text": "Azure VMware Solution で実行されているワークロードには、拡張セキュリティ更新プログラムのサポートの使用を検討してください (Azure VMware Solution は ESU の対象です)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service のアクセス制限、サービス エンドポイント、またはプライベート エンドポイントの組み合わせを使用して、受信ネットワーク アクセスを制御します。Web アプリ自体と SCM サイトに対して異なるアクセス制限を要求し、構成できます。", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution 
Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "severity": "高い", - "text": "受信ネットワーク アクセスを制御する必要がある", - "waf": "安全" + "text": "適切な vSAN データ冗長化方式(RAID 仕様)が使用されていることを確認します。", + "waf": "確実" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Application Gateway や Azure Front Door などの Web アプリケーション ファイアウォールを使用して、悪意のある受信トラフィックから保護します。 WAFのログを必ず監視してください。", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "severity": "高い", - "text": "App Service の前で WAF を使用するUse a WAF in Front of App Service", - "waf": "安全" + "text": "許容障害ポリシーが vSAN ストレージのニーズを満たすために設定されていることを確認します", + "waf": "確実" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "WAFのみへのアクセスをロックダウンすることで、WAFをバイパスできないようにします。 アクセス制限、サービス・エンドポイントおよびプライベート・エンドポイントを組み合わせて使用します。", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", "severity": "高い", - "text": "WAFをバイパスすることは避けてください", - "waf": "安全" + "text": "十分なクォータを要求し、拡張とディザスタリカバリの要件を考慮していることを確認します", + "waf": "確実" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service の構成で最小 TLS ポリシーを 1.2 に設定します。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": 
"c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "中程度", - "text": "最小 TLS ポリシーを 1.2 に設定します。", - "waf": "安全" + "text": "ESXiへのアクセス制限を理解し、サードパーティのソリューションに影響を与える可能性のあるアクセス制限があることを確認してください。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "HTTPS のみを使用するように App Service を構成します。 これにより、App Service は HTTP から HTTPS にリダイレクトされます。 HTTP Strict Transport Security (HSTS) をコード内または WAF から使用して、サイトに HTTPS を使用してのみアクセスする必要があることをブラウザーに通知することを強く検討してください。", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "severity": "高い", - "text": "HTTPS のみを使用", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", + "severity": "中程度", + "text": "ESXi ホストの密度と効率に関するポリシーがあることを確認し、新しいノードを要求するためのリード タイムを念頭に置いてください", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "CORS 構成では、すべての配信元がサービスにアクセスできるため、ワイルドカードを使用しないでください (これにより、CORS の目的が損なわれます)。具体的には、サービスにアクセスできると予想される配信元のみを許可します。", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", - "severity": "高い", - "text": "ワイルドカードは CORS に使用しないでください", - "waf": "安全" + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", + "severity": "中程度", + "text": "Azure VMware Solution の適切なコスト管理プロセスが整っていることを確認する - Azure Cost Management を使用できます", + "waf": "費用" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "リモート デバッグは、サービスに追加のポートが開き、攻撃対象領域が増加するため、運用環境でオンにしないでください。このサービスは、48 時間後に自動的にリモート デバッグをオフにすることに注意してください。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "severity": "高い", - "text": "リモートデバッグをオフにする", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", + "severity": "低い", + "text": "Azure VMware Solution を使用するためのコストを最適化するために Azure 予約インスタンスが使用されているか", + "waf": "費用" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Defender for App Service を有効にします。 これは(他の脅威の中でも)既知の悪意のあるIPアドレスへの通信を検出します。 操作の一環として、Defender for App Service からの推奨事項を確認します。", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "severity": "中程度", - "text": "Defender for Cloud を有効にする - Defender for App Service", + "text": "他の Azure Native Services を使用する場合は、Azure Private-Link の使用を検討してください", "waf": "安全" }, { - "arm-service": 
"microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure は、ネットワーク上で DDoS Basic 保護を提供しており、通常のトラフィック パターンを学習し、異常な動作を検出できるインテリジェントな DDoS Standard 機能によって改善できます。DDoS Standard は仮想ネットワークに適用されるため、Application Gateway や NVA など、アプリの前にあるネットワーク リソース用に構成する必要があります。", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", + "severity": "高い", + "text": "必要なすべてのリソースが同じ Azure 可用性ゾーン内に存在することを確認する", + "waf": "パフォーマンス" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "severity": "中程度", - "text": "WAF VNet で DDoS Protection Standard を有効にするEnable DDOS Protection Standard on the WAF VNet", + "text": "Azure VMware Solution ゲスト VM ワークロードに対して Microsoft Defender for Cloud を有効にする", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Container Registry に格納されているイメージを使用する場合は、プライベート エンドポイントとアプリ設定 \"WEBSITE_PULL_IMAGE_OVER_VNET\" を使用して、Azure Container Registry から仮想ネットワーク経由でイメージをプルします。", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", "severity": "中程度", - "text": "Virtual Network 経由でコンテナーをプルする", + "text": "Azure Arc 対応サーバーを使用して Azure VMware Solution ゲスト VM のワークロードを管理する", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service 
Review", - "description": "ペネトレーションテストのルールに従って、Webアプリケーションでペネトレーションテストを実施します。", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "severity": "中程度", - "text": "ペネトレーションテストの実施", - "waf": "安全" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "DevSecOps プラクティスに従って脆弱性が検証およびスキャンされた信頼できるコードをデプロイします。", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", - "severity": "中程度", - "text": "検証済みコードのデプロイ", - "waf": "安全" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "サポートされているプラットフォーム、プログラミング言語、プロトコル、およびフレームワークの最新バージョンを使用します。", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", "severity": "高い", - "text": "最新のプラットフォーム、言語、プロトコル、フレームワークを使用", - "waf": "安全" + "text": "Azure VMware Solution での診断ログとメトリック ログを有効にするEnable Diagnostic and metric logging on Azure VMware Solution", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ストレージに関連する Microsoft クラウド セキュリティ ベンチマークのガイダンスを適用する", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", "severity": "中程度", - "text": 
"\"ストレージの Azure セキュリティ ベースライン\" を検討する", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "既定では、Azure Storage にはパブリック IP アドレスがあり、インターネットにアクセス可能です。プライベート エンドポイントを使用すると、アクセスが必要な Azure コンピューティング リソースにのみ Azure Storage を安全に公開できるため、パブリック インターネットへの露出を排除できます", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "高い", - "text": "Azure Storage にプライベート エンドポイントを使用することを検討する", - "waf": "安全" + "text": "Log Analytics エージェントを Azure VMware Solution ゲスト VM ワークロードにデプロイする", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "新しく作成されたストレージ アカウントは、RBAC や監査などがすべて有効になるように、ARM デプロイ モデルを使用して作成されます。サブスクリプションにクラシック デプロイ モデルの古いストレージ アカウントがないことを確認する", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", "severity": "中程度", - "text": "古いストレージ アカウントで \"クラシック デプロイ モデル\" が使用されていないことを確認する", - "waf": "安全" + "text": "Azure VMware Solution VM ワークロードのバックアップ ポリシーとソリューションが文書化され、実装されていることを確認します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Microsoft Defender を活用して、不審なアクティビティや構成ミスについて学習します。", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "高い", - "text": "すべてのストレージ アカウントに対して Microsoft Defender を有効にする", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", + "severity": "中程度", + "text": "Microsoft Defender for Cloud を使用して、Azure VMware Solution で実行されているワークロードのコンプライアンス監視を行う", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "論理的な削除メカニズムを使用すると、誤って削除された BLOB を回復できます。", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "severity": "中程度", - "text": "BLOB の \"論理的な削除\" を有効にする", + "text": "適用可能なコンプライアンス ベースラインは Microsoft Defender for Cloud に追加されていますか", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "中程度", - "text": "BLOB の '論理的な削除' を無効にする", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", + "severity": "高い", + "text": "Azure VMware Solution のデプロイに使用する Azure リージョンを選択するときにデータ所在地が評価されましたか", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "コンテナーの論理的な削除を使用すると、コンテナーが削除された後に回復できます (たとえば、偶発的な削除操作から回復します)。", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": 
"https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", "severity": "高い", - "text": "コンテナーの \"論理的な削除\" を有効にする", + "text": "データ処理への影響 (サービス プロバイダー/サービス コンシューマー モデル) が明確で文書化されているか", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "severity": "中程度", - "text": "コンテナーの \"論理的な削除\" を無効にする", + "text": "コンプライアンス上の理由で必要な場合にのみ、vSAN に CMK (カスタマー マネージド キー) を使用することを検討してください。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "削除前に削除ロックを最初に解除するようにユーザーに強制することで、ストレージ アカウントが誤って削除されないようにします", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "severity": "高い", - "text": "ストレージ アカウントでのリソース ロックの有効化", - "waf": "安全" + "text": "Azure VMware Solution のコア監視分析情報を有効にするダッシュボードを作成するCreate dashboards to enable a core Azure VMware Solution monitoring insights", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob 
Storage Review", - "description": "BLOB の \"訴訟ホールド\" または \"時間ベースの保持\" ポリシーを検討して、BLOB、コンテナー、またはストレージ アカウントを削除できないようにします。「不可能」は実際には「不可能」を意味することに注意してください。ストレージ アカウントに不変の BLOB が含まれる場合、そのストレージ アカウントを \"取り除く\" 唯一の方法は、Azure サブスクリプションを取り消すことです。", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", "severity": "高い", - "text": "不変の BLOB を検討する", - "waf": "安全" + "text": "Azure VMware Solution のパフォーマンス (CPU >80%、平均メモリ >80%、vSAN >70%) に関する自動アラートの重大しきい値の警告アラートを作成する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ストレージ アカウントへの保護されていない HTTP/80 アクセスを無効にして、すべてのデータ転送が暗号化され、整合性が保護され、サーバーが認証されるようにすることを検討してください。", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", "severity": "高い", - "text": "HTTPS を要求する (つまり、ストレージ アカウントのポート 80 を無効にする)", - "waf": "安全" + "text": "vSAN の消費量が 75% を下回っているかどうかを監視するための重要なアラートが作成されていることを確認します (これは VMware からのサポートしきい値です)。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ストレージ アカウントでカスタム ドメイン (ホスト名) を構成する場合は、TLS/HTTPS が必要かどうかを確認します。その場合は、ストレージ アカウントの前に Azure CDN を配置する必要があります。", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": 
"Azure VMware Solution Design Review", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "severity": "高い", - "text": "HTTPS を適用する (HTTP を無効にする) 場合は、ストレージ アカウントにカスタム ドメイン (CNAME) を使用していないことを確認します。", - "waf": "安全" + "text": "Azure Service Health のアラートと通知に対してアラートが構成されていることを確認する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "クライアントが SAS トークンを使用して BLOB データにアクセスするときに HTTPS を要求すると、資格情報が失われるリスクを最小限に抑えることができます。", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "severity": "中程度", - "text": "Shared Access Signature (SAS) トークンを HTTPS 接続のみに制限する", - "waf": "安全" + "text": "処理のために Azure Storage アカウントまたは Azure EventHub に送信するように Azure VMware Solution ログを構成する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "AAD トークンは、可能な限り、共有アクセス署名よりも優先する必要があります", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", - "severity": "高い", - "text": "BLOB アクセスに Azure Active Directory (Azure AD) トークンを使用する", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", + "severity": "低い", + "text": "VMware vSphere での詳細な分析情報が必要な場合:vRealize Operations や vRealize Network Insights がソリューションで使用されていますか?", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": 
"ユーザー、グループ、またはアプリケーションにロールを割り当てる場合は、タスクの実行に必要なアクセス許可のみをセキュリティ プリンシパルに付与します。リソースへのアクセスを制限することで、意図しないデータの誤用と悪意のあるデータの誤用の両方を防ぐことができます。", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", - "severity": "中程度", - "text": "IaM アクセス許可の最小特権", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", + "severity": "高い", + "text": "仮想マシンの vSAN ストレージ ポリシーはシック プロビジョニングを適用するため、このポリシーがデフォルトのストレージ ポリシーではないことを確認します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ユーザー委任 SAS は、Azure Active Directory (Azure AD) 資格情報と、SAS に指定されたアクセス許可によってセキュリティで保護されます。ユーザー委任 SAS は、そのスコープと機能の点でサービス SAS に似ていますが、サービス SAS よりもセキュリティ上の利点があります。", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "高い", - "text": "SAS を使用する場合は、ストレージ アカウント キー ベースの SAS よりも \"ユーザー委任 SAS\" を優先します。", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", + "severity": "中程度", + "text": "vSAN は有限のリソースであるため、vSphere コンテンツ ライブラリが vSAN に配置されていないことを確認する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ストレージ アカウント キー (\"共有キー\") には、監査機能がほとんどありません。誰がいつキーのコピーを取得したかを監視できますが、キーが複数の人の手に渡ると、使用状況を特定のユーザーに帰属させることは不可能です。AAD 認証のみに依存することで、ストレージへのアクセスをユーザーに結び付けやすくなります。", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", - "severity": "高い", - "text": "ストレージ アカウント 
キーを無効にして、AAD アクセス (およびユーザー委任 SAS) のみがサポートされるようにすることを検討してください。", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "アクティビティ ログ データを使用して、ストレージ アカウントのセキュリティ (ストレージ アカウント キー、アクセス ポリシーなど) が \"いつ、誰が、何を、\"どのように\" 表示または変更されているかを特定します。", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", - "severity": "高い", - "text": "Azure Monitor を使用して、ストレージ アカウントに対するコントロール プレーン操作を監査することを検討してください", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "キーの有効期限ポリシーを使用すると、アカウントアクセスキーのローテーションのリマインダーを設定できます。リマインダーは、指定した間隔が経過し、キーがまだローテーションされていない場合に表示されます。", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", "severity": "中程度", - "text": "ストレージ アカウント キーを使用する場合は、\"キーの有効期限ポリシー\" を有効にすることを検討してください", - "waf": "安全" + "text": "バックアップ ソリューションのデータ リポジトリが vSAN ストレージの外部に保存されていることを確認します。Azure ネイティブまたはディスク プールでバックアップされるデータストア上", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS 有効期限ポリシーでは、SAS が有効である推奨間隔を指定します。SAS 有効期限ポリシーは、サービス SAS またはアカウント SAS に適用されます。ユーザーがサービス SAS またはアカウント SAS を、推奨間隔よりも長い有効期間で生成すると、警告が表示されます。", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design 
Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", "severity": "中程度", - "text": "SAS 有効期限ポリシーの構成を検討する", - "waf": "安全" + "text": "Azure Arc for Servers を使用して Azure VMware Solution で実行されているワークロードがハイブリッド管理されていることを確認する (Arc for Azure VMware Solution はプレビュー段階です)", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "保存されているアクセス ポリシーを使用すると、ストレージ アカウント キーを再生成することなく、サービス SAS のアクセス許可を取り消すことができます。", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "severity": "中程度", - "text": "保存されているアクセス ポリシーに SAS をリンクすることを検討する", - "waf": "安全" + "text": "Azure VMware Solution で実行されているワークロードが Azure Log Analytics と Azure Monitor を使用して監視されていることを確認する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "severity": "中程度", - "text": "チェックインされた接続文字列とストレージ アカウント キーを検出するようにアプリケーションのソース コード リポジトリを構成することを検討してください。", - "waf": "安全" + "text": "Azure VMware Solution で実行されているワークロードを、既存の更新プログラム管理ツールまたは Azure Update Management に含める", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "理想的には、アプリケーションでマネージド ID を使用して Azure Storage 
に対する認証を行う必要があります。それが不可能な場合は、ストレージ資格情報 (接続文字列、ストレージ アカウント キー、SAS、サービス プリンシパル資格情報) を Azure KeyVault または同等のサービスに用意することを検討してください。", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "高い", - "text": "接続文字列を Azure KeyVault に格納することを検討する (マネージド ID が不可能なシナリオの場合)", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", + "severity": "中程度", + "text": "Azure Policy を使用して、Azure の管理、監視、セキュリティ ソリューションに Azure VMware Solution ワークロードをオンボードする", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "アドホック SAS サービス SAS またはアカウント SAS で、有効期限が近づいています。このように、SAS が侵害された場合でも、有効期間は短時間です。この方法は、保存されているアクセス ポリシーを参照できない場合に特に重要です。また、有効期限が近いと、BLOB にアップロードできる時間が制限されるため、BLOB に書き込めるデータの量も制限されます。", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "高い", - "text": "アドホックSASの有効期間を短くする", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "severity": "中程度", + "text": "Azure VMware Solution で実行されているワークロードが Microsoft Defender for Cloud にオンボードされていることを確認する", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS を作成するときは、できるだけ具体的かつ制限的にしてください。1 つのリソースと操作には、より広範なアクセスを提供する SAS よりも SAS を優先します。", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "severity": "中程度", - "text": "SAS に狭いスコープを適用する", - "waf": "安全" + "text": "vSAN は有限のリソースであるため、バックアップが vSAN に保存されないようにする", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS には、SAS を使用してリソースを要求する権限をクライアント IP アドレスまたはアドレス範囲に与えるパラメーターを含めることができます。", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", "severity": "中程度", - "text": "可能な限り、SAS のスコープを特定のクライアント IP アドレスに設定することを検討してください", - "waf": "安全" + "text": "すべてのDRソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[SRM/JetStream/Zerto/Veeam/...]", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS は、クライアントがアップロードするデータの量を制限できません。時間の経過に伴うストレージ容量の価格モデルを考えると、クライアントが悪意を持って大きなコンテンツをアップロードしたかどうかを検証することは理にかなっているかもしれません。", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "低い", - "text": "クライアントが SAS を使用してファイルをアップロードした後、アップロードされたデータを確認することを検討してください。", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", + "severity": "中程度", + "text": "ディザスター リカバリー テクノロジがネイティブの Azure IaaS の場合は、Azure Site Recovery を使用します", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "\"ローカル ユーザー アカウント\" を使用して SFTP 経由で BLOB ストレージにアクセスする場合、\"通常の\" RBAC 制御は適用されません。NFS または REST 経由の BLOB アクセスは、SFTP 
アクセスよりも制限が厳しい場合があります。残念ながら、2023 年初頭の時点で、SFTP エンドポイントで現在サポートされている ID 管理の形式はローカル ユーザーだけです", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "severity": "高い", - "text": "SFTP: SFTPアクセスの「ローカルユーザー」の数を制限し、時間の経過とともにアクセスが必要かどうかを監査します。", - "waf": "安全" + "text": "いずれかの災害ソリューションで自動復旧計画を使用し、手動タスクを可能な限り回避します", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "severity": "中程度", - "text": "SFTP: SFTP エンドポイントは、POSIX ライクな ACL をサポートしていません。", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ストレージは、CORS (Cross-Origin Resource Sharing)、つまり、異なるドメインの Web アプリが同一生成元ポリシーを緩めることを可能にする HTTP 機能をサポートしています。CORS を有効にする場合は、CorsRules を最小の特権に保ちます。", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "高い", - "text": "過度に広範な CORS ポリシーを避ける", - "waf": "安全" + "text": "地政学的リージョンのペアをセカンダリディザスタリカバリ環境として使用する", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": 
"保存データは常にサーバー側で暗号化され、さらにクライアント側でも暗号化される場合があります。サーバー側の暗号化は、プラットフォーム マネージド キー (既定) またはカスタマー マネージド キーを使用して行われる場合があります。クライアント側の暗号化は、クライアントが BLOB ごとに暗号化/暗号化解除キーを Azure Storage に提供するか、クライアント側で暗号化を完全に処理することによって行われます。そのため、機密性の保証を Azure Storage にまったく依存しません。", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", "severity": "高い", - "text": "保存データの暗号化方法を決定します。データのスレッド モデルを理解します。", - "waf": "安全" + "text": "リージョン間で 2 つの異なるアドレス空間を使用します (例: 10.0.0.0/16 と 192.168.0.0/16)。", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "severity": "中程度", - "text": "どのプラットフォーム暗号化を使用するか、または使用するかを決定します。", - "waf": "安全" + "text": "ExpressRoute Global Reach は、プライマリとセカンダリの Azure VMware Solution プライベート クラウド間の接続に使用されますか、それともネットワーク仮想アプライアンスを介してルーティングされますか?", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", 
"severity": "中程度", - "text": "クライアント側の暗号化を使用するかどうかを決定します。", - "waf": "安全" + "text": "すべてのバックアップソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[ MABS/CommVault/Metallic.io/Veeam/ . ]", + "waf": "確実" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Resource Graph エクスプローラー (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) を利用して、匿名 BLOB アクセスを許可するストレージ アカウントを検索します。", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "高い", - "text": "パブリック BLOB アクセスが必要かどうか、または特定のストレージ アカウントに対して無効にできるかどうかを検討します。", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", + "severity": "中程度", + "text": "バックアップ ソリューションを Azure VMware Solution プライベート クラウドと同じリージョンにデプロイする", + "waf": "確実" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "severity": "中程度", - "text": "Azure Spring Apps では、アプリごとに 2 つのデプロイが許可され、そのうちの 1 つだけが運用トラフィックを受信します。ブルーグリーンデプロイ戦略により、ダウンタイムをゼロにすることができます。ブルー グリーン デプロイは、Standard レベルと Enterprise レベルでのみ使用できます。CI/CD と ADO/GitHub Actions を使用してデプロイを自動化できます", + "text": "バックアップ ソリューションを vSan の外部の Azure ネイティブ コンポーネントにデプロイする", "waf": "確実" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - 
"guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", - "severity": "中程度", - "text": "Azure Spring Apps インスタンスは、アプリケーション用に複数のリージョンに作成でき、トラフィックは Traffic Manager/Front Door によってルーティングできます。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "低い", + "text": "Azure プラットフォームによって管理されている VMware コンポーネントの復元を要求するプロセスは用意されていますか?", "waf": "確実" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", - "severity": "中程度", - "text": "サポートされているリージョンでは、Azure Spring Apps をゾーン冗長としてデプロイできるため、インスタンスは可用性ゾーン間で自動的に分散されます。この機能は、Standard レベルと Enterprise レベルでのみ使用できます。", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", + "severity": "低い", + "text": "手動デプロイの場合、すべての構成とデプロイを文書化する必要があります", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", - "severity": "中程度", - "text": "アプリに複数のアプリ インスタンスを使用する", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "低い", + "text": "手動デプロイの場合は、Azure VMware Solution プライベート クラウドでの偶発的なアクションを防ぐために、リソース ロックの実装を検討してください", + "waf": "オペレーションズ" }, { - "arm-service": 
"Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "中程度", - "text": "Azure Spring Apps をログ、メトリック、トレースで監視します。ASA を Application Insights と統合し、障害を追跡し、ブックを作成します。", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "低い", + "text": "自動デプロイの場合は、最小限のプライベート クラウドをデプロイし、必要に応じてスケーリングします", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "severity": "中程度", - "text": "Spring Cloud Gateway で自動スケーリングを設定する", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "低い", + "text": "自動デプロイの場合は、デプロイを開始する前にクォータを要求または予約します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", "severity": "低い", - "text": "Standard 従量課金プランと専用プランのアプリの自動スケーリングを有効にします。", - "waf": "確実" + "text": "自動デプロイの場合は、適切なガバナンスのために、自動化または Azure Policy を使用して関連するリソース ロックが作成されていることを確認します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", 
- "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "severity": "中程度", - "text": "ミッション クリティカルなアプリの Spring Boot の商用サポートには、Enterprise プランを使用します。他のレベルでは、OSS のサポートを受けることができます。", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "低い", + "text": "ExR 認証キーに人間が理解できる名前を実装して、キーの目的/用途を簡単に識別できるようにします", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "高い", - "text": "Key Vault のベスト プラクティス (分離の推奨事項、アクセス制御、データ保護、バックアップ、ログ記録など) について理解しておいてください。", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "severity": "低い", + "text": "Azure VMware Solution と ExpressRoute のデプロイに個別のサービス プリンシパルを使用する場合は、キー コンテナーを使用してシークレットと承認キーを格納します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "低い", + "text": "Azure VMware Solution では限られた数の並列操作しかサポートされないため、Azure VMware Solution に多くのリソースをデプロイする必要がある場合に、IaC でアクションをシリアル化するためのリソースの依存関係を定義します。", + "waf": "オペレーションズ" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "低い", + "text": "単一の Tier-1 ゲートウェイで NSX-T セグメントの自動構成を実行する場合は、NSX-Manager API ではなく Azure Portal API を使用します", + "waf": "オペレーションズ" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "severity": "中程度", - "text": "Key Vault はマネージド サービスであり、Microsoft はリージョン内およびリージョン間のフェールオーバーを処理します。Key Vault の可用性と冗長性について理解しておいてください。", - "waf": "確実" + "text": "自動スケールアウトを使用する場合は、Azure VMware Solution を実行しているサブスクリプションに対して十分な Azure VMware Solution クォータを申請してください", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "中程度", - "text": "キー コンテナーの内容は、リージョン内と少なくとも 150 マイル離れたセカンダリ リージョンにレプリケートされますが、キーとシークレットの高い持続性を維持するために、同じ地域内でレプリケートされます。Key Vault のデータ レプリケーションについて理解しておいてください。", - "waf": "確実" + "text": "自動スケールインを使用する場合は、そのようなアクションを実行する前に、ストレージ ポリシーの要件を必ず考慮してください", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "中程度", - "text": "フェールオーバー中は、アクセス ポリシーまたはファイアウォールの構成と設定を変更することはできません。キー コンテナーは、フェールオーバー中は読み取り専用モードになります。Key Vault のフェールオーバー ガイダンスについて理解しておいてください。", - 
"waf": "確実" + "text": "スケーリング操作は、一度に 1 つのスケール操作しか実行できないため、常に 1 つの SDDC 内でシリアル化する必要があります (複数のクラスタが使用されている場合でも)", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "severity": "中程度", - "text": "シークレット、キー、証明書などのキー コンテナー オブジェクトをバックアップすると、バックアップ操作によってオブジェクトが暗号化された BLOB としてダウンロードされます。この BLOB は、Azure の外部で暗号化を解除できません。この BLOB から使用可能なデータを取得するには、BLOB を同じ Azure サブスクリプションと Azure 地域内のキー コンテナーに復元する必要があります。Key Vault のバックアップと復元のガイダンスについて理解しておいてください。", - "waf": "確実" + "text": "アーキテクチャで使用されるサードパーティソリューションでのスケーリング操作を検討および検証します(サポートされているかどうか)", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "severity": "高い", - "text": "シークレットの偶発的または悪意のある削除に対する保護が必要な場合は、キー コンテナーで論理的な削除と消去保護機能を構成します。", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", + "severity": "中程度", + "text": "自動化で環境のスケールイン/スケールアウトの上限を定義して適用する", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "severity": "低い", - "text": "Key Vault の論理的に削除されたリソースは、90 暦日の一定期間保持されます。Key Vault の論理的な削除のガイダンスについて理解しておいてください。", - "waf": "確実" + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", + "severity": "中程度", + "text": "監視ルールを実装して、自動スケーリング操作を監視し、成功と失敗を監視して、適切な (自動化された) 応答を有効にします", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "低い", - "text": "Key Vault のバックアップの制限事項を理解します。Key Vault では、キー、シークレット、または証明書オブジェクトの過去のバージョンを 500 個以上バックアップする機能はサポートされていません。キー、シークレット、または証明書オブジェクトをバックアップしようとすると、エラーが発生する可能性があります。以前のバージョンのキー、シークレット、または証明書を削除することはできません。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "高い", + "text": "MONを使用する場合は、同時に構成されたVMの制限(HCXのMON制限[400 - 標準、1000 - 大規模アプライアンス])に注意してください", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "確実" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "低い", - "text": "現在、Key Vault では 1 回の操作でキー コンテナー全体をバックアップする方法は提供されておらず、キー、シークレット、証明書を個別にバックアップする必要があります。Key Vault のバックアップと復元のガイダンスについて理解しておいてください。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": 
"高い", + "text": "MON を使用する場合、100 を超えるネットワーク拡張で MON を有効にすることはできません", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "確実" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "中程度", - "text": "データの損失を防ぐために、暗号化にキーを使用する場合は、パージ保護をお勧めします。消去保護はオプションの Key Vault の動作であり、既定では有効になっていません。消去保護は、論理的な削除が有効になった場合にのみ有効にできます。CLI、PowerShell、またはポータルを使用してオンにすることができます。", - "waf": "確実" + "text": "移行に VPN 接続を使用する場合は、それに応じて MTU サイズを調整します。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", - "guid": "d0642c1c-312b-4116-94ab-439e1c836819", - "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", - "service": "Key Vault", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "severity": "中程度", - "text": "RBAC は、キー コンテナーへのアクセスを制御するために推奨されます。Key Vault のアクセス制御ガイダンスについて理解しておいてください。", - "waf": "安全" + "text": "Azure に接続する接続性の低いリージョン (500 Mbps 以下) の場合は、HCX WAN 最適化アプライアンスのデプロイを検討してください", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus Premium は、保存データの暗号化を提供します。独自のキーを使用する場合、データは引き続き Microsoft マネージド キーを使用して暗号化されますが、さらに Microsoft マネージド キーはカスタマー マネージド キーを使用して暗号化されます。", - "guid": 
"87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", - "severity": "低い", - "text": "必要に応じて、保存データの暗号化でカスタマー マネージド キー オプションを使用する", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", + "severity": "中程度", + "text": "移行がオンプレミスアプライアンスから開始され、クラウドアプライアンスから開始されていないことを確認します(逆移行は実行しないでください)", + "waf": "確実" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "クライアント アプリケーションと Azure Service Bus 名前空間間の通信は、トランスポート層セキュリティ (TLS) を使用して暗号化されます。Azure Service Bus 名前空間を使用すると、クライアントは TLS 1.0 以上でデータを送受信できます。より厳格なセキュリティ対策を適用するために、クライアントが新しいバージョンの TLS を使用してデータを送受信することを要求するように Service Bus 名前空間を構成できます。", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", "severity": "中程度", - "text": "要求に対して最低限必要なバージョンの Transport Layer Security (TLS) を適用する", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "安全" + "text": "Azure NetApp Files を使用して Azure VMware Solution のストレージを拡張する場合は、VM に直接接続するのではなく、これを VMware データストアとして使用することを検討してください。", + "waf": "確実" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Service Bus 名前空間を作成すると、名前空間に対して RootManageSharedAccessKey 
という名前の SAS ルールが自動的に作成されます。このポリシーには、名前空間全体に対する Manage アクセス許可があります。このルールは管理ルート アカウントのように扱い、アプリケーションで使用しないことをお勧めします。 RBAC を使用した認証プロバイダーとして AAD を使用することをお勧めします。", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "severity": "中程度", - "text": "必要のないときに root アカウントを使用することは避けてください", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "安全" + "text": "専用の ExpressRoute ゲートウェイが外部データ ストレージ ソリューションに使用されていることを確認する", + "waf": "確実" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure App Service アプリケーション内、または Azure リソースのサポートに対して有効なマネージド エンティティを持つ仮想マシンで実行されている Service Bus クライアント アプリは、SAS のルールとキー、またはその他のアクセス トークンを処理する必要はありません。クライアント アプリに必要なのは、Service Bus メッセージング名前空間のエンドポイント アドレスのみです。", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", - "service": "Service Bus", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "severity": "中程度", - "text": "可能な場合は、アプリケーションでマネージド ID を使用して Azure Service Bus に対する認証を行う必要があります。そうでない場合は、ストレージ資格情報 (SAS、サービス プリンシパル資格情報) を Azure Key Vault または同等のサービスに持つことを検討してください", - "training": 
"https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "text": "外部データ ストレージ ソリューションに使用されている ExpressRoute ゲートウェイで FastPath が有効になっていることを確認します", + "waf": "確実" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus のアクセス許可は、キュー、トピック、サブスクリプションなどの個々のリソース レベルにスコープを設定でき、またそうする必要があります。", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", "severity": "高い", - "text": "最小特権データ プレーン RBAC を使用する", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "安全" - }, - { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus リソース ログには、操作ログ、仮想ネットワーク、IP フィルタリング ログが含まれます。ランタイム監査ログは、Service Bus でのさまざまなデータ プレーン アクセス操作 (メッセージの送受信など) の集計された診断情報をキャプチャします。", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", - "severity": "中程度", - "text": "セキュリティ調査のログ記録を有効にします。Azure Monitor を使用してリソース ログとランタイム監査ログをトレースする (現在は Premium レベルでのみ使用できます)", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "安全" + "text": "ストレッチ クラスタを使用している場合は、選択したディザスタ リカバリ ソリューションがベンダーによってサポートされていることを確認します", + "waf": "確実" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": 
"Azure Service Bus は、既定ではパブリック IP アドレスを持ち、インターネットからアクセスできます。プライベート エンドポイントを使用すると、仮想ネットワークと Azure Service Bus の間のトラフィックは、Microsoft のバックボーン ネットワークを経由します。それに加えて、パブリックエンドポイントが使用されていない場合は無効にする必要があります。", - "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", - "service": "Service Bus", - "severity": "中程度", - "text": "プライベート エンドポイントを使用して Azure Service Bus にアクセスし、該当する場合はパブリック ネットワーク アクセスを無効にすることを検討してください。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", + "severity": "高い", + "text": "ストレッチ クラスターを使用する場合は、提供される SLA が要件を満たしていることを確認します", + "waf": "確実" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "IP ファイアウォールを使用すると、パブリック エンドポイントを IPv4 アドレスのセットのみ、または CIDR (Classless Inter-Domain Routing) 表記の IPv4 アドレス範囲のみにさらに制限できます。", - "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", - "service": "Service Bus", - "severity": "中程度", - "text": "特定の IP アドレスまたは範囲からのみ Azure Service Bus 名前空間へのアクセスを許可することを検討してください", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", + "severity": "高い", + "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線が接続ハブに接続されていることを確認します。", + "waf": "確実" }, { - "arm-service": 
"Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", "severity": "高い", - "text": "Availability Zones (リージョンで適用可能な場合) を活用する (これは自動的に有効になります)", + "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線で GlobalReach が有効になっていることを確認します。", "waf": "確実" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "中程度", - "text": "Microsoft が開始するフェールオーバーに注意してください。これらは、まれに、影響を受けるリージョンから対応する geo ペア リージョンにすべての IoT ハブをフェールオーバーするために Microsoft によって実行されます。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "severity": "高い", + "text": "サイトの耐障害性の設定を適切に検討し、必要に応じてビジネスに合わせて変更しましたか?", "waf": "確実" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "severity": "高い", - "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", + 
"severity": "中程度", + "text": "フレキシブル サーバーの活用", "waf": "確実" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "高い", - "text": "手動フェールオーバーをトリガーする方法を学習します。", + "text": "Availability Zones (地域的に適用可能な場合) を活用する", "waf": "確実" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "severity": "高い", - "text": "フェールオーバー後にフェールバックする方法を学習します。", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", + "severity": "中程度", + "text": "リージョン間の DR シナリオでのデータイン レプリケーションの活用", "waf": "確実" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "中程度", - "text": "Azure Front Door でカスタマー マネージド TLS 証明書を使用する場合は、\"最新\" の証明書バージョンを使用します。証明書の手動更新による停止のリスクを軽減します。", + "text": "グローバルレベルでのエラー処理ポリシーの実装", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, 
compliant", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "中程度", - "text": "Azure Front Door と WAF ポリシーを使用して、複数の Azure リージョンにまたがるグローバル HTTP/S アプリを提供し、保護します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "text": "すべての API ポリシーに要素が含まれていることを確認します。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "中程度", - "text": "Front Door と Application Gateway を使用して HTTP/S アプリを保護する場合は、Front Door で WAF ポリシーを使用します。Application Gateway をロックダウンして、Front Door からのトラフィックのみを受信します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "text": "ポリシーフラグメントを使用して、複数の API で同じポリシー定義を繰り返さないようにする", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, 
links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", - "severity": "高い", - "text": "Front Door の WAF ポリシーを \"防止\" モードでデプロイし、Web アプリケーション ファイアウォールがトラフィックを許可または拒否するための適切なアクションを実行するようにします。", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", - "severity": "高い", - "text": "Traffic Manager を Front Door の後ろに配置しないでください。", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", - "severity": "高い", - "text": "Azure Front Door と配信元で同じドメイン名を使用します。ホスト名が一致しないと、微妙なバグが発生する可能性があります。", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "低い", - "text": "Azure Front Door の配信元グループに配信元が 1 つしかない場合は、正常性プローブを無効にします。", - "waf": "パフォーマンス" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", "severity": "中程度", - "text": "Azure Front Door の適切な正常性プローブ 
エンドポイントを選択します。アプリケーションのすべての依存関係をチェックする正常性エンドポイントの構築を検討してください。", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", - "severity": "低い", - "text": "Azure Front Door で HEAD 正常性プローブを使用して、Front Door がアプリケーションに送信するトラフィックを減らします。", - "waf": "パフォーマンス" + "text": "API の収益化を計画している場合は、「収益化のサポート」の記事でおすすめの方法をご確認ください", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "高い", - "text": "Azure Front Door でマネージド TLS 証明書を使用します。運用コストと、証明書の更新による停止のリスクを軽減します。", + "text": "診断設定を有効にしてログを Azure Monitor にエクスポートする", 
"waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "中程度", - "text": "Azure Front Door WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", + "text": "Application Insights を有効にして、より詳細なテレメトリを実現する", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "高い", - "text": "Azure Front Door でエンド ツー エンド TLS を使用します。クライアントから Front Door への接続、および Front Door から配信元への接続には TLS を使用します。", - "waf": "安全" - }, - { - 
"arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", - "severity": "中程度", - "text": "Azure Front Door で HTTP から HTTPS へのリダイレクトを使用します。古いクライアントを自動的に HTTPS リクエストにリダイレクトすることで、クライアントをサポートします。", - "waf": "安全" + "text": "最も重要なメトリックに関するアラートを構成する", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "高い", - "text": "Azure Front Door WAF を有効にします。さまざまな攻撃からアプリケーションを保護します。", + "text": "カスタム SSL 証明書が Azure Key Vault に格納され、安全にアクセスして更新できるようにする", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "高い", - "text": "ワークロードに合わせて Azure Front Door WAF を調整するには、検出モードで WAF を構成して誤検知の検出を減らして修正します。", + "text": "Azure AD を使用して API (データ プレーン) への受信要求を保護する", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "severity": "高い", - "text": "Azure Front Door WAF ポリシーで有効になっている要求本文の検査機能を有効にします。", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", + "severity": "中程度", + "text": "Microsoft Entra ID を使用して開発者ポータルでユーザーを認証する", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", - "severity": "高い", - "text": "Azure Front Door WAF の既定のルール セットを有効にします。デフォルトのルールセットは、一般的な攻撃を検出してブロックします。", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API 
Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "中程度", + "text": "適切なグループを作成して、製品の可視性を制御します", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", - "severity": "高い", - "text": "Azure Front Door WAF ボット保護ルール セットを有効にします。ボット ルールは、良いボットと悪いボットを検出します。", - "waf": "安全" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", + "severity": "中程度", + "text": "バックエンド機能を使用して、冗長な API バックエンド構成を排除します", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "severity": "中程度", - "text": "最新の Azure Front Door WAF ルール セット バージョンを使用します。ルールセットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", - "waf": "安全" + "text": "名前付き値を使用して、ポリシーで使用できる共通の値を格納します", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "中程度", - "text": "Azure Front Door WAF にレート制限を追加します。レート制限は、クライアントが誤ってまたは意図的に短時間に大量のトラフィックを送信するのをブロックします。", - "waf": "安全" + "text": "DR の場合は、99.99% の SLA で 2 つ以上のリージョンにスケーリングされたデプロイで Premium レベルを活用します", + "waf": "確実" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", "severity": "中程度", - "text": "Azure Front Door WAF のレート制限には高いしきい値を使用します。レート制限のしきい値を高くすると、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多くのリクエストに対する保護を提供します。", - "waf": "安全" + "text": "少なくとも 1 つのユニットを 2 つ以上の可用性ゾーンにデプロイして、SLA を 99.99% に向上させる", + "waf": "確実" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "severity": "低い", - "text": "すべての地理的地域からのトラフィックを想定していない場合は、geo フィルタを使用して、想定外の国からのトラフィックをブロックします。", - "waf": "安全" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management 
Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "高い", + "text": "自動バックアップ・ルーチンがあることを確認する", + "waf": "確実" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "中程度", - "text": "Azure Front Door WAF を使用してトラフィックを geo フィルタリングする場合は、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致できない場合に、正当な要求を誤ってブロックしないようにします。", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", - "severity": "中程度", - "text": "ログとメトリックをキャプチャするには、診断設定をオンにします。リソース アクティビティ ログ、アクセス ログ、正常性プローブ ログ、WAF ログを含めます。アラートを設定します。", - "waf": "オペレーションズ" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", - "severity": "中程度", - "text": "Azure Front Door WAF ログを Microsoft 
Sentinel に送信します。", - "waf": "オペレーションズ" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", - "service": "Front Door", - "severity": "中程度", - "text": "デプロイ戦略をサポートするルーティング方法を選択します。設定された重み係数に基づいてトラフィックを分散する加重方式は、アクティブ/アクティブモデルをサポートします。プライマリ リージョンがすべてのトラフィックを受信し、バックアップとしてセカンダリ リージョンにトラフィックを送信するように設定する優先度ベースの値は、アクティブ/パッシブ モデルをサポートします。上記の方法とレイテンシを組み合わせて、レイテンシが最も低いオリジンがトラフィックを受信するようにします。", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", - "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", - "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", - "service": "Front Door", - "severity": "高い", - "text": "1 つ以上のバックエンド プールに複数の配信元を持つことで冗長性をサポートします。アプリケーションの冗長インスタンスを常に用意し、各インスタンスがエンドポイントまたはオリジンを公開していることを確認します。これらの配信元は、1 つ以上のバックエンド プールに配置できます。", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "999852be-2137-4179-8fc3-30d1df6fed1d", - "link": 
"https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps", - "service": "Front Door", - "severity": "中程度", - "text": "バックエンドへの要求の転送にタイムアウトを設定します。エンドポイントのニーズに応じてタイムアウト設定を調整します。そうしないと、配信元が応答を送信する前に Azure Front Door が接続を閉じる可能性があります。また、すべての配信元のタイムアウトが短い場合は、Azure Front Door の既定のタイムアウトを下げることもできます。", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity", - "service": "Front Door", - "severity": "中程度", - "text": "アプリケーションにセッション アフィニティが必要かどうかを判断します。高い信頼性要件がある場合は、セッション アフィニティを無効にすることをお勧めします。", + "text": "ポリシーを使用して、フェイルオーバー・バックエンドURLとキャッシュを追加し、コールの失敗を減らします。", "waf": "確実" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7", - "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header", - "service": "Front Door", - "severity": "中程度", - "text": "ホストヘッダーをバックエンドに送信します。バックエンド サービスは、そのホストからのトラフィックのみを受け入れるルールを作成できるように、ホスト名を認識する必要があります。", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", - "severity": "中程度", - "text": "キャッシュをサポートするエンドポイントにはキャッシュを使用します。", - "waf": "費用" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, 
healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant", - "guid": "34069d73-e4de-46c5-a36f-625f87575a56", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", "severity": "低い", - "text": "単一のバックエンド・プールのヘルス・チェックを無効にします。Azure Front Door の配信元グループに配信元が 1 つしか構成されていない場合、これらの呼び出しは不要です。これは、エンドポイントに複数のオリジンを持てない場合にのみ推奨されます。", - "waf": "費用" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "c92d6786-cdd1-444d-9cad-934a192a276a", - "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports", - "service": "Front Door", - "severity": "中程度", - "text": "セキュリティ レポートを活用するには Premium レベルを使用することをお勧めしますが、Standard Azure Front Door プロファイルでは、組み込みの分析/レポートでトラフィック レポートのみが提供されます。", - "waf": "オペレーションズ" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain", - "service": "Front Door", - "severity": "中程度", - "text": "可能な場合は、ワイルドカード TLS 証明書を使用します。", + "text": "高パフォーマンス レベルでログを記録する必要がある場合は、Event Hubs 
ポリシーを検討してください", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "severity": "中程度", - "text": "キャッシュ用にアプリケーションのクエリ文字列を最適化します。純粋に静的なコンテンツの場合は、クエリ文字列を無視して、キャッシュを最大限に活用します。アプリケーションでクエリ文字列を使用する場合は、それらをキャッシュキーに含めることを検討してください。キャッシュ キーにクエリ文字列を含めると、Azure Front Door は、構成に基づいてキャッシュされた応答またはその他の応答を提供できます。", + "text": "調整ポリシーを適用して、毎秒の要求数を制御する", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", "waf": "パフォーマンス" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece", - "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression", - "service": "Front Door", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "中程度", - "text": "ダウンロード可能なコンテンツにアクセスするときは、ファイル圧縮を使用します。", + "text": "負荷が増加したときにインスタンスの数をスケールアウトするように自動スケーリングを構成する", "waf": "パフォーマンス" }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", - "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", - "link": 
"https://learn.microsoft.com/azure/cdn/tier-migration", - "service": "Front Door", - "severity": "高い", - "text": "現在クラシック Azure Front Door を使用している場合は、クラシック Azure Front Door は 2027 年 3 月までに非推奨になるため、Standard SKU または Premium SKU への移行を検討してください。", - "waf": "オペレーションズ" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", - "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", - "service": "Front Door", - "severity": "中程度", - "text": "ミッション クリティカルな高可用性シナリオには、Traffic Manager の負荷分散 Azure Front Door とサード パーティの CDN プロバイダー CDN プロファイルの使用を検討してください。", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", - "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", - "service": "Front Door", - "severity": "高い", - "text": "配信元を App Services として Front Door を使用する場合は、アクセス制限を使用して Azure Front Door 経由でのみアプリ サービスへのトラフィックをロックダウンすることを検討してください。", - "waf": "安全" - }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", "service": "APIM", "severity": "中程度", - "text": "グローバルレベルでのエラー処理ポリシーの実装", - "waf": "オペレーションズ" + "text": "セルフホステッド ゲートウェイをデプロイする場所は、バックエンド API に近いリージョンが Azure にありません。", + "waf": "パフォーマンス" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": 
"0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", "service": "APIM", "severity": "中程度", - "text": "すべての API ポリシーに要素が含まれていることを確認します。", - "waf": "オペレーションズ" + "text": "運用環境のワークロードには Premium レベルを使用します。", + "waf": "確実" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", "service": "APIM", "severity": "中程度", - "text": "ポリシーフラグメントを使用して、複数の API で同じポリシー定義を繰り返さないようにする", - "waf": "オペレーションズ" + "text": "複数リージョン モデルでは、ポリシーを使用して、可用性または待機時間に基づいてリージョン バックエンドに要求をルーティングします。", + "waf": "確実" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", "service": "APIM", - "severity": "中程度", - "text": "API の収益化を計画している場合は、「収益化のサポート」の記事でおすすめの方法をご確認ください", - "waf": "オペレーションズ" + "severity": "高い", + "text": "APIM の制限に注意する", + "waf": "確実" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + 
"guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", "service": "APIM", "severity": "高い", - "text": "診断設定を有効にしてログを Azure Monitor にエクスポートする", - "waf": "オペレーションズ" + "text": "セルフホステッド ゲートウェイのデプロイに回復性があることを確認します。", + "waf": "確実" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", "service": "APIM", "severity": "中程度", - "text": "Application Insights を有効にして、より詳細なテレメトリを実現する", - "waf": "オペレーションズ" + "text": "複数リージョンのデプロイに APIM の前で Azure Front Door を使用するUse Azure Front Door in front of APIM for multi-region deployment", + "waf": "パフォーマンス" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", "service": "APIM", - "severity": "高い", - "text": "最も重要なメトリックに関するアラートを構成する", - "waf": "オペレーションズ" + "severity": "中程度", + "text": "仮想ネットワーク (VNet) 内にサービスをデプロイするDeploy the service within a Virtual Network (VNet)", + "waf": "安全" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault",
+ "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
 "service": "APIM",
- "severity": "高い",
- "text": "カスタム SSL 証明書が Azure Key Vault に格納され、安全にアクセスして更新できるようにする",
+ "severity": "中程度",
+ "text": "ネットワーク セキュリティ グループ (NSG) をサブネットにデプロイして、APIM との間のトラフィックを制限または監視します。",
 "waf": "安全"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access",
+ "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
 "service": "APIM",
- "severity": "高い",
- "text": "Azure AD を使用して API (データ プレーン) への受信要求を保護する",
+ "severity": "中程度",
+ "text": "プライベート エンドポイントをデプロイして、APIM が VNet にデプロイされていない場合に受信トラフィックをフィルター処理します。",
 "waf": "安全"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad",
+ "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
 "service": "APIM",
- "severity": "中程度",
- "text": "Microsoft Entra ID を使用して開発者ポータルでユーザーを認証する",
- "waf": "安全"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups",
- "service": "APIM",
- "severity": "中程度",
- "text": "適切なグループを作成して、製品の可視性を制御します",
- "waf": "安全"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "06862505-2d9a-4874-9491-2837b00a3475",
- "link": "https://learn.microsoft.com/azure/api-management/backends",
- "service": "APIM",
- "severity": "中程度",
- "text": "バックエンド機能を使用して、冗長な API バックエンド構成を排除します",
- "waf": "オペレーションズ"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
- "service": "APIM",
- "severity": "中程度",
- "text": "名前付き値を使用して、ポリシーで使用できる共通の値を格納します",
- "waf": "オペレーションズ"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
- "service": "APIM",
- "severity": "中程度",
- "text": "DR の場合は、99.99% の SLA で 2 つ以上のリージョンにスケーリングされたデプロイで Premium レベルを活用します",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
- "link": "https://learn.microsoft.com/azure/api-management/high-availability",
- "service": "APIM",
- "severity": "中程度",
- "text": "少なくとも 1 つのユニットを 2 つ以上の可用性ゾーンにデプロイして、SLA を 99.99% に向上させる",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
- "service": "APIM",
- "severity": "高い",
- "text": "自動バックアップ・ルーチンがあることを確認する",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
- "link": "https://learn.microsoft.com/azure/api-management/retry-policy",
- "service": "APIM",
- "severity": "中程度",
- "text": "ポリシーを使用して、フェイルオーバー・バックエンドURLとキャッシュを追加し、コールの失敗を減らします。",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
- "service": "APIM",
- "severity": "低い",
- "text": "高パフォーマンス レベルでログを記録する必要がある場合は、Event Hubs ポリシーを検討してください",
- "waf": "オペレーションズ"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
- "service": "APIM",
- "severity": "中程度",
- "text": "調整ポリシーを適用して、毎秒の要求数を制御する",
- "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
- "waf": "パフォーマンス"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
- "service": "APIM",
- "severity": "中程度",
- "text": "負荷が増加したときにインスタンスの数をスケールアウトするように自動スケーリングを構成する",
- "waf": "パフォーマンス"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
- "service": "APIM",
- "severity": "中程度",
- "text": "セルフホステッド ゲートウェイをデプロイする場所は、バックエンド API に近いリージョンが Azure にありません。",
- "waf": "パフォーマンス"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
- "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
- "service": "APIM",
- "severity": "中程度",
- "text": "運用環境のワークロードには Premium レベルを使用します。",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
- "service": "APIM",
- "severity": "中程度",
- "text": "複数リージョン モデルでは、ポリシーを使用して、可用性または待機時間に基づいてリージョン バックエンドに要求をルーティングします。",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
- "service": "APIM",
- "severity": "高い",
- "text": "APIM の制限に注意する",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
- "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
- "service": "APIM",
- "severity": "高い",
- "text": "セルフホステッド ゲートウェイのデプロイに回復性があることを確認します。",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "7519e385-a88b-4d34-966b-6269d686e890",
- "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
- "service": "APIM",
- "severity": "中程度",
- "text": "複数リージョンのデプロイに APIM の前で Azure Front Door を使用するUse Azure Front Door in front of APIM for multi-region deployment",
- "waf": "パフォーマンス"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
- "service": "APIM",
- "severity": "中程度",
- "text": "仮想ネットワーク (VNet) 内にサービスをデプロイするDeploy the service within a Virtual Network (VNet)",
- "waf": "安全"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
- "service": "APIM",
- "severity": "中程度",
- "text": "ネットワーク セキュリティ グループ (NSG) をサブネットにデプロイして、APIM との間のトラフィックを制限または監視します。",
- "waf": "安全"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
- "service": "APIM",
- "severity": "中程度",
- "text": "プライベート エンドポイントをデプロイして、APIM が VNet にデプロイされていない場合に受信トラフィックをフィルター処理します。",
- "waf": "安全"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
- "service": "APIM",
- "severity": "高い",
- "text": "パブリックネットワークアクセスの無効化",
+ "severity": "高い",
+ "text": "パブリックネットワークアクセスの無効化",
 "waf": "安全"
 },
 {
@@ -6142,3845 +5373,5202 @@
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot",
- "service": "Bot service",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "高い",
+ "text": "Key Vault のベスト プラクティス (分離の推奨事項、アクセス制御、データ保護、バックアップ、ログ記録など) について理解しておいてください。",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Key Vault",
 "severity": "中程度",
- "text": "Azure Bot Service の信頼性サポートの推奨事項に従う",
+ "text": "Key Vault はマネージド サービスであり、Microsoft はリージョン内およびリージョン間のフェールオーバーを処理します。Key Vault の可用性と冗長性について理解しておいてください。",
 "waf": "確実"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a",
- "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization",
- "service": "Bot service",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication",
+ "service": "Key Vault",
 "severity": "中程度",
- "text": "ローカル データ所在地とリージョン コンプライアンスを備えたボットのデプロイ",
+ "text": "キー コンテナーの内容は、リージョン内と少なくとも 150 マイル離れたセカンダリ リージョンにレプリケートされますが、キーとシークレットの高い持続性を維持するために、同じ地域内でレプリケートされます。Key Vault のデータ レプリケーションについて理解しておいてください。",
 "waf": "確実"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography",
- "service": "Bot service",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions",
+ "service": "Key Vault",
 "severity": "中程度",
- "text": "Azure Bot Service は、グローバル サービスとリージョン サービスの両方に対してアクティブ/アクティブ モードで実行されます。停止が発生した場合、エラーを検出したり、サービスを管理したりする必要はありません。Azure Bot Service は、複数リージョンの地理的アーキテクチャで自動フェールオーバーと自動復旧を自動的に実行します。EU ボット リージョン サービスの場合、Azure Bot Service は、冗長性を確保するために、アクティブ/アクティブ レプリケーションを備えたヨーロッパ内の 2 つの完全なリージョンを提供します。グローバル ボット サービスの場合、使用可能なすべてのリージョン/地域をグローバル フットプリントとして提供できます。",
+ "text": "フェールオーバー中は、アクセス ポリシーまたはファイアウォールの構成と設定を変更することはできません。キー コンテナーは、フェールオーバー中は読み取り専用モードになります。Key Vault のフェールオーバー ガイダンスについて理解しておいてください。",
 "waf": "確実"
 },
 {
- "arm-service": "Microsoft.DBforMySQL/servers",
- "checklist": "MySQL Review Checklist",
- "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7",
- "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview",
- "service": "Azure MySQL",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations",
+ "service": "Key Vault",
 "severity": "中程度",
- "text": "フレキシブル サーバーの活用",
+ "text": "シークレット、キー、証明書などのキー コンテナー オブジェクトをバックアップすると、バックアップ操作によってオブジェクトが暗号化された BLOB としてダウンロードされます。この BLOB は、Azure の外部で暗号化を解除できません。この BLOB から使用可能なデータを取得するには、BLOB を同じ Azure サブスクリプションと Azure 地域内のキー コンテナーに復元する必要があります。Key Vault のバックアップと復元のガイダンスについて理解しておいてください。",
 "waf": "確実"
 },
 {
- "arm-service": "Microsoft.DBforMySQL/servers",
- "checklist": "MySQL Review Checklist",
- "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b",
- "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones",
- "service": "Azure MySQL",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "Key Vault",
 "severity": "高い",
- "text": "Availability Zones (地域的に適用可能な場合) を活用する",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.DBforMySQL/servers",
- "checklist": "MySQL Review Checklist",
- "guid": "1e944a45-9c37-43e7-bd61-623b365a917e",
- "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication",
- "service": "Azure MySQL",
- "severity": "中程度",
- "text": "リージョン間の DR シナリオでのデータイン レプリケーションの活用",
+ "text": "シークレットの偶発的または悪意のある削除に対する保護が必要な場合は、キー コンテナーで論理的な削除と消去保護機能を構成します。",
 "waf": "確実"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
- "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
- "service": "Entra",
- "severity": "中程度",
- "text": "有効期間の長い取り消し可能なトークンを使用し、トークンをキャッシュし、Microsoft ID ライブラリを使用してサイレントに取得します",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "Key Vault",
+ "severity": "低い",
+ "text": "Key Vault の論理的に削除されたリソースは、90 暦日の一定期間保持されます。Key Vault の論理的な削除のガイダンスについて理解しておいてください。",
 "waf": "確実"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
- "severity": "中程度",
- "text": "サインイン ユーザー フローがバックアップされ、回復性があることを確認します。ユーザーのサインインに使用するコードがバックアップされ、回復可能であることを確認します。外部プロセスとの回復力のあるインターフェース",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
+ "service": "Key Vault",
+ "severity": "低い",
+ "text": "Key Vault のバックアップの制限事項を理解します。Key Vault では、キー、シークレット、または証明書オブジェクトの過去のバージョンを 500 個以上バックアップする機能はサポートされていません。キー、シークレット、または証明書オブジェクトをバックアップしようとすると、エラーが発生する可能性があります。以前のバージョンのキー、シークレット、または証明書を削除することはできません。",
 "waf": "確実"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
- "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
- "service": "AAD B2C",
- "severity": "中程度",
- "text": "カスタムブランドアセットはCDNでホストする必要がある",
- "waf": "パフォーマンス"
- },
- {
- "checklist": "Identity Review Checklist",
- "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
- "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
- "service": "AAD B2C",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
+ "service": "Key Vault",
 "severity": "低い",
- "text": "複数のIDプロバイダーを持っている(つまり、Microsoft、Google、Facebookアカウントでログインする)",
+ "text": "現在、Key Vault では 1 回の操作でキー コンテナー全体をバックアップする方法は提供されておらず、キー、シークレット、証明書を個別にバックアップする必要があります。Key Vault のバックアップと復元のガイダンスについて理解しておいてください。",
 "waf": "確実"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection",
+ "service": "Key Vault",
 "severity": "中程度",
- "text": "VM レベルでの高可用性に関する VM ルールに従う (Premium ディスク、リージョン内の 2 つ以上、異なる可用性ゾーン内)",
+ "text": "データの損失を防ぐために、暗号化にキーを使用する場合は、パージ保護をお勧めします。消去保護はオプションの Key Vault の動作であり、既定では有効になっていません。消去保護は、論理的な削除が有効になった場合にのみ有効にできます。CLI、PowerShell、またはポータルを使用してオンにすることができます。",
 "waf": "確実"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Key Vault",
+ "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant",
+ "guid": "d0642c1c-312b-4116-94ab-439e1c836819",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli",
+ "service": "Key Vault",
 "severity": "中程度",
- "text": "複製しないでください!レプリケーションにより、ディレクトリ同期に関する問題が発生する可能性があります",
- "waf": "確実"
+ "text": "RBAC は、キー コンテナーへのアクセスを制御するために推奨されます。Key Vault のアクセス制御ガイダンスについて理解しておいてください。",
+ "waf": "安全"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx",
+ "service": "Azure Data Factory",
 "severity": "中程度",
- "text": "マルチリージョンのアクティブ/アクティブを持つ",
+ "text": "Azure Data Factory の FTA 回復性プレイブックの活用",
 "waf": "確実"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
- "severity": "中程度",
- "text": "Azure AD Domain Service スタンプを追加のリージョンと場所に追加する",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "e503547c-d447-4e82-9138-a7200f1cac6d",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
+ "severity": "高い",
+ "text": "Availability Zones をサポートするリージョンでゾーン冗長パイプラインを使用するUse zone redundant pipelines in regions that support Availability Zones",
 "waf": "確実"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511",
+ "link": "https://learn.microsoft.com/azure/data-factory/source-control",
+ "service": "Azure Data Factory",
 "severity": "中程度",
- "text": "DR にレプリカ セットを使用する",
+ "text": "DevOps を使用して Github と Azure DevOps の統合で ARM テンプレートをバックアップする",
 "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
- "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
- "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
- "service": "App Gateway",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
 "severity": "中程度",
- "text": "Application Gateway v2 SKU を使用していることを確認する",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "安全"
+ "text": "セルフホステッド統合ランタイム VM を別のリージョンにレプリケートしてください",
+ "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Network/loadBalancers",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
- "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "Load Balancer",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
 "severity": "中程度",
- "text": "Azure Load Balancers に Standard SKU を使用していることを確認します",
- "waf": "安全"
+ "text": "必ず、姉妹リージョンでネットワークをレプリケートまたは複製してください。別のリージョンに VNet のコピーを作成する必要があります",
+ "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Network/loadBalancers",
- "checklist": "Azure Application Delivery Networking",
- "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
- "service": "Load Balancer",
- "severity": "中程度",
- "text": "Load Balancer フロントエンドの IP アドレスがゾーン冗長であることを確認します (ゾーン フロントエンドが必要な場合を除く)。",
- "waf": "安全"
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "description": "ADF パイプラインで Key Vault が使用されている場合は、Key Vault をレプリケートするために何もする必要はありません。Key Vault はマネージド サービスであり、Microsoft が処理します",
+ "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Azure Data Factory",
+ "severity": "低い",
+ "text": "Keyvault 統合を使用している場合は、Keyvault の SLA を使用して可用性を把握します",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
- "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
- "service": "App Gateway",
- "severity": "中程度",
- "text": "Application Gateways v2 は、IP プレフィックスが /24 以上のサブネットにデプロイする必要があります",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "安全"
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
+ "severity": "高い",
+ "text": "Azure Cache for Redis のゾーン冗長を有効にします。Azure Cache for Redis では、Premium レベルと Enterprise レベルでゾーン冗長構成がサポートされています。ゾーン冗長キャッシュでは、同じリージョン内の異なる Azure Availability Zones にノードを配置できます。これにより、データセンターや AZ の停止が単一障害点として排除され、キャッシュの全体的な可用性が向上します。",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "description": "リバースプロキシの管理全般、特にWAFの管理は、ネットワーキングよりもアプリケーションに近いため、アプリと同じサブスクリプションに属します。Application Gateway と WAF を接続サブスクリプションに一元化することは、1 つのチームによって管理されている場合は問題ない可能性があります。",
- "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "App Gateway",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
+ "service": "Redis",
 "severity": "中程度",
- "text": "ランディング ゾーン仮想ネットワーク内の受信 HTTP(S) 接続のプロキシに使用される Azure Application Gateway v2 またはパートナー NVA と、それらがセキュリティ保護しているアプリをデプロイします。",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "安全"
+ "text": "Azure Cache for Redis インスタンスのデータ永続化を構成します。キャッシュ データはメモリに格納されるため、まれに複数のノードで計画外の障害が発生すると、すべてのデータがドロップされる可能性があります。データの完全な損失を回避するために、Redis 永続化では、メモリ内データのスナップショットを定期的に取得し、ストレージ アカウントに格納できます。",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "App Gateway",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
+ "service": "Redis",
 "severity": "中程度",
- "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して、DDoS ネットワークまたは IP 保護プランを使用します。",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "安全"
+ "text": "geo 冗長ストレージ アカウントを使用して Azure Cache for Redis データを保持するか、geo 冗長性を使用できない場合はゾーン冗長を使用します",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
- "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
- "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
- "service": "App Gateway",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
+ "service": "Redis",
 "severity": "中程度",
- "text": "自動スケールは、最小インスタンス数が 2 になるように構成します。",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "text": "Premium Azure Cache for Redis インスタンスのパッシブ geo レプリケーションを構成します。geo レプリケーションは、2 つ以上の Azure Cache for Redis インスタンス (通常は 2 つの Azure リージョンにまたがる) をリンクするためのメカニズムです。geo レプリケーションは、主にリージョン間のディザスター リカバリー用に設計されています。2 つの Premium レベルのキャッシュ インスタンスは、プライマリ キャッシュへの読み取りと書き込みを提供する方法で geo レプリケーションを介して接続され、そのデータはセカンダリ キャッシュにレプリケートされます。",
 "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
- "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
- "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
- "service": "App Gateway",
- "severity": "中程度",
- "text": "Application Gateway を複数の可用性ゾーンにデプロイする",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
+ "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
+ "service": "Logic Apps",
+ "severity": "高い",
+ "text": "ビジネスと SLO の要件に基づいて適切なロジック アプリのホスティング プランを選択する",
 "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "Front Door",
- "severity": "中程度",
- "text": "Front Door と Application Gateway を使用して HTTP/S アプリを保護する場合は、Front Door で WAF ポリシーを使用します。Application Gateway をロックダウンして、Front Door からのトラフィックのみを受信します。",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "安全"
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
+ "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "Logic Apps",
+ "severity": "高い",
+ "text": "ゾーンの冗長性と可用性ゾーンを使用してリージョンの障害からロジック アプリを保護する",
+ "waf": "確実"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/trafficManagerProfiles",
- "checklist": "Azure Application Delivery Networking",
- "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Traffic Manager",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
+ "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Logic Apps",
 "severity": "高い",
- "text": "Traffic Manager を使用して、HTTP/S 以外のプロトコルにまたがるグローバル アプリを配信します。",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する",
 "waf": "確実"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
- "severity": "低い",
- "text": "ユーザーが内部アプリケーションへのアクセスのみを必要とする場合、Microsoft Entra ID アプリケーション プロキシは Azure Virtual Desktop (AVD) の代替手段として検討されていますか?",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
- "waf": "安全"
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
+ "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
+ "service": "Logic Apps",
+ "severity": "高い",
+ "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します",
+ "waf": "確実"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
+ "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
+ "service": "Logic Apps",
 "severity": "中程度",
- "text": "ネットワーク内の着信接続用に開かれるファイアウォール ポートの数を減らすには、Microsoft Entra ID アプリケーション プロキシを使用して、リモート ユーザーに内部アプリケーションへの安全で認証されたアクセスを提供することを検討してください。",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "安全"
+ "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護",
+ "waf": "オペレーションズ"
 },
 {
- "ammp": true,
- "arm-service": "Microsoft.Network/loadBalancers",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
- "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
- "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
- "service": "Load Balancer",
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
+ "service": "IoT Hub DPS",
 "severity": "高い",
- "text": "Load Balancer のアウトバウンド規則の代わりに Azure NAT Gateway を使用して SNAT のスケーラビリティを向上させる",
+ "text": "ビジネスと SLO の要件に基づいて適切なロジック アプリのホスティング プランを選択する",
 "waf": "確実"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
- "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "IoT Hub DPS",
 "severity": "高い",
- "text": "Azure Application Gateway WAF ボット保護ルール セットを有効にします。ボット ルールは、良いボットと悪いボットを検出します。",
- "waf": "安全"
+ "text": "ゾーンの冗長性と可用性ゾーンを使用してリージョンの障害からロジック アプリを保護する",
+ "waf": "確実"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "8aed4fbf-0830-4883-899d-222a154af478",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "IoT Hub DPS",
 "severity": "高い",
- "text": "Azure Application Gateway WAF ポリシーで要求本文の検査機能が有効になっているかどうかを確認します。",
- "waf": "安全"
+ "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する",
+ "waf": "確実"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "IoT Hub DPS",
 "severity": "高い",
- "text": "ワークロードの検出モードで Azure Application Gateway WAF を調整します。誤検出を減らします。",
- "waf": "安全"
+ "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します",
+ "waf": "確実"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations",
- "service": "App Gateway",
- "severity": "高い",
- "text": "Application Gateway の WAF ポリシーを \"防止\" モードでデプロイします。",
- "waf": "安全"
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "IoT Hub DPS",
+ "severity": "中程度",
+ "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
- "service": "App Gateway",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies",
+ "service": "Spring Apps",
 "severity": "中程度",
- "text": "Azure Application Gateway WAF にレート制限を追加します。レート制限は、クライアントが誤ってまたは意図的に短時間に大量のトラフィックを送信するのをブロックします。",
- "waf": "安全"
+ "text": "Azure Spring Apps では、アプリごとに 2 つのデプロイが許可され、そのうちの 1 つだけが運用トラフィックを受信します。ブルーグリーンデプロイ戦略により、ダウンタイムをゼロにすることができます。ブルー グリーン デプロイは、Standard レベルと Enterprise レベルでのみ使用できます。CI/CD と ADO/GitHub Actions を使用してデプロイを自動化できます",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": 
"041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "中程度", - "text": "Azure Application Gateway WAF のレート制限には高いしきい値を使用します。レート制限のしきい値を高くすると、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多くのリクエストに対する保護を提供します。", - "waf": "安全" + "text": "Azure Spring Apps インスタンスは、アプリケーション用に複数のリージョンに作成でき、トラフィックは Traffic Manager/Front Door によってルーティングできます。", + "waf": "確実" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", - "severity": "低い", - "text": "すべての地理的地域からのトラフィックを想定していない場合は、geo フィルタを使用して、想定外の国からのトラフィックをブロックします。", - "waf": "安全" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", + "severity": "中程度", + "text": "サポートされているリージョンでは、Azure Spring Apps をゾーン冗長としてデプロイできるため、インスタンスは可用性ゾーン間で自動的に分散されます。この機能は、Standard レベルと Enterprise レベルでのみ使用できます。", + "waf": "確実" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "arm-service": "Microsoft.AppPlatform/Spring", + 
"checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "severity": "中程度", - "text": "Azure Application Gateway WAF を使用してトラフィックを geo フィルタリングする場合は、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致できない場合に、正当な要求を誤ってブロックしないようにします。", - "waf": "安全" + "text": "アプリに複数のアプリ インスタンスを使用する", + "waf": "確実" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "severity": "中程度", - "text": "最新の Azure Application Gateway WAF ルール セット バージョンを使用します。ルールセットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", - "waf": "安全" + "text": "Azure Spring Apps をログ、メトリック、トレースで監視します。ASA を Application Insights と統合し、障害を追跡し、ブックを作成します。", + "waf": "確実" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "severity": "中程度", - "text": "診断設定を追加して、Azure Application Gateway WAF ログを保存します。", - "waf": "オペレーションズ" + "text": "Spring Cloud 
Gateway で自動スケーリングを設定する", + "waf": "確実" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", - "severity": "中程度", - "text": "Azure Application Gateway WAF ログを Microsoft Sentinel に送信します。", - "waf": "オペレーションズ" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "severity": "低い", + "text": "Standard 従量課金プランと専用プランのアプリの自動スケーリングを有効にします。", + "waf": "確実" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "severity": "中程度", - "text": "Azure Application Gateway WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", - "waf": "オペレーションズ" + "text": "ミッション クリティカルなアプリの Spring Boot の商用サポートには、Enterprise プランを使用します。他のレベルでは、OSS のサポートを受けることができます。", + "waf": "確実" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", + "arm-service": "Microsoft.Storage/storageAccounts", + 
"checklist": "Azure Storage Review Checklist", + "description": "ストレージに関連する Microsoft クラウド セキュリティ ベンチマークのガイダンスを適用する", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "中程度", - "text": "従来のWAF構成のかわりにWAFポリシーを使用します。", - "waf": "オペレーションズ" + "text": "「ストレージの Azure セキュリティ ベースライン」を検討する", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", - "severity": "中程度", - "text": "バックエンドの受信トラフィックをフィルター処理して、Application Gateway サブネット (NSG など) からの接続のみを受け入れるようにします。", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Azure Storage は、既定ではパブリック IP アドレスを持ち、インターネットからアクセスできます。プライベート エンドポイントを使用すると、アクセスが必要な Azure コンピューティング リソースのみに Azure Storage を安全に公開できるため、パブリック インターネットへの露出がなくなります", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "高い", + "text": "Azure Storage のプライベート エンドポイントの使用を検討する", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", - "severity": "高い", - "text": "バックエンド サーバーへのトラフィックを暗号化する必要があります。", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "新しく作成されたストレージ アカウントは ARM デプロイ モデルを使用して作成されるため、RBAC、監査などがすべて有効になります。サブスクリプションにクラシック デプロイ モデルの古いストレージ アカウントがないことを確認します", + "guid": 
"30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", + "severity": "中程度", + "text": "古いストレージ アカウントが \"クラシック デプロイ モデル\" を使用していないことを確認する", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Microsoft Defender を活用して、不審なアクティビティや構成ミスについて学習します。", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "高い", - "text": "Web アプリケーション ファイアウォールを使用する必要があります。", + "text": "すべてのストレージ アカウントで Microsoft Defender を有効にする", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "論理的な削除メカニズムにより、誤って削除されたブロブを回復できます。", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "中程度", - "text": "HTTP を HTTPS にリダイレクトする", + "text": "BLOB の '論理的な削除' を有効にする", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": 
"https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由など、削除された情報をすぐに削除するようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナに対して「論理的な削除」を選択的に無効にすることを検討してください。", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "中程度", - "text": "ゲートウェイで管理される Cookie を使用して、ユーザーセッションからのトラフィックを同じサーバーに転送して処理する", - "waf": "オペレーションズ" + "text": "BLOB の '論理的な削除' を無効にする", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "コンテナの論理的な削除を使用すると、コンテナが削除された後に、たとえば、誤って削除した操作から回復するなどして、コンテナを回復できます。", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "高い", - "text": "計画されたサービス更新中に接続ドレインを有効にして、バックエンド プールの既存のメンバーへの接続が失われないようにします", + "text": "コンテナの「論理的な削除」を有効にする", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", - "severity": "低い", - "text": "カスタムエラーページを作成して、パーソナライズされたユーザーエクスペリエンスを表示する", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + 
"description": "たとえば、機密性、プライバシー、コンプライアンス上の理由など、削除された情報をすぐに削除するようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナに対して「論理的な削除」を選択的に無効にすることを検討してください。", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "中程度", + "text": "コンテナの「論理的な削除」を無効にする", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", - "severity": "中程度", - "text": "HTTP 要求と応答ヘッダーを編集して、クライアントとサーバー間のルーティングと情報交換を容易にします", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "削除する前に、ユーザーに削除ロックを最初に解除するように強制することで、ストレージ アカウントが誤って削除されるのを防ぎます", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", + "severity": "高い", + "text": "ストレージ アカウントでのリソース ロックの有効化", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", - "severity": "中程度", - "text": "Front Door を構成して、グローバル Web トラフィックのルーティングと最上位のエンドユーザーのパフォーマンス、および迅速なグローバル フェイルオーバーによる信頼性を最適化する", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "BLOB の \"訴訟ホールド\" または \"時間ベースの保持\" ポリシーを検討して、BLOB、コンテナー、またはストレージ アカウントを削除できないようにします。「不可能」は実際には「不可能」を意味することに注意してください。ストレージ アカウントに不変 BLOB が含まれている場合、そのストレージ アカウントを \"削除\" する唯一の方法は、Azure サブスクリプションをキャンセルすることです。", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "高い", + "text": "不変ブロブについて考える", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", - "severity": "中程度", - "text": "トランスポート層の負荷分散を使用する", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "ストレージ アカウントへの保護されていない HTTP/80 アクセスを無効にして、すべてのデータ転送が暗号化され、整合性が保護され、サーバーが認証されるようにすることを検討してください。", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "高い", + "text": "HTTPS を要求する (つまり、ストレージ アカウントのポート 80 を無効にする)", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", - "severity": "中程度", - "text": "1 つのゲートウェイ上の複数の Web アプリケーションのホスト名またはドメイン名に基づいてルーティングを構成する", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "ストレージ アカウントでカスタム ドメイン (ホスト名) を構成する場合は、TLS/HTTPS が必要かどうかを確認します。その場合は、ストレージ アカウントの前に Azure CDN を配置する必要がある場合があります。", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "高い", + "text": "HTTPS を適用する (HTTP を無効にする) 場合は、ストレージ アカウントにカスタム ドメイン (CNAME) を使用していないことを確認します。", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure 
Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "クライアントが SAS トークンを使用して BLOB データにアクセスするときに HTTPS を要求すると、資格情報の損失リスクを最小限に抑えるのに役立ちます。", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "中程度", - "text": "SSL証明書管理を一元化して、バックエンドサーバーファームからの暗号化と復号化のオーバーヘッドを削減します", + "text": "Shared Access Signature (SAS) トークンを HTTPS 接続のみに制限する", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "低い", - "text": "Application Gateway を使用して WebSocket プロトコルと HTTP/2 プロトコルをネイティブにサポートする", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": ".最新の TLS バージョンを適用すると、古いバージョンを使用しているクライアントからの要求が拒否されます。", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", + "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", + "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", + "service": "Azure Storage", + "severity": "高い", + "text": "ストレージ アカウントに最新の TLS バージョンを適用する", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Microsoft Entra ID トークンは、可能な限り、共有アクセス署名よりも優先する必要があります", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "severity": "高い", - "text": "共鳴可能なAIのためのメタプロンプトガードレールに従う", - "waf": "オペレーショナルエクセレンス" + "text": "BLOB アクセスに Microsoft Entra ID トークンを使用する", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", - "severity": "高い", - "text": "APIM や AI Central などのソリューションを使用したゲートウェイ パターンを検討して、レート制限、負荷分散、認証、ログ記録を改善します", - "waf": "オペレーショナルエクセレンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "ユーザー、グループ、またはアプリケーションにロールを割り当てる場合は、タスクの実行に必要なアクセス許可のみをそのセキュリティ プリンシパルに付与します。リソースへのアクセスを制限することで、意図しないデータの誤用と悪意のある誤用の両方を防ぐことができます。", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", + "severity": "中程度", + "text": "IaM アクセス許可の最小特権", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "ユーザー委任 SAS は、Azure Active Directory (Azure AD) 資格情報と、SAS に指定されたアクセス許可によって保護されます。ユーザー委任 SAS は、そのスコープと機能の点でサービス SAS に似ていますが、サービス SAS 
よりもセキュリティ上の利点があります。", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "severity": "高い", - "text": "AOAI インスタンスの監視を有効にする", - "waf": "オペレーショナルエクセレンス" + "text": "SAS を使用する場合は、ストレージ アカウント キー ベースの SAS よりも \"ユーザー委任 SAS\" を優先します。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "ストレージ アカウント キー (\"共有キー\") には、監査機能がほとんどありません。誰が/いつキーのコピーをフェッチしたかを監視することはできますが、キーが複数の人の手に渡ると、特定のユーザーに使用状況を帰属させることはできなくなります。Entra ID認証のみに依存すると、ストレージアクセスをユーザーに結び付けることが容易になります。", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "severity": "高い", - "text": "リソースに対して実行されたアクション (サブスクリプション キーの再生成など) によって作成されたアクティビティ ログのエントリや、1 時間に 10 を超えるエラー数などのメトリックしきい値によって作成されたアクティビティ ログのエントリなど、イベントを通知するアラートを作成します", - "waf": "オペレーショナルエクセレンス" + "text": "Microsoft Entra ID アクセス (およびユーザー委任 SAS) のみがサポートされるように、ストレージ アカウント キーを無効にすることを検討してください。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": 
"Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "アクティビティ ログ データを使用して、ストレージ アカウントのセキュリティが (ストレージ アカウント キー、アクセス ポリシーなど) 表示または変更されているのは「いつ」、「誰が」、「何を」、「どのように」特定します。", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "severity": "高い", - "text": "トークンの使用状況を監視して、容量によるサービスの中断を防ぎます", - "waf": "オペレーショナルエクセレンス" + "text": "Azure Monitor を使用して、ストレージ アカウントでのコントロール プレーン操作を監査することを検討してください", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "キーの有効期限ポリシーを使用すると、アカウント アクセス キーのローテーションのリマインダーを設定できます。リマインダーは、指定した間隔が経過し、キーがまだローテーションされていない場合に表示されます。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "中程度", - "text": "処理された推論トークン、生成された完了トークンなどのメトリックを観察し、レート制限を監視します", - "waf": "オペレーショナルエクセレンス" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", - "severity": "低い", - "text": "診断が十分でない場合は、Azure OpenAI の前で Azure API Management などのゲートウェイを使用して、受信プロンプトと送信応答の両方をログに記録することを検討してください (許可されている場合)", - "waf": "オペレーショナルエクセレンス" + "text": "ストレージ アカウント キーを使用する場合は、\"キーの有効期限ポリシー\" 
を有効にすることを検討してください", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", - "severity": "高い", - "text": "コードとしてのインフラストラクチャを使用して、Azure OpenAI Service、モデル デプロイ、およびすべての関連リソースをデプロイします", - "waf": "オペレーショナルエクセレンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SAS 有効期限ポリシーは、SAS が有効である推奨間隔を指定します。SAS 有効期限ポリシーは、サービス SAS またはアカウント SAS に適用されます。ユーザーが、推奨間隔よりも長い有効期間でサービス SAS またはアカウント SAS を生成すると、警告が表示されます。", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", + "severity": "中程度", + "text": "SAS 有効期限ポリシーの構成を検討する", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "高い", - "text": "API キーの代わりにマネージド ID で Microsoft Entra 認証を使用する", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "保存されているアクセス ポリシーでは、ストレージ アカウント キーを再生成しなくても、サービス SAS のアクセス許可を取り消すことができます。", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "severity": "中程度", + "text": "SASを保存されたアクセスポリシーにリンクすることを検討する", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": 
"Azure OpenAI", - "severity": "高い", - "text": "入力と正しい答えを持つ既知のゴールデンデータセットを使用して、システムのパフォーマンス/精度を評価します。PromptFlowの機能を評価に活用します。", - "waf": "オペレーショナルエクセレンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", + "severity": "中程度", + "text": "チェックインされた接続文字列とストレージ アカウント キーを検出するように、アプリケーションのソース コード リポジトリを構成することを検討してください。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "理想的には、アプリケーションでマネージド ID を使用して Azure Storage に対する認証を行う必要があります。それが不可能な場合は、ストレージ資格情報 (接続文字列、ストレージ アカウント キー、SAS、サービス プリンシパル資格情報) を Azure KeyVault または同等のサービスに持つことを検討してください。", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "高い", - "text": "プロビジョニング済みスループットモデルの使用状況の評価", - "waf": "パフォーマンス" + "text": "Azure KeyVault に接続文字列を格納することを検討してください (マネージド ID が不可能なシナリオの場合)", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "アドホック SAS サービス SAS またはアカウント SAS 
で短期的な有効期限を使用します。このように、SASが侵害された場合でも、SASは短時間しか有効ではありません。この方法は、保存されたアクセス ポリシーを参照できない場合に特に重要です。有効期限が近いと、BLOB にアップロードできる時間を制限することで、BLOB に書き込むことができるデータの量も制限されます。", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "高い", - "text": "Azure AI コンテンツの安全性を確認して実装する", - "waf": "オペレーショナルエクセレンス" + "text": "アドホックSASの有効期間を短くするよう努める", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", - "severity": "高い", - "text": "トークンと1分あたりのレスポンスに基づいてシステムのスループットを定義および評価し、要件に合わせます", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SASを作成するときは、できるだけ具体的で制限的にしてください。1 つのリソースと操作には、より広範なアクセスを提供する SAS よりも SAS を優先します。", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "中程度", + "text": "SAS に狭いスコープを適用する", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SAS には、SAS を使用してリソースを要求する権限を与えられたクライアントの IP アドレスまたはアドレス範囲のパラメーターを含めることができます。", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "中程度", - 
"text": "トークンサイズ、ストリーミングオプションを制限することにより、システムのレイテンシーを改善します", - "waf": "パフォーマンス" + "text": "可能な限り、SAS のスコープを特定のクライアント IP アドレスに設定することを検討してください", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "弾力性の要求を見積もり、優先順位に基づいて同期要求とバッチ要求の分離を決定します。優先度が高い場合は同期アプローチを使用し、優先度が低い場合はキューを使用した非同期バッチ処理が推奨されます", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SAS は、クライアントがアップロードするデータの量を制限することはできません。時間の経過に伴うストレージ量の価格設定モデルを考えると、クライアントが悪意を持って大きなコンテンツをアップロードしたかどうかを検証することは理にかなっているかもしれません。", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "低い", + "text": "クライアントが SAS を使用してファイルをアップロードした後、アップロードされたデータを確認することを検討してください。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "「ローカル ユーザー アカウント」を使用して SFTP 経由で BLOB ストレージにアクセスする場合、「通常の」RBAC コントロールは適用されません。NFS または REST 経由の BLOB アクセスは、SFTP アクセスよりも制限が厳しい場合があります。残念ながら、2023 年初頭の時点で、SFTP エンドポイントで現在サポートされている ID 管理の形式は、ローカル ユーザーのみです", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "severity": "高い", - "text": "消費者からの推定需要に基づくトークン消費要件のベンチマーク。プロビジョニングされたスループット ユニットのデプロイを使用している場合は、Azure OpenAI ベンチマーク ツールを使用してスループットを検証することを検討してください", - "waf": "パフォーマンス" + "text": "SFTP: SFTP アクセスの「ローカル 
ユーザー」の数を制限し、アクセスが必要かどうかを経時的に監査します。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "中程度", - "text": "プロビジョニングされたスループットユニット (PTU) を使用している場合は、オーバーフローリクエストに対して Token-Per Minute (TPM) デプロイメントをデプロイすることを検討してください。ゲートウェイを使用して、PTU の制限に達したときに要求を TPM デプロイにルーティングします。", - "waf": "パフォーマンス" + "text": "SFTP: SFTP エンドポイントは POSIX のような ACL をサポートしていません。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "ストレージは、CORS(Cross-Origin Resource Sharing)、つまり、異なるドメインのWebアプリが同一生成元ポリシーを緩和できるようにするHTTP機能をサポートしています。CORS を有効にするときは、CorsRules を最小限の特権に保ちます。", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "高い", - "text": "適切なタスクに適したモデルを選択してください。速度、応答の品質、出力の複雑さの間で適切なトレードオフを持つモデルを選択する", - "waf": "パフォーマンス" + "text": "過度に広範なCORSポリシーを避ける", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "微調整によってモデルのパフォーマンスが向上したかどうかを知るための微調整を行わずに、パフォーマンスのベースラインを設定する", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "保存データは常にサーバー側で暗号化され、さらにクライアント側でも暗号化される場合があります。サーバー側の暗号化は、プラットフォーム管理キー (デフォルト) またはカスタマー管理キーを使用して行われる場合があります。クライアント側の暗号化は、クライアントが BLOB ごとに暗号化/暗号化解除キーを Azure ストレージに提供するか、クライアント側で暗号化を完全に処理することによって行われます。したがって、機密性の保証については Azure Storage にまったく依存しません。", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "severity": "高い", + "text": "保存データの暗号化方法を決定します。データのスレッドモデルを理解する。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "低い", - "text": "複数のOAIインスタンスを複数のリージョンにデプロイする", - "waf": "確実" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", + "severity": "中程度", + "text": "プラットフォームの暗号化を使用するかどうかを決定します。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure 
OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", + "severity": "中程度", + "text": "クライアント側の暗号化を使用するかどうかを決定します。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Resource Graph エクスプローラー (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) を利用して、匿名 BLOB アクセスを許可するストレージ アカウントを見つけます。", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "severity": "高い", - "text": "APIM のようなゲートウェイ パターンを使用した再試行とヘルスチェックの実装", + "text": "パブリック BLOB の匿名アクセスが必要かどうか、または特定のストレージ アカウントに対して無効にできるかどうかを検討します。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", + "severity": "高い", + "text": "storagev2 アカウントタイプを活用して、パフォーマンスと信頼性を向上させます", "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": 
"Azure Storage Review Checklist", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", + "severity": "高い", + "text": "GRS、ZRS、またはGZRSストレージを活用して、最高の可用性を実現", + "waf": "確実" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", "severity": "中程度", - "text": "ワークロードに対してTPMとRPMの適切なクォータがあることを確認します", + "text": "フェールオーバー後の書き込み操作には、顧客管理のフェールオーバーを使用します", "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", "severity": "中程度", - "text": "HAIツールキットガイダンスの考慮事項を確認し、それらの相互作用の実践をslutionに適用します", - "waf": "オペレーショナルエクセレンス" + "text": "Microsoft マネージド フェールオーバーの詳細を理解する", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + 
"service": "Azure Storage", "severity": "中程度", - "text": "ファインチューニングが採用されている場合は、リージョン間で個別の微調整モデルをデプロイします", + "text": "ソフト削除を有効にする", "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "中程度", - "text": "重要なデータを定期的にバックアップおよびレプリケートして、データの損失やシステム障害が発生した場合のデータの可用性と回復性を確保します。Azure のバックアップおよびディザスター リカバリー サービスを活用して、データを保護します。", + "text": "Azure Bot Service の信頼性サポートの推奨事項に従う", "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", - "severity": "高い", - "text": "Azure AI Search サービス レベルは、SLA を持つために選択する必要があります", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", + "severity": "中程度", + "text": "ローカル データ所在地とリージョン コンプライアンスを備えたボットのデプロイ", "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", - "severity": "低い", - "text": "データと機密性を分類し、埋め込みを生成する前に Microsoft Purview でラベル付けし、生成された埋め込みを同じ感度と分類で処理するようにしてください", - "waf": "安全" + "arm-service": "Microsoft.BotService/botServices", + 
"checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "severity": "中程度", + "text": "Azure Bot Service は、グローバル サービスとリージョン サービスの両方に対してアクティブ/アクティブ モードで実行されます。停止が発生した場合、エラーを検出したり、サービスを管理したりする必要はありません。Azure Bot Service は、複数リージョンの地理的アーキテクチャで自動フェールオーバーと自動復旧を自動的に実行します。EU ボット リージョン サービスの場合、Azure Bot Service は、冗長性を確保するために、アクティブ/アクティブ レプリケーションを備えたヨーロッパ内の 2 つの完全なリージョンを提供します。グローバル ボット サービスの場合、使用可能なすべてのリージョン/地域をグローバル フットプリントとして提供できます。", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", - "severity": "高い", - "text": "SSE/ディスク暗号化(オプションのBYOKを使用)を使用してRAGに使用されるデータを暗号化", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus Premium は、保存データの暗号化を提供します。独自のキーを使用する場合、データは引き続き Microsoft マネージド キーを使用して暗号化されますが、さらに Microsoft マネージド キーはカスタマー マネージド キーを使用して暗号化されます。", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", + "severity": "低い", + "text": "必要に応じて、保存データの暗号化でカスタマー マネージド キー オプションを使用する", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", - "severity": "高い", - "text": "データソース間で転送されるデータ、Retrieval-Augmented 
Generation(RAG)およびLLM通信に使用されるAI検索にTLSが適用されていることを確認します", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "クライアント アプリケーションと Azure Service Bus 名前空間間の通信は、トランスポート層セキュリティ (TLS) を使用して暗号化されます。Azure Service Bus 名前空間を使用すると、クライアントは TLS 1.0 以上でデータを送受信できます。より厳格なセキュリティ対策を適用するために、クライアントが新しいバージョンの TLS を使用してデータを送受信することを要求するように Service Bus 名前空間を構成できます。", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", + "severity": "中程度", + "text": "要求に対して最低限必要なバージョンの Transport Layer Security (TLS) を適用する", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "高い", - "text": "RBAC を使用して、Azure OpenAI サービスへのアクセスを管理します。ユーザーに適切な権限を割り当て、ユーザーの役割と責任に基づいてアクセスを制限します", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Service Bus 名前空間を作成すると、名前空間に対して RootManageSharedAccessKey という名前の SAS ルールが自動的に作成されます。このポリシーには、名前空間全体に対する Manage アクセス許可があります。このルールは管理ルート アカウントのように扱い、アプリケーションで使用しないことをお勧めします。 RBAC を使用した認証プロバイダーとして AAD を使用することをお勧めします。", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", + "severity": "中程度", + "text": "必要のないときに root アカウントを使用することは避けてください", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI 
Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure App Service アプリケーション内、または Azure リソースのサポートに対して有効なマネージド エンティティを持つ仮想マシンで実行されている Service Bus クライアント アプリは、SAS のルールとキー、またはその他のアクセス トークンを処理する必要はありません。クライアント アプリに必要なのは、Service Bus メッセージング名前空間のエンドポイント アドレスのみです。", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", + "service": "Service Bus", "severity": "中程度", - "text": "データの暗号化、マスキング、または編集技術を実装して、機密データを非表示にしたり、非本番環境で難読化された値に置き換えたり、テストやトラブルシューティングの目的でデータを共有する場合", + "text": "可能な場合は、アプリケーションでマネージド ID を使用して Azure Service Bus に対する認証を行う必要があります。そうでない場合は、ストレージ資格情報 (SAS、サービス プリンシパル資格情報) を Azure Key Vault または同等のサービスに持つことを検討してください", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus のアクセス許可は、キュー、トピック、サブスクリプションなどの個々のリソース レベルにスコープを設定でき、またそうする必要があります。", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", "severity": "高い", - "text": "Azure Defender を利用して、セキュリティの脅威を検出して対応し、監視とアラートのメカニズムを設定して、疑わしいアクティビティや侵害を特定します。Azure Sentinel を活用して高度な脅威の検出と対応を実現", + "text": "最小特権データ プレーン RBAC を使用する", + "training": 
"https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus リソース ログには、操作ログ、仮想ネットワーク、IP フィルタリング ログが含まれます。ランタイム監査ログは、Service Bus でのさまざまなデータ プレーン アクセス操作 (メッセージの送受信など) の集計された診断情報をキャプチャします。", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", "severity": "中程度", - "text": "コンプライアンス規制を遵守するためのデータ保持および廃棄ポリシーを確立します。不要になったデータに対して安全な削除方法を実装し、データの保持と廃棄活動の監査証跡を維持します", + "text": "セキュリティ調査のログ記録を有効にします。Azure Monitor を使用してリソース ログとランタイム監査ログをトレースする (現在は Premium レベルでのみ使用できます)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", - "severity": "高い", - "text": "Content Safety を使用した Prompt シールドと接地検出の実装", - "waf": "オペレーショナルエクセレンス" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", - "severity": "高い", - "text": "GDPRやHIPAAなどの関連するデータ保護規制への準拠を確保するには、プライバシー制御を実装し、データ処理活動に必要な同意または許可を取得します。", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review 
Checklist", + "description": "Azure Service Bus は、既定ではパブリック IP アドレスを持ち、インターネットからアクセスできます。プライベート エンドポイントを使用すると、仮想ネットワークと Azure Service Bus の間のトラフィックは、Microsoft のバックボーン ネットワークを経由します。それに加えて、パブリックエンドポイントが使用されていない場合は無効にする必要があります。", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", + "severity": "中程度", + "text": "プライベート エンドポイントを使用して Azure Service Bus にアクセスし、該当する場合はパブリック ネットワーク アクセスを無効にすることを検討してください。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "IP ファイアウォールを使用すると、パブリック エンドポイントを IPv4 アドレスのセットのみ、または CIDR (Classless Inter-Domain Routing) 表記の IPv4 アドレス範囲のみにさらに制限できます。", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", "severity": "中程度", - "text": "データセキュリティのベストプラクティス、データの安全な取り扱いの重要性、データ侵害に関連する潜在的なリスクについて、従業員を教育します。データセキュリティプロトコルに熱心に従うように促します。", + "text": "特定の IP アドレスまたは範囲からのみ Azure Service Bus 名前空間へのアクセスを許可することを検討してください", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", - "severity": "高い", - "text": "運用データを開発データやテストデータから分離します。本番環境では実際の機密データのみを使用し、開発環境やテスト環境では匿名化されたデータや合成データを利用します。", - "waf": "安全" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - 
"service": "Azure OpenAI", - "severity": "中程度", - "text": "データの機密性のレベルが異なる場合は、レベルごとに個別のインデックスを作成することを検討してください。たとえば、一般的なデータ用に 1 つのインデックスを作成し、機密データ用に別のインデックスを作成し、それぞれ異なるアクセス プロトコルで管理することができます", - "waf": "安全" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + "severity": "低い", + "text": "ベスト プラクティスについては、「ベースラインの高可用性ゾーン冗長 Web アプリケーション アーキテクチャ」を参照してください", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "中程度", - "text": "分離をさらに一歩進めて、機密性の高いデータセットをサービスの異なるインスタンスに配置します。各インスタンスは、独自のRBACポリシーのセットで制御できます", - "waf": "安全" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", - "severity": "高い", - "text": "機密情報から生成された埋め込みとベクトルは、それ自体が機密性が高いことを認識します。このデータには、ソースマテリアルと同じ保護対策を提供する必要があります", - "waf": "安全" + "text": "Premium レベルと Standard レベルを使用します。これらの層では、ステージング スロットと自動バックアップがサポートされています。", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", 
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", "severity": "高い", - "text": "埋め込みとベクトルを持つデータストアに RBAC を適用し、ロールのアクセス要件に基づいてアクセスのスコープを設定します", - "waf": "安全" + "text": "リージョンで適用可能な場合は Availability Zones を活用します (Premium v2 または v3 レベルが必要)", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", - "severity": "高い", - "text": "AI サービスのプライベート エンドポイントを構成して、ネットワーク内のサービス アクセスを制限します", - "waf": "安全" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "中程度", + "text": "ヘルスチェックの実装", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "severity": "高い", - "text": "Azure Firewall と UDR を使用して受信と送信のトラフィック制御を厳密に適用し、外部統合ポイントを制限します", - "waf": "安全" + "text": "「Azure App Service のバックアップと復元のベスト プラクティス」を参照してください", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": 
"https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "severity": "高い", - "text": "ネットワークのセグメンテーションとアクセス制御を実装して、LLMアプリケーションへのアクセスを許可されたユーザーとシステムのみに制限し、横方向の移動を防ぎます", - "waf": "安全" + "text": "Azure App Service の信頼性に関するベスト プラクティスを実装する", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "LLMLingua や gprtrim などのプロンプト圧縮ツールを使用します", - "waf": "コストの最適化" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "低い", + "text": "災害時に App Service アプリを別のリージョンに移動する方法を理解する", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", "severity": "高い", - "text": "LLM アプリケーションで使用される API とエンドポイントが、マネージド ID、API キー、OAuth などの認証および承認メカニズムで適切に保護され、不正アクセスを防止します。", - "waf": "安全" + "text": "Azure App Service の信頼性サポートについて理解する", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": 
"https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "severity": "中程度", - "text": "多要素認証などの強力なエンドユーザー認証メカニズムを適用して、LLMアプリケーションおよび関連するネットワークリソースへの不正アクセスを防止します", - "waf": "安全" + "text": "App Service プランで実行されている Function Apps に対して \"Always On\" が有効になっていることを確認する", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "中程度", - "text": "ネットワーク監視ツールを実装して、疑わしいアクティビティや悪意のあるアクティビティのネットワークトラフィックを検出および分析します。ロギングを有効にしてネットワークイベントをキャプチャし、セキュリティインシデントが発生した場合のフォレンジック分析を容易にします", - "waf": "安全" + "text": "正常性チェックを使用した App Service インスタンスの監視", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", "severity": "中程度", - "text": "セキュリティ監査と侵入テストを実施して、LLMアプリケーションのネットワークインフラストラクチャのネットワークセキュリティの弱点または脆弱性を特定して対処します", - "waf": "安全" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", - "severity": "低い", - "text": "Azure AI Services は、管理を改善するために適切にタグ付けされています", - "waf": "オペレーショナルエクセレンス" + "text": "Application Insights の可用性テストを使用して Web アプリまたは Web サイトの可用性と応答性を監視する", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", "severity": "低い", - "text": "Azure AI Service アカウントは、組織の名前付け規則に従います", - "waf": "オペレーショナルエクセレンス" + "text": "Application Insights Standard テストを使用して、Web アプリまたは Web サイトの可用性と応答性を監視する", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Key Vault を使用して、アプリケーションに必要なシークレットを格納します。 Key Vault は、シークレットを格納するための安全で監査された環境を提供し、Key Vault SDK または App Service Key Vault リファレンスを通じて App Service と適切に統合されています。", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "高い", - "text": "Azure AI サービス リソースの診断ログを有効にする必要がある", - "waf": "オペレーショナルエクセレンス" + "text": "Key Vault を使用してシークレットを格納する", + "waf": "安全" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "マネージド ID を使用して、Key Vault SDK または App Service Key Vault 参照を使用して Key Vault に接続します。", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "高い", - "text": "セキュリティのため、キーアクセス(ローカル認証)を無効にすることをお勧めします。 キーベースのアクセスを無効にすると、Microsoft Entra IDが唯一のアクセス方法になり、最小限の特権原則ときめ細かな制御を維持できます。", + "text": "マネージド ID を使用して Key Vault に接続する", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service TLS 証明書を Key Vault に格納します。", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "severity": "高い", - "text": "Azure Key Vault を使用して、キーを安全に保存および管理します。LLM アプリケーションのコード内で機密性の高いキーをハードコーディングしたり埋め込んだりすることを避け、マネージド ID を使用して Azure Key Vault から安全に取得します", + "text": "Key Vault を使用して TLS 証明書を格納します。", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "高い", - "text": "Azure Key Vault に格納されているキーを定期的にローテーションして期限切れにすることで、不正アクセスのリスクを最小限に抑えます。", + "arm-service": "microsoft.web/sites", + "checklist": 
"Azure App Service Review", + "description": "機密情報を処理するシステムは分離する必要があります。 そのためには、個別の App Service プランまたは App Service Environment を使用し、異なるサブスクリプションまたは管理グループの使用を検討してください。", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "中程度", + "text": "機密情報を処理するシステムを分離する", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", - "severity": "高い", - "text": "tiktokenを使用して、会話モードでのトークン最適化のためのトークンサイズを理解します", - "waf": "コストの最適化" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service のローカル ディスクは暗号化されていないため、機密データを格納しないでください。 (例: D:\\\\Local and %TMP%)。", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", + "severity": "中程度", + "text": "機密データをローカルディスクに保存しない", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "Azure OpenAI", - "severity": "高い", - "text": "安全なコーディング手法に従って、インジェクション攻撃、クロスサイトスクリプティング(XSS)、セキュリティ設定の誤りなどの一般的な脆弱性を防止します", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "認証された Web アプリケーションの場合は、Azure AD や Azure AD B2C などの確立された ID プロバイダーを使用します。 選択したアプリケーション フレームワークを利用して、このプロバイダーと統合するか、App Service の認証/承認機能を使用します。", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", + "severity": "中程度", + "text": "認証に確立された ID 
プロバイダーを使用する", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "適切に管理され、セキュリティで保護された DevOps デプロイ パイプラインなど、制御された信頼できる環境から App Service にコードをデプロイします。これにより、バージョン管理されておらず、悪意のあるホストからデプロイされることが確認されていないコードが回避されます。", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "severity": "高い", - "text": "LLM ライブラリとその他のシステム コンポーネントを定期的に更新し、パッチを適用するプロセスを設定します", + "text": "信頼できる環境からのデプロイ", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "FTP/FTPS と WebDeploy/SCM の両方の基本認証を無効にします。 これにより、これらのサービスへのアクセスが無効になり、デプロイに Azure AD で保護されたエンドポイントの使用が強制されます。 SCM サイトは、Azure AD 資格情報を使用して開くこともできます。", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "severity": "高い", - "text": "Azure OpenAI またはその他の LLM の利用規約、ポリシー、ガイダンス、および許可されたユース ケースを順守する", - "waf": "オペレーショナルエクセレンス" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - 
"service": "Azure OpenAI", - "severity": "中程度", - "text": "基本モデルと微調整されたモデルおよびトークンのステップサイズのコストの違いを理解する", - "waf": "コストの最適化" + "text": "基本認証の無効化", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "可能な場合は、マネージド ID を使用して Azure AD のセキュリティで保護されたリソースに接続します。 これが不可能な場合は、Key Vault にシークレットを格納し、代わりにマネージド ID を使用して Key Vault に接続します。", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "severity": "高い", - "text": "可能であれば、呼び出しごとのオーバーヘッドを最小限に抑え、全体的なコストを削減できるバッチ要求。バッチサイズを確実に最適化する", - "waf": "コストの最適化" + "text": "マネージド ID を使用してリソースに接続する", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "モデルの使用状況を監視するコスト追跡システムを設定し、その情報を使用してモデルの選択とプロンプトのサイズを通知します", - "waf": "コストの最適化" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Container Registry に格納されているイメージを使用する場合は、マネージド ID を使用してこれらをプルします。", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", + "severity": "高い", + "text": "マネージド ID を使用してコンテナーをプルするPull containers using a Managed Identity", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - 
"guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service の診断設定を構成することで、ログ記録と監視の中央の宛先として、すべてのテレメトリを Log Analytics に送信できます。これにより、HTTP ログ、アプリケーション ログ、プラットフォーム ログなどの App Service のランタイム アクティビティを監視できます。", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "severity": "中程度", - "text": "モデル応答あたりのトークン数に上限を設定します。サイズを最適化して、有効な応答に十分な大きさになるようにします", - "waf": "コストの最適化" + "text": "App Service ランタイム ログを Log Analytics に送信する", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "ログ記録と監視の中央の宛先としてアクティビティ ログを Log Analytics に送信するための診断設定を設定します。これにより、App Service リソース自体のコントロール プレーンのアクティビティを監視できます。", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "severity": "中程度", - "text": "信頼性のための AI 検索の設定に関するガイダンスを確認します", - "waf": "オペレーショナルエクセレンス" + "text": "App Service アクティビティ ログを Log Analytics に送信する", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "リージョンの VNet 統合、ネットワーク セキュリティ 
グループ、および UDR の組み合わせを使用して、送信ネットワーク アクセスを制御します。 トラフィックは、Azure Firewall などの NVA にルーティングする必要があります。 ファイアウォールのログを必ず監視してください。", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "severity": "中程度", - "text": "AI Search Vector ストレージの計画と管理", - "waf": "オペレーショナルエクセレンス" + "text": "送信ネットワーク アクセスを制御する必要がある", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "LLMOpsプラクティスを適用して、GenAIアプリケーションのライフサイクル管理を自動化します", - "waf": "オペレーショナルエクセレンス" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "VNet 統合を使用し、VNet NAT ゲートウェイまたは Azure Firewall などの NVA を使用することで、安定した送信 IP を提供できます。 これにより、受信側は必要に応じて IP に基づいて許可リストに登録できます。 多くの場合、Azure サービスへの通信では、IP アドレスに依存する必要はなく、代わりにサービス エンドポイントなどのメカニズムを使用する必要があります。 (また、受信側でプライベート エンドポイントを使用すると、SNAT の発生が回避され、安定した送信 IP 範囲が提供されます)。", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "低い", + "text": "インターネットアドレスへの送信通信のIPを安定させる", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service のアクセス制限、サービス エンドポイント、またはプライベート エンドポイントの組み合わせを使用して、受信ネットワーク アクセスを制御します。Web アプリ自体と 
SCM サイトに対して異なるアクセス制限を要求し、構成できます。", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "高い", - "text": "請求モデルの使用状況の評価 - PAYG と PTU の比較", - "waf": "コストの最適化" + "text": "受信ネットワーク アクセスを制御する必要がある", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "モデルバージョンを切り替える際のプロンプトとアプリケーションの品質を評価する", - "waf": "オペレーショナルエクセレンス" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Application Gateway や Azure Front Door などの Web アプリケーション ファイアウォールを使用して、悪意のある受信トラフィックから保護します。 WAFのログを必ず監視してください。", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", + "severity": "高い", + "text": "App Service の前で WAF を使用するUse a WAF in Front of App Service", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "GenAIアプリを評価、監視、改良して、接地性、関連性、精度、一貫性、流暢さなどの機能を確認します。", - "waf": "オペレーショナルエクセレンス" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "WAFのみへのアクセスをロックダウンすることで、WAFをバイパスできないようにします。 アクセス制限、サービス・エンドポイントおよびプライベート・エンドポイントを組み合わせて使用します。", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": 
"https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "高い", + "text": "WAFをバイパスすることは避けてください", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service の構成で最小 TLS ポリシーを 1.2 に設定します。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "中程度", - "text": "さまざまな検索パラメーターに基づいて Azure AI Search の結果を評価する", - "waf": "オペレーショナルエクセレンス" + "text": "最小 TLS ポリシーを 1.2 に設定します。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "精度を向上させる方法としてモデルの微調整を検討するのは、データを使用してプロンプトエンジニアリングやRAGなどの他の基本的なアプローチを試した場合のみです", - "waf": "オペレーショナルエクセレンス" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "HTTPS のみを使用するように App Service を構成します。 これにより、App Service は HTTP から HTTPS にリダイレクトされます。 HTTP Strict Transport Security (HSTS) をコード内または WAF から使用して、サイトに HTTPS を使用してのみアクセスする必要があることをブラウザーに通知することを強く検討してください。", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": 
"https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", + "severity": "高い", + "text": "HTTPS のみを使用", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "プロンプトエンジニアリング手法を使用して、LLM応答の精度を向上させる", - "waf": "オペレーショナルエクセレンス" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "CORS 構成では、すべての配信元がサービスにアクセスできるため、ワイルドカードを使用しないでください (これにより、CORS の目的が損なわれます)。具体的には、サービスにアクセスできると予想される配信元のみを許可します。", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", + "severity": "高い", + "text": "ワイルドカードは CORS に使用しないでください", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "リモート デバッグは、サービスに追加のポートが開き、攻撃対象領域が増加するため、運用環境でオンにしないでください。このサービスは、48 時間後に自動的にリモート デバッグをオフにすることに注意してください。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "高い", + "text": "リモートデバッグをオフにする", + "waf": "安全" + }, + { + "arm-service": "microsoft.web/sites", + 
"checklist": "Azure App Service Review", + "description": "Defender for App Service を有効にします。 これは(他の脅威の中でも)既知の悪意のあるIPアドレスへの通信を検出します。 操作の一環として、Defender for App Service からの推奨事項を確認します。", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "中程度", - "text": "GenAIアプリケーションをレッドチーム化", + "text": "Defender for Cloud を有効にする - Defender for App Service", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure は、ネットワーク上で DDoS Basic 保護を提供しており、通常のトラフィック パターンを学習し、異常な動作を検出できるインテリジェントな DDoS Standard 機能によって改善できます。DDoS Standard は仮想ネットワークに適用されるため、Application Gateway や NVA など、アプリの前にあるネットワーク リソース用に構成する必要があります。", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "severity": "中程度", - "text": "エンドユーザーにLLM応答のスコアリングオプションを提供し、これらのスコアを追跡します。", - "waf": "オペレーショナルエクセレンス" + "text": "WAF VNet で DDoS Protection Standard を有効にするEnable DDOS Protection Standard on the WAF VNet", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "severity": "高い", - "text": "クォータ管理の実践を検討する", - "waf": "コストの最適化" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Container Registry に格納されているイメージを使用する場合は、プライベート 
エンドポイントとアプリ設定 \"WEBSITE_PULL_IMAGE_OVER_VNET\" を使用して、Azure Container Registry から仮想ネットワーク経由でイメージをプルします。", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", + "severity": "中程度", + "text": "Virtual Network 経由でコンテナーをプルする", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "ペネトレーションテストのルールに従って、Webアプリケーションでペネトレーションテストを実施します。", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "severity": "中程度", - "text": "APIM ベースのゲートウェイなどのロード バランサー ソリューションを使用して、サービスやリージョン間で負荷と容量を分散します", - "waf": "オペレーショナルエクセレンス" + "text": "ペネトレーションテストの実施", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "低い", - "text": "AKS Windows ワークロードで必要な場合は、HostProcess コンテナーを使用できます", - "waf": "確実" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "DevSecOps プラクティスに従って脆弱性が検証およびスキャンされた信頼できるコードをデプロイします。", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", + "severity": "中程度", + "text": "検証済みコードのデプロイ", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "severity": "低い", - "text": "イベント ドリブン ワークロードを実行する場合は KEDA を使用します", - "waf": "パフォーマンス" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "サポートされているプラットフォーム、プログラミング言語、プロトコル、およびフレームワークの最新バージョンを使用します。", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "高い", + "text": "最新のプラットフォーム、言語、プロトコル、フレームワークを使用", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "低い", - "text": "Dapr を使用してマイクロサービス開発を容易にする", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", + "severity": "中程度", + "text": "Azure Center for SAP solutions (ACSS) は、SAP を Azure 上の最上位のワークロードにする Azure オファリングです。ACSS は、Azure 上の統合ワークロードとして SAP システムを作成および実行し、イノベーションのためのよりシームレスな基盤を提供するエンドツーエンドのソリューションです。新しい Azure ベースの SAP システムと既存の SAP システムの両方の管理機能を利用できます。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", - "severity": "高い", - "text": "SLA でサポートされる AKS オファリングを使用する", + "checklist": "SAP Checklist", + "guid": 
"5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", + "severity": "中程度", + "text": "Azure では、Linux と Windows での SAP デプロイの自動化がサポートされています。SAP Deployment Automation Framework は、SAP 環境をデプロイ、インストール、保守できるオープンソースのオーケストレーションツールです。", + "training": "https://github.com/Azure/sap-automation", + "waf": "オペレーションズ" + }, + { + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", + "severity": "中程度", + "text": "運用データベースのポイントインタイムリカバリを、RTOを満たす任意の時点と時間枠で実行します。ポイントインタイムリカバリには、通常、DBMSレイヤーまたはSAPを介してデータを削除するオペレーターのエラーが含まれます", "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "低い", - "text": "ポッドとデプロイ定義でのディスラプション バジェットの使用", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", + "severity": "中程度", + "text": "バックアップ時間とリカバリ時間をテストして、災害後にすべてのシステムを同時にリストアするための RTO 要件を満たしていることを確認します。", "waf": "確実" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "severity": "高い", - "text": "プライベート レジストリを使用する場合は、複数のリージョンにイメージを格納するようにリージョン レプリケーションを構成します", + "text": "ペアになっているリージョン間で標準ストレージをレプリケートすることはできますが、データベースや仮想ハード 
ディスクの保存に標準ストレージを使用することはできません。バックアップをレプリケートできるのは、使用するペアのリージョン間でのみです。他のすべてのデータについては、SQL Server Always On や SAP HANA システム レプリケーションなどのネイティブ DBMS 機能を使用してレプリケーションを実行します。SAP アプリケーション層には、Site Recovery、rsync または robocopy、およびその他のサードパーティ ソフトウェアを組み合わせて使用します。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", - "severity": "低い", - "text": "kubecost などの外部アプリケーションを使用して、さまざまなユーザーにコストを割り当てます", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "中程度", + "text": "Azure Availability Zones を使用して高可用性を実現する場合は、SAP アプリケーション サーバーとデータベース サーバー間の待機時間を考慮する必要があります。レイテンシーの高いゾーンでは、SAP アプリケーション・サーバーとデータベース・サーバーが常に同じゾーンで実行されていることを確認するための運用手順を整備する必要があります。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": 
"ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", + "severity": "高い", + "text": "オンプレミスからプライマリおよびセカンダリの Azure ディザスター リカバリー リージョンへの ExpressRoute 接続を設定します。また、ExpressRoute を使用する代わりに、オンプレミスからプライマリおよびセカンダリの Azure ディザスター リカバリー リージョンへの VPN 接続を設定することを検討してください。", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "確実" + }, + { + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "severity": "低い", - "text": "スケールダウンモードを使用してノードを削除/割り当て解除する", - "waf": "費用" + "text": "証明書、シークレット、キーなどのキー コンテナーの内容をリージョン間でレプリケートして、DR リージョンのデータを復号化できるようにします。", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "中程度", - "text": "必要に応じて、AKS クラスターで複数インスタンスの分割 GPU を使用する", - "waf": "費用" + "text": "プライマリ仮想ネットワークとディザスター リカバリー仮想ネットワークをピアリングします。たとえば、HANA システム レプリケーションの場合、SAP HANA DB 仮想ネットワークをディザスター リカバリー サイトの SAP HANA DB 仮想ネットワークにピアリングする必要があります。", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": 
"https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", "severity": "低い", - "text": "Dev/Test クラスターを実行している場合は、NodePool Start/Stop を使用します。", - "waf": "費用" + "text": "SAP デプロイに Azure NetApp Files ストレージを使用する場合は、少なくとも Premium レベルの 2 つのリージョンに 2 つの Azure NetApp Files アカウントを作成します。", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", - "severity": "中程度", - "text": "Azure Policy for Kubernetes を使用してクラスターのコンプライアンスを確保する", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "高い", + "text": "ネイティブ・データベース・レプリケーション・テクノロジーを使用して、HAペアのデータベースを同期する必要があります。", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - 
"service": "AKS", - "severity": "中程度", - "text": "ユーザー/システムノードプールを使用してコントロールプレーンからアプリケーションを分離する", - "waf": "安全" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "低い", - "text": "システム ノードプールにテイントを追加して専用にする", - "waf": "安全" + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "高い", + "text": "プライマリ仮想ネットワーク (VNet) の CIDR は、DR サイトの VNet の CIDR と競合したり、重複したりしないようにする必要があります", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", - "severity": "中程度", - "text": "イメージにはプライベート レジストリ (ACR など) を使用する", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "高い", + "text": "Site Recovery を使用して、アプリケーション サーバーを DR サイトにレプリケートします。Site Recovery は、セントラル サービス クラスター VM を DR サイトにレプリケートするのにも役立ちます。DR を呼び出すときは、DR サイトで Linux Pacemaker クラスターを再構成する必要があります (たとえば、VIP または SBD 
の置き換え、corosync.conf の実行など)。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "確実" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", - "severity": "中程度", - "text": "イメージをスキャンして脆弱性を検出する", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "高い", + "text": "単一障害点に対する SAP ソフトウェアの可用性を検討します。これには、SAP NetWeaver や SAP S/4HANA アーキテクチャ、SAP ABAP や ASCS + SCS で使用される DBMS などのアプリケーション内の単一障害点が含まれます。また、SAP Web Dispatcher などの他のツールも含みます。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", "severity": "高い", - "text": "アプリの分離要件を定義する (名前空間/ノードプール/クラスター)", - "waf": "安全" + "text": "SAP および SAP データベースの場合は、自動フェールオーバー クラスターの実装を検討してください。Windows では、Windows Server フェールオーバー クラスタリングはフェールオーバーをサポートします。Linux では、Linux Pacemaker や SIOS Protection Suite や Veritas InfoScale などのサードパーティツールがフェイルオーバーをサポートしています。", + "training": 
"https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
- "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
- "service": "AKS",
- "severity": "中程度",
- "text": "CSI シークレット ストア ドライバーを使用して Azure Key Vault にシークレットを格納する",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "Azure では、プライマリ VM とセカンダリ VM が DBMS データのストレージを共有するアーキテクチャはサポートされていません。DBMS レイヤーの一般的なアーキテクチャ パターンは、プライマリ VM とセカンダリ VM が使用するものとは異なるストレージ スタックを使用して、データベースを同時にレプリケートすることです。",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
- "link": "https://learn.microsoft.com/azure/aks/update-credentials",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
+ "service": "SAP",
 "severity": "高い",
- "text": "クラスターにサービス プリンシパルを使用する場合は、資格情報を定期的に (四半期ごとなど) 更新します",
- "waf": "安全"
+ "text": "DBMS データとトランザクション/再実行ログ ファイルは、Azure でサポートされているブロック ストレージまたは Azure NetApp Files に格納されます。Azure Files または Azure Premium Files は、SAP ワークロードでの DBMS データや再実行ログ ファイルのストレージとしてサポートされていません。",
+ "training": 
"https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
- "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
- "service": "AKS",
- "severity": "中程度",
- "text": "必要に応じて、キー管理サービスの etcd 暗号化を追加します",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "Windows の Azure 共有ディスクは、ASCS + SCS コンポーネントと特定の高可用性シナリオに使用できます。フェールオーバー クラスターは、SAP アプリケーション レイヤー コンポーネントと DBMS レイヤー用に別々に設定します。Azure では現在、SAP アプリケーション レイヤー コンポーネントと DBMS レイヤーを 1 つのフェールオーバー クラスターに結合する高可用性アーキテクチャはサポートされていません。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
- "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
- "service": "AKS",
- "severity": "低い",
- "text": "必要に応じて、Confidential Compute for AKS の使用を検討してください",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = 
array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
+ "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "SAP アプリケーション レイヤー コンポーネント (ASCS) と DBMS レイヤーのほとんどのフェールオーバー クラスターには、フェールオーバー クラスターの仮想 IP アドレスが必要です。 Azure Load Balancer は、他のすべてのケースで仮想 IP アドレスを処理する必要があります。設計原則の 1 つは、クラスター構成ごとに 1 つのロード バランサーを使用することです。ロード バランサーの Standard バージョン (Standard Load Balancer SKU) を使用することをお勧めします。",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
- "service": "AKS",
- "severity": "中程度",
- 
"text": "Defender for Containers の使用を検討する",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "フローティング IP がロードバランサーで有効になっていることを確認します",
+ "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
- "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
- "link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "SAP",
 "severity": "高い",
- "text": "サービス プリンシパルの代わりにマネージド ID を使用するUse managed identities instead of Service Principals",
- "waf": "安全"
+ "text": "高可用性インフラストラクチャをデプロイする前に、選択したリージョンに応じて、Azure 可用性セットと可用性ゾーンのどちらを使用してデプロイするかを決定します。",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
- "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad",
- "service": "AKS",
- "severity": "中程度",
- "text": "認証と AAD の統合 (マネージド統合を使用)",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
+ "link": 
"https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "SAP コンポーネント (セントラル サービス、アプリケーション サーバー、データベース) のアプリケーションのインフラストラクチャ SLA を満たす場合は、すべてのコンポーネントに対して同じ高可用性オプション (VM、可用性セット、可用性ゾーン) を選択する必要があります。",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
- "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
- "service": "AKS",
- "severity": "中程度",
- "text": "管理者 kubeconfig へのアクセスを制限する (get-credentials --admin)",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "同じ可用性セットに異なる役割のサーバーを混在させないでください。中央サービス VM、データベース VM、アプリケーション VM を独自の可用性セットに保持します",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
- "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
+ "service": "SAP",
 "severity": "中程度",
- "text": "承認と AAD RBAC の統合",
- "waf": "安全"
+ "text": "近接配置グループを使用しない限り、Azure 可用性ゾーン内に Azure 可用性セットをデプロイすることはできません。",
+ "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
- "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "9674e7c7-7796-4181-8920-09f4429543ba",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "service": "SAP",
 "severity": "高い",
- "text": "Kubernetes で RBAC 特権を制限するために名前空間を使用する",
- "waf": "安全"
+ "text": "可用性セットを作成するときは、使用可能な障害ドメインと更新ドメインの最大数を使用します。たとえば、1 つの可用性セットに 2 つ以上の VM をデプロイする場合は、Azure の計画メンテナンスに加えて、潜在的な物理ハードウェア障害、ネットワーク停止、または電源中断の影響を制限するために、最大数の障害ドメイン (3) と十分な更新ドメインを使用します。障害ドメインのデフォルトの数は 2 で、後でオンラインで変更することはできません。",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410",
- "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar",
- "service": "AKS",
- "severity": "中程度",
- "text": "ポッド ID アクセス管理の場合は、Azure AD ワークロード ID (プレビュー) を使用します",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "可用性セットのデプロイで Azure 近接配置グループを使用する場合、3 つの SAP コンポーネント (中央サービス、アプリケーション サーバー、データベース) すべてが同じ近接配置グループに存在する必要があります。",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin",
- "service": "AKS",
- "severity": "中程度",
- "text": "AKS 非対話型ログインの場合は、kubelogin (プレビュー) を使用します",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ 
"service": "SAP",
+ "severity": "高い",
+ "text": "SAP SID ごとに 1 つの近接配置グループを使用します。グループは Availability Zones または Azure リージョンにまたがっていません",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
- "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
- "service": "AKS",
- "severity": "中程度",
- "text": "AKS ローカル アカウントを無効にする",
- "waf": "安全"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
- "service": "AKS",
- "severity": "低い",
- "text": "必要に応じて Just-In-Time クラスター アクセスを構成する",
- "waf": "安全"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks",
- "service": "AKS",
- "severity": "低い",
- "text": "必要に応じて AKS の AAD 条件付きアクセスを構成する",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "次のいずれかのサービスを使用して、オペレーティング システムに応じて SAP セントラル サービス クラスターを実行します。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3",
- 
"link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts",
- "service": "AKS",
- "severity": "低い",
- "text": "Windows AKS ワークロードで必要な場合は、gMSA を構成します",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "ed46b937-913e-4018-9c62-8393ab037e53",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "現在、Azure では、同じ Linux Pacemaker クラスターでの ASCS と DB HA の組み合わせはサポートされていません。それらを個々のクラスターに分割します。ただし、最大 5 つの複数の中央サービス クラスターを 1 つの VM のペアに結合できます。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "1f711a74-3672-470b-b8b8-a2148d640d79",
- "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)",
+ "guid": "f656e745-0cfb-453e-8008-0528fa21c933",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "service": "SAP",
 "severity": "中程度",
- "text": "より細かく制御するには、マネージドKubelet Identityの使用を検討してください",
- "waf": "安全"
+ "text": "両方の VM を高可用性ペア、可用性セット、または可用性ゾーンにデプロイします。これらの VM は、同じサイズで、同じストレージ構成である必要があります。",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
- "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
+ "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
+ "service": "SAP",
 "severity": "中程度",
- "text": "AGIC を使用している場合は、クラスター間で AppGW を共有しないでください",
+ "text": "Azure では、Red Hat Enterprise Linux (RHEL) で実行されている同じ高可用性クラスター上での SAP HANA インスタンスと ASCS/SCS インスタンスと ERS インスタンスのインストールと構成がサポートされています。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
 "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
- "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
- "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
 "severity": "高い",
- "text": "AKS HTTP ルーティング アドオンを使用せず、代わりにアプリケーション ルーティング アドオンでマネージド NGINX イングレスを使用します。",
+ "text": "すべての運用システムを Premium マネージド SSD で実行し、Azure NetApp Files または Ultra Disk Storage を使用します。少なくとも、OS ディスクは Premium レベルにある必要があるため、パフォーマンスの向上と最高の SLA を実現できます。",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
 "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
- "service": "AKS",
- "severity": "中程度",
- "text": "Windows ワークロードの場合は、高速ネットワークを使用します",
- "waf": "パフォーマンス"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure 
AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
- "guid": "ba7da7be-9952-4914-a384-5d997cb39132",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
+ "service": "SAP",
 "severity": "高い",
- "text": "標準のALBを使用する(基本的なALBとは対照的)",
+ "text": "Azure で SAP HANA を実行するのは、SAP によって認定されたストレージの種類のみにしてください。特定のボリュームは、該当する場合、特定のディスク構成で実行する必要があることに注意してください。これらの構成には、書き込みアクセラレータの有効化と Premium ストレージの使用が含まれます。また、ストレージ上で実行されるファイルシステムが、マシン上で実行される DBMS と互換性があることを確認する必要があります。",
+ "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
 "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
- "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
- "service": "AKS",
- "severity": "中程度",
- "text": "Azure CNI を使用する場合は、NodePool に異なるサブネットを使用することを検討してください",
- "waf": "安全"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
- "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
- "service": "AKS",
- "severity": "中程度",
- "text": "プライベート エンドポイント (推奨) または Virtual Network サービス エンドポイントを使用して、クラスターから PaaS サービスにアクセスする",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "SAP 
ワークロードに使用するストレージのタイプに応じて、高可用性を構成することを検討してください。Azure で使用できる一部のストレージ サービスは Azure Site Recovery でサポートされていないため、高可用性の構成が異なる場合があります。",
+ "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
- "guid": "a0f61565-9de5-458f-a372-49c831112dbd",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
+ "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
 "severity": "高い",
- "text": "要件に最適な CNI ネットワーク プラグインを選択する (Azure CNI を推奨)",
+ "text": "さまざまなネイティブ Azure ストレージ サービス (Azure Files、Azure NetApp Files、Azure Shared Disk など) は、すべてのリージョンで使用できるとは限りません。そのため、フェールオーバー後に DR リージョンで同様の SAP を設定するには、それぞれのストレージ サービスが DR サイトで提供されていることを確認します。",
 "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
- "severity": "高い",
- "text": "Azure CNI を使用する場合は、ノードあたりのポッドの最大数を考慮して、サブネットのサイズを適切に設定します",
- "waf": "パフォーマンス"
+ "checklist": "SAP Checklist",
+ "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "SAPシステムのStart-Stopを自動化してコストを管理します。",
+ "waf": "費用"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure 
AKS Review",
- "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
- "severity": "高い",
- "text": "Azure CNI を使用している場合は、最大ポッド数/ノード (既定値は 30) を確認します",
- "waf": "パフォーマンス"
+ "checklist": "SAP Checklist",
+ "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "低い",
+ "text": "Azure Premium Storage を SAP HANA と共に使用する場合、Azure Standard SSD ストレージを使用して、コストを意識したストレージ ソリューションを選択できます。ただし、Standard SSD または Standard HDD Azure ストレージを選択すると、個々の VM の SLA に影響することに注意してください。また、非本番環境など、I/O スループットが低く、レイテンシが低いシステムでは、下位シリーズの VM を使用できます。",
+ "waf": "費用"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "内部アプリの場合、組織は多くの場合、ファイアウォールで AKS サブネット全体を開きます。これにより、ノードへのネットワーク アクセスも開かれ、場合によってはポッドへのネットワーク アクセスも開かれます (Azure CNI を使用している場合)。LoadBalancer の IP が別のサブネットにある場合は、この IP のみをアプリ クライアントで使用できる必要があります。もう 1 つの理由は、AKS サブネット内の IP アドレスが希少なリソースである場合、その IP アドレスをサービスに使用すると、クラスターの最大スケーラビリティが低下することです。",
- "guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
- "link": "https://learn.microsoft.com/azure/aks/internal-lb",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
 "severity": "低い",
- "text": "プライベート IP LoadBalancer サービスを使用する場合は、(AKS サブネットではなく) 専用サブネットを使用します",
- "waf": "安全"
+ "text": "低コストの代替構成 (多目的) として、非運用 HANA データベース サーバー VM に低パフォーマンスの SKU を選択できます。ただし、E シリーズなどの一部の VM タイプは、HANA 認定 (SAP HANA ハードウェア ディレクトリ) されていないか、1 ミリ秒未満のストレージ待機時間を実現できないことに注意してください。",
+ "waf": "費用"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- 
"service": "AKS",
+ "checklist": "SAP Checklist",
+ "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)",
+ "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
+ "service": "SAP",
 "severity": "高い",
- "text": "それに応じて、サービスの IP アドレス範囲のサイズを設定します (クラスターのスケーラビリティが制限されます)。",
- "waf": "確実"
+ "text": "管理グループ、サブスクリプション、リソース グループ、リソースに RBAC モデルを適用する",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f",
- "link": "https://learn.microsoft.com/azure/aks/use-byo-cni",
- "service": "AKS",
- "severity": "低い",
- "text": "必要に応じて、独自のCNIプラグインを追加します",
+ "checklist": "SAP Checklist",
+ "guid": "45911475-e39e-4530-accc-d979366bcda2",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "クラウド コネクタを介して SAP クラウド アプリケーションから SAP オンプレミス (IaaS を含む) に ID を転送するためのプリンシパル伝達の強制",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364",
- "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools",
- "service": "AKS",
- "severity": "低い",
- "text": "必要に応じて、AKS でノードごとにパブリック IP を構成する",
- "waf": "パフォーマンス"
+ "checklist": "SAP Checklist",
+ "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
+ "link": 
"https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "SAML を使用して、SAP Analytics Cloud、SAP Cloud Platform、Business by Design、SAP Qualtrics、SAP C4C with Azure AD などの SAP SaaS アプリケーションに SSO を実装します。",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
- "link": "https://learn.microsoft.com/azure/aks/concepts-network",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
 "severity": "中程度",
- "text": "イングレス コントローラーを使用して、LoadBalancer タイプのサービスで公開する代わりに、Web ベースのアプリを公開します",
- "waf": "確実"
+ "text": "SAML を使用して、SAP Fiori や SAP Web GUI などの SAP NetWeaver ベースの Web アプリケーションに SSO を実装します。",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ccb534e7-416e-4a1d-8e93-533b53199085",
- "link": "https://learn.microsoft.com/azure/aks/nat-gateway",
- "service": "AKS",
- "severity": "低い",
- "text": "エグレス トラフィックをスケーリングするために Azure NAT Gateway を outboundType として使用する",
- "waf": "確実"
+ "checklist": "SAP Checklist",
+ "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "SAML を使用して、SAP Fiori や SAP Web GUI などの SAP NetWeaver ベースの Web アプリケーションに SSO を実装します。",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": 
"8ee9a69a-1b58-4b1e-9c61-476e110a160b",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
 "severity": "中程度",
- "text": "Azure CNI IP の枯渇を回避するために IP の動的割り当てを使用する",
- "waf": "確実"
+ "text": "SAP NetWeaver SSO またはパートナソリューションを使用して、SAP GUI への SSO を実装することができます。",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
- "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
- "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
- "service": "AKS",
- "severity": "高い",
- "text": "セキュリティ要件で義務付けられている場合は、AzFW/NVA を使用してエグレス トラフィックをフィルター処理します",
+ "checklist": "SAP Checklist",
+ "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "SAP GUIおよびWebブラウザアクセスのSSOには、構成と保守が容易なSNC / Kerberos / SPNEGO(シンプルで保護されたGSSAPIネゴシエーションメカニズム)を実装します。X.509 クライアント証明書を使用した SSO の場合は、SAP SSO ソリューションのコンポーネントである SAP Secure Login Server を検討してください。",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or 
properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
- "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
- "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
+ "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
+ "service": "SAP",
 "severity": "中程度",
- "text": "パブリック API エンドポイントを使用している場合は、アクセスできる IP アドレスを制限します",
+ "text": "SAP GUIおよびWebブラウザアクセスのSSOには、構成と保守が容易なSNC / Kerberos / SPNEGO(シンプルで保護されたGSSAPIネゴシエーションメカニズム)を実装します。X.509 クライアント証明書を使用した SSO の場合は、SAP SSO ソリューションのコンポーネントである SAP Secure Login Server を検討してください。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
- "link": "https://learn.microsoft.com/azure/aks/private-clusters",
- "service": "AKS",
- "severity": "高い",
- "text": "要件で必要な場合は、プライベート クラスターを使用します",
+ "checklist": "SAP Checklist",
+ "guid": "16785d6f-a96c-496a-b885-18f482734c88",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "SAP NetWeaver の OAuth を使用して SSO を実装し、サードパーティまたはカスタムアプリケーションが SAP NetWeaver OData サービスにアクセスできるようにします。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where 
isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
+ "service": "SAP",
 "severity": "中程度",
- "text": "Windows 2019 および 2022 AKS ノードでは、Calico ネットワーク ポリシーを使用できます",
+ "text": "SAP HANA への SSO の実装",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
- "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
- "severity": "高い",
- "text": "Kubernetes ネットワーク ポリシー オプションを有効にする (Calico/Azure)",
+ "checklist": "SAP Checklist",
+ "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure AD は、RISE でホストされている SAP システムの ID プロバイダーと考えてください。詳細については、「サービスと Azure AD の統合」を参照してください。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
- "severity": "高い",
- "text": "Kubernetesネットワークポリシーを使用してクラスタ内のセキュリティを強化",
+ "checklist": "SAP Checklist",
+ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
+ "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
+ 
"service": "SAP",
+ "severity": "中程度",
+ "text": "SAP にアクセスするアプリケーションの場合は、プリンシパル伝搬を使用して SSO を確立することができます。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
- "severity": "高い",
- "text": "Web ワークロード (UI または API) に WAF を使用するUse a WAF for a web workloads (UI or API)",
+ "checklist": "SAP Checklist",
+ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "SAP Identity Authentication Service (IAS) を必要とする SAP BTP サービスまたは SaaS ソリューションを使用している場合は、SAP Cloud Identity Authentication サービスと Azure AD の間に SSO を実装して、それらの SAP サービスにアクセスすることを検討してください。この統合により、SAP IAS はプロキシ ID プロバイダーとして機能し、認証要求を中央ユーザー ストアおよび ID プロバイダーとして Azure AD に転送できます。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
- "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": 
"a709c664-317e-41e4-9e34-67d9016a86f4",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
+ "service": "SAP",
 "severity": "中程度",
- "text": "AKS Virtual Network で DDoS Standard を使用するUse DDoS Standard in the AKS Virtual Network",
+ "text": "SAP BTP への SSO の実装",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
- "link": "https://learn.microsoft.com/azure/aks/http-proxy",
- "service": "AKS",
- "severity": "低い",
- "text": "必要に応じて、会社の HTTP プロキシを追加します",
+ "checklist": "SAP Checklist",
+ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "SAP SuccessFactors を使用している場合は、Azure AD 自動ユーザー プロビジョニングの使用を検討してください。この統合により、新しい従業員を SAP SuccessFactors に追加すると、Azure AD でそのユーザー アカウントを自動的に作成できます。必要に応じて、Microsoft 365 または Azure AD でサポートされている他の SaaS アプリケーションでユーザー アカウントを作成できます。メール アドレスを SAP SuccessFactors に書き戻します。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
- "link": 
"https://learn.microsoft.com/azure/aks/servicemesh-about",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "description": "管理グループの階層を適度にフラットに保ちます (4 つ以下)。",
+ "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)",
+ "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+ "service": "SAP",
 "severity": "中程度",
- "text": "高度なマイクロサービス通信管理にサービスメッシュの使用を検討する",
- "waf": "安全"
+ "text": "既存の管理グループポリシーをSAPサブスクリプションに適用",
+ "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | summarize count()",
+ "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "severity": "高い",
- "text": "最も重要なメトリックに関するアラートを構成します (推奨事項については、「Container Insights」を参照してください)",
+ "text": "緊密に結合されたアプリケーションを同じSAPサブスクリプションに統合して、ルーティングと管理の複雑さを回避",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
- "service": "AKS",
- "severity": 
"低い",
- "text": "Azure Advisor でクラスターの推奨事項を定期的に確認する",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
+ "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "サブスクリプションをスケールユニットとして活用し、リソースをスケーリングし、環境ごとにサブスクリプションをデプロイすることを検討してください。サンドボックス、非製品、製品",
+ "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
- "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
- "service": "AKS",
- "severity": "低い",
- "text": "AKS 自動証明書のローテーションを有効にする",
+ "checklist": "SAP Checklist",
+ "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc",
+ "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
+ "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "サブスクリプションのプロビジョニングの一部としてクォータの増加を確認する (例: サブスクリプション内の使用可能な VM コアの合計)",
+ "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure 
AKS Review",
- "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
- "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
- "service": "AKS",
- "severity": "高い",
- "text": "kubernetes のバージョンを定期的に (四半期ごとなど) アップグレードする定期的なプロセスを行うか、AKS 自動アップグレード機能を使用します",
+ "checklist": "SAP Checklist",
+ "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
+ "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
+ "service": "SAP",
+ "severity": "低い",
+ "text": "Quota API は、Azure サービスのクォータを表示および管理するために使用できる REST API です。必要に応じて使用を検討してください。",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
- "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
+ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+ "service": "SAP",
 "severity": "高い",
- "text": "ノードイメージのアップグレードを使用していない場合は、Linuxノードのアップグレードにkuredを使用します",
+ "text": "可用性ゾーンにデプロイする場合は、クォータが承認されたら、VM のゾーン デプロイが使用可能であることを確認してください。サブスクリプション、VM シリーズ、CPU の数、必要な可用性ゾーンを含むサポート リクエストを送信します。",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
- "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
 "severity": "高い",
- "text": "クラスタノードイメージを定期的に(毎週など)アップグレードする定期的なプロセスを用意します",
+ "text": "必要なサービスと機能が、選択したデプロイ リージョン内で使用できることを確認します。ANF、ゾーンなど",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
 "waf": 
"オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
- "service": "AKS",
- "severity": "低い",
- "text": "アプリケーションまたはクラスター構成を複数のクラスターにデプロイするために gitop を検討してください",
+ "checklist": "SAP Checklist",
+ "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "コストの分類とリソースのグループ化に Azure リソース タグを活用します (: BillTo、部門 (または部署)、環境 (運用、ステージ、開発)、階層 (Web 層、アプリケーション層)、アプリケーション所有者、ProjectName)",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
- "link": "https://learn.microsoft.com/azure/aks/command-invoke",
- "service": "AKS",
- "severity": "低い",
- "text": "プライベート クラスターで AKS コマンド呼び出しを使用することを検討する",
- "waf": "オペレーションズ"
+ "checklist": "SAP Checklist",
+ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "Azure Backup サービスを使用して HANA データベースを保護します。",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
- "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
- "service": 
"AKS",
- "severity": "低い",
- "text": "計画されたイベントの場合は、ノードの自動ドレインの使用を検討してください",
- "waf": "オペレーションズ"
+ "checklist": "SAP Checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "HANA 、 Oracle 、または DB2 データベースに Azure NetApp Files をデプロイする場合は、 Azure アプリケーション整合性スナップショット ツール (AzAcSnap) を使用して、アプリケーション整合性スナップショットを作成します。AzAcSnap は Oracle データベースもサポートしています。AzAcSnap は、個々の VM ではなく、中央の VM で使用することを検討してください。",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
- "link": "https://learn.microsoft.com/azure/aks/faq",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
 "severity": "高い",
- "text": "独自のガバナンスプラクティスを開発して、ノードRG(別名「インフラRG」)のオペレーターによって変更が実行されないようにします",
- "waf": "オペレーションズ"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
- "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
- "severity": "低い",
- "text": "カスタムノードRG(別名「インフラRG」)名を使用",
+ "text": "オペレーティングシステムと SAP システムの間でタイムゾーンが一致していることを確認します。",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
- "link": "https://kubernetes.io/docs/setup/release/notes/",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
+ "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
+ "service": "SAP",
 "severity": "中程度",
- "text": "非推奨の Kubernetes API を YAML マニフェストで使用しないでください",
- "waf": "オペレーションズ"
+ "text": "同じクラスター内で異なるアプリケーション サービスをグループ化しないでください。たとえば、DRBDと中央サービスクラスタを同じクラスタに組み合わせないでください。ただし、同じ Pacemaker クラスターを使用して、約 5 つの異なる中央サービス (マルチ SID クラスター) を管理できます。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
- "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
 "severity": "低い",
- "text": "Windows ノードのテイント",
- "waf": "オペレーションズ"
+ "text": "Azure の実行コストを節約して最適化するために、スヌーズ モデルで開発/テスト システムを実行することを検討してください。",
+ "waf": "費用"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
- "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
- "service": "AKS",
- "severity": "低い",
- "text": "Windows コンテナーのパッチ レベルをホストのパッチ レベルと同期させる",
+ "checklist": "SAP Checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "お客様の SAP 資産を管理することでお客様と提携する場合は、Azure Lighthouse をご検討ください。Azure Lighthouse を使用すると、マネージド サービス プロバイダーは Azure ネイティブ ID サービスを使用して、顧客の環境に対して認証を行うことができます。これにより、顧客はいつでもアクセスを取り消し、サービスプロバイダーの行動を監査できるため、制御が顧客の手に委ねられます。",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- 
"checklist": "Azure AKS Review",
- "description": "クラスタレベルでの診断設定経由",
- "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
- "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
- "service": "AKS",
- "severity": "低い",
- "text": "マスター ログ (API ログ) を Azure Monitor または任意のログ管理ソリューションに送信する",
+ "checklist": "SAP Checklist",
+ "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
+ "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure Update Manager を使用して、1 つまたは複数の VM で利用可能な更新プログラムの状態を確認し、定期的な修正プログラムの適用をスケジュールすることを検討してください。",
+ "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
- "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
- "service": "AKS",
- "severity": "低い",
- "text": "必要に応じて、nodePool スナップショットを使用します",
- "waf": "費用"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
- "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
+ "service": "SAP",
 "severity": "低い",
- "text": "時間的制約のないワークロードのスポット ノード プールを検討する",
+ "text": "SAP Landscape Management (LaMa) を使用して、SAP Basis の運用を最適化および管理します。Azure 用の SAP LaMa コネクタを使用して、SAP システムの再配置、コピー、複製、更新を行います。",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- 
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
- "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
- "severity": "低い",
- "text": "クイック バーストのために AKS 仮想ノードを検討する",
+ "checklist": "SAP Checklist",
+ "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure Monitor for SAP solutions を使用して、Azure 上の SAP ワークロード (SAP HANA、高可用性 SUSE クラスター、SQL システム) を監視します。SAP Solution Manager を使用して Azure Monitor for SAP solutions を補完することを検討してください。",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
+ "service": "SAP",
 "severity": "高い",
- "text": "Container Insights (または Prometheus などの他のツール) を使用してクラスター メトリックを監視する",
+ "text": "SAP の VM 拡張機能チェックを実行します。VM Extension for SAP は、仮想マシン (VM) の割り当てられたマネージド ID を使用して、VM の監視データと構成データにアクセスします。このチェックにより、SAP アプリケーションのすべてのパフォーマンス メトリックが、基になる Azure Extension for SAP からのものであることが保証されます。",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- 
"checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
- "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
- "severity": "高い",
- "text": "Container Insights(またはTelegraf/ElasticSearchなどの他のツール)を使用してクラスターログを保存および分析します",
+ "checklist": "SAP Checklist",
+ "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure Policy を使用して、アクセス制御とコンプライアンス レポートを作成します。Azure Policy には、組織全体の設定を適用して、一貫したポリシーの遵守と迅速な違反検出を確保する機能があります。",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
+ "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
+ "service": "SAP",
 "severity": "中程度",
- "text": "ノードの CPU とメモリの使用率を監視する",
+ "text": "Azure Network Watcher の接続モニターを使用して、SAP データベースとアプリケーション サーバーの待機時間メトリックを監視します。または、Azure Monitor を使用してネットワーク待機時間の測定値を収集して表示します。",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
- "link": 
"https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "73686af4-6791-4f89-95ad-a43324e13811",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
+ "service": "SAP",
 "severity": "中程度",
- "text": "Azure CNI を使用している場合は、ノードごとに消費されるポッド IP の割合を監視します",
+ "text": "プロビジョニングされた Azure インフラストラクチャで SAP HANA の品質チェックを実行し、プロビジョニングされた VM が SAP HANA on Azure のベスト プラクティスに準拠していることを確認します。",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "OS ディスクの I/O は重要なリソースです。ノード内の OS が I/O で調整されると、予期しない動作が発生し、通常はノードが NotReady と宣言される可能性があります",
- "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
- "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
- "service": "AKS",
- "severity": "中程度",
- "text": "ノード内の OS ディスク キューの深さを監視する",
- "waf": "オペレーションズ"
+ "checklist": "SAP Checklist",
+ "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "Azure サブスクリプションごとに、ゾーン デプロイの前に Azure 可用性ゾーンで待機時間テストを実行して、Azure 上の SAP のデプロイに待機時間の短いゾーンを選択します。",
+ "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
+ "service": "SAP",
 "severity": "中程度",
- "text": "AzFW/NVA でエグレス フィルター処理を使用しない場合は、標準の ALB によって割り当てられた SNAT ポートを監視します",
- "waf": "オペレーションズ"
+ "text": "回復性レポートを実行して、プロビジョニングされた 
Azure インフラストラクチャ全体 (コンピューティング、データベース、ネットワーク、ストレージ、Site Recovery) の構成が、Cloud Adaption Framework for Azure で定義された構成に準拠していることを確認します。",
+ "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
- "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
+ "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
+ "service": "SAP",
 "severity": "中程度",
- "text": "AKS クラスターのリソース正常性通知をサブスクライブするSubscribe to resource health notifications for your AKS cluster",
- "waf": "オペレーションズ"
+ "text": "SAP 用の Microsoft Sentinel ソリューションを使用して脅威保護を実装します。このソリューションを使用して、SAPシステムを監視し、ビジネスロジックとアプリケーションレイヤー全体で高度な脅威を検出します。",
+ "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
- "severity": "高い",
- "text": "ポッド仕様で要求と制限を構成する",
+ "checklist": "SAP Checklist",
+ "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
+ "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure のタグ付けを活用すると、リソースを論理的にグループ化して追跡し、デプロイを自動化し、最も重要なこととして、発生したコストを可視化できます。",
+ "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
 "waf": "オペレーションズ"
 },
 {
- 
"arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "769ef669-1a48-435a-a942-223ece80b123",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
- "severity": "中程度",
- "text": "名前空間のリソースクォータを適用する",
- "waf": "オペレーションズ"
+ "checklist": "SAP Checklist",
+ "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
+ "service": "SAP",
+ "severity": "低い",
+ "text": "レイテンシの影響を受けやすいアプリケーションには、VM 間のレイテンシ監視を使用します。",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "AKS",
- "severity": "高い",
- "text": "サブスクリプションにノードプールをスケールアウトするのに十分なクォータがあることを確認する",
- "waf": "オペレーションズ"
+ "checklist": "SAP Checklist",
+ "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure Site Recovery の監視を使用して、SAP アプリケーション サーバーのディザスター リカバリー サービスの正常性を維持します。",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
- "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
+ "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
 "severity": "中程度",
- "text": "Cluster Autoscaler を使用する",
+ "text": "すべてのデータベース・ファイル・システムと実行可能プログラムをアンチウィルス・スキャンから除外します。それらを含めると、パフォーマンスの問題が発生する可能性があります。除外リストに関する規定の詳細については、データベースベンダーに確認してください。たとえば、Oracle では、ウイルス対策スキャンから /oracle//sapdata を除外することをお薦めします。",
 "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
- "guid": "831c2872-c693-4b39-a887-a561bada49bc",
- "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "c027f893-f404-41a9-b33d-39d625a14964",
+ "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
+ "service": "SAP",
 "severity": "低い",
- "text": "AKS ノード プールのノード構成をカスタマイズする",
+ "text": "移行後に、HANA 以外のデータベースの完全なデータベース統計を収集することを検討してください。たとえば、SAP ノート 1020260 - Oracle 統計の配信を実装します。",
 "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
+ "service": "SAP",
 "severity": "中程度",
- "text": "必要に応じてHorizontal Pod Autoscalerを使用します",
+ "text": "SAP on Azure を使用するすべての Oracle デプロイに Oracle Automatic Storage Management (ASM) を使用することを検討してください。",
+ "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
 "waf": "パフォーマンス"
 },
 {
- "arm-service": 
"microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "ノードが大きくなると、パフォーマンスが向上し、エフェメラル ディスクや高速ネットワークなどの機能が提供されますが、爆発半径が大きくなり、スケーリングの粒度が低下します",
- "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
- "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
- "service": "AKS",
- "severity": "高い",
- "text": "大きすぎず小さすぎない適切なノードサイズを検討してください",
+ "checklist": "SAP Checklist",
+ "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Oracle を実行している SAP on Azure の場合、SQL スクリプトのコレクションはパフォーマンスの問題の診断に役立ちます。 自動ワークロード・リポジトリ(AWR)レポートには、Oracleシステムの問題を診断するための貴重な情報が含まれています。AWR レポートは、複数のセッションで実行し、ピーク時間を選択して、分析の範囲を広く設定することをお勧めします。",
+ "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
 "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
- "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
- "service": "AKS",
- "severity": "低い",
- "text": "スケーラビリティのために 5,000 を超えるノードが必要な場合は、追加の AKS クラスターの使用を検討してください",
- "waf": "パフォーマンス"
+ "checklist": "SAP Checklist",
+ "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "Azure Site Recovery の監視を使用して、SAP アプリケーション サーバーのディザスター リカバリー サービスの正常性を維持します。",
+ "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": 
"9583c0f6-6083-43f6-aa6b-df7102c901bb",
- "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
- "service": "AKS",
- "severity": "低い",
- "text": "AKS 自動化のために EventGrid イベントをサブスクライブすることを検討する",
- "waf": "パフォーマンス"
+ "checklist": "SAP Checklist",
+ "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "HTTP/S アプリを安全に配信するには、Application Gateway v2 を使用し、WAF の保護とポリシーが有効になっていることを確認します。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d",
- "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations",
- "service": "AKS",
- "severity": "低い",
- "text": "AKS クラスターで実行時間の長い操作を行う場合は、イベントの終了を検討してください",
- "waf": "パフォーマンス"
+ "checklist": "SAP Checklist",
+ "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure への移行中に仮想マシンの DNS または仮想名が変更されない場合、バックグラウンド DNS と仮想名は SAP ランドスケープ内の多くのシステム インターフェイスに接続され、開発者は時間の経過と共に定義するインターフェイスをお客様が認識することがよくあります。移行後に仮想名やDNS名が変更されると、さまざまなシステム間で接続の問題が発生するため、この種の問題を防ぐためにDNSエイリアスを保持することをお勧めします。",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
- "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
- "service": "AKS",
- "severity": "低い",
- "text": "必要に応じて、AKS ノードに Azure Dedicated Hosts を使用することを検討してください",
- "waf": "パフォーマンス"
+ "checklist": "SAP Checklist",
+ 
"guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "異なるDNSゾーンを使用して、各環境(サンドボックス、開発、プリプロダクション、およびプロダクション)を相互に区別します。例外は、独自の VNet を持つ SAP デプロイです。ここでは、プライベート DNS ゾーンは必要ないかもしれません。",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
- "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
- "severity": "高い",
- "text": "エフェメラル OS ディスクを使用する",
- "waf": "パフォーマンス"
+ "checklist": "SAP Checklist",
+ "description": "VNet ピアリングを構成する場合は、 [リモート仮想ネットワークへのトラフィックを許可する] 設定を使用します。",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)",
+ "guid": "a3592829-e6e2-4061-9368-6af46791f893",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "ローカルおよびグローバル VNet ピアリングは接続を提供し、複数の Azure リージョンにまたがる SAP デプロイのランディング ゾーン間の接続を確保するための推奨されるアプローチです",
+ "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- 
"guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
+ "service": "SAP",
 "severity": "高い",
- "text": "非エフェメラル ディスクの場合、複数のポッドを実行するには高いパフォーマンスが必要であり、既定の AKS ログ ローテーションしきい値で巨大なログが生成されるため、多くのポッド/ノードを実行する場合は、ノードに高い IOPS とより大きな OS ディスクを使用します",
+ "text": "SAP アプリケーションと SAP データベース サーバー間の NVA のデプロイはサポートされていません",
+ "training": "https://me.sap.com/notes/2731110",
 "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db",
- "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
- "service": "AKS",
- "severity": "低い",
- "text": "ハイパー パフォーマンス ストレージ オプションの場合は、AKS 上の Ultra Disks を使用します",
- "waf": "パフォーマンス"
+ "checklist": "SAP Checklist",
+ "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant",
+ "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
+ "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Virtual WAN は、Azure リージョンとオンプレミスの場所間でグローバルなトランジット接続が必要な新しいネットワーク、大規模ネットワーク、またはグローバル ネットワークでの Azure デプロイに使用します。このアプローチでは、Azure ネットワークの推移的なルーティングを手動で設定する必要がなく、SAP on Azure デプロイの標準に従うことができます。",
+ "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": 
"0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
+ "service": "SAP",
 "severity": "中程度",
- "text": "クラスター内に状態を保持することは避け、外部 (AzStorage、AzSQL、Cosmos など) にデータを格納します",
- "waf": "パフォーマンス"
+ "text": "リージョン間でネットワーク仮想アプライアンス (NVA) をデプロイするのは、パートナーの NVA が使用されている場合にのみ検討してください。ネイティブ NVA が存在する場合、リージョン間または VNet 間の NVA は必要ありません。パートナー ネットワーク テクノロジと NVA をデプロイする場合は、ベンダーのガイダンスに従って、Azure ネットワークと競合する構成を確認します。",
+ "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
+ "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
+ "service": "SAP",
 "severity": "中程度",
- "text": "AzFiles Standard を使用する場合は、パフォーマンス上の理由から AzFiles Premium や ANF を検討してください",
- "waf": "パフォーマンス"
+ "text": "Virtual WAN は、Virtual WAN ベースのトポロジのスポーク VNet 間の接続を管理し (ユーザー定義ルーティング (UDR) や NVA を設定する必要はありません)、同じ仮想ハブ内の VNet 間トラフィックの最大ネットワーク スループットは 50 ギガビット/秒です。必要に応じて、SAP ランディング ゾーンでは VNet ピアリングを使用して他のランディング ゾーンに接続し、この帯域幅の制限を克服できます。",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
- "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
- "service": "AKS",
- "severity": "中程度",
- "text": "Azure ディスクと AZ を使用する場合は、適切なゾーンにストレージをプロビジョニングするために 
VolumeBindingMode:WaitForFirstConsumer を使用して LRS ディスクのゾーン内にノードプールを配置するか、複数のゾーンにまたがるノードプールに ZRS ディスクを使用することを検討してください",
- "waf": "パフォーマンス"
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "guid": "82734c88-6ba2-4802-8459-11475e39e530",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "SAP ワークロードを実行している VM へのパブリック IP の割り当てはお勧めしません。",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Cost Optimization Checklist",
- "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
- "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
- "service": "Azure Monitor",
- "text": "Azure Monitor のデータ収集ルール - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
+ "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
+ "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "ASR を設定するときは、DR 側で IP アドレスを予約することを検討してください",
+ "training": 
"https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "45901365-d38e-443f-abcb-d868266abca2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
- "service": "Azure Backup",
- "text": "基になるデータソースが見つからないバックアップインスタンスを確認する",
- "waf": "費用"
- },
- {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
- "service": "VM",
- "text": "関連づけられていないサービス(ディスク、NIC、IPアドレスなど)を削除またはアーカイブする",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "運用サイトと DR サイトで重複する IP アドレス範囲を使用しないでください。",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "service": "Azure Backup",
- "text": "ミッション クリティカルでないアプリケーションの Site Recovery ストレージとバックアップのバランスを考慮する",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure では VNet 
に複数の委任サブネットを作成するのに役立ちますが、Azure NetApp Files の VNet に存在できる委任サブネットは 1 つだけです。Azure NetApp Files に複数の委任されたサブネットを使用すると、新しいボリュームを作成しようとすると失敗します。",
+ "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Cost Optimization Checklist",
- "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
- "service": "Azure Monitor",
- "text": "40 の異なるログ分析ワークスペース間で支出と節約の機会を確認する - 非運用ワークスペースに異なる保持とデータ収集を使用する - 認識と階層サイズ設定のための日次上限を作成する - 日次上限を設定する場合は、上限に達したときにアラートを作成するだけでなく、ある割合 (90% など) に達したときに通知されるアラート ルールも作成してください。- 可能であればワークスペースの変革を検討する - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
+ "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure Firewall を使用して、インターネットへの Azure 送信トラフィック、HTTP/S 以外の受信接続、East/West トラフィック フィルタリング (組織で必要な場合) を管理します",
+ "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Cost Optimization Checklist",
- "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "Azure Monitor",
- "text": "ログのパージポリシーと自動化を適用する(必要に応じて、ログをコールドストレージに移動できます)",
- "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Application Gateway、SAP Web Dispatcher、およびその他のサードパーティサービスの比較に示すように、Application Gateway が SAP Web アプリのリバースプロキシとして機能する場合、Application Gateway と Web Application Firewall には制限があります。",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "VM",
- "text": "ディスクが本当に必要かどうかを確認し、必要でない場合は削除します。必要な場合は、下位のストレージ階層を見つけるか、バックアップを使用します。",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure Front Door と WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続に対して Azure リージョン間でグローバルな保護を提供します。",
+ "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "Storage",
- "text": "未使用のストレージを下位階層に移動し、カスタマイズされたルールを使用することを検討する - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure Front Door と Application Gateway を使用して HTTP/S アプリケーションを保護している場合は、Azure Front Door の Web アプリケーション ファイアウォール ポリシーを利用します。Azure Front Door からのトラフィックのみを受信するように Application Gateway をロックダウンします。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "VM",
- "text": "advisor が VM の適切なサイズ設定用に構成されていることを確認する",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "5ada4332-4e13-4811-9231-81aa41742694",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Web アプリケーション ファイアウォールを使用して、インターネットに公開されているトラフィックをスキャンします。別のオプションは、ロード バランサーで使用するか、Application Gateway やサードパーティ ソリューションなどのファイアウォール機能が組み込まれているリソースで使用することです。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "description": "コスト分析でメーターカテゴリライセンスを検索して確認してください",
- 
"guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
- "service": "VM",
- "text": "すべての Windows VM でスクリプトを実行する https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM が頻繁に作成される場合は、ポリシーの実装を検討してください",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Virtual WAN は、Azure リージョンとオンプレミスの場所間でグローバルなトランジット接続が必要な新しいネットワーク、大規模ネットワーク、またはグローバル ネットワークでの Azure デプロイに使用します。このアプローチでは、Azure ネットワークの推移的なルーティングを手動で設定する必要がなく、SAP on Azure デプロイの標準に従うことができます。",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
- "service": "VM",
- "text": "これは、すでにライセンスを持っている場合は、AHUBの下に置くこともできます https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "データ漏えいを防ぐには、Azure Private Link を使用して、Azure Blob Storage、Azure Files、Azure Data Lake Storage Gen2、Azure Data Factory などのサービスとしてのプラットフォーム リソースに安全にアクセスします。Azure プライベート エンドポイントは、VNet と Azure Storage、Azure Backup などのサービス間のトラフィックをセキュリティで保護するのにも役立ちます。VNet とプライベート エンドポイント対応サービス間のトラフィックは、Microsoft 
グローバル ネットワークを経由するため、パブリック インターネットに公開されるのを防ぎます。",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
- "service": "VM",
- "text": "予約済み VM ファミリを柔軟性オプションで統合する (4 から 5 ファミリ以下)",
- "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking",
+ "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "SAP アプリケーションと DBMS レイヤーで使用される VM で Azure 高速ネットワークが有効になっていることを確認します。",
+ "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
- "service": "VM",
- "text": "Azure 予約インスタンスを利用する: この機能を使用すると、VM を 1 年または 3 年間予約できるため、PAYG 価格と比較して大幅なコスト削減が実現します。",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview",
+ "service": "SAP",
+ 
"severity": "中程度",
+ "text": "Azure Load Balancer の内部デプロイが Direct Server Return (DSR) を使用するように設定されていることを確認します。この設定 (フローティング IP の有効化) は、DBMS レイヤーの高可用性構成に内部ロード バランサー構成を使用する場合のレイテンシを短縮します。",
+ "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
- "service": "VM",
- "text": "より大きなディスクのみ予約できます => 1 TiB -",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc",
+ "guid": "6791f893-5ada-4433-84e1-3811523181aa",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "アプリケーション セキュリティ グループ (ASG) ルールと NSG ルールを使用して、SAP アプリケーションと DBMS レイヤー間のネットワーク セキュリティ アクセス制御リストを定義できます。ASG は、セキュリティの管理に役立つ仮想マシンをグループ化します。",
+ "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
- "service": "VM",
- "text": "適切なサイズ最適化の後",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "45bbe609-d8a0-43e9-9778-424d616785d6",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "ピアリングされていない異なる Azure VNet に SAP アプリケーション レイヤーと SAP DBMS を配置することはサポートされていません。",
+ "training": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "Microsoft.Sql/servers",
- "checklist": "Cost Optimization Checklist",
- "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Azure SQL",
- "text": "該当するかどうかを確認し、ポリシー/変更 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations を適用します",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "fa96c96a-d885-418f-9827-34c886ba2802",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "SAP アプリケーションでのネットワーク待機時間を最適化するには、Azure 近接通信配置グループの使用を検討してください。",
+ "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "VM",
- "text": "VM +ライセンス部分の割引(ahub + 3YRI)は約70%の割引です",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "オンプレミスと Azure の間で分割された SAP アプリケーション サーバー レイヤーと DBMS レイヤーの実行はまったくサポートされていません。どちらのレイヤーも、オンプレミスまたは Azure に完全に存在する必要があります。",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": 
"ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "VM",
- "text": "需要に合わせて、フラットなサイジングではなく、VMSS の使用を検討してください",
+ "checklist": "SAP Checklist",
+ "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2",
+ "link": "https://me.sap.com/notes/2015553",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "データベース管理システム (DBMS) と SAP システムのアプリケーション層を異なる VNet でホストし、それらを VNet ピアリングで接続することは、層間の過剰なネットワーク トラフィックによって大きなコストが発生する可能性があるため、お勧めしません。Azure 仮想ネットワーク内のサブネットを使用して、SAP アプリケーション レイヤーと DBMS レイヤーを分離することをお勧めします。",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
 "waf": "費用"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Cost Optimization Checklist",
- "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
- "service": "AKS",
- "text": "AKS オートスケーラーを使用してクラスターの使用量に一致させる (ポッドの要件がスケーラーと一致していることを確認する)",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "402a9846-d515-4061-aff8-cd30088693fa",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "Linux ゲスト・オペレーティング・システムで Load Balancer を使用する場合は、Linux ネットワーク・パラメーター net.ipv4.tcp_timestamps が 0 に設定されていることを確認します。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- "service": "Azure Backup",
- "text": "該当する場合は、復旧ポイントを vault-archive に移動します 
(検証)",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "87585797-5551-4d53-bb7d-a94ee415734d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "SAP RISE/ECS デプロイの場合、仮想ピアリングは、お客様の既存の Azure 環境との接続を確立するための推奨される方法です。SAP vnet と顧客 vnet はどちらもネットワーク セキュリティ グループ (NSG) で保護されているため、vnet ピアリングを介して SAP ポートとデータベース ポートで通信できます",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Databricks/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
- "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
- "service": "Databricks",
- "text": "可能な場合は、フォールバックでスポット VM を使用することを検討してください。クラスターの自動終了を検討してください。",
+ "checklist": "SAP Checklist",
+ "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "Azure VM の SAP HANA データベースのバックアップを確認します。",
 "waf": "費用"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
- "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
- "service": "Azure Functions",
- "text": "関数 - 接続の再利用",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
+ "checklist": "SAP Checklist",
+ "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Site Recovery の組み込み監視 (SAP に使用されている場所) を確認します。",
 "waf": "費用"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": 
"27139b82-1102-4dbd-9eaf-11e6f843e52f",
- "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
- "service": "Azure Functions",
- "text": "関数 - データをローカルにキャッシュする",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf",
+ "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "SAP HANA システムランドスケープの監視のガイダンスを確認します。",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Azure Functions",
- "text": "関数 - コールド スタート - 「パッケージから実行」機能を使用します。このようにして、コードは単一のzipファイルとしてダウンロードされます。これにより、たとえば、多くのノードモジュールを持つJavascript関数が大幅に改善される可能性があります。言語固有のツールを使用してパッケージサイズを縮小します (ツリーを揺るがす Javascript アプリケーションなど)。",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure Linux VM のバックアップ戦略で Oracle Database を確認します。",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
- "service": "Azure Functions",
- "text": "関数 - 関数を暖かく保つ",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": 
"2943b6d8-1d31-4e19-ade7-78e6b26d1962",
+ "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "SQL Server 2016 での Azure Blob Storage の使用を確認します。",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Azure Functions",
- "text": "さまざまな関数で自動スケーリングを使用する場合、すべてのリソースのすべての自動スケーリングを駆動する 1 つが存在する可能性があるため、別の従量課金プランに移行することを検討してください (また、CPU のより高いプランを検討してください)",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "b82e650f-676d-417d-994d-fc33ca54ec14",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure VM の自動バックアップ v2 の使用を確認します。",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
- "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
- "service": "Azure Functions",
- "text": "特定のプランの関数アプリはすべて一緒にスケーリングされるため、スケーリングに関する問題はプラン内のすべてのアプリに影響を与える可能性があります。",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "Premium ディスク使用時の M シリーズの書き込みアクセラレータの有効化 (V1)",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
- "service": "Azure Functions",
- "text": "「待機時間」に対して請求されますか?この質問は、通常、非同期操作を実行して結果を待機する C# 関数のコンテキストで尋ねられます (例: await Task.Delay(1000) や await client)。GetAsync('http://google.com') 
です。答えはイエスです-GB秒の計算は、関数の開始時刻と終了時刻、およびその期間のメモリ使用量に基づいています。その間に CPU アクティビティに関して実際に何が起こるかは、計算には考慮されません。この規則の 1 つの例外は、永続関数を使用している場合です。オーケストレーター関数で待機に費やされた時間に対しては課金されません。可能な場合は、デマンド シェーピング技術を適用します (開発環境?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "可用性ゾーンの待機時間をテストします。",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Front Door",
- "text": "Frontdoor - 既定のホームページをオフにするアプリのアプリケーション設定で、AzureWebJobsDisableHomepage を true に設定します。これにより、PoPに204(No Content)が返されるため、ヘッダーデータのみが返されます。",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d",
+ "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "すべての SAP コンポーネントに対して SAP EarlyWatch Alert を有効化します。",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Front Door",
- "text": "Frontdoor - 何も返さないものへのルーティング。関数、関数プロキシを設定するか、200 (OK) を返し、コンテンツを送信しない、または最小限のコンテンツを送信 するルートを Web アプリに追加します。これの利点は、呼び出されたときにログアウトできることです。",
- "waf": "費用"
+ "checklist": "SAP Checklist",
+ "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017",
+ "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", + "severity": "中程度", + "text": "SAP ABAPMeter レポート /SSA/CAT を使用して、SAP アプリケーション サーバーとデータベース サーバー間の待機時間を確認します。", + "training": "https://me.sap.com/notes/0002879613", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "使用頻度の低いデータの階層のアーカイブを検討する", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", + "severity": "中程度", + "text": "CCMS を使用した SQL Server パフォーマンス監視を確認します。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "サイズが階層と一致しない場合は、ディスク サイズを確認します (つまり、513 GiB のディスクは P30 (1TiB) を支払います) と、サイズ変更を検討してください", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", + "severity": "中程度", + "text": "SAP アプリケーション レイヤー VM と DBMS VM 間のネットワーク遅延をテストします (NIPING)。", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "可能な場合は、Premium や Ultra ではなく Standard SSD の使用を検討してください", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": 
"https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", + "severity": "中程度", + "text": "SAP HANA Studio のアラートを確認します。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "ストレージ アカウントの場合は、選択したレベルによってトランザクション料金が加算されていないことを確認します (次のレベルに移動する方が安くなる可能性があります)", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", + "severity": "中程度", + "text": "HANA_Configuration_Minichecksを使用して SAP HANA ヘルスチェックを実行します。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "ASR の場合、RPO/RTO とレプリケーション スループットで許可されている場合は、Standard SSD ディスクの使用を検討してください", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "中程度", + "text": "Azure、オンプレミス、またはその他のクラウド環境で Windows VM と Linux VM を実行している場合は、Azure Automation の更新管理センターを使用して、セキュリティ パッチを含むオペレーティング システムの更新プログラムを管理できます。", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": 
"https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "ストレージ アカウント: 必要なホット層や GRS を確認する", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "中程度", + "text": "SAP は、SAP システムを保護するために即時のアクションが必要な非常に重要なセキュリティパッチ (ホットフィックス) をリリースするため、SAP セキュリティ OSS ノートを定期的に確認してください。", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "ディスク - あらゆる場所で Premium SSD ディスクの使用を検証: たとえば、非運用環境を Standard SSD またはオンデマンド Premium SSD にスワップできます", - "waf": "費用" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "予算を作成してコストを管理し、支出の異常や過剰支出のリスクを関係者に自動的に通知するアラートを作成します。", - "waf": "費用" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "追加のデータ分析のために、コスト データをストレージ アカウントにエクスポートします。", - "waf": "費用" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "専用 SQL 
プールのコストを制御するには、リソースが使用されていないときに一時停止します。", - "waf": "費用" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "サーバーレス Apache Spark の自動一時停止機能を有効にし、それに応じてタイムアウト値を設定します。", - "waf": "費用" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "さまざまなサイズの複数の Apache Spark プール定義を作成します。", - "waf": "費用" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "Azure Synapse Analytics のコストを節約するために、事前購入プランで Azure Synapse コミット ユニット (SCU) を 1 年間購入します。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "中断可能なジョブにスポット VM を使用する: これらは、割引価格で入札および購入できる VM であり、重要でないワークロードにコスト効率の高いソリューションを提供します。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "すべての VM の適切なサイズ設定", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "低い", + "text": "SQL Server 上の SAP システムではアカウントが使用されないため、SQL Server on SQL Server システム管理者アカウントを無効にすることができます。元のシステム管理者アカウントを無効にする前に、システム管理者権限を持つ別のユーザーがサーバーにアクセスできることを確認してください。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "正規化されたサイズと最新のサイズでサイズをスワップする VM", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "高い", + "text": "xp_cmdshellを無効にします。SQL Server 機能xp_cmdshellは、SQL Server 内部オペレーティング システム コマンド シェルを有効にします。これは、セキュリティ監査における潜在的なリスクです。", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "VM の適切なサイズ設定 - 使用率を 5% 未満で監視することから始めて、その後 40% まで作業します", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "高い", + "text": "Azure 上の SAP HANA データベース サーバーの暗号化には、SAP HANA ネイティブの暗号化テクノロジが使用されます。さらに、Azure で SQL Server を使用している場合は、Transparent Data Encryption (TDE) を使用してデータとログ ファイルを保護し、バックアップも暗号化されるようにします。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "アプリケーションをコンテナー化すると、VM の密度が向上し、スケーリングにかかるコストを節約できます", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", + "severity": "中程度", + "text": "Azure Storage の暗号化は、すべての Azure Resource Manager アカウントとクラシック ストレージ アカウントに対して有効になっており、無効にすることはできません。データは既定で暗号化されるため、Azure Storage の暗号化を使用するためにコードやアプリケーションを変更する必要はありません。", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", 
+ "service": "SAP", "severity": "高い", - "text": "ADDS ドメイン コントローラーがネイティブ Azure の ID サブスクリプションにデプロイされていることを確認する", + "text": "Azure Key Vault を使用してシークレットと資格情報を格納する", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "severity": "中程度", - "text": "Azure ベースのリソース (Azure VMware Solution を含む) からの認証要求を Azure にローカルに保持するように ADDS サイトとサービスが構成されていることを確認します", + "text": "デプロイが成功したら、承認されていない変更から保護するために、Azure リソースをロックすることをお勧めします。また、カスタマイズされた Azure ポリシー (カスタム ロール) を使用して、サブスクリプションごとに LOCK 制約とルールを適用することもできます。", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "severity": "高い", - "text": "vCenterがADDに接続されていることを確認し、「名前付きユーザーアカウント」に基づく認証を有効にします", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", + "severity": "中程度", + "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", - "severity": "中程度", - "text": 
"vCenter から ADDS への接続でセキュア プロトコル (LDAPS) が使用されていることを確認します", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", + "severity": "高い", + "text": "既存の要件、規制、コンプライアンス制御 (内部/外部) に基づいて - 必要な Azure ポリシーと Azure RBAC ロールを決定します", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", - "severity": "中程度", - "text": "vCenter IdP の CloudAdmin アカウントは、緊急アカウント(非常用アカウント)としてのみ使用されます", + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "高い", + "text": "SAP 環境でMicrosoft Defender for Endpointを有効にする場合は、すべてのサーバーをターゲットにするのではなく、DBMS サーバー上のデータ ファイルとログ ファイルを除外することをお勧めします。ターゲット ファイルを除外する場合は、DBMS ベンダーの推奨事項に従ってください。", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "severity": "高い", - "text": "NSX-Manager が外部 ID プロバイダ (LDAPS) と統合されていることを確認します。", + "text": "Microsoft Defender for Cloud の Just-In-Time アクセス権を持つ SAP 管理者カスタム ロールを委任します。", + "training": 
"https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", - "severity": "中程度", - "text": "VMware vSphere 内で使用するために RBAC モデルが作成されているか", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "低い", + "text": "サードパーティのセキュリティ製品を DIAG (SAP GUI)、RFC、HTTPS の SPNEGO の Secure Network Communications (SNC) と統合することで、転送中のデータを暗号化します。", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "severity": "中程度", - "text": "RBAC アクセス許可は、特定のユーザーではなく、ADDS グループに付与する必要があります", + "text": "プリンシパル暗号化機能には Microsoft マネージド キーが既定で設定され、必要に応じてカスタマー マネージド キーが使用されます。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | 
project type, name, SubName", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", "severity": "高い", - "text": "Azure の Azure VMware Solution リソースに対する RBAC アクセス許可は、限られた所有者のセットのみに \"ロックダウン\" されます", + "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", "severity": "高い", - "text": "すべてのカスタム ロールのスコープが CloudAdmin で許可された承認で設定されていることを確認する", + "text": "HANA 以外の Windows および Windows 以外のオペレーティング システムのディスク暗号化キーとシークレットを制御および管理するには、Azure Key Vault を使用します。SAP HANA は Azure Key Vault ではサポートされていないため、SAP ABAP キーや SSH キーなどの別の方法を使用する必要があります。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", "severity": "高い", - "text": "お客様のユース ケースに適した Azure VMware Solution 接続モデルが選択されているか", - "waf": "パフォーマンス" + "text": "SAP on Azure スポーク サブスクリプションのロールベースのアクセス制御 (RBAC) ロールをカスタマイズして、ネットワーク関連の偶発的な変更を回避する", + "training": 
"https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", "severity": "高い", - "text": "オンプレミスから Azure への ExpressRoute または VPN 接続が \"接続モニター\" を使用して監視されていることを確認する", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", - "severity": "中程度", - "text": "Azure VMware Solution バックエンドの ExpressRoute 接続を監視するために、Azure ネイティブ リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します", - "waf": "オペレーションズ" + "text": "DMZ と NVA を他の SAP 資産から分離し、Azure Private Link を構成し、SAP on Azure リソースを安全に管理および制御します", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", - "severity": "中程度", - "text": "エンド 2 エンドの接続を監視するために、オンプレミス リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します", - "waf": "オペレーションズ" + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", + "severity": "低い", + "text": "Azure で Microsoft マルウェア対策ソフトウェアを使用して、悪意のあるファイル、アドウェア、その他の脅威から仮想マシンを保護することを検討してください。", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "waf": "安全" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "高い", - "text": "ルート サーバーを使用する場合は、ルート サーバーから ExR ゲートウェイ、オンプレミスに伝達されるルートが 1000 を超えないようにします (ARS 制限)。", - "waf": "オペレーションズ" + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", + "severity": "低い", + "text": "さらに強力な保護を行うには、Microsoft Defender for Endpoint の使用を検討してください。", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "severity": "高い", - "text": "Azure Portal で Azure VMware Solution リソースを管理するロールに対して Privileged Identity Management が実装されていますか (永続的なアクセス許可は許可されません)", + "text": "仮想ネットワーク ピアリングによってスポーク ネットワークに接続されているハブ仮想ネットワークを介してすべてのトラフィックを通過させることにより、SAP アプリケーション サーバーとデータベース サーバーをインターネットまたはオンプレミス ネットワークから分離します。ピアリングされた仮想ネットワークにより、SAP on Azure ソリューションがパブリック インターネットから分離されることが保証されます。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - "severity": "高い", - "text": "Privileged Identity Management 監査レポートは、Azure VMware Solution PIM ロールに対して実装する必要がある", + "checklist": "SAP Checklist", + "guid": 
"491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "低い", + "text": "SAP Fiori のようなインターネットに接続するアプリケーションの場合は、セキュリティレベルを維持しながら、アプリケーション要件ごとに負荷を分散してください。レイヤー 7 セキュリティのために、Azure Marketplace で入手できるサードパーティの Web アプリケーション ファイアウォール (WAF) を使用できます。", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "severity": "中程度", - "text": "Privileged Identity Management を使用している場合は、Azure VMware Solution のホストの自動置換通知用の有効な SMTP レコードを使用して、有効な Entra ID が有効なアカウントが作成されていることを確認します。(常任許可が必要)", + "text": "Azure Monitor for SAP solutions でセキュリティで保護された通信を有効にするには、ルート証明書またはサーバー証明書のどちらを使用するかを選択できます。ルート証明書を使用することを強くお勧めします。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", - "severity": "高い", - "text": "CloudAdmin アカウントの使用を緊急アクセスのみに制限する", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub は、保存データの暗号化を提供します。独自のキーを使用する場合、データは引き続き Microsoft マネージド キーを使用して暗号化されますが、さらに Microsoft マネージド キーはカスタマー マネージド キーを使用して暗号化されます。", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": 
"https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "低い", + "text": "必要に応じて、保存データの暗号化でカスタマー マネージド キー オプションを使用する", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs 名前空間を使用すると、クライアントは TLS 1.0 以降でデータを送受信できます。より厳格なセキュリティ対策を適用するには、クライアントが新しいバージョンの TLS を使用してデータを送受信するように Event Hubs 名前空間を構成できます。Event Hubs 名前空間で TLS の最小バージョンが必要な場合、古いバージョンで行われた要求はすべて失敗します。", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "severity": "中程度", - "text": "vCenter Server でカスタム RBAC ロールを作成して、vCenter 内に最小特権モデルを実装します", + "text": "要求に最低限必要なバージョンのトランスポート層セキュリティ (TLS) を適用する", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Event Hubs 名前空間を作成すると、名前空間に対して RootManageSharedAccessKey という名前のポリシー規則が自動的に作成されます。このポリシーには、名前空間全体に対する管理アクセス許可があります。このルールは、管理ルートアカウントのように扱い、アプリケーションでは使用しないことをお勧めします。RBAC で認証プロバイダーとして AAD を使用することをお勧めします。", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "severity": "中程度", - "text": "cloudadmin (vCenter) と admin (NSX) 
の資格情報を定期的にローテーションするように定義されたプロセスです。", - "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", - "severity": "高い", - "text": "一元化された ID プロバイダーを使用して、Azure VMware Solution で実行されているワークロード (VM) に使用する", + "text": "必要のない場合はrootアカウントの使用を避けてください", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure リソースのマネージド ID は、Azure Virtual Machines (VM)、関数アプリ、Virtual Machine Scale Sets、その他のサービスで実行されているアプリケーションから Azure AD 資格情報を使用して、Event Hubs リソースへのアクセスを承認できます。Azure リソースのマネージド ID を Azure AD 認証と共に使用することで、クラウドで実行されるアプリケーションに資格情報を格納することを回避できます。", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "severity": "中程度", - "text": "East-West トラフィック フィルタリングは NSX-T 内に実装されていますか", + "text": "可能な場合は、アプリケーションでマネージド ID を使用して Azure Event Hub に対する認証を行う必要があります。そうでない場合は、ストレージ資格情報 (SAS、サービス プリンシパル資格情報) を Azure Key Vault または同等のサービスに用意することを検討してください", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "アクセス許可を作成するときは、Azure Event Hub へのクライアントのアクセスをきめ細かく制御します。Azure Event Hub のアクセス許可は、個々のリソース レベル (コンシューマー グループ、イベント ハブ エンティティ、イベント ハブ名前空間など) 
にスコープを設定する必要があり、またそうする必要があります。", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "severity": "高い", - "text": "Azure VMware Solution 上のワークロードは、インターネットに直接公開されません。トラフィックは、Azure Application Gateway、Azure Firewall、またはサード パーティのソリューションによってフィルター処理され、検査されます", + "text": "最小特権データ プレーン RBAC を使用する", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", - "severity": "高い", - "text": "監査とログ記録は、Azure VMware Solution および Azure VMware Solution ベースのワークロードへの受信インターネット要求に対して実装されます", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub リソース ログには、操作ログ、仮想ネットワーク、Kafka ログが含まれます。ランタイム監査ログは、Event Hubs のすべてのデータ プレーン アクセス操作 (イベントの送受信など) に関する集計された診断情報をキャプチャします。", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", + "severity": "中程度", + "text": "セキュリティ調査のログ記録を有効にします。Azure Monitor を使用して、リソース ログ、ランタイム監査ログ、Kafka ログなどのメトリックとログをキャプチャします", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "既定では、Azure Event Hub にはパブリック IP アドレスがあり、インターネットに到達できます。プライベート エンドポイントを使用すると、仮想ネットワークと Azure Event Hub の間のトラフィックが Microsoft のバックボーン ネットワークを経由するようになります。それに加えて、パブリックエンドポイントを使用しない場合は無効にする必要があります。", + "guid": 
"5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "severity": "中程度", - "text": "セッション監視は、疑わしい/悪意のあるアクティビティを特定するために、Azure VMware Solution または Azure VMware Solution ベースのワークロードからの送信インターネット接続に実装されます", + "text": "プライベート エンドポイントを使用して Azure Event Hub にアクセスし、該当する場合はパブリック ネットワーク アクセスを無効にすることを検討してください。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "IP ファイアウォールを使用すると、パブリック エンドポイントを、CIDR (Classless Inter-Domain Routing) 表記の一連の IPv4 アドレスまたは IPv4 アドレス範囲のみに制限できます。", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "severity": "中程度", - "text": "Azure の ExR/VPN Gateway サブネットで DDoS Standard 保護が有効になっているか", + "text": "特定の IP アドレスまたは範囲からの Azure Event Hub 名前空間へのアクセスのみを許可することを検討してください", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "severity": "中程度", - "text": "専用の特権アクセス ワークステーション (PAW) を使用して、Azure VMware Solution、vCenter、NSX Manager、HCX Manager を管理する", - "waf": "安全" + "text": "FTAレジリエンシーハンドブックの活用", + "waf": "確実" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", - "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードに対して Advanced Threat Detection (Microsoft Defender for Cloud 別名 ASC) を有効にする", - "waf": "安全" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "これは、ゾーン対応リージョンの Premium、Dedicated、または Standard SKU を使用してポータルから作成された新しい EH 名前空間に対して自動的にオンになります。EH メタデータとイベント データ自体の両方がゾーン間でレプリケートされます", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", + "severity": "高い", + "text": "Availability Zones の活用 (地域的に適用可能な場合)", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "severity": "中程度", - "text": "Azure ARC for Servers を使用して、Azure ネイティブ テクノロジを使用して Azure VMware Solution で実行されているワークロードを適切に管理します (Azure ARC for Azure VMware Solution はまだ利用できません)", - "waf": "安全" + "text": "予測可能なパフォーマンスのために Premium または Dedicated SKU を使用する", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution 上のワークロードで、実行時に十分なデータ暗号化 (ゲスト内ディスク暗号化や SQL TDE など) が使用されるようにします。(保存時の vSAN 暗号化がデフォルトです)", - "waf": "安全" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "組み込みの geo ディザスター 
リカバリー機能を有効にすると、名前空間の構成全体 (Event Hubs、コンシューマー グループ、設定) がプライマリ名前空間からセカンダリ名前空間に継続的にレプリケートされ、プライマリからセカンダリへのフェールオーバーをいつでも 1 回だけ行うことができます。アクティブ/パッシブ機能は、アプリケーション構成を変更することなく、障害が発生した Azure リージョンからの復旧と破棄を容易にするように設計されています", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "severity": "高い", + "text": "アクティブ パッシブ構成を使用した Geo ディザスター リカバリーの計画", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "低い", - "text": "ゲスト内暗号化を使用する場合は、可能な場合は Azure Key Vault に暗号化キーを格納します", - "waf": "安全" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "ダウンしたリージョンでのイベントデータの停止または損失を許容できない DR 構成に使用する必要があります。このような場合は、レプリケーションのガイダンスに従い、組み込みの geo ディザスター リカバリー機能 (アクティブ/パッシブ) を使用しないでください。アクティブ/アクティブでは、異なるリージョンと名前空間で複数の Event Hubs を保持し、イベントはハブ間でレプリケートされます", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", + "severity": "中程度", + "text": "ビジネス クリティカルなアプリケーションの場合は、アクティブ アクティブ構成を使用します", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードには、拡張セキュリティ更新プログラムのサポートの使用を検討してください (Azure VMware Solution は ESU の対象です)", - "waf": "安全" + "text": "回復力のある Event Hubs の設計", + "waf": "確実" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "データ プレーン アクセスのローカル認証方法の使用を制限します。代わりに、データ プレーン アクセスを制御するための既定の認証方法として Microsoft Entra ID を使用します。", + "guid": "32d41e36-11c8-417b-8afb-c410d4391898", + "service": "Azure Synapse Analytics", "severity": "高い", - "text": "適切な vSAN データ冗長化方式(RAID 仕様)が使用されていることを確認します。", - "waf": "確実" + "text": "Synapse 上の sql ワークロードでのローカル ユーザーの使用を制限する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", - "severity": "高い", - "text": "許容障害ポリシーが vSAN ストレージのニーズを満たすために設定されていることを確認します", - "waf": "確実" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Microsoft Entra ID を既定の認証方法として使用して、データ プレーン アクセスを制御します。", + "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "text": "マネージド ID を使用してサービスに対して認証する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "日常的な管理操作に必要ない場合は、緊急時のみの使用のためにローカル管理者アカウントを無効または制限します。", + "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", + "service": "Azure Synapse Analytics", "severity": 
"高い", - "text": "十分なクォータを要求し、拡張とディザスタリカバリの要件を考慮していることを確認します", - "waf": "確実" + "text": "高い権限を持つユーザーや管理ユーザーを分離して制限し、MFAと条件付きポリシーを有効にする", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse には、Synapse Studio のさまざまな側面を管理するための Synapse ロールベースのアクセス制御 (RBAC) ロールも含まれています。これらの組み込みロールを活用して、ユーザー、グループ、またはその他のセキュリティ プリンシパルにアクセス許可を割り当て、コード成果物の発行、公開されたコード成果物の一覧表示またはアクセス、Apache Spark プールと統合ランタイムでのコードの実行、資格情報で保護されているリンクされた (データ) サービスへのアクセス、ジョブ実行の監視またはキャンセル、ジョブ出力と実行ログの確認を行うことができます。", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", "severity": "中程度", - "text": "ESXiへのアクセス制限を理解し、サードパーティのソリューションに影響を与える可能性のあるアクセス制限があることを確認してください。", - "waf": "オペレーションズ" + "text": "Azure RBAC を使用してストレージへのアクセスを制御し、Synapse RBAC を使用してチームのペルソナに応じてワークスペース レベルでアクセスを制御して、データとコンピューティングへのアクセスをきめ細かくします", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", "severity": "中程度", - "text": "ESXi ホストの密度と効率に関するポリシーがあることを確認し、新しいノードを要求するためのリード タイムを念頭に置いてください", - "waf": "オペレーションズ" + "text": 
"RLS、CLS、データ マスキングを専用の SQL プール内の SQL ワークロードに実装して、セキュリティのレイヤーを追加する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse ワークスペースを作成するときに、Microsoft Azure Virtual Network に関連付けることを選択できます。ワークスペースに関連付けられている仮想ネットワークは、Azure Synapse によって管理されます。この仮想ネットワークは、マネージド ワークスペース仮想ネットワークと呼ばれます。これは、ワークスペースをデプロイするときに選択できます", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "severity": "中程度", - "text": "Azure VMware Solution の適切なコスト管理プロセスが整っていることを確認する - Azure Cost Management を使用できます", - "waf": "費用" + "text": "マネージド vnet ワークスペースを使用して、パブリック インターネット経由のアクセスを制限する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution を使用するためのコストを最適化するために Azure 予約インスタンスが使用されているか", - "waf": "費用" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "機密データを保護するために、ワークスペース エンドポイントへのパブリック アクセスを完全に無効にすることをお勧めします。これにより、すべてのワークスペース エンドポイントにプライベート エンドポイントを使用してのみアクセスできるようになります。", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "中程度", + "text": "外部サービスに接続し、パブリックアクセスを無効にするようにプライベートエンドポイントを設定します", + "waf": "安全" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "パブリック アクセスを有効にする必要がある場合は、指定したパブリック IP アドレスの一覧からの受信接続のみを許可するように IP ファイアウォール規則を構成することを強くお勧めします。", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "text": "パブリック アクセスを有効にする場合は、IP ファイアウォール ルールを構成することを強くお勧めします", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", "severity": "中程度", - "text": "他の Azure Native Services を使用する場合は、Azure Private-Link の使用を検討してください", + "text": "企業ネットワークから離れるべきではない機密データを扱っている場合は、vnet に SHIR VM をデプロイします", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", - "severity": "高い", - "text": "必要なすべてのリソースが同じ Azure 可用性ゾーン内に存在することを確認する", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "これはワークスペースをデプロイするときにのみ実行できますが、PyPI などのパブリック リポジトリからインストールされた Python ライブラリはサポートされていません。(有効にする前に制限について考えてください)", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + 
"service": "Azure Synapse Analytics", + "severity": "中程度", + "text": "データ流出防止 (DEP) を有効にする", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "暗号化の最初のレイヤーは Microsoft マネージド キーによって行われますが、カスタマー マネージド キーを使用して 2 番目の暗号化レイヤーを追加できます", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure Synapse Analytics", "severity": "中程度", - "text": "Azure VMware Solution ゲスト VM ワークロードに対して Microsoft Defender for Cloud を有効にする", + "text": "ワークスペースのカスタマー マネージド キーを使用した保存時のデータ暗号化", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse は TLS を利用して、移動中のデータが暗号化されるようにします。SQL 専用プールでは、暗号化のために TLS 1.0、TLS 1.1、TLS 1.2 バージョンがサポートされています。このバージョンでは、Microsoft が提供するドライバーでは既定で TLS 1.2 が使用されます。サーバーレス SQL プールと Apache Spark プールでは、すべての送信接続に TLS 1.2 が使用されます。", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", "severity": "中程度", - "text": "Azure Arc 対応サーバーを使用して Azure VMware Solution ゲスト VM のワークロードを管理する", + "text": "転送中のデータ暗号化", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", 
+ "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Keyvaults を使用してシークレットと資格情報を格納する", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "service": "Azure Synapse Analytics", "severity": "高い", - "text": "Azure VMware Solution での診断ログとメトリック ログを有効にするEnable Diagnostic and metric logging on Azure VMware Solution", - "waf": "オペレーションズ" + "text": "パスワード、セキュリティ、キーを Azure Key Vault に格納する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", - "severity": "中程度", - "text": "Log Analytics エージェントを Azure VMware Solution ゲスト VM ワークロードにデプロイする", - "waf": "オペレーションズ" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "データ プレーン アクセスのローカル認証方法の使用を制限します。代わりに、データ プレーン アクセスを制御するための既定の認証方法として Microsoft Entra ID を使用します。", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "service": "Azure Data Factory", + "severity": "高い", + "text": "必要に応じてローカルユーザーの使用を制限する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "マネージド ID を使用すると、資格情報を管理する必要がなくなります。マネージド ID は、Microsoft Entra 認証をサポートするリソースに接続するときに、サービス インスタンスの ID を提供します。", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", "severity": "中程度", - "text": "Azure VMware Solution VM ワークロードのバックアップ ポリシーとソリューションが文書化され、実装されていることを確認します", 
- "waf": "オペレーションズ" + "text": "マネージド ID を使用してサービスに対して認証する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "日常的な管理操作に必要ない場合は、緊急時のみの使用のためにローカル管理者アカウントを無効または制限します。", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "service": "Azure Data Factory", + "severity": "高い", + "text": "高い権限を持つユーザーや管理ユーザーを分離して制限し、MFAと条件付きポリシーを有効にする", + "waf": "安全" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "service": "Azure Data Factory", "severity": "中程度", - "text": "Microsoft Defender for Cloud を使用して、Azure VMware Solution で実行されているワークロードのコンプライアンス監視を行う", + "text": "企業ネットワークから離れるべきではない機密データを扱っている場合は、vnet に SHIR VM をデプロイします", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Data Factory マネージド仮想ネットワーク内に Azure 統合ランタイムを作成すると、統合ランタイムはマネージド仮想ネットワークと共にプロビジョニングされます。プライベート エンドポイントを使用して、サポートされているデータ ストアに安全に接続します。", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "service": "Azure Data Factory", "severity": "中程度", - "text": "適用可能なコンプライアンス ベースラインは Microsoft Defender for Cloud に追加されていますか", + "text": "マネージド vnet IR を使用して、Azure Integration Runtime のパブリック インターネット経由のアクセスを制限する", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design 
Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", - "severity": "高い", - "text": "Azure VMware Solution のデプロイに使用する Azure リージョンを選択するときにデータ所在地が評価されましたか", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "マネージド プライベート エンドポイントは、Azure リソースへのプライベート リンクを確立する Data Factory マネージド仮想ネットワークで作成されたプライベート エンドポイントです。Data Factory は、ユーザーに代わってこれらのプライベート エンドポイントを管理します。", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", + "severity": "中程度", + "text": "マネージド プライベート エンドポイントを構成して、マネージド Azure IR を使用してリソースに接続する", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", - "severity": "高い", - "text": "データ処理への影響 (サービス プロバイダー/サービス コンシューマー モデル) が明確で文書化されているか", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "これはデフォルト設定です", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "service": "Azure Data Factory", + "severity": "中程度", + "text": "Microsoft マネージド キーによる保存時のデータ暗号化", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "これはデフォルト設定です", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "service": "Azure Data Factory", "severity": "中程度", - "text": "コンプライアンス上の理由で必要な場合にのみ、vSAN に CMK (カスタマー マネージド キー) 
を使用することを検討してください。", + "text": "Microsoft マネージド キーによる転送中のデータ暗号化", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "高い", - "text": "Azure VMware Solution のコア監視分析情報を有効にするダッシュボードを作成するCreate dashboards to enable a core Azure VMware Solution monitoring insights", - "waf": "オペレーションズ" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "カスタマー マネージド キーを指定すると、Data Factory はファクトリ システム キーと CMK の両方を使用して顧客データを暗号化します。どちらかが欠落していると、データとファクトリへのアクセスが拒否されます。", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", + "severity": "中程度", + "text": "BYOK (カスタマー マネージド キー) による転送中のデータ暗号化", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", "severity": "高い", - "text": "Azure VMware Solution のパフォーマンス (CPU >80%、平均メモリ >80%、vSAN >70%) に関する自動アラートの重大しきい値の警告アラートを作成する", - "waf": "オペレーションズ" + "text": "パスワードとシークレットを Azure Key Vault に格納する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", - 
"severity": "高い", - "text": "vSAN の消費量が 75% を下回っているかどうかを監視するための重要なアラートが作成されていることを確認します (これは VMware からのサポートしきい値です)。", - "waf": "オペレーションズ" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "service": "Microsoft Purview", + "severity": "中程度", + "text": "コントロール プレーンとデータ プレーンで Microsoft Purview を管理するためのロールと責任を定義する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", - "severity": "高い", - "text": "Azure Service Health のアラートと通知に対してアラートが構成されていることを確認する", - "waf": "オペレーションズ" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "これには Azure RBAC を使用します", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "中程度", + "text": "Azure サブスクリプション (コントロール プレーン) 内で Microsoft Purview をデプロイおよび管理するために必要なロールとタスクを定義する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "これには、Microsoft Purview ロールを使用します。", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", "severity": "中程度", - "text": "処理のために Azure Storage アカウントまたは Azure EventHub に送信するように Azure VMware Solution ログを構成する", - "waf": "オペレーションズ" + "text": "Microsoft Purview を使用してデータ管理とガバナンスを実行するために必要なロールとタスクを定義します。(Data Map と Data Catalog のデータ 
プレーン。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "低い", - "text": "VMware vSphere での詳細な分析情報が必要な場合:vRealize Operations や vRealize Network Insights がソリューションで使用されていますか?", - "waf": "オペレーションズ" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "service": "Microsoft Purview", + "severity": "中程度", + "text": "個々のユーザーにロールを割り当てるのではなく、Microsoft Entra グループにロールを割り当てます。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", - "severity": "高い", - "text": "仮想マシンの vSAN ストレージ ポリシーはシック プロビジョニングを適用するため、このポリシーがデフォルトのストレージ ポリシーではないことを確認します", - "waf": "オペレーションズ" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", + "severity": "中程度", + "text": "Azure Active Directory エンタイトルメント管理を使用して、アクセス パッケージを使用してユーザー アクセスを Microsoft Entra グループにマップします。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", - "severity": "中程度", - "text": "vSAN は有限のリソースであるため、vSphere コンテンツ ライブラリが vSAN に配置されていないことを確認する", - "waf": "オペレーションズ" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "service": "Microsoft Purview", + "severity": "高い", + "text": "Microsoft Purview ユーザー (特に、コレクション管理者、データ ソース管理者、データ キュレーターなどの特権ロールを持つユーザー) 
に対して多要素認証を適用します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", - "severity": "中程度", - "text": "バックアップ ソリューションのデータ リポジトリが vSAN ストレージの外部に保存されていることを確認します。Azure ネイティブまたはディスク プールでバックアップされるデータストア上", - "waf": "オペレーションズ" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "service": "Microsoft Purview", + "severity": "高い", + "text": "Microsoft Entra ID を使用して、すべてのユーザー、Entra に登録されているセキュリティ グループ、Microsoft Purview のコレクション内のサービス プリンシパルとマネージド ID に認証と承認を提供します", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", - "severity": "中程度", - "text": "Azure Arc for Servers を使用して Azure VMware Solution で実行されているワークロードがハイブリッド管理されていることを確認する (Arc for Azure VMware Solution はプレビュー段階です)", - "waf": "オペレーションズ" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "service": "Microsoft Purview", + "severity": "高い", + "text": "最小特権モデルを定義し、特権アカウントの露出を減らす", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードが Azure Log Analytics と Azure Monitor を使用して監視されていることを確認する", - "waf": "オペレーションズ" + "text": "Private Link 
サービスを使用して、エンドツーエンドのネットワーク分離を有効にします。(Microsoft Purview データ マップ)", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードを、既存の更新プログラム管理ツールまたは Azure Update Management に含める", - "waf": "オペレーションズ" + "text": "Microsoft Purview ファイアウォールを使用して、パブリック アクセスを無効にします。(Microsoft Purview データ マップ)", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", "severity": "中程度", - "text": "Azure Policy を使用して、Azure の管理、監視、セキュリティ ソリューションに Azure VMware Solution ワークロードをオンボードする", - "waf": "オペレーションズ" + "text": "Azure データ ソースのプライベート エンドポイント、Microsoft Purview プライベート エンドポイント、セルフホステッド ランタイム VM がデプロイされるサブネットのネットワーク セキュリティ グループ (NSG) ルールをデプロイします。(Microsoft Purview データ マップ)", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "link": 
"https://learn.microsoft.com/azure/firewall/overview", + "service": "Microsoft Purview", "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードが Microsoft Defender for Cloud にオンボードされていることを確認する", + "text": "ネットワーク検査やネットワーク フィルタリングのための Azure Firewall など、ネットワーク仮想アプライアンスによって管理されるプライベート エンドポイントを使用して Microsoft Purview を実装します。(Microsoft Purview データ マップ)", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "このプライベート エンドポイントは、ポータルのプライベート エンドポイントの前提条件でもあります。プライベート ネットワークを使用して Microsoft Purview ガバナンス ポータルへの接続を有効にするには、Microsoft Purview ポータルのプライベート エンドポイントが必要です。Microsoft Purview では、インジェスト プライベート エンドポイントを使用して、Azure またはオンプレミス環境のデータ ソースをスキャンできます。プライベートエンドポイントの使用に関する制限 https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network", + "service": "Microsoft Purview", "severity": "中程度", - "text": "vSAN は有限のリソースであるため、バックアップが vSAN に保存されないようにする", - "waf": "確実" + "text": "Microsoft Purview アカウントのプライベート エンドポイントをデプロイしてセキュリティの別のレイヤーを追加し、仮想ネットワーク内から発信されたクライアント呼び出しのみが Microsoft Purview アカウントにアクセスできるようにします", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access。確認すべき制限: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "service": "Microsoft Purview", 
"severity": "中程度", - "text": "すべてのDRソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[SRM/JetStream/Zerto/Veeam/...]", - "waf": "確実" + "text": "Microsoft Purview ファイアウォールを使用してパブリック アクセスをブロックする", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", "severity": "中程度", - "text": "ディザスター リカバリー テクノロジがネイティブの Azure IaaS の場合は、Azure Site Recovery を使用します", - "waf": "確実" + "text": "ネットワーク セキュリティ グループを使用して、Azure 仮想ネットワーク内の Azure リソースとの間のネットワーク トラフィックをフィルター処理します", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "service": "Microsoft Purview", "severity": "高い", - "text": "いずれかの災害ソリューションで自動復旧計画を使用し、手動タスクを可能な限り回避します", - "waf": "確実" + "text": "オンプレミスの vnet の境界を離れることができない機密データがある場合は、企業の vnet 内で SHIR VM を使用してメタデータを抽出することを強くお勧めします", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": 
"メタデータは抽出されて Microsoft Purview Data Map に格納されますが、Purview アカウントにマネージド ストレージ アカウントを使用していない場合は、すべてのユーザーがアクセスできるように公開されているため、適切な RBAC を実装し、データへのアクセスを目的のユーザーのみに制限します。2023 年 12 月 15 日以降にデプロイされたアカウント (または API バージョン 2023-05-01-preview 以降を使用してデプロイされたアカウント) に適用されます", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "service": "Microsoft Purview", "severity": "中程度", - "text": "地政学的リージョンのペアをセカンダリディザスタリカバリ環境として使用する", - "waf": "確実" + "text": "Azure RBAC を使用して、ストレージ アカウント (MS によって管理されていない) のアクセスを目的のユーザーのみに制限します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", - "severity": "高い", - "text": "リージョン間で 2 つの異なるアドレス空間を使用します (例: 10.0.0.0/16 と 192.168.0.0/16)。", - "waf": "確実" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "service": "Microsoft Purview", + "severity": "中程度", + "text": "保存データは、Microsoft マネージド キーによって暗号化されます", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "service": "Microsoft Purview", "severity": "中程度", - "text": "ExpressRoute Global Reach は、プライマリとセカンダリの Azure VMware Solution プライベート クラウド間の接続に使用されますか、それともネットワーク仮想アプライアンスを介してルーティングされますか?", - "waf": "確実" + "text": "転送中のデータは TLS 1.3 によって暗号化されます", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": 
"bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "service": "Microsoft Purview", + "severity": "高い", + "text": "マネージド ID を使用していない場合、またはパスワードが必要なメソッドを使用しない場合は、常に Azure Key Vault を使用してすべての資格情報を格納します", + "waf": "安全" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "service": "Microsoft Purview", "severity": "中程度", - "text": "すべてのバックアップソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[ MABS/CommVault/Metallic.io/Veeam/ . ]", - "waf": "確実" + "text": "リソース ロックを適用して Microsoft Purview アカウントの誤削除を防ぐ", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", "severity": "中程度", - "text": "バックアップ ソリューションを Azure VMware Solution プライベート クラウドと同じリージョンにデプロイする", - "waf": "確実" + "text": "テナント全体のアカウント ロックアウトを防ぐために、Microsoft Entra テナント、Azure サブスクリプション、Microsoft Purview アカウントの非常用戦略を計画します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "service": "Microsoft Purview", "severity": "中程度", - "text": "バックアップ ソリューションを vSan の外部の Azure ネイティブ コンポーネントにデプロイする", - "waf": "確実" + "text": "Microsoft 365 および Microsoft Defender for Cloud と統合する", + "waf": "安全" }, { - 
"arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "低い", - "text": "Azure プラットフォームによって管理されている VMware コンポーネントの復元を要求するプロセスは用意されていますか?", - "waf": "確実" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "管理者アカウントを通常のユーザーアカウントから分離します。", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "service": "Azure Databricks", + "severity": "高い", + "text": "最小特権モデルを定義し、特権アカウントの露出を減らす", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "低い", - "text": "手動デプロイの場合、すべての構成とデプロイを文書化する必要があります", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Databricks では Microsoft Entra ID の条件付きアクセスがサポートされているため、管理者はユーザーが Azure Databricks にサインインできる場所とタイミングを制御できます。条件付きアクセス ポリシーでは、企業ネットワークへのサインインを制限したり、多要素認証 (MFA) を要求したりできます。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", + "severity": "高い", + "text": "シングルサインオンと統合ログインを設定します。多要素認証を有効にします。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "低い", - "text": "手動デプロイの場合は、Azure VMware Solution プライベート クラウドでの偶発的なアクションを防ぐために、リソース ロックの実装を検討してください", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + 
"description": "お客様は、トークン管理 API または UI コントロールを使用して、REST API 認証のパーソナル アクセス トークン (PAT) を有効または無効にしたり、PAT を使用できるユーザーの制限を行ったり、新しいトークンの最大有効期間を設定したり、既存のトークンを管理したりできます。安全性の高いお客様は、通常、ワークスペースの新しいトークンに対してトークンの最大有効期間をプロビジョニングします。この機能には、Premium 価格レベルが必要です。", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens", + "service": "Azure Databricks", + "severity": "中程度", + "text": "トークン管理を使用します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "低い", - "text": "自動デプロイの場合は、最小限のプライベート クラウドをデプロイし、必要に応じてスケーリングします", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Databricks プラットフォームの通常のユーザーでもある Databricks 管理者がいる場合 (たとえば、プラットフォームを管理し、データ エンジニアリング作業も行うリード データ エンジニアがいる場合)、Databricks では管理タスク用に別のアカウントを作成することをお勧めします。Azure RBAC モデルの一部として、デプロイされた Azure Databricks ワークスペースのリソース グループに対する共同作成者以上のアクセス許可を付与されたユーザーは、そのワークスペースにログインすると自動的に管理者になることに注意してください。したがって、上記で説明したのと同じ考慮事項を Azure portal ユーザーにも適用する必要があります。", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "service": "Azure Databricks", + "severity": "高い", + "text": "管理者アカウントを通常のユーザーアカウントから分離する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "低い", - "text": "自動デプロイの場合は、デプロイを開始する前にクォータを要求または予約します", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "SCIM (System for Cross-domain Identity Management) を使用すると、ユーザーとグループを Microsoft Entra ID から Azure Databricks 
に同期できます。このアプローチには、主に 3 つの利点があります: 1. ユーザーを削除すると、そのユーザーは Databricks から自動的に削除されます。2. ユーザーは、SCIMを介して一時的に無効にすることもできます。お客様は、アカウントが侵害された可能性があり、調査する必要があるとお客様が考えるシナリオで、この機能を使用しています 3.グループは自動的に同期されます Azure Databricks の SCIM を構成する方法の詳細については、ドキュメントを参照してください。この機能には Premium 価格レベルが必要です", + "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", + "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/", + "service": "Azure Databricks", + "severity": "中程度", + "text": "ユーザーとグループの SCIM 同期。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "低い", - "text": "自動デプロイの場合は、適切なガバナンスのために、自動化または Azure Policy を使用して関連するリソース ロックが作成されていることを確認します", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "管理者は、クラスターポリシーまたは古いクラスター ACL を使用して、組織内のどのユーザーまたはグループがクラスターを作成できるかを定義できます。クラスター ACL を使用すると、特定のクラスターにノートブックをアタッチできるユーザーを指定できます。ユーザーが標準モードのクラスターに既にアタッチされているノートブックを共有している場合、受信者もそのクラスターでコードを実行できることに注意してください。これは、ユーザーの分離を強制するクラスター (SQL ウェアハウス、テーブル ACL クラスターによる高いコンカレンシー、資格情報パススルー クラスターによる高いコンカレンシー) には適用されません。Unity Catalog を使用しているお客様は、シングルユーザー クラスターを有効にして、分離クラスターを適用することもできます。", + "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", + "service": "Azure Databricks", + "severity": "中程度", + "text": "クラスターの作成権限を制限します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "低い", - "text": "ExR 認証キーに人間が理解できる名前を実装して、キーの目的/用途を簡単に識別できるようにします", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "お客様が Azure Key Vault 
を使用してシークレットを格納する場合でも、アクセス制御は Azure Databricks 内で定義する必要があることに注意することが重要です。これは、同じサービス ID を使用して、Azure Databricks ワークスペースのすべてのユーザーのシークレットが取得されるためです。", + "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", + "service": "Azure Databricks", + "severity": "高い", + "text": "パスワードとシークレットを Azure Key Vault に格納する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution と ExpressRoute のデプロイに個別のサービス プリンシパルを使用する場合は、キー コンテナーを使用してシークレットと承認キーを格納します", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "ユーザー分離が設定されたクラスターには、各ユーザーがクラスター ホスト上で異なる非特権ユーザー アカウントとして実行されるような強制が含まれます。また、言語は分離された方法で実装できる言語 (SQL と Python) に限定されており、Spark API は分離セーフであると思われる言語の許可リストに含まれている必要があります。", + "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3", + "service": "Azure Databricks", + "severity": "中程度", + "text": "ユーザーの分離をサポートするクラスターを使用します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution では限られた数の並列操作しかサポートされないため、Azure VMware Solution に多くのリソースをデプロイする必要がある場合に、IaC でアクションをシリアル化するためのリソースの依存関係を定義します。", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "運用ワークロードを個々のユーザー アカウントに関連付けることはセキュリティのベスト プラクティスに反するため、Databricks 内でサービス プリンシパルを構成することをお勧めします。サービス原則は、管理者とユーザーのアクションをワークロードから分離し、ユーザーが組織を離れた場合にワークロードが影響を受けるのを防ぎます。Databricks を使用すると、ジョブをサービス プリンシパルとして実行するように構成し、サービス プリンシパルの個人用アクセス トークンを生成できます。", + "guid": "e29711b1-352b-4eee-879b-588defc5972c", + "link": 
"https://learn.microsoft.com/azure/databricks/security/auth/access-control/", + "service": "Azure Databricks", + "severity": "中程度", + "text": "サービス プリンシパルを使用して、運用ジョブを実行します。ワークスペース レベル (ACL)、アカウント レベル (RBAC)、データ レベル (Unity カタログ) のセキュリティ制御に適切なアクセス制御を使用する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "低い", - "text": "単一の Tier-1 ゲートウェイで NSX-T セグメントの自動構成を実行する場合は、NSX-Manager API ではなく Azure Portal API を使用します", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "デフォルトでは、DBFSは、特定のワークスペースのすべてのユーザーがアクセスでき、APIを介してアクセスできるファイルシステムです。IP アクセス リストまたはプライベート ネットワーク アクセスを使用して、DBFS API または Databricks cli を介したデータへのアクセスを制限できるため、これは必ずしもデータ流出の大きな懸念事項ではありません。ただし、Azure Databricks の使用が拡大し、ワークスペースに参加するユーザーが増えると、それらのユーザーは DBFS に格納されている任意のデータにアクセスできるようになり、望ましくない情報共有が発生する可能性があります。Databricks では、お客様が運用データを DBFS に保存しないことをお勧めします。", + "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c", + "service": "Azure Databricks", + "severity": "高い", + "text": "運用データを DBFS に格納しないでください。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "管理するストレージ アカウントについては、要件に従ってストレージ アカウントが保護されていることを確認するのは、ユーザーの責任です。例としては、カスタマー マネージド キーによる暗号化、ストレージ ファイアウォールによる信頼できるネットワークへのアクセスの制限、匿名のパブリック アクセスは許可されないなどがあります", + "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", "severity": "中程度", - "text": 
"自動スケールアウトを使用する場合は、Azure VMware Solution を実行しているサブスクリプションに対して十分な Azure VMware Solution クォータを申請してください", - "waf": "パフォーマンス" + "text": "ストレージを暗号化し、アクセスを制限します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Databricks コントロール プレーン内に格納されている選択データ (ノートブック、シークレット、Databricks SQL クエリ、Databricks SQL クエリ履歴など) と、DBFS に使用されるルート ストレージ アカウントに対して、カスタマー マネージド キーを追加します。Azure Databricks では、継続的な操作のためにこのキーにアクセスする必要があります。キーへのアクセスを取り消すと、Azure Databricks がコントロール プレーン内 (またはバックアップ内) の暗号化データにアクセスできないようにすることができます。これは、ワークスペースが機能しなくなる核オプションのようなものですが、極端な状況に対する緊急制御を提供します。この機能には、Premium 価格レベルが必要です。", + "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", "severity": "中程度", - "text": "自動スケールインを使用する場合は、そのようなアクションを実行する前に、ストレージ ポリシーの要件を必ず考慮してください", - "waf": "パフォーマンス" + "text": "マネージド サービスとワークスペース ストレージのカスタマー マネージド キーを追加する", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "アカウント コンソールとワークスペース レベルで Databricks に対して認証できる IP アドレスを制限する IP アクセス リストを構成するには、ユーザーまたは API クライアントが VPN やオフィス ネットワークなどの既知の良好な IP アドレス範囲から来ているかどうかを確認します。確立されたユーザーセッションは、VPNから切断するときなど、ユーザーが不正なIPアドレスに移動した場合、機能しません。", + "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", + "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list", + "service": "Azure 
Databricks", "severity": "中程度", - "text": "スケーリング操作は、一度に 1 つのスケール操作しか実行できないため、常に 1 つの SDDC 内でシリアル化する必要があります (複数のクラスタが使用されている場合でも)", - "waf": "パフォーマンス" + "text": "IP アクセス リストを有効にして、特定の IP アドレスへのアクセスを制限します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Private Link は、ある Azure 環境から別の Azure 環境へのプライベート ネットワーク ルートを提供します。Private Link は、Azure Databricks ユーザーとコントロール プレーンの間、およびコントロール プレーンとデータ プレーンの間の両方で構成できます。Databricks ユーザーとコントロール プレーンの間では、Private Link は受信要求のソースを制限する強力な制御を提供します。企業が既に Azure 環境経由でトラフィックをルーティングしている場合は、Private Link を使用して、ユーザーと Azure Databricks コントロール プレーン間の通信がパブリック IP アドレスを経由しないようにすることができます。この機能には、Premium 価格レベルが必要です。Azure Private Link を使用して、Azure Databricks から Azure リソースに接続します。Private Link は、", + "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3", + "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link", + "service": "Azure Databricks", "severity": "中程度", - "text": "アーキテクチャで使用されるサードパーティソリューションでのスケーリング操作を検討および検証します(サポートされているかどうか)", - "waf": "パフォーマンス" + "text": "Azure Private Link を構成して使用し、Azure リソースにアクセスします。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, 
certificateName = name | distinct id, certificateName, compliant", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "severity": "中程度", - "text": "自動化で環境のスケールイン/スケールアウトの上限を定義して適用する", - "waf": "パフォーマンス" + "text": "Azure Front Door でカスタマー マネージド TLS 証明書を使用する場合は、\"最新\" の証明書バージョンを使用します。証明書の手動更新による停止のリスクを軽減します。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = 
(associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", "severity": "中程度", - "text": "監視ルールを実装して、自動スケーリング操作を監視し、成功と失敗を監視して、適切な (自動化された) 応答を有効にします", - "waf": "オペレーションズ" + "text": "Azure Front Door と WAF ポリシーを使用して、複数の Azure リージョンにまたがるグローバル HTTP/S アプリを提供し、保護します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", + "service": "Front Door", + "severity": "中程度", + "text": "Front Door と Application Gateway を使用して HTTP/S アプリを保護する場合は、Front Door で WAF ポリシーを使用します。Application Gateway をロックダウンして、Front Door からのトラフィックのみを受信します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend 
profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", "severity": "高い", - "text": "MONを使用する場合は、同時に構成されたVMの制限(HCXのMON制限[400 - 標準、1000 - 大規模アプライアンス])に注意してください", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "確実" + "text": "Front Door の WAF ポリシーを \"防止\" モードでデプロイし、Web アプリケーション ファイアウォールがトラフィックを許可または拒否するための適切なアクションを実行するようにします。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", "severity": "高い", - "text": "MON を使用する場合、100 を超えるネットワーク拡張で MON を有効にすることはできません", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "確実" + "text": "Traffic Manager を Front Door の後ろに配置しないでください。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", - "severity": "中程度", - "text": "移行に VPN 接続を使用する場合は、それに応じて MTU サイズを調整します。", - "waf": "パフォーマンス" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", + "severity": "高い", + "text": "Azure Front Door と配信元で同じドメイン名を使用します。ホスト名が一致しないと、微妙なバグが発生する可能性があります。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", - "severity": "中程度", - "text": "Azure に接続する接続性の低いリージョン (500 Mbps 以下) の場合は、HCX WAN 最適化アプライアンスのデプロイを検討してください", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": 
"0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "低い", + "text": "Azure Front Door の配信元グループに配信元が 1 つしかない場合は、正常性プローブを無効にします。", "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", "severity": "中程度", - "text": "移行がオンプレミスアプライアンスから開始され、クラウドアプライアンスから開始されていないことを確認します(逆移行は実行しないでください)", + "text": "Azure Front Door の適切な正常性プローブ エンドポイントを選択します。アプリケーションのすべての依存関係をチェックする正常性エンドポイントの構築を検討してください。", "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", - "severity": "中程度", - "text": "Azure NetApp Files を使用して Azure VMware Solution のストレージを拡張する場合は、VM に直接接続するのではなく、これを VMware データストアとして使用することを検討してください。", - "waf": "確実" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", + "severity": "低い", + "text": "Azure Front Door で HEAD 正常性プローブを使用して、Front Door がアプリケーションに送信するトラフィックを減らします。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", - "severity": "中程度", - "text": "専用の ExpressRoute ゲートウェイが外部データ ストレージ ソリューションに使用されていることを確認する", - "waf": "確実" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", + "severity": "高い", + "text": "Azure Front Door でマネージド TLS 証明書を使用します。運用コストと、証明書の更新による停止のリスクを軽減します。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", 
+ "service": "Front Door", "severity": "中程度", - "text": "外部データ ストレージ ソリューションに使用されている ExpressRoute ゲートウェイで FastPath が有効になっていることを確認します", - "waf": "確実" + "text": "Azure Front Door WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", "severity": "高い", - "text": "ストレッチ クラスタを使用している場合は、選択したディザスタ リカバリ ソリューションがベンダーによってサポートされていることを確認します", - "waf": "確実" + "text": "Azure Front Door でエンド ツー エンド TLS を使用します。クライアントから Front Door への接続、および Front Door から配信元への接続には TLS を使用します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | 
where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", + "severity": "中程度", + "text": "Azure Front Door で HTTP から HTTPS へのリダイレクトを使用します。古いクライアントを自動的に HTTPS リクエストにリダイレクトすることで、クライアントをサポートします。", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", "severity": "高い", - "text": "ストレッチ クラスターを使用する場合は、提供される SLA が要件を満たしていることを確認します", - "waf": "確実" + "text": "Azure Front Door WAF を有効にします。さまざまな攻撃からアプリケーションを保護します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", "severity": "高い", - "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線が接続ハブに接続されていることを確認します。", - "waf": "確実" + "text": "ワークロードに合わせて Azure Front Door WAF を調整するには、検出モードで WAF を構成して誤検知の検出を減らして修正します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - 
"checklist": "Azure VMware Solution Design Review",
- "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed",
- "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
- "service": "AVS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
+ "service": "Front Door",
 "severity": "高い",
- "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線で GlobalReach が有効になっていることを確認します。",
- "waf": "確実"
+ "text": "Azure Front Door WAF ポリシーで有効になっている要求本文の検査機能を有効にします。",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
- "service": "AVS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
+ "service": "Front Door",
 "severity": "高い",
- "text": "サイトの耐障害性の設定を適切に検討し、必要に応じてビジネスに合わせて変更しましたか?",
- "waf": "確実"
+ "text": "Azure Front Door WAF の既定のルール セットを有効にします。デフォルトのルールセットは、一般的な攻撃を検出してブロックします。",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
- "service": "IoT Hub DPS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
+ "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
+ "service": "Front Door",
 "severity": "高い",
- "text": "ビジネスと SLO の要件に基づいて適切なロジック アプリのホスティング プランを選択する",
+ "text": "Azure Front Door WAF ボット保護ルール セットを有効にします。ボット ルールは、良いボットと悪いボットを検出します。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "最新の Azure Front Door WAF ルール セット バージョンを使用します。ルールセットの更新は、現在の脅威の状況を考慮して定期的に更新されます。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "Azure Front Door WAF にレート制限を追加します。レート制限は、クライアントが誤ってまたは意図的に短時間に大量のトラフィックを送信するのをブロックします。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "Azure Front Door WAF のレート制限には高いしきい値を使用します。レート制限のしきい値を高くすると、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多くのリクエストに対する保護を提供します。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
+ "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
+ "service": "Front Door",
+ "severity": "低い",
+ "text": "すべての地理的地域からのトラフィックを想定していない場合は、geo フィルタを使用して、想定外の国からのトラフィックをブロックします。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "Azure Front Door WAF を使用してトラフィックを geo フィルタリングする場合は、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致できない場合に、正当な要求を誤ってブロックしないようにします。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "ログとメトリックをキャプチャするには、診断設定をオンにします。リソース アクティビティ ログ、アクセス ログ、正常性プローブ ログ、WAF ログを含めます。アラートを設定します。",
+ "waf": "オペレーションズ"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "Azure Front Door WAF ログを Microsoft Sentinel に送信します。",
+ "waf": "オペレーションズ"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02",
+ "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": 
"デプロイ戦略をサポートするルーティング方法を選択します。設定された重み係数に基づいてトラフィックを分散する加重方式は、アクティブ/アクティブモデルをサポートします。プライマリ リージョンがすべてのトラフィックを受信し、バックアップとしてセカンダリ リージョンにトラフィックを送信するように設定する優先度ベースの値は、アクティブ/パッシブ モデルをサポートします。上記の方法とレイテンシを組み合わせて、レイテンシが最も低いオリジンがトラフィックを受信するようにします。",
 "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "IoT Hub DPS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant",
+ "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door",
+ "service": "Front Door",
 "severity": "高い",
- "text": "ゾーンの冗長性と可用性ゾーンを使用してリージョンの障害からロジック アプリを保護する",
+ "text": "1 つ以上のバックエンド プールに複数の配信元を持つことで冗長性をサポートします。アプリケーションの冗長インスタンスを常に用意し、各インスタンスがエンドポイントまたはオリジンを公開していることを確認します。これらの配信元は、1 つ以上のバックエンド プールに配置できます。",
 "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "8aed4fbf-0830-4883-899d-222a154af478",
- "link": 
"https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "IoT Hub DPS",
- "severity": "高い",
- "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "999852be-2137-4179-8fc3-30d1df6fed1d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "バックエンドへの要求の転送にタイムアウトを設定します。エンドポイントのニーズに応じてタイムアウト設定を調整します。そうしないと、配信元が応答を送信する前に Azure Front Door が接続を閉じる可能性があります。また、すべての配信元のタイムアウトが短い場合は、Azure Front Door の既定のタイムアウトを下げることもできます。",
 "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "IoT Hub DPS",
- "severity": "高い",
- "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6",
+ "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "アプリケーションにセッション アフィニティが必要かどうかを判断します。高い信頼性要件がある場合は、セッション アフィニティを無効にすることをお勧めします。",
 "waf": "確実"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "IoT Hub DPS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7",
+ 
"link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header",
+ "service": "Front Door",
 "severity": "中程度",
- "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護",
+ "text": "ホストヘッダーをバックエンドに送信します。バックエンド サービスは、そのホストからのトラフィックのみを受け入れるルールを作成できるように、ホスト名を認識する必要があります。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "81a5398a-2414-450f-9fc3-e048bc65784c",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "キャッシュをサポートするエンドポイントにはキャッシュを使用します。",
+ "waf": "費用"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant",
+ "guid": "34069d73-e4de-46c5-a36f-625f87575a56",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "Front Door",
+ "severity": "低い",
+ "text": "単一のバックエンド・プールのヘルス・チェックを無効にします。Azure Front Door の配信元グループに配信元が 1 つしか構成されていない場合、これらの呼び出しは不要です。これは、エンドポイントに複数のオリジンを持てない場合にのみ推奨されます。",
+ "waf": "費用"
+ },
+ {
+ 
"arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c92d6786-cdd1-444d-9cad-934a192a276a",
+ "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "セキュリティ レポートを活用するには Premium レベルを使用することをお勧めしますが、Standard Azure Front Door プロファイルでは、組み込みの分析/レポートでトラフィック レポートのみが提供されます。",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
- "service": "Redis",
- "severity": "高い",
- "text": "Azure Cache for Redis のゾーン冗長を有効にします。Azure Cache for Redis では、Premium レベルと Enterprise レベルでゾーン冗長構成がサポートされています。ゾーン冗長キャッシュでは、同じリージョン内の異なる Azure Availability Zones にノードを配置できます。これにより、データセンターや AZ の停止が単一障害点として排除され、キャッシュの全体的な可用性が向上します。",
- "waf": "確実"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain",
+ "service": "Front Door",
+ "severity": "中程度",
+ "text": "可能な場合は、ワイルドカード TLS 証明書を使用します。",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
- "service": "Redis",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
+ "service": "Front Door",
 "severity": "中程度",
- "text": "Azure Cache for Redis インスタンスのデータ永続化を構成します。キャッシュ 
データはメモリに格納されるため、まれに複数のノードで計画外の障害が発生すると、すべてのデータがドロップされる可能性があります。データの完全な損失を回避するために、Redis 永続化では、メモリ内データのスナップショットを定期的に取得し、ストレージ アカウントに格納できます。",
- "waf": "確実"
+ "text": "キャッシュ用にアプリケーションのクエリ文字列を最適化します。純粋に静的なコンテンツの場合は、クエリ文字列を無視して、キャッシュを最大限に活用します。アプリケーションでクエリ文字列を使用する場合は、それらをキャッシュキーに含めることを検討してください。キャッシュ キーにクエリ文字列を含めると、Azure Front Door は、構成に基づいてキャッシュされた応答またはその他の応答を提供できます。",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
- "service": "Redis",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece",
+ "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression",
+ "service": "Front Door",
 "severity": "中程度",
- "text": "geo 冗長ストレージ アカウントを使用して Azure Cache for Redis データを保持するか、geo 冗長性を使用できない場合はゾーン冗長を使用します",
- "waf": "確実"
+ "text": "ダウンロード可能なコンテンツにアクセスするときは、ファイル圧縮を使用します。",
+ "waf": "パフォーマンス"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
- "service": "Redis",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant",
+ "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243",
+ "link": "https://learn.microsoft.com/azure/cdn/tier-migration",
+ "service": "Front Door",
+ "severity": "高い",
+ "text": "現在クラシック Azure Front Door を使用している場合は、クラシック Azure Front Door は 2027 年 3 月までに非推奨になるため、Standard SKU または Premium SKU への移行を検討してください。",
+ 
"waf": "オペレーションズ"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "67c33697-15b1-4752-aeee-0b9b588defc4",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery",
+ "service": "Front Door",
 "severity": "中程度",
- "text": "Premium Azure Cache for Redis インスタンスのパッシブ geo レプリケーションを構成します。geo レプリケーションは、2 つ以上の Azure Cache for Redis インスタンス (通常は 2 つの Azure リージョンにまたがる) をリンクするためのメカニズムです。geo レプリケーションは、主にリージョン間のディザスター リカバリー用に設計されています。2 つの Premium レベルのキャッシュ インスタンスは、プライマリ キャッシュへの読み取りと書き込みを提供する方法で geo レプリケーションを介して接続され、そのデータはセカンダリ キャッシュにレプリケートされます。",
+ "text": "ミッション クリティカルな高可用性シナリオには、Traffic Manager の負荷分散 Azure Front Door とサード パーティの CDN プロバイダー CDN プロファイルの使用を検討してください。",
 "waf": "確実"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance",
+ "service": "Front Door",
+ "severity": "高い",
+ "text": "配信元を App Services として Front Door を使用する場合は、アクセス制限を使用して Azure Front Door 経由でのみアプリ サービスへのトラフィックをロックダウンすることを検討してください。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "共鳴可能なAIのためのメタプロンプトガードレールに従う",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": 
"高い",
+ "text": "APIM や AI Central などのソリューションを使用したゲートウェイ パターンを検討して、レート制限、負荷分散、認証、ログ記録を改善します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "AOAI インスタンスの監視を有効にする",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "リソースに対して実行されたアクション (サブスクリプション キーの再生成など) によって作成されたアクティビティ ログのエントリや、1 時間に 10 を超えるエラー数などのメトリックしきい値によって作成されたアクティビティ ログのエントリなど、イベントを通知するアラートを作成します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "トークンの使用状況を監視して、容量によるサービスの中断を防ぎます",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "処理された推論トークン、生成された完了トークンなどのメトリックを観察し、レート制限を監視します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": 
"https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "text": "診断が十分でない場合は、Azure OpenAI の前で Azure API Management などのゲートウェイを使用して、受信プロンプトと送信応答の両方をログに記録することを検討してください (許可されている場合)",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "コードとしてのインフラストラクチャを使用して、Azure OpenAI Service、モデル デプロイ、およびすべての関連リソースをデプロイします",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "API キーの代わりにマネージド ID で Microsoft Entra 認証を使用する",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "入力と正しい答えを持つ既知のゴールデンデータセットを使用して、システムのパフォーマンス/精度を評価します。PromptFlowの機能を評価に活用します。",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "プロビジョニング済みスループットモデルの使用状況の評価",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": 
"Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure AI コンテンツの安全性を確認して実装する",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "トークンと1分あたりのレスポンスに基づいてシステムのスループットを定義および評価し、要件に合わせます",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "トークンサイズ、ストリーミングオプションを制限することにより、システムのレイテンシーを改善します",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "弾力性の要求を見積もり、優先順位に基づいて同期要求とバッチ要求の分離を決定します。優先度が高い場合は同期アプローチを使用し、優先度が低い場合はキューを使用した非同期バッチ処理が推奨されます",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "消費者からの推定需要に基づくトークン消費要件のベンチマーク。プロビジョニングされたスループット ユニットのデプロイを使用している場合は、Azure OpenAI ベンチマーク ツールを使用してスループットを検証することを検討してください",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": 
"Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "プロビジョニングされたスループットユニット (PTU) を使用している場合は、オーバーフローリクエストに対して Token-Per Minute (TPM) デプロイメントをデプロイすることを検討してください。ゲートウェイを使用して、PTU の制限に達したときに要求を TPM デプロイにルーティングします。",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "適切なタスクに適したモデルを選択してください。速度、応答の品質、出力の複雑さの間で適切なトレードオフを持つモデルを選択する",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "微調整によってモデルのパフォーマンスが向上したかどうかを知るための微調整を行わずに、パフォーマンスのベースラインを設定する",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "text": "複数のOAIインスタンスを複数のリージョンにデプロイする",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "APIM のようなゲートウェイ 
パターンを使用した再試行とヘルスチェックの実装",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "ワークロードに対してTPMとRPMの適切なクォータがあることを確認します",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "HAIツールキットガイダンスの考慮事項を確認し、それらの相互作用の実践をslutionに適用します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "ファインチューニングが採用されている場合は、リージョン間で個別の微調整モデルをデプロイします",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "重要なデータを定期的にバックアップおよびレプリケートして、データの損失やシステム障害が発生した場合のデータの可用性と回復性を確保します。Azure のバックアップおよびディザスター リカバリー サービスを活用して、データを保護します。",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure AI Search サービス レベルは、SLA を持つために選択する必要があります",
+ 
"waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "text": "データと機密性を分類し、埋め込みを生成する前に Microsoft Purview でラベル付けし、生成された埋め込みを同じ感度と分類で処理するようにしてください",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "SSE/ディスク暗号化(オプションのBYOKを使用)を使用してRAGに使用されるデータを暗号化",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "データソース間で転送されるデータ、Retrieval-Augmented Generation(RAG)およびLLM通信に使用されるAI検索にTLSが適用されていることを確認します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "RBAC を使用して、Azure OpenAI サービスへのアクセスを管理します。ユーザーに適切な権限を割り当て、ユーザーの役割と責任に基づいてアクセスを制限します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "データの暗号化、マスキング、または編集技術を実装して、機密データを非表示にしたり、非本番環境で難読化された値に置き換えたり、テストやトラブルシューティングの目的でデータを共有する場合",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure Defender を利用して、セキュリティの脅威を検出して対応し、監視とアラートのメカニズムを設定して、疑わしいアクティビティや侵害を特定します。Azure Sentinel を活用して高度な脅威の検出と対応を実現",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "コンプライアンス規制を遵守するためのデータ保持および廃棄ポリシーを確立します。不要になったデータに対して安全な削除方法を実装し、データの保持と廃棄活動の監査証跡を維持します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Content Safety を使用した Prompt シールドと接地検出の実装",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "GDPRやHIPAAなどの関連するデータ保護規制への準拠を確保するには、プライバシー制御を実装し、データ処理活動に必要な同意または許可を取得します。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "データセキュリティのベストプラクティス、データの安全な取り扱いの重要性、データ侵害に関連する潜在的なリスクについて、従業員を教育します。データセキュリティプロトコルに熱心に従うように促します。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": 
"Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "運用データを開発データやテストデータから分離します。本番環境では実際の機密データのみを使用し、開発環境やテスト環境では匿名化されたデータや合成データを利用します。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "データの機密性のレベルが異なる場合は、レベルごとに個別のインデックスを作成することを検討してください。たとえば、一般的なデータ用に 1 つのインデックスを作成し、機密データ用に別のインデックスを作成し、それぞれ異なるアクセス プロトコルで管理することができます",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "分離をさらに一歩進めて、機密性の高いデータセットをサービスの異なるインスタンスに配置します。各インスタンスは、独自のRBACポリシーのセットで制御できます",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "機密情報から生成された埋め込みとベクトルは、それ自体が機密性が高いことを認識します。このデータには、ソースマテリアルと同じ保護対策を提供する必要があります",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "埋め込みとベクトルを持つデータストアに RBAC を適用し、ロールのアクセス要件に基づいてアクセスのスコープを設定します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": 
"高い", + "text": "AI サービスのプライベート エンドポイントを構成して、ネットワーク内のサービス アクセスを制限します", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "Azure OpenAI", + "severity": "高い", + "text": "Azure Firewall と UDR を使用して受信と送信のトラフィック制御を厳密に適用し、外部統合ポイントを制限します", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "Azure OpenAI", + "severity": "高い", + "text": "ネットワークのセグメンテーションとアクセス制御を実装して、LLMアプリケーションへのアクセスを許可されたユーザーとシステムのみに制限し、横方向の移動を防ぎます", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "LLMLingua や gprtrim などのプロンプト圧縮ツールを使用します", + "waf": "コストの最適化" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", + "severity": "高い", + "text": "LLM アプリケーションで使用される API とエンドポイントが、マネージド ID、API キー、OAuth などの認証および承認メカニズムで適切に保護され、不正アクセスを防止します。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "多要素認証などの強力なエンドユーザー認証メカニズムを適用して、LLMアプリケーションおよび関連するネットワークリソースへの不正アクセスを防止します", + "waf": "安全" + }, + { + "arm-service": 
"Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "ネットワーク監視ツールを実装して、疑わしいアクティビティや悪意のあるアクティビティのネットワークトラフィックを検出および分析します。ロギングを有効にしてネットワークイベントをキャプチャし、セキュリティインシデントが発生した場合のフォレンジック分析を容易にします", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "セキュリティ監査と侵入テストを実施して、LLMアプリケーションのネットワークインフラストラクチャのネットワークセキュリティの弱点または脆弱性を特定して対処します", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", + "severity": "低い", + "text": "Azure AI Services は、管理を改善するために適切にタグ付けされています", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", + "severity": "低い", + "text": "Azure AI Service アカウントは、組織の名前付け規則に従います", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", + "severity": "高い", + "text": "Azure AI サービス リソースの診断ログを有効にする必要がある", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": 
"https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", + "severity": "高い", + "text": "セキュリティのため、キーアクセス(ローカル認証)を無効にすることをお勧めします。 キーベースのアクセスを無効にすると、Microsoft Entra IDが唯一のアクセス方法になり、最小限の特権原則ときめ細かな制御を維持できます。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "高い", + "text": "Azure Key Vault を使用して、キーを安全に保存および管理します。LLM アプリケーションのコード内で機密性の高いキーをハードコーディングしたり埋め込んだりすることを避け、マネージド ID を使用して Azure Key Vault から安全に取得します", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "高い", + "text": "Azure Key Vault に格納されているキーを定期的にローテーションして期限切れにすることで、不正アクセスのリスクを最小限に抑えます。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", + "severity": "高い", + "text": "tiktokenを使用して、会話モードでのトークン最適化のためのトークンサイズを理解します", + "waf": "コストの最適化" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", + "severity": "高い", + "text": "安全なコーディング手法に従って、インジェクション攻撃、クロスサイトスクリプティング(XSS)、セキュリティ設定の誤りなどの一般的な脆弱性を防止します", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": 
"https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", + "severity": "高い", + "text": "LLM ライブラリとその他のシステム コンポーネントを定期的に更新し、パッチを適用するプロセスを設定します", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", + "severity": "高い", + "text": "Azure OpenAI またはその他の LLM の利用規約、ポリシー、ガイダンス、および許可されたユース ケースを順守する", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "基本モデルと微調整されたモデルおよびトークンのステップサイズのコストの違いを理解する", + "waf": "コストの最適化" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", + "severity": "高い", + "text": "可能であれば、呼び出しごとのオーバーヘッドを最小限に抑え、全体的なコストを削減できるバッチ要求。バッチサイズを確実に最適化する", + "waf": "コストの最適化" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "モデルの使用状況を監視するコスト追跡システムを設定し、その情報を使用してモデルの選択とプロンプトのサイズを通知します", + "waf": "コストの最適化" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "モデル応答あたりのトークン数に上限を設定します。サイズを最適化して、有効な応答に十分な大きさになるようにします", + "waf": "コストの最適化" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "信頼性のための AI 検索の設定に関するガイダンスを確認します", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "AI Search Vector ストレージの計画と管理", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "LLMOpsプラクティスを適用して、GenAIアプリケーションのライフサイクル管理を自動化します", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", + "severity": "高い", + "text": "請求モデルの使用状況の評価 - PAYG と PTU の比較", + "waf": "コストの最適化" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": 
"https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "モデルバージョンを切り替える際のプロンプトとアプリケーションの品質を評価する", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "GenAIアプリを評価、監視、改良して、接地性、関連性、精度、一貫性、流暢さなどの機能を確認します。", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "さまざまな検索パラメーターに基づいて Azure AI Search の結果を評価する", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "精度を向上させる方法としてモデルの微調整を検討するのは、データを使用してプロンプトエンジニアリングやRAGなどの他の基本的なアプローチを試した場合のみです", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "プロンプトエンジニアリング手法を使用して、LLM応答の精度を向上させる", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "GenAIアプリケーションをレッドチーム化", + "waf": "安全" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "エンドユーザーにLLM応答のスコアリングオプションを提供し、これらのスコアを追跡します。", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", + "severity": "高い", + "text": "クォータ管理の実践を検討する", + "waf": "コストの最適化" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "APIM ベースのゲートウェイなどのロード バランサー ソリューションを使用して、サービスやリージョン間で負荷と容量を分散します", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Azure Monitor のデータ収集ルール - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "費用" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + "text": "基になるデータソースが見つからないバックアップインスタンスを確認する", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "関連づけられていないサービス(ディスク、NIC、IPアドレスなど)を削除またはアーカイブする", + "waf": "費用" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "ミッション クリティカルでないアプリケーションの Site Recovery ストレージとバックアップのバランスを考慮する", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "40 の異なるログ分析ワークスペース間で支出と節約の機会を確認する - 非運用ワークスペースに異なる保持とデータ収集を使用する - 認識と階層サイズ設定のための日次上限を作成する - 日次上限を設定する場合は、上限に達したときにアラートを作成するだけでなく、ある割合 (90% など) に達したときに通知されるアラート ルールも作成してください。- 可能であればワークスペースの変革を検討する - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "ログのパージポリシーと自動化を適用する(必要に応じて、ログをコールドストレージに移動できます)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "ディスクが本当に必要かどうかを確認し、必要でない場合は削除します。必要な場合は、下位のストレージ階層を見つけるか、バックアップを使用します。", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "未使用のストレージを下位階層に移動し、カスタマイズされたルールを使用することを検討する - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "advisor が VM の適切なサイズ設定用に構成されていることを確認する", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "description": "コスト分析でメーターカテゴリライセンスを検索して確認してください", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "すべての Windows VM でスクリプトを実行する https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM が頻繁に作成される場合は、ポリシーの実装を検討してください", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": "これは、すでにライセンスを持っている場合は、AHUBの下に置くこともできます https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "予約済み VM ファミリを柔軟性オプションで統合する (4 から 5 ファミリ以下)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "Azure 予約インスタンスを利用する: この機能を使用すると、VM を 1 年または 3 年間予約できるため、PAYG 価格と比較して大幅なコスト削減が実現します。", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": 
"https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "より大きなディスクのみ予約できます => 1 TiB -", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "適切なサイズ最適化の後", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "該当するかどうかを確認し、ポリシー/変更 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations を適用します", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "VM +ライセンス部分の割引(ahub + 3YRI)は約70%の割引です", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "需要に合わせて、フラットなサイジングではなく、VMSS の使用を検討してください", + "waf": "費用" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + 
"service": "AKS", + "text": "AKS オートスケーラーを使用してクラスターの使用量に一致させる (ポッドの要件がスケーラーと一致していることを確認する)", + "waf": "費用" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "該当する場合は、復旧ポイントを vault-archive に移動します (検証)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "可能な場合は、フォールバックでスポット VM を使用することを検討してください。クラスターの自動終了を検討してください。", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "関数 - 接続の再利用", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "関数 - データをローカルにキャッシュする", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + 
"link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "関数 - コールド スタート - 「パッケージから実行」機能を使用します。このようにして、コードは単一のzipファイルとしてダウンロードされます。これにより、たとえば、多くのノードモジュールを持つJavascript関数が大幅に改善される可能性があります。言語固有のツールを使用してパッケージサイズを縮小します (ツリーを揺るがす Javascript アプリケーションなど)。", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "関数 - 関数を暖かく保つ", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "さまざまな関数で自動スケーリングを使用する場合、すべてのリソースのすべての自動スケーリングを駆動する 1 つが存在する可能性があるため、別の従量課金プランに移行することを検討してください (また、CPU のより高いプランを検討してください)", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "特定のプランの関数アプリはすべて一緒にスケーリングされるため、スケーリングに関する問題はプラン内のすべてのアプリに影響を与える可能性があります。", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "「待機時間」に対して請求されますか?この質問は、通常、非同期操作を実行して結果を待機する C# 関数のコンテキストで尋ねられます (例: await Task.Delay(1000) や 
await client)。GetAsync('http://google.com') です。答えはイエスです-GB秒の計算は、関数の開始時刻と終了時刻、およびその期間のメモリ使用量に基づいています。その間に CPU アクティビティに関して実際に何が起こるかは、計算には考慮されません。この規則の 1 つの例外は、永続関数を使用している場合です。オーケストレーター関数で待機に費やされた時間に対しては課金されません。可能な場合は、デマンド シェーピング技術を適用します (開発環境?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "費用" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor - 既定のホームページをオフにするアプリのアプリケーション設定で、AzureWebJobsDisableHomepage を true に設定します。これにより、PoPに204(No Content)が返されるため、ヘッダーデータのみが返されます。", + "waf": "費用" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor - 何も返さないものへのルーティング。関数、関数プロキシを設定するか、200 (OK) を返し、コンテンツを送信しない、または最小限のコンテンツを送信 するルートを Web アプリに追加します。これの利点は、呼び出されたときにログアウトできることです。", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "使用頻度の低いデータの階層のアーカイブを検討する", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "サイズが階層と一致しない場合は、ディスク サイズを確認します (つまり、513 GiB のディスクは P30 (1TiB) を支払います) と、サイズ変更を検討してください", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + 
"checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "可能な場合は、Premium や Ultra ではなく Standard SSD の使用を検討してください", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "ストレージ アカウントの場合は、選択したレベルによってトランザクション料金が加算されていないことを確認します (次のレベルに移動する方が安くなる可能性があります)", + "waf": "費用" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "ASR の場合、RPO/RTO とレプリケーション スループットで許可されている場合は、Standard SSD ディスクの使用を検討してください", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "ストレージ アカウント: 必要なホット層や GRS を確認する", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "ディスク - あらゆる場所で Premium SSD ディスクの使用を検証: たとえば、非運用環境を Standard SSD またはオンデマンド Premium SSD にスワップできます", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": 
"54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "予算を作成してコストを管理し、支出の異常や過剰支出のリスクを関係者に自動的に通知するアラートを作成します。", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "追加のデータ分析のために、コスト データをストレージ アカウントにエクスポートします。", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "専用 SQL プールのコストを制御するには、リソースが使用されていないときに一時停止します。", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "サーバーレス Apache Spark の自動一時停止機能を有効にし、それに応じてタイムアウト値を設定します。", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "さまざまなサイズの複数の Apache Spark プール定義を作成します。", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "Azure Synapse 
Analytics のコストを節約するために、事前購入プランで Azure Synapse コミット ユニット (SCU) を 1 年間購入します。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "中断可能なジョブにスポット VM を使用する: これらは、割引価格で入札および購入できる VM であり、重要でないワークロードにコスト効率の高いソリューションを提供します。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "すべての VM の適切なサイズ設定", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "正規化されたサイズと最新のサイズでサイズをスワップする VM", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "VM の適切なサイズ設定 - 使用率を 5% 未満で監視することから始めて、その後 40% まで作業します", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "費用" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "アプリケーションをコンテナー化すると、VM の密度が向上し、スケーリングにかかるコストを節約できます", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "費用" } ], "metadata": { "name": "WAF checklist", - "timestamp": "October 02, 2024" + "timestamp": "October 21, 2024" }, "severities": [ { diff --git a/checklists/waf_checklist.ko.json b/checklists/waf_checklist.ko.json index 3727c709f..14560dac5 100644 --- a/checklists/waf_checklist.ko.json +++ b/checklists/waf_checklist.ko.json 
@@ -40,56 +40,6 @@ "text": "프리미엄 Azure Cache for Redis 인스턴스에 대한 수동 지역 복제를 구성합니다. 지역에서 복제는 일반적으로 두 개의 Azure 지역에 걸쳐 있는 둘 이상의 Azure Cache for Redis 인스턴스를 연결하는 메커니즘입니다. 지역에서 복제는 주로 지역 간 재해 복구를 위해 설계되었습니다. 두 개의 프리미엄 계층 캐시 인스턴스는 주 캐시에 대한 읽기 및 쓰기를 제공하는 방식으로 지역 복제를 통해 연결되며, 해당 데이터는 보조 캐시에 복제됩니다.", "waf": "신뢰도" }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "severity": "높다", - "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", - "severity": "높다", - "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "높다", - "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", - "severity": "높다", - "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", - "waf": "신뢰도" - }, - { - 
"arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", - "severity": "보통", - "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.", - "waf": "작업" - }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", 
@@ -1049,5154 +999,4833 @@ "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "스토리지와 관련된 Microsoft 클라우드 보안 벤치마크의 지침 적용", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7bc1c396-2461-4698-b57f-30ca69525252", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", + "service": "VNet", "severity": "보통", - "text": "'스토리지에 대한 Azure 보안 기준' 고려", - "waf": "안전" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Azure Storage는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 액세스가 필요한 Azure Compute 리소스에만 Azure Storage를 안전하게 노출할 수 있으므로 공용 인터넷에 노출되지 않습니다", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "높다", - "text": "Azure Storage에 프라이빗 엔드포인트를 사용하는 것이 좋습니다.", - "waf": "안전" + "text": "다중 지역 애플리케이션 랜딩 존 및 재해 복구 시나리오를 신속하게 지원할 수 있도록 여러 지역에 Azure 랜딩 존 연결 리소스를 배포합니다.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "새로 만든 저장소 계정은 ARM 배포 모델을 사용하여 만들어지므로 RBAC, 감사 등을 모두 사용할 수 있습니다. 
구독에 클래식 배포 모델이 있는 이전 저장소 계정이 없는지 확인합니다.", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "보통", - "text": "이전 스토리지 계정이 '클래식 배포 모델'을 사용하지 않는지 확인", - "waf": "안전" + "text": "다중 테넌트에 대한 명확한 규정 또는 비즈니스 요구 사항이 없는 한 Azure 리소스를 관리하기 위해 하나의 Entra 테넌트를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Microsoft Defender를 활용하여 의심스러운 활동 및 잘못된 구성에 대해 알아봅니다.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "높다", - "text": "모든 스토리지 계정에 대해 Microsoft Defender 사용", - "waf": "안전" + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "낮다", + "text": "다중 테넌트 자동화 접근 방식을 사용하여 Microsoft Entra ID 테넌트를 관리합니다.", + "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "일시 삭제 메커니즘을 사용하면 실수로 삭제된 Blob을 복구할 수 있습니다.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": 
"https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", - "severity": "보통", - "text": "Blob에 대해 '일시 삭제' 사용Enable 'soft delete' for blobs", - "waf": "안전" + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", + "severity": "높다", + "text": "동일한 ID로 다중 테넌트 관리에 Azure Lighthouse를 사용합니다.", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. ", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "보통", - "text": "Blob에 대해 '일시 삭제' 사용 안 함", - "waf": "안전" + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", + "severity": "높다", + "text": "파트너에게 테넌트를 관리할 수 있는 액세스 권한을 부여하는 경우 Azure Lighthouse를 사용합니다.", + "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", + "waf": "비용" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "컨테이너에 대한 일시 삭제를 사용하면 컨테이너가 삭제된 후 컨테이너를 복구할 수 있습니다(예: 실수로 인한 삭제 작업에서 복구).", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "checklist": "Azure 
Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", "severity": "높다", - "text": "컨테이너에 대해 '일시 삭제' 사용Enable 'soft delete' for containers", + "text": "클라우드 운영 모델에 맞는 RBAC 모델을 적용합니다. 관리 그룹 및 구독에서 범위를 지정하고 할당합니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "severity": "보통", - "text": "컨테이너에 대해 '일시 삭제' 사용 안 함", + "text": "모든 계정 유형에 대해 회사 또는 학교 계정 인증 유형만 사용합니다. 
Microsoft 계정을 사용하지 마십시오.", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "사용자가 삭제하기 전에 먼저 삭제 잠금을 제거하도록 강제하여 저장소 계정이 실수로 삭제되는 것을 방지합니다.", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "높다", - "text": "스토리지 계정에 대한 리소스 잠금 사용Enable resource locks on storage accounts", + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", + "severity": "보통", + "text": "그룹만 사용하여 사용 권한을 할당합니다. 그룹 관리 시스템이 이미 있는 경우 Entra ID 전용 그룹에 온-프레미스 그룹을 추가합니다.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Blob에 대한 '법적 보존' 또는 '시간 기반 보존' 정책을 고려하면 Blob, 컨테이너 또는 스토리지 계정을 삭제할 수 없습니다. '불가능'은 실제로 '불가능'을 의미합니다. 
스토리지 계정에 변경할 수 없는 Blob이 포함된 경우 해당 스토리지 계정을 '제거'하는 유일한 방법은 Azure 구독을 취소하는 것입니다.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "severity": "높다", - "text": "변경할 수 없는 Blob 고려", + "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 Microsoft Entra ID 조건부 액세스 정책을 적용합니다.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "모든 데이터 전송이 암호화되고, 무결성이 보호되고, 서버가 인증되도록 스토리지 계정에 대한 보호되지 않는 HTTP/80 액세스를 사용하지 않도록 설정하는 것이 좋습니다. ", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "severity": "높다", - "text": "HTTPS 필요, 즉 스토리지 계정에서 포트 80 사용 안 함Require HTTPS, i.e. disable port 80 on the storage account", + "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 다단계 인증을 적용합니다.", + "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "스토리지 계정에서 사용자 지정 도메인(호스트 이름)을 구성할 때 TLS/HTTPS가 필요한지 여부를 확인합니다. 
이 경우 저장소 계정 앞에 Azure CDN을 배치해야 할 수 있습니다.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", - "severity": "높다", - "text": "HTTPS를 적용할 때(HTTP 사용 안 함) 스토리지 계정에 사용자 지정 도메인(CNAME)을 사용하지 않는지 확인합니다.", + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", + "severity": "보통", + "text": "Microsoft Entra ID PIM(Privileged Identity Management)을 적용하여 제로 스탠딩 액세스 및 최소 권한을 설정합니다.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "클라이언트가 SAS 토큰을 사용하여 Blob 데이터에 액세스할 때 HTTPS를 요구하면 자격 증명 손실 위험을 최소화하는 데 도움이 됩니다.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "보통", - "text": "SAS(공유 액세스 서명) 토큰을 HTTPS 연결로만 제한", + "text": "Active Directory Domain Services에서 Entra Domain Services로 전환하려는 경우 모든 워크로드의 호환성을 평가합니다.", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "AAD 토큰은 가능한 경우 공유 액세스 서명보다 우선해야 합니다", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", - "severity": "높다", - "text": "Blob 액세스에 Azure AD(Azure Active 
Directory) 토큰 사용Use Azure Active Directory (Azure AD) tokens for blob access", - "waf": "안전" + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", + "severity": "보통", + "text": "Microsoft Entra Domain Services를 사용하는 경우 복제본 세트를 사용합니다. 복제본 세트는 관리되는 도메인의 복원력을 향상시키고 추가 지역에 배포할 수 있도록 합니다. ", + "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "사용자, 그룹 또는 응용 프로그램에 역할을 할당할 때 해당 보안 주체가 작업을 수행하는 데 필요한 권한만 부여합니다. 리소스에 대한 액세스를 제한하면 의도하지 않은 데이터 오용과 악의적인 데이터 오용을 모두 방지할 수 있습니다.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "보통", - "text": "IaM 권한의 최소 권한", - "waf": "안전" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "사용자 위임 SAS는 Azure AD(Azure Active Directory) 자격 증명과 SAS에 지정된 권한으로 보호됩니다. 사용자 위임 SAS는 범위와 기능 측면에서 서비스 SAS와 유사하지만 서비스 SAS에 비해 보안상의 이점을 제공합니다. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "높다", - "text": "SAS를 사용하는 경우 스토리지 계정 키 기반 SAS보다 '사용자 위임 SAS'를 선호합니다.", - "waf": "안전" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "스토리지 계정 키('공유 키')에는 감사 기능이 거의 없습니다. 누가/언제 키 사본을 가져왔는지 모니터링할 수 있지만, 키가 여러 사람의 손에 들어가면 특정 사용자의 사용을 귀속시키는 것은 불가능합니다. AAD 인증에만 의존하면 스토리지 액세스를 사용자에게 더 쉽게 연결할 수 있습니다. ", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", - "severity": "높다", - "text": "AAD 액세스(및 사용자 위임 SAS)만 지원되도록 스토리지 계정 키를 사용하지 않도록 설정하는 것이 좋습니다.", + "text": "Microsoft Entra ID 로그를 플랫폼 중앙 Azure Monitor와 통합합니다. Azure Monitor는 Azure의 로그 및 모니터링 데이터에 대한 단일 정보 소스를 허용하여 조직에 로그 수집 및 보존에 대한 요구 사항을 충족할 수 있는 클라우드 네이티브 옵션을 제공합니다.", + "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "활동 로그 데이터를 사용하여 스토리지 계정의 보안을 보거나 변경하는 '시기', '누가', '무엇을' 및 '방법'(예: 스토리지 계정 키, 액세스 정책 등)을 식별합니다.", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "severity": "높다", - "text": "Azure Monitor를 사용하여 스토리지 계정에 대한 컨트롤 플레인 작업을 감사하는 것이 좋습니다.", - "waf": "안전" - }, - { - "arm-service": 
"Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "키 만료 정책을 사용하면 계정 액세스 키 교체에 대한 미리 알림을 설정할 수 있습니다. 지정된 간격이 경과하고 키가 아직 회전되지 않은 경우 알림이 표시됩니다.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", - "severity": "보통", - "text": "스토리지 계정 키를 사용하는 경우 '키 만료 정책'을 사용하도록 설정하는 것이 좋습니다", + "text": "응급 액세스 또는 비상 계정을 구현하여 테넌트 전체 계정 잠금을 방지합니다. MFA는 2024년 10월에 모든 사용자에 대해 기본적으로 설정됩니다. 암호 키(FIDO2)를 사용하거나 MFA에 대한 인증서 기반 인증을 구성하도록 이러한 계정을 업데이트하는 것이 좋습니다. ", + "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS 만료 정책은 SAS가 유효한 권장 간격을 지정합니다. SAS 만료 정책은 서비스 SAS 또는 계정 SAS에 적용됩니다. 사용자가 권장 간격보다 큰 유효 간격을 사용하여 서비스 SAS 또는 계정 SAS를 생성하면 경고가 표시됩니다.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "보통", - "text": "SAS 만료 정책 구성 고려", + "text": "특별히 필요한 시나리오가 없는 한 Microsoft Entra ID 역할 할당에 온-프레미스 동기화 계정을 사용하지 마세요.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "저장된 액세스 정책은 스토리지 계정 키를 다시 생성할 필요 없이 서비스 SAS에 대한 권한을 취소하는 옵션을 제공합니다. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "severity": "보통", - "text": "SAS를 저장된 액세스 정책에 연결하는 것이 좋습니다.", + "text": "Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 애플리케이션에 대한 액세스 권한을 부여하는 경우 테넌트당 하나의 인스턴스만 가질 수 있으므로 플랫폼 리소스로 관리합니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "보통", - "text": "체크 인된 연결 문자열 및 저장소 계정 키를 검색하도록 응용 프로그램의 소스 코드 리포지토리를 구성하는 것이 좋습니다.", + "text": "최대한의 유연성이 필요한 네트워크 시나리오에는 허브 및 스포크(hub-and-spoke) 네트워크 토폴로지를 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "이상적으로 애플리케이션은 관리 ID를 사용하여 Azure Storage에 인증해야 합니다. 
이렇게 할 수 없는 경우 Azure KeyVault 또는 동등한 서비스에 스토리지 자격 증명(연결 문자열, 스토리지 계정 키, SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", "severity": "높다", - "text": "Azure KeyVault에 연결 문자열을 저장하는 것이 좋습니다(관리 ID를 사용할 수 없는 시나리오에서).", - "waf": "안전" + "text": "ExpressRoute 게이트웨이, VPN 게이트웨이 및 Azure Firewall 또는 파트너 NVA를 포함한 공유 네트워킹 서비스를 중앙 허브 가상 네트워크에 배포합니다. 필요한 경우 DNS 서비스도 배포합니다.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "비용" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "임시 SAS 서비스 SAS 또는 계정 SAS에서 단기 만료 시간을 사용합니다. 이러한 방식으로 SAS가 손상되더라도 짧은 시간 동안만 유효합니다. 이 방법은 저장된 액세스 정책을 참조할 수 없는 경우에 특히 중요합니다. 또한 단기 만료 시간은 업로드에 사용할 수 있는 시간을 제한하여 Blob에 쓸 수 있는 데이터의 양을 제한합니다.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", "severity": "높다", - "text": "임시 SAS의 유효 기간을 단축하기 위해 노력", - "waf": "안전" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS를 만들 때는 가능한 한 구체적이고 제한적이어야 합니다. 
훨씬 더 광범위한 액세스를 제공하는 SAS보다 단일 리소스 및 작업에 대해 SAS를 선호합니다.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "보통", - "text": "SAS에 좁은 범위 적용", + "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS에는 SAS를 사용하여 리소스를 요청할 수 있는 권한이 있는 클라이언트 IP 주소 또는 주소 범위에 대한 매개 변수가 포함될 수 있습니다. ", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "보통", - "text": "가능한 경우 SAS의 범위를 특정 클라이언트 IP 주소로 지정하는 것이 좋습니다", - "waf": "안전" + "text": "파트너 네트워킹 기술 또는 NVA를 배포할 때 파트너 공급업체의 지침을 따릅니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS는 클라이언트가 업로드하는 데이터의 양을 제한할 수 없습니다. 
시간 경과에 따른 스토리지 양의 가격 책정 모델을 고려할 때 클라이언트가 악의적으로 큰 콘텐츠를 업로드했는지 여부를 확인하는 것이 합리적일 수 있습니다.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", "severity": "낮다", - "text": "클라이언트가 SAS를 사용하여 파일을 업로드한 후 업로드된 데이터를 확인하는 것이 좋습니다. ", + "text": "허브 및 스포크 시나리오에서 ExpressRoute와 VPN 게이트웨이 간의 전송이 필요한 경우 Azure Route Server를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "'로컬 사용자 계정'을 사용하여 SFTP를 통해 Blob Storage에 액세스하는 경우 '일반적인' RBAC 컨트롤이 적용되지 않습니다. NFS 또는 REST를 통한 Blob 액세스는 SFTP 액세스보다 더 제한적일 수 있습니다. 
안타깝게도 2023년 초부터 로컬 사용자는 현재 SFTP 엔드포인트에 대해 지원되는 유일한 ID 관리 형태입니다", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", - "severity": "높다", - "text": "SFTP: SFTP 액세스에 대한 '로컬 사용자'의 수를 제한하고 시간이 지남에 따라 액세스가 필요한지 여부를 감사합니다.", + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "낮다", + "text": "Route Server를 사용하는 경우 Route Server 서브넷에 /27 접두사를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "severity": "보통", - "text": "SFTP: SFTP 엔드포인트는 POSIX와 유사한 ACL을 지원하지 않습니다.", - "waf": "안전" + "text": "Azure 지역 간에 여러 
허브 및 스포크 토폴로지가 있는 네트워크 아키텍처의 경우 허브 VNet 간의 글로벌 가상 네트워크 피어링을 사용하여 지역을 서로 연결합니다.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "공연" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "스토리지는 CORS(Cross-Origin Resource Sharing), 즉 다른 도메인의 웹앱이 동일 출처 정책을 완화할 수 있도록 하는 HTTP 기능을 지원합니다. CORS를 사용하도록 설정할 때 CorsRules를 최소 권한으로 유지합니다.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "높다", - "text": "지나치게 광범위한 CORS 정책 방지", - "waf": "안전" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", + "severity": "보통", + "text": "네트워크용 Azure Monitor를 사용하여 Azure에서 네트워크의 엔드투엔드 상태를 모니터링합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "미사용 데이터는 항상 서버 쪽에서 암호화되며 클라이언트 쪽에서도 암호화될 수 있습니다. 서버 쪽 암호화는 플랫폼 관리형 키(기본값) 또는 고객 관리형 키를 사용하여 발생할 수 있습니다. 클라이언트 쪽 암호화는 클라이언트가 Azure Storage에 Blob별로 암호화/암호 해독 키를 제공하거나 클라이언트 쪽에서 암호화를 완전히 처리하여 발생할 수 있습니다. 따라서 기밀성 보장을 위해 Azure Storage에 전혀 의존하지 않습니다.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", - "severity": "높다", - "text": "미사용 데이터를 암호화하는 방법을 결정합니다. 
데이터에 대한 스레드 모델을 이해합니다.", - "waf": "안전" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "severity": "보통", + "text": "한 지역에 400개 이상의 스포크 네트워크가 있는 경우 VNet 피어링 제한(500) 및 ExpressRoute를 통해 보급할 수 있는 최대 접두사 수(1000)를 우회하기 위해 추가 허브를 배포합니다.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "보통", - "text": "사용해야 하는 플랫폼 암호화를 결정합니다.", - "waf": "안전" + "text": "경로 테이블당 경로 수를 400개로 제한합니다.", + "training": 
"https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", - "severity": "보통", - "text": "사용해야 하는 클라이언트 쪽 암호화를 결정합니다.", - "waf": "안전" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", + "severity": "높다", + "text": "VNet 피어링을 구성할 때 '원격 가상 네트워크에 대한 트래픽 허용' 설정을 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Resource Graph Explorer(resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)를 활용하여 익명 Blob 액세스를 허용하는 스토리지 계정을 찾습니다.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), 
PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
+ "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancers",
 "severity": "높다",
- "text": "공용 Blob 액세스가 필요한지 또는 특정 스토리지 계정에 대해 사용하지 않도록 설정할 수 있는지 여부를 고려합니다. ",
- "waf": "안전"
+ "text": "영역 중복 배포와 함께 표준 Load Balancer SKU를 사용하는 경우 표준 SKU Load Balancer를 선택하면 가용성 영역 및 영역 복원력을 통해 안정성이 향상되어 배포가 영역 및 지역 오류를 견딜 수 있습니다. 
Basic과 달리 전역 부하 분산을 지원하고 SLA를 제공합니다.",
+ "waf": "신뢰도"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
- "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
- "service": "Entra",
- "severity": "보통",
- "text": "장기 취소 가능 토큰을 사용하고, 토큰을 캐시하고, Microsoft ID 라이브러리를 사용하여 자동으로 획득합니다.",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
+ "guid": 
"48682fb1-1e86-4458-a686-518ebd47393d",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancers",
+ "severity": "높다",
+ "text": "부하 분산 장치 백 엔드 풀에 두 개 이상의 인스턴스가 포함되어 있는지 확인하고, 백 엔드에 두 개 이상의 인스턴스를 사용하여 Azure Load Balancer를 배포하면 단일 실패 지점을 방지하고 확장성을 지원할 수 있습니다.",
 "waf": "신뢰도"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "로그인 사용자 흐름이 백업되고 복원력이 있는지 확인합니다. 사용자를 로그인하는 데 사용하는 코드가 백업되고 복구 가능한지 확인합니다. 외부 프로세스와의 복원력 있는 인터페이스",
- "waf": "신뢰도"
+ "text": "ExpressRoute Direct를 사용하는 경우 조직의 라우터와 MSEE 간의 계층 2 수준에서 트래픽을 암호화하도록 MACsec을 구성합니다. 
다이어그램은 흐름에서 이 암호화를 보여 줍니다.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "안전"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
- "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
- "service": "AAD B2C",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "사용자 지정 브랜드 자산은 CDN에서 호스팅되어야 합니다.",
- "waf": "공연"
+ "text": "MACsec을 사용할 수 없는 시나리오(예: ExpressRoute Direct를 사용하지 않음)의 경우 VPN Gateway를 사용하여 ExpressRoute 개인 피어링을 통해 IPsec 터널을 설정합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "안전"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
- "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
- "service": "AAD B2C",
- "severity": "낮다",
- "text": "여러 ID 공급자가 있어야 합니다(예: Microsoft, Google, Facebook 계정으로 로그인).",
- "waf": "신뢰도"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "ExpressRoute",
+ "severity": "높다",
+ "text": "Azure 지역 및 온-프레미스 위치에서 겹치는 IP 주소 공간이 사용되지 않는지 확인합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "안전"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
- "link": 
"https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
+ "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
 "severity": "보통",
- "text": "VM 수준에서 고가용성을 위한 VM 규칙(프리미엄 디스크, 서로 다른 가용성 영역에 있는 지역에 두 개 이상)을 따릅니다.",
- "waf": "신뢰도"
+ "text": "개인 인터넷(RFC 1918)에 대한 주소 할당 범위의 IP 주소를 사용합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "안전"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
- "severity": "보통",
- "text": "복제하지 마세요! 
복제로 인해 디렉터리 동기화에 문제가 발생할 수 있습니다",
- "waf": "신뢰도"
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
+ "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
+ "severity": "높다",
+ "text": "IP 주소 공간이 낭비되지 않는지 확인하고 불필요하게 큰 가상 네트워크(예: /16)를 만들지 마세요.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "공연"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
- "severity": "보통",
- "text": "다중 지역에 대해 활성-활성 상태 보유",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
+ "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
+ "service": "VNet",
+ "severity": "높다",
+ "text": "프로덕션 및 재해 복구 사이트에 대해 겹치는 IP 주소 범위를 사용하지 마세요.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "waf": "신뢰도"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
- "severity": "보통",
- "text": "추가 지역 및 
위치에 Azure AD 도메인 서비스 스탬프 추가Add Azure AD Domain service stamps to additional regions and locations",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone",
+ "service": "Public IP Addresses",
+ "severity": "높다",
+ "text": "해당하는 경우 표준 SKU 및 영역 중복 IP를 사용하며, Azure의 공용 IP 주소는 비영역, 영역 또는 영역 중복으로 사용할 수 있는 표준 SKU일 수 있습니다. 영역 중복 IP는 모든 영역에서 액세스할 수 있으므로 단일 영역 오류에 저항하여 더 높은 복원력을 제공합니다. ",
+ "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing",
 "waf": "신뢰도"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal",
+ "service": "DNS",
 "severity": "보통",
- "text": "DR에 복제본 세트 사용",
- "waf": "신뢰도"
+ "text": "Azure의 이름 확인만 필요한 환경의 경우 이름 확인을 위해 위임된 영역(예: 'azure.contoso.com')을 사용하여 Azure 프라이빗 DNS를 확인합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "작업"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4",
- "link": 
"https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
- "service": "APIM",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
+ "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
+ "service": "DNS",
 "severity": "보통",
- "text": "전역 수준에서 오류 처리 정책 구현",
- "waf": "작업"
+ "text": "Azure 및 온-프레미스에서 이름 확인이 필요하고 Active Directory와 같은 기존 엔터프라이즈 DNS 서비스가 없는 환경의 경우 Azure DNS Private Resolver를 사용하여 DNS 요청을 Azure 또는 온-프레미스 DNS 서버로 라우팅합니다.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08",
- "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
- "service": "APIM",
- "severity": "보통",
- "text": "모든 API 정책에 요소가 포함되어 있는지 확인합니다.",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
+ "severity": "낮다",
+ "text": "자체 DNS(예: Red Hat OpenShift)를 요구하고 배포하는 특수 워크로드는 선호하는 DNS 솔루션을 사용해야 합니다.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00",
 "waf": "작업"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902",
- "link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
- "service": "APIM",
- "severity": "보통",
- "text": "정책 조각을 사용하여 여러 API에서 동일한 정책 정의를 반복하지 않도록 합니다.",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": 
"614658d3-558f-4d77-849b-821112df27ee",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
+ "service": "DNS",
+ "severity": "높다",
+ "text": "Azure DNS에 대한 자동 등록을 사용하도록 설정하여 가상 네트워크 내에 배포된 가상 머신에 대한 DNS 레코드의 수명 주기를 자동으로 관리합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "waf": "작업"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a",
- "link": "https://learn.microsoft.com/azure/api-management/monetization-support",
- "service": "APIM",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b",
+ "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures",
+ "service": "DNS",
 "severity": "보통",
- "text": "API로 수익을 창출할 계획이라면 '수익 창출 지원' 도움말에서 권장사항을 확인하세요",
- "waf": "작업"
+ "text": "여러 Azure 지역 간의 DNS 확인을 관리하기 위한 계획과 서비스가 다른 지역으로 장애 조치(failover)되는 경우 계획 구현",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs",
- "service": "APIM",
- "severity": "높다",
- "text": "진단 설정을 사용하도록 설정하여 로그를 Azure Monitor로 내보내기",
- "waf": "작업"
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "service": "Bastion",
+ "severity": "보통",
+ "text": "Azure Bastion을 사용하여 네트워크에 안전하게 연결합니다.",
+ "training": 
"https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8691fa38-45ed-4299-a247-fecd98d35deb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights",
- "service": "APIM",
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
+ "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
+ "service": "Bastion",
 "severity": "보통",
- "text": "더 자세한 원격 분석을 위해 Application Insights 사용",
- "waf": "작업"
+ "text": "서브넷 /26 이상에서 Azure Bastion을 사용합니다.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor",
- "service": "APIM",
- "severity": "높다",
- "text": "가장 중요한 메트릭에 대한 경고 구성",
- "waf": "작업"
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "WAF",
+ "severity": "보통",
+ "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역 전체에서 글로벌 보호를 제공합니다.",
+ "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault",
- "service": "APIM",
- "severity": "높다",
- "text": "사용자 지정 SSL 인증서가 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되어 있는지 확인합니다",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
+ "severity": "낮다",
+ "text": "Azure Front Door 및 Azure Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Azure Front Door에서 WAF 정책을 사용합니다. 
Azure Front Door에서만 트래픽을 수신하도록 Azure Application Gateway를 잠급니다.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access",
- "service": "APIM",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
 "severity": "높다",
- "text": "Azure AD를 사용하여 API(데이터 평면)에 들어오는 요청 보호",
+ "text": "인바운드 HTTP/S 연결에 WAF 및 기타 역방향 프록시가 필요한 경우 랜딩 존 가상 네트워크 내에 배포하고 보호하고 인터넷에 노출하는 앱과 함께 배포합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad",
- "service": "APIM",
- "severity": "보통",
- "text": "Microsoft Entra ID를 사용하여 개발자 포털에서 사용자 인증",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
+ "severity": "높다",
+ "text": "Azure DDoS 네트워크 또는 IP 보호 계획을 사용하여 가상 네트워크 내의 공용 IP 주소 엔드포인트를 보호할 수 있습니다.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "안전"
 },
 {
- "arm-service": 
"Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups",
- "service": "APIM",
- "severity": "보통",
- "text": "제품의 가시성을 제어하기 위해 적절한 그룹을 만듭니다",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
+ "service": "VNet",
+ "severity": "높다",
+ "text": "예정된 호환성이 손상되는 변경 전에 네트워크 아웃바운드 트래픽 구성 및 전략을 관리하는 방법을 계획합니다. 2025년 9월 30일에 새 배포에 대한 기본 아웃바운드 액세스가 사용 중지되고 명시적 액세스 구성만 허용됩니다.",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
+ "severity": "높다",
+ "text": "보호된 모든 공용 IP 주소(DDoS IP 또는 네트워크 보호)에 대한 DDoS 관련 로그를 저장하는 진단 설정을 추가합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "06862505-2d9a-4874-9491-2837b00a3475",
- "link": "https://learn.microsoft.com/azure/api-management/backends",
- "service": "APIM",
- "severity": "보통",
- "text": "백엔드 기능을 사용하여 중복 API 백엔드 구성 제거",
- "waf": "작업"
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
+ "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
+ "service": "Policy",
+ "severity": "높다",
+ "text": "Virtual Machines에 직접 연결된 공용 IP 주소를 거부하는 정책 할당이 있는지 확인합니다. 
특정 VM에서 공용 IP가 필요한 경우 제외를 사용합니다.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "명명된 값을 사용하여 정책에서 사용할 수 있는 공통 값 저장",
- "waf": "작업"
+ "text": "ExpressRoute를 Azure에 대한 기본 연결로 사용합니다. VPN을 백업 연결의 소스로 사용합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "공연"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "description": "AS-path 접두사 및 연결 가중치를 사용하여 Azure에서 온-프레미스로의 트래픽에 영향을 주고, 자체 라우터의 전체 BGP 특성 범위를 사용하여 온-프레미스에서 Azure로의 트래픽에 영향을 줄 수 있습니다.",
+ "guid": "f29812b2-363c-4efe-879b-599de0d5973c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "DR의 경우 99.99% SLA를 위해 둘 이상의 지역에 걸쳐 확장된 배포와 함께 프리미엄 계층을 활용합니다",
+ "text": "여러 ExpressRoute 회로 또는 여러 온-프레미스 위치를 사용하는 경우 BGP 특성을 사용하여 라우팅을 최적화합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "신뢰도"
 },
 {
- "arm-service": 
"Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
- "link": "https://learn.microsoft.com/azure/api-management/high-availability",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
+ "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "99.99%의 SLA 증가를 위해 둘 이상의 가용성 영역에 하나 이상의 단위를 배포합니다.",
- "waf": "신뢰도"
+ "text": "대역폭 및 성능 요구 사항에 따라 ExpressRoute/VPN 게이트웨이에 적합한 SKU를 선택합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "공연"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
+ "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
+ "link": 
"https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
+ "service": "ExpressRoute",
 "severity": "높다",
- "text": "자동화된 백업 루틴이 있는지 확인",
- "waf": "신뢰도"
+ "text": "비용을 정당화하는 대역폭에 도달하는 경우에만 무제한 데이터 ExpressRoute 회로를 사용하고 있는지 확인합니다.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "비용"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
- "link": "https://learn.microsoft.com/azure/api-management/retry-policy",
- "service": "APIM",
- "severity": "보통",
- "text": "정책을 사용하여 장애 조치 백엔드 URL 및 캐싱을 추가하여 실패한 호출을 줄입니다.",
- "waf": "신뢰도"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
+ "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
+ "service": "ExpressRoute",
+ "severity": "높다",
+ "text": "회로 피어링 위치가 로컬 SKU에 대한 Azure 지역을 지원하는 경우 ExpressRoute의 로컬 SKU를 활용하여 회로 비용을 줄입니다.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "비용"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
- "service": "APIM",
- "severity": "낮다",
- "text": "고성능 수준에서 기록해야 하는 경우 Event 
Hubs 정책을 고려합니다",
- "waf": "작업"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
+ "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways",
+ "service": "ExpressRoute",
+ "severity": "보통",
+ "text": "지원되는 Azure 지역에 영역 중복 ExpressRoute 게이트웨이를 배포합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "제한 정책을 적용하여 초당 요청 수 제어Apply throttling policies to control the number of requests per second",
- "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
+ "text": "10Gbps보다 높은 대역폭 또는 전용 10/100Gbps 포트가 필요한 시나리오의 경우 ExpressRoute Direct를 사용합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "공연"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": 
"bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a",
+ "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "부하가 증가할 때 인스턴스 수를 확장하도록 자동 크기 조정 구성Configure autoscaling to scale out the number of instances when the load increases",
+ "text": "짧은 대기 시간이 필요하거나 온-프레미스에서 Azure로의 처리량이 10Gbps보다 커야 하는 경우 FastPath를 사용하여 데이터 경로에서 ExpressRoute 게이트웨이를 우회할 수 있습니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "공연"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
- "service": "APIM",
+ "arm-service": "microsoft.network/virtualNetworkGateways",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant",
+ "guid": "4d873974-8b66-42d6-b15f-512a65498f6d",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway",
+ "service": "VPN",
 "severity": "보통",
- "text": "Azure에 백 엔드 API에 가까운 지역이 없는 자체 호스팅 게이트웨이를 배포합니다.",
- "waf": "공연"
+ "text": "영역 중복 VPN 게이트웨이를 사용하여 분기 또는 원격 위치를 Azure(사용 가능한 경우)에 연결합니다.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
- "link": 
"https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
- "service": "APIM",
+ "arm-service": "microsoft.network/virtualNetworkGateways",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable",
+ "service": "VPN",
 "severity": "보통",
- "text": "프로덕션 워크로드에 프리미엄 계층을 사용합니다.",
+ "text": "온-프레미스에서 중복 VPN 어플라이언스(활성/활성 또는 활성/수동)를 사용합니다.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
 "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
- "service": "APIM",
- "severity": "보통",
- "text": "다중 리전 모델에서는 Policies를 사용하여 가용성 또는 지연 시간에 따라 리전 백엔드로 요청을 라우팅합니다.",
- "waf": "신뢰도"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
+ "service": "ExpressRoute",
 "severity": "높다",
- "text": "APIM의 제한에 유의해야 합니다.",
- "waf": "신뢰도"
+ "text": "ExpressRoute Direct를 사용하는 경우 비용을 절감하기 위해 로컬 Azure 지역에 대한 ExpressRoute 로컬 회로를 사용하는 것이 좋습니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "비용"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- 
"guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
- "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
- "service": "APIM",
- "severity": "높다",
- "text": "자체 호스팅 게이트웨이 배포가 복원력이 있는지 확인합니다.",
- "waf": "신뢰도"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability",
+ "service": "ExpressRoute",
+ "severity": "보통",
+ "text": "트래픽 격리 또는 전용 대역폭이 필요한 경우(예: 프로덕션 환경과 비프로덕션 환경을 분리하기 위해) 다른 ExpressRoute 회로를 사용합니다. 이는 격리된 라우팅 도메인을 보장하고 시끄러운 이웃 위험을 완화하는 데 도움이 됩니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "7519e385-a88b-4d34-966b-6269d686e890",
- "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b30e38c3-f298-412b-8363-cefe179b599d",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "다중 지역 배포를 위해 APIM 앞에서 Azure Front Door 사용Use Azure Front Door in front of APIM for multi-region deployment",
- "waf": "공연"
+ "text": "기본 제공 Express Route Insights를 사용하여 ExpressRoute 가용성 및 사용률을 모니터링합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "작업"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
- "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
+ "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "VNet(Virtual Network) 내에 서비스 배포Deploy the service within a Virtual Network (VNet)",
- "waf": "안전"
+ "text": "네트워크를 통한 연결, 특히 온-프레미스와 Azure 간의 연결을 모니터링하기 위해 연결 모니터를 사용합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "작업"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
+ "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
+ "link": 
"https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "서브넷에 NSG(네트워크 보안 그룹)를 배포하여 APIM에서 들어오고 나가는 트래픽을 제한하거나 모니터링합니다.",
- "waf": "안전"
+ "text": "중복성을 위해 서로 다른 피어링 위치의 ExpressRoute 회로를 사용합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "프라이빗 엔드포인트를 배포하여 APIM이 VNet에 배포되지 않은 경우 들어오는 트래픽을 필터링합니다.",
- "waf": "안전"
+ "text": "단일 ExpressRoute 회로만 사용하는 경우 사이트 간 VPN을 ExpressRoute의 장애 조치(failover)로 사용합니다.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where 
type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
+ "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
+ "service": "ExpressRoute",
 "severity": "높다",
- "text": "공용 네트워크 액세스 사용 안 함",
- "waf": "안전"
+ "text": "GatewaySubnet에서 경로 테이블을 사용하는 경우 게이트웨이 경로가 전파되었는지 확인합니다.",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd",
- "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management",
- "service": "APIM",
- "severity": "보통",
- "text": "PowerShell 자동화 스크립트로 관리 간소화",
- "waf": "작업"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d581a947-69a2-4783-942e-9df3664324c8",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
+ "service": "ExpressRoute",
+ "severity": "높다",
+ "text": "ExpressRoute를 사용하는 경우 온-프레미스 라우팅은 동적이어야 하며, 연결 오류가 발생할 경우 회로의 나머지 연결로 수렴해야 합니다. 
로드는 두 연결 모두에서 액티브/액티브로 이상적으로 공유되어야 하지만 액티브/패시브도 지원됩니다.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "Infrastructure-as-code를 통해 APIM을 구성합니다. Cloud Adaption Framework APIM 랜딩 존 가속기에서 DevOps 모범 사례 검토",
- "waf": "작업"
+ "text": "ExpressRoute 회로의 두 물리적 링크가 네트워크에 있는 두 개의 고유한 에지 디바이스에 연결되어 있는지 확인합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6",
- "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "더 빠른 API 개발을 위해 Visual Studio Code APIM 확장 사용 촉진",
- "waf": "작업"
+ "text": "BFD(Bidirectional Forwarding Detection)가 고객 또는 프로바이더 에지 라우팅 디바이스에서 활성화되고 구성되도록 보장합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": 
"Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "354f1c03-8112-4965-85ad-c0074bddf231",
- "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "service": "ExpressRoute",
+ "severity": "높다",
+ "text": "복원력을 높이기 위해 ExpressRoute 게이트웨이를 서로 다른 피어링 위치에서 둘 이상의 회로에 연결합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "워크플로에서 DevOps 및 CI/CD 구현",
+ "text": "ExpressRoute 가상 네트워크 게이트웨이에 대한 진단 로그 및 경고를 구성합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "작업"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "b6439493-426a-45f3-9697-cf65baee208d",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients",
- "service": "APIM",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
+ "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "클라이언트 인증서 인증을 사용하여 API 보안",
- "waf": "안전"
+ "text": "VNet 간 통신에 ExpressRoute 회로를 사용하지 마세요.",
+ 
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "공연"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "2a67d143-1033-4c0a-8732-680896478f08",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates",
- "service": "APIM",
- "severity": "보통",
- "text": "클라이언트 인증서 인증을 사용한 보안 백엔드 서비스",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "service": "N/A",
+ "severity": "낮다",
+ "text": "검사를 위해 Azure 트래픽을 하이브리드 위치로 보내지 마세요. 대신 'Azure의 트래픽이 Azure에 유지' 원칙을 따라 Azure의 리소스 간 통신이 Microsoft 백본 네트워크를 통해 발생하도록 합니다.",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
+ "link": "https://learn.microsoft.com/azure/firewall/overview",
+ "service": "Firewall",
+ "severity": "높다",
+ "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, 비 HTTP/S 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "074435f5-4a46-41ac-b521-d6114cb5d845",
- "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats",
- "service": "APIM",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview",
+ "service": "Firewall",
 "severity": "보통",
- "text": "'OWASP API 보안 상위 10개 위협을 완화하기 위한 권장 사항' 문서를 검토하고 API에 적용할 수 있는 항목을 확인합니다.",
+ "text": "글로벌 Azure Firewall 정책을 만들어 글로벌 네트워크 환경에서 보안 태세를 제어하고 모든 Azure Firewall 인스턴스에 
할당합니다. Azure 역할 기반 액세스 제어를 통해 증분 방화벽 정책을 로컬 보안 팀에 위임하여 특정 지역의 요구 사항을 충족하는 세분화된 정책을 허용합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9",
- "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview",
- "service": "APIM",
- "severity": "보통",
- "text": "권한 부여 기능을 사용하여 백엔드 API에 대한 OAuth 2.0 토큰 관리 간소화",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
+ "service": "Firewall",
+ "severity": "낮다",
+ "text": "조직에서 아웃바운드 연결을 보호하기 위해 이러한 솔루션을 사용하려는 경우 Firewall Manager 내에서 지원되는 파트너 SaaS 보안 공급자를 구성합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers",
- "service": "APIM",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
+ "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
+ "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
+ "service": "Firewall",
 "severity": "높다",
- "text": "전송 중인 정보를 암호화할 때 최신 TLS 버전을 사용합니다. 가능한 경우 오래되고 불필요한 프로토콜과 암호를 사용하지 않도록 설정합니다.",
+ "text": "응용 프로그램 규칙을 사용하여 지원되는 프로토콜에 대한 대상 호스트 이름에서 아웃바운드 트래픽을 필터링합니다. 
FQDN 기반 네트워크 규칙 및 DNS 프록시와 함께 Azure Firewall을 사용하여 다른 프로토콜을 통해 인터넷으로의 송신 트래픽을 필터링합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "f8af3d94-1d2b-4070-846f-849197524258",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
- "service": "APIM",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
+ "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "service": "Firewall",
 "severity": "높다",
- "text": "비밀(명명된 값)이 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되었는지 확인합니다.",
+ "text": "Azure Firewall 프리미엄을 사용하여 추가 보안 기능을 사용하도록 설정합니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "791abd8b-7706-4e31-9569-afefde724be3",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities",
- "service": "APIM",
- "severity": "보통",
- "text": "가능할 때마다 관리 ID를 사용하여 다른 Azure 리소스에 인증",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
+ "guid": 
"e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules",
+ "service": "Firewall",
+ "severity": "높다",
+ "text": "추가 보호를 위해 Azure Firewall 위협 인텔리전스 모드를 경고 및 거부로 구성합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
- "service": "APIM",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
+ "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
+ "service": "Firewall",
 "severity": "높다",
- "text": "APIM 앞에 Application Gateway를 배포하여 WAF(웹 애플리케이션 방화벽) 사용Use Web Application Firewall (WAF) by deploying Application Gateway in of APIM",
+ "text": "추가 보호를 위해 Azure Firewall IDPS 모드를 거부로 구성합니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant",
- "guid": "f00a69de-7076-4734-a734-6e4552cad9e1",
- "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
- "service": "Front Door",
- "severity": "보통",
- "text": "Azure Front Door에서 고객 관리형 TLS 인증서를 사용하는 경우 '최신' 인증서 버전을 사용합니다. 수동 인증서 갱신으로 인한 중단 위험을 줄입니다.",
- "waf": "작업"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant",
- "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Front Door",
- "severity": "보통",
- "text": "WAF 정책과 함께 Azure Front Door를 사용하여 여러 Azure 지역에 걸쳐 있는 글로벌 HTTP/S 앱을 제공하고 보호할 수 있습니다.",
- "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
+ "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
+ "service": "Firewall",
+ "severity": "높다",
+ "text": "Virtual WAN에 연결되지 않은 VNet의 서브넷의 경우 인터넷 트래픽이 Azure Firewall 또는 네트워크 가상 어플라이언스로 리디렉션되도록 경로 테이블을 연결합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
- "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration",
- "service": "Front 
Door",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
+ "service": "Firewall",
 "severity": "보통",
- "text": "Front Door 및 Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Front Door에서 WAF 정책을 사용합니다. Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.",
+ "text": "모든 Azure Firewall 배포에 대해 리소스별 대상 테이블을 사용하여 로그를 저장하는 진단 설정을 추가합니다.",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "안전"
+ "waf": "작업"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
+ "service": "Firewall",
 "severity": "높다",
- "text": "Web Application Firewall이 트래픽을 허용하거나 거부하기 위해 적절한 조치를 취할 수 있도록 Front Door에 대한 WAF 정책을 '방지' 모드'에 배포합니다.",
- "waf": "안전"
+ "text": "Azure Firewall 클래식 규칙(있는 경우)에서 방화벽 정책으로 마이그레이션합니다.",
+ "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "작업"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId",
- "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
+ "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
+ "service": "Firewall",
 "severity": "높다",
- "text": "Traffic Manager를 Front Door 뒤에 배치하지 마세요.",
+ "text": "Azure Firewall 서브넷에 /26 접두사를 사용합니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, 
originName = name, compliant",
- "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
- "service": "Front Door",
- "severity": "높다",
- "text": "Azure Front Door 및 원본에서 동일한 도메인 이름을 사용합니다. 호스트 이름이 일치하지 않으면 미묘한 버그가 발생할 수 있습니다.",
- "waf": "안전"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
+ "service": "Firewall",
+ "severity": "보통",
+ "text": "방화벽 정책 내의 규칙을 Rule Collection Groups(규칙 수집 그룹) 및 Rule Collections(규칙 컬렉션)로 정렬하고 사용 빈도에 따라 정렬합니다.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/",
+ "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
- "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
- "service": "Front Door",
- "severity": "낮다",
- "text": "Azure Front Door 원본 그룹에 원본이 하나만 있는 경우 상태 프로브를 사용하지 않도록 설정합니다.",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ 
"checklist": "Azure Landing Zone Review",
+ "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
+ "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
+ "service": "Firewall",
+ "severity": "보통",
+ "text": "IP 그룹 또는 IP 접두사를 사용하여 IP 테이블 규칙의 수를 줄입니다.",
 "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
+ "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
+ "service": "Firewall",
 "severity": "보통",
- "text": "Azure Front Door에 대한 양호한 상태 프로브 엔드포인트를 선택합니다. 애플리케이션의 모든 종속성을 확인하는 상태 엔드포인트를 구축하는 것이 좋습니다.",
- "waf": "신뢰도"
+ "text": "와일드카드를 DNAT의 소스 IP로 사용하지 마십시오(예: * 또는 any). 
들어오는 DNAT에 대한 소스 IP를 지정해야 합니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
+ "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
- "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
- "service": "Front Door",
- "severity": "낮다",
- "text": "Azure Front Door와 함께 HEAD 상태 프로브를 사용하여 Front Door가 애플리케이션으로 보내는 트래픽을 줄입니다.",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
+ "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway",
+ "service": "Firewall",
+ "severity": "보통",
+ "text": "SNAT 포트 사용량을 모니터링하고, NAT 게이트웨이 설정을 평가하고, 원활한 장애 조치(failover)를 보장하여 SNAT 포트 고갈을 방지합니다. 
포트 수가 제한에 가까워지면 SNAT 고갈이 임박했을 수 있다는 신호입니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
 "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
- "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "346840b8-1064-496e-8396-4b1340172d52",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection",
+ "service": "Firewall",
 "severity": "높다",
- "text": "Azure Front Door에서 관리형 TLS 인증서를 사용합니다. 운영 비용을 줄이고 인증서 갱신으로 인한 중단 위험을 줄입니다.",
- "waf": "작업"
+ "text": "Azure Firewall 프리미엄을 사용하는 경우 TLS 검사를 사용하도록 설정합니다.",
+ "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
- "service": "Front Door",
- "severity": "보통",
- "text": "Azure Front Door WAF 구성을 코드로 정의합니다. 
코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.",
- "waf": "작업"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories",
+ "service": "Firewall",
+ "severity": "낮다",
+ "text": "웹 범주를 사용하여 특정 주제에 대한 아웃바운드 액세스를 허용하거나 거부할 수 있습니다.",
+ "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant",
- "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
- "service": "Front Door",
- "severity": "높다",
- "text": "Azure Front Door에서 엔드투엔드 TLS를 사용합니다. 
클라이언트에서 Front Door로, Front Door에서 원본으로의 연결에 TLS를 사용합니다.",
- "waf": "안전"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall",
+ "service": "Firewall",
+ "severity": "보통",
+ "text": "TLS 검사의 일환으로 검사를 위해 Azure App Gateway에서 트래픽 수신을 계획합니다.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/",
+ "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant",
- "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant",
+ "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad",
+ "link": "https://learn.microsoft.com/azure/firewall/dns-details",
+ "service": "Firewall",
 "severity": "보통",
- "text": "Azure Front Door에서 HTTP를 HTTPS로 리디렉션을 사용합니다. 
이전 클라이언트를 HTTPS 요청으로 자동으로 리디렉션하여 지원합니다.",
+ "text": "Azure Firewall DNS 프록시 구성을 사용하도록 설정합니다.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
+ "service": "Firewall",
 "severity": "높다",
- "text": "Azure Front Door WAF를 사용하도록 설정합니다. 다양한 공격으로부터 애플리케이션을 보호합니다.",
- "waf": "안전"
+ "text": "Azure Firewall을 Azure Monitor와 통합하고 진단 로깅을 사용하도록 설정하여 방화벽 로그 및 메트릭을 저장하고 분석합니다.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/",
+ "waf": "작업"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
- "service": "Front Door",
- "severity": "높다",
- "text": "검색 모드에서 WAF를 구성하여 워크로드에 맞게 Azure Front Door WAF를 조정하여 가양성 검색을 줄이고 수정합니다.",
- "waf": "안전"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "service": "Firewall",
+ "severity": "낮다",
+ "text": "방화벽 규칙에 대한 백업 구현Implement backups for your firewall rules",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/",
+ "waf": "작업"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": 
"17ba124b-127d-42b6-9322-388d5b2bbcfc",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'",
+ "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707",
+ "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell",
+ "service": "Firewall",
 "severity": "높다",
- "text": "Azure Front Door WAF 정책에서 요청 본문 검사 기능을 사용하도록 설정합니다.",
- "waf": "안전"
+ "text": "여러 가용성 영역에 Azure Firewall을 배포합니다. Azure Firewall은 배포에 따라 다른 SLA를 제공합니다. 단일 가용 영역 또는 여러 가용 영역에서 작동하여 안정성과 성능을 향상시킬 수 있습니다.",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = 
properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'",
+ "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc",
+ "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview",
+ "service": "Firewall",
 "severity": "높다",
- "text": "Azure Front Door WAF 기본 규칙 집합을 사용하도록 설정합니다. 기본 규칙 집합은 일반적인 공격을 탐지하고 차단합니다.",
- "waf": "안전"
+ "text": "Azure Firewall VNet에서 DDoS Protection을 구성하고, DDoS 보호 계획을 Azure Firewall을 호스트하는 가상 네트워크와 연결하여 DDoS 공격에 대한 향상된 완화를 제공합니다. Azure Firewall Manager는 방화벽 인프라 및 DDoS 보호 계획 생성을 통합합니다. ",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
- "service": "Front Door",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
+ "service": "App Gateway",
 "severity": "높다",
- "text": "Azure Front Door WAF 봇 보호 규칙 집합을 사용하도록 설정합니다. 
봇 규칙은 좋은 봇과 나쁜 봇을 감지합니다.",
+ "text": "컨트롤 플레인 트래픽을 차단하는 0.0.0.0/0 경로 또는 NSG 규칙과 같이 가상 네트워크에 삽입된 Azure PaaS 서비스에 대한 컨트롤 플레인 통신을 중단하지 마세요.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
- "service": "Front Door",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
+ "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview",
+ "service": "ExpressRoute",
 "severity": "보통",
- "text": "최신 Azure Front Door WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.",
+ "text": "프라이빗 엔드포인트 및 ExpressRoute 프라이빗 피어링을 통해 온-프레미스에서 Azure PaaS 서비스에 액세스하세요. 이 방법을 사용하면 공용 인터넷을 통해 전송하지 않아도 됩니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
- "service": "Front Door",
- "severity": "보통",
- "text": "Azure Front Door WAF에 속도 제한을 추가합니다. 
속도 제한은 클라이언트가 실수로 또는 의도적으로 단기간에 많은 양의 트래픽을 보내는 것을 차단합니다.",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
+ "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview",
+ "service": "VNet",
+ "severity": "높다",
+ "text": "모든 서브넷에서 기본적으로 가상 네트워크 서비스 엔드포인트를 사용하도록 설정하지 마세요.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe",
+ "link": "azure/private-link/inspect-traffic-with-azure-firewall",
+ "service": "Firewall",
 "severity": "보통",
- "text": "Azure Front Door WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호를 제공합니다.",
+ "text": "Azure Firewall 또는 NVA의 IP 주소 대신 FQDN을 사용하여 Azure PaaS 서비스에 대한 송신 트래픽을 필터링하여 데이터 반출을 방지합니다. 
Private Link를 사용하는 경우 모든 FQDN을 차단할 수 있으며, 그렇지 않으면 필요한 PaaS 서비스만 허용할 수 있습니다.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
- "service": "Front Door",
- "severity": "낮다",
- "text": "모든 지역에서 트래픽이 발생할 것으로 예상되지 않는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
+ "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
+ "service": "ExpressRoute",
+ "severity": "높다",
+ "text": "게이트웨이 서브넷에 /27 접두사 이상을 사용합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
- "service": "Front Door",
- "severity": "보통",
- "text": "Azure Front Door WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. 
IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 마세요.",
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)",
+ "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
+ "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags",
+ "service": "NSG",
+ "severity": "높다",
+ "text": "VirtualNetwork 서비스 태그를 사용하여 연결을 제한하는 NSG 인바운드 기본 규칙에 의존하지 마세요.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 
'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant",
+ "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
+ "service": "NSG",
 "severity": "보통",
- "text": "Diagnostic Settings(진단 설정)를 켜서 로그 및 메트릭을 캡처합니다. 리소스 활동 로그, 액세스 로그, 상태 프로브 로그 및 WAF 로그를 포함합니다. 알림을 설정합니다.",
- "waf": "작업"
+ "text": "NSG를 사용하여 서브넷 전체의 트래픽과 플랫폼 전체의 동쪽/서쪽 트래픽(랜딩 존 간 트래픽)을 보호할 수 있습니다.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "service": "NSG",
 "severity": "보통",
- "text": "Azure Front Door WAF 로그를 Microsoft Sentinel로 보냅니다.",
- "waf": "작업"
+ "text": "NSG 및 애플리케이션 보안 그룹을 사용하여 랜딩 존 내의 트래픽을 마이크로 세그먼트화하고 중앙 NVA를 사용하여 트래픽 흐름을 필터링하지 않도록 합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02",
- "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods",
- "service": "Front Door",
+ "arm-service": 
"Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant",
+ "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
+ "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview",
+ "service": "NSG",
 "severity": "보통",
- "text": "배포 전략을 지원하는 라우팅 방법을 선택합니다. 구성된 가중치 계수에 따라 트래픽을 분산하는 가중치 방법은 액티브-액티브 모델을 지원합니다. 모든 트래픽을 수신하고 보조 지역으로 트래픽을 백업으로 보내도록 주 지역을 구성하는 우선 순위 기반 값은 활성-수동 모델을 지원합니다. 
앞의 방법을 지연 시간과 결합하여 지연 시간이 가장 낮은 오리진이 트래픽을 수신하도록 합니다.",
- "waf": "신뢰도"
+ "text": "VNet 흐름 로그를 사용하도록 설정하고 트래픽 분석에 제공하여 내부 및 외부 트래픽 흐름에 대한 인사이트를 얻을 수 있습니다.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant",
- "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d",
- "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door",
- "service": "Front Door",
- "severity": "높다",
- "text": "하나 이상의 백 엔드 풀에 여러 원본을 두어 중복성을 지원합니다. 항상 응용 프로그램의 중복 인스턴스를 가지고 있으며 각 인스턴스가 끝점 또는 원본을 노출하는지 확인하십시오. 
이러한 원본을 하나 이상의 백 엔드 풀에 배치할 수 있습니다.",
+ "arm-service": "Microsoft.Network/networkSecurityGroups",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
+ "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "NSG",
+ "severity": "보통",
+ "text": "1,000개의 규칙 제한으로 인해 NSG당 900개 이상의 NSG 규칙을 구현하지 마세요.",
+ "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
 "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "999852be-2137-4179-8fc3-30d1df6fed1d",
- "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps",
- "service": "Front Door",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any",
+ "service": "VWAN",
 "severity": "보통",
- "text": "백 엔드에 대한 요청 전달에 대한 시간 제한을 설정합니다. 엔드포인트의 필요에 따라 시간 제한 설정을 조정합니다. 그렇지 않으면 원본이 응답을 보내기 전에 Azure Front Door가 연결을 닫을 수 있습니다. 
모든 원본의 시간 제한이 더 짧은 경우 Azure Front Door의 기본 시간 제한을 낮출 수도 있습니다.",
- "waf": "신뢰도"
+ "text": "시나리오가 Virtual WAN 라우팅 디자인 목록에 명시적으로 설명된 경우 Virtual WAN을 사용합니다.",
+ "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
+ "waf": "작업"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6",
- "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity",
- "service": "Front Door",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst",
+ "service": "VWAN",
 "severity": "보통",
- "text": "응용 프로그램에 세션 선호도가 필요한지 여부를 결정합니다. 높은 안정성 요구 사항이 있는 경우 세션 선호도를 사용하지 않도록 설정하는 것이 좋습니다.",
- "waf": "신뢰도"
+ "text": "Azure 지역당 Virtual WAN 허브를 사용하여 공통 글로벌 Azure Virtual WAN을 통해 Azure 지역 간에 여러 랜딩 존을 함께 연결합니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7",
- "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header",
- "service": "Front Door",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
+ "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall",
+ "service": "VWAN",
 "severity": "보통",
- "text": "호스트 헤더를 백 엔드로 보냅니다. 
백 엔드 서비스는 해당 호스트의 트래픽만 허용하는 규칙을 만들 수 있도록 호스트 이름을 인식해야 합니다.",
+ "text": "아웃바운드 인터넷 트래픽 보호 및 필터링을 위해 보안 허브에 Azure Firewall을 배포합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "81a5398a-2414-450f-9fc3-e048bc65784c",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
- "service": "Front Door",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology",
+ "service": "VWAN",
 "severity": "보통",
- "text": "캐싱을 지원하는 엔드포인트에 대해 캐싱을 사용합니다.",
- "waf": "비용"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant",
- "guid": "34069d73-e4de-46c5-a36f-625f87575a56",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
- "service": "Front Door",
- "severity": "낮다",
- "text": "단일 백 엔드 풀에서 상태 검사를 사용하지 않도록 
설정합니다. Azure Front Door 원본 그룹에 원본이 하나만 구성된 경우 이러한 호출이 필요하지 않습니다. 이는 엔드포인트에 여러 원본을 가질 수 없는 경우에만 권장됩니다.",
- "waf": "비용"
+ "text": "Virtual WAN 네트워크 아키텍처가 식별된 아키텍처 시나리오에 맞는지 확인합니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c92d6786-cdd1-444d-9cad-934a192a276a",
- "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports",
- "service": "Front Door",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
+ "service": "VWAN",
 "severity": "보통",
- "text": "보안 보고서를 활용하기 위해 프리미엄 계층을 사용하는 것이 좋지만 표준 Azure Front Door 프로필은 기본 제공 분석/보고서에서 트래픽 보고서만 제공합니다.",
+ "text": "Virtual WAN용 Azure Monitor Insights를 사용하여 Virtual WAN의 엔드투엔드 토폴로지, 상태 및 주요 메트릭을 모니터링합니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
 "waf": "작업"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain",
- "service": "Front Door",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant",
+ "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
+ "service": "VWAN",
 "severity": "보통",
- "text": "가능한 경우 와일드카드 TLS 인증서를 사용합니다.",
- "waf": "작업"
+ "text": "이러한 흐름을 명시적으로 차단해야 하는 경우가 아니면 Virtual 
WAN에서 분기 간 트래픽을 사용하지 않도록 설정하지 마세요.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
- "service": "Front Door",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant",
+ "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
+ "service": "VWAN",
 "severity": "보통",
- "text": "캐싱을 위해 응용 프로그램 쿼리 문자열을 최적화합니다. 순전히 정적인 콘텐츠의 경우 쿼리 문자열을 무시하여 캐시 사용을 최대화합니다. 응용 프로그램에서 쿼리 문자열을 사용하는 경우 캐시 키에 포함하는 것이 좋습니다. 캐시 키에 쿼리 문자열을 포함하면 Azure Front Door가 구성에 따라 캐시된 응답 또는 기타 응답을 제공할 수 있습니다.",
- "waf": "공연"
+ "text": "AS-Path는 ExpressRoute 또는 VPN보다 유연하므로 허브 라우팅 기본 설정으로 사용합니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece",
- "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression",
- "service": "Front Door",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
+ "service": "VWAN",
 "severity": "보통",
- "text": "다운로드 가능한 콘텐츠에 액세스할 때 파일 압축을 사용합니다.",
- "waf": "공연"
+ "text": "Virtual WAN에서 레이블 기반 전파를 구성하지 않으면 가상 허브 간의 연결이 손상됩니다.",
+ "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", - "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", - "link": "https://learn.microsoft.com/azure/cdn/tier-migration", - "service": "Front Door", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "severity": "높다", - "text": "클래식 Azure Front Door는 2027년 3월까지 더 이상 사용되지 않으므로 현재 클래식 Azure Front Door를 사용하는 경우 표준 또는 프리미엄 SKU로 마이그레이션하는 것이 좋습니다.", - "waf": "작업" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", - "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", - "service": "Front Door", - "severity": "보통", - "text": "중요 업무용 고가용성 시나리오의 경우 Traffic Manager 부하 분산 Azure Front Door 및 타사 CDN 공급자 CDN 프로필을 사용하는 것이 좋습니다. 
", + "text": "가상 허브에 /23 이상의 접두사를 할당하여 충분한 IP 공간을 사용할 수 있도록 합니다.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", - "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", - "service": "Front Door", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "높다", - "text": "원본과 함께 Front Door를 App Services로 사용하는 경우 액세스 제한을 사용하여 Azure Front Door를 통해서만 앱 서비스에 대한 트래픽을 잠그는 것이 좋습니다. ", + "text": "Azure Policy를 전략적으로 활용하고, 정책 이니셔티브를 사용하여 관련 정책을 그룹화하여 환경에 대한 컨트롤을 정의합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "안전" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", - "severity": "높다", - "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "신뢰도" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "보통", + "text": "규정 및 규정 준수 요구 사항을 Azure Policy 정의 및 Azure 역할 할당에 매핑합니다.", + "training": "https://learn.microsoft.com/training/modules/governance-security/", + "waf": "안전" }, { 
- "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", - "severity": "높다", - "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones", - "waf": "신뢰도" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "보통", + "text": "상속된 범위에서 할당할 수 있도록 중간 루트 관리 그룹에서 Azure Policy 정의를 설정합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "안전" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "높다", - "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", - "waf": "신뢰도" + "text": "필요한 경우 최하위 수준에서 제외를 사용하여 가장 적절한 수준에서 정책 할당을 관리합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "안전" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": 
"https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", - "severity": "높다", - "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", - "waf": "신뢰도" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "낮다", + "text": "Azure Policy를 사용하여 사용자가 구독/관리 그룹 수준에서 프로비전할 수 있는 서비스를 제어합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "안전" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", - "severity": "보통", - "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.", - "waf": "작업" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "높다", + "text": "가능한 경우 기본 제공 정책을 사용하여 운영 오버헤드를 최소화합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "안전" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "description": "Resource Policy Contributor 역할을 특정 범위에 할당하면 정책 관리를 관련 팀에 위임할 수 있습니다. 
예를 들어 중앙 IT 팀은 관리 그룹 수준 정책을 감독할 수 있고, 응용 프로그램 팀은 구독에 대한 정책을 처리하여 조직 표준을 준수하는 분산 거버넌스를 가능하게 할 수 있습니다.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "severity": "보통", - "text": "유연한 서버 활용", - "waf": "신뢰도" + "text": "특정 범위에서 기본 제공 Resource Policy Contributor 역할을 할당하여 응용 프로그램 수준 거버넌스를 사용하도록 설정합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "안전" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", - "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용 영역 활용Leverage Availability Zones where regionally applicable", - "waf": "신뢰도" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "보통", + "text": "상속된 범위에서 제외를 통해 관리하지 않도록 루트 관리 그룹 범위에서 수행된 Azure Policy 할당 수를 제한합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "안전" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": 
"https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "severity": "보통", - "text": "지역 간 DR 시나리오에 입력 데이터 복제 활용", - "waf": "신뢰도" + "text": "데이터 주권 요구 사항이 있는 경우 이를 적용하기 위해 Azure 정책을 배포해야 합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "severity": "보통", - "text": "ACSS(Azure Center for SAP solutions)는 SAP를 Azure의 최상위 워크로드로 만드는 Azure 제품입니다. ACSS는 Azure에서 SAP 시스템을 통합 워크로드로 만들고 실행할 수 있도록 하는 엔드투엔드 솔루션으로, 혁신을 위한 보다 원활한 기반을 제공합니다. 새 Azure 기반 SAP 시스템과 기존 Azure 기반 SAP 시스템 모두에 대한 관리 기능을 활용할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "작업" + "text": "Sovereign Landing Zone의 경우 주권 정책 기준을 배포하고 올바른 관리 그룹 수준에서 할당합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "severity": "보통", - "text": "Azure는 Linux 및 Windows에서 SAP 배포 자동화를 지원합니다. 
SAP Deployment Automation Framework는 SAP 환경을 배포, 설치 및 유지 관리할 수 있는 오픈 소스 오케스트레이션 툴입니다.", - "training": "https://github.com/Azure/sap-automation", - "waf": "작업" + "text": "Sovereign Landing Zone의 경우 정책 매핑에 대한 Sovereign Control 목표를 문서화합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", "severity": "보통", - "text": "RTO를 충족하는 언제든지 특정 시점과 시간 프레임에서 프로덕션 데이터베이스에 대한 특정 시점 복구를 수행합니다. 특정 시점 복구에는 일반적으로 DBMS 계층 또는 SAP를 통해 데이터를 삭제하는 운영자 오류가 포함됩니다", - "waf": "신뢰도" + "text": "Sovereign Landing Zone의 경우 'Sovereign Control 목표를 정책 매핑에 적용'을 관리하기 위한 프로세스가 마련되어 있는지 확인합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", + "service": "Monitor", "severity": "보통", - "text": "백업 및 복구 시간을 테스트하여 재해 발생 후 모든 시스템을 동시에 복원하기 위한 RTO 요구 사항을 충족하는지 확인합니다.", - "waf": "신뢰도" - }, - { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", - "severity": "높다", - "text": "쌍을 이루는 지역 간에 표준 스토리지를 복제할 수 있지만 표준 스토리지를 사용하여 데이터베이스 또는 가상 하드 디스크를 저장할 수는 없습니다. 사용하는 쌍을 이루는 지역 간에만 백업을 복제할 수 있습니다. 다른 모든 데이터의 경우 SQL Server Always On 또는 SAP HANA 시스템 복제와 같은 기본 DBMS 기능을 사용하여 복제를 실행합니다. 
SAP 애플리케이션 계층에 Site Recovery, rsync 또는 robocopy 및 기타 타사 소프트웨어를 조합하여 사용합니다.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "신뢰도" + "text": "Azure RBAC(Azure 역할 기반 액세스 제어), 데이터 주권 요구 사항 또는 데이터 보존 정책에 따라 별도의 작업 영역이 필요한 경우를 제외하고 단일 모니터 로그 작업 영역을 사용하여 플랫폼을 중앙에서 관리합니다.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "보통", - "text": "고가용성을 달성하기 위해 Azure 가용성 영역을 사용하는 경우 SAP 애플리케이션 서버와 데이터베이스 서버 간의 대기 시간을 고려해야 합니다. 대기 시간이 긴 영역의 경우 SAP 애플리케이션 서버와 데이터베이스 서버가 항상 동일한 영역에서 실행되도록 운영 절차를 마련해야 합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "text": "모든 지역에 대해 단일 Azure Monitor 로그 작업 영역을 사용할지 또는 다양한 지리적 지역을 포괄하는 여러 작업 영역을 만들지 여부를 결정합니다. 
각 접근 방식에는 잠재적인 지역 간 네트워킹 요금을 포함하여 장점과 단점이 있습니다", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "severity": "높다", - "text": "온-프레미스에서 주 및 보조 Azure 재해 복구 지역으로의 ExpressRoute 연결을 설정합니다. 또한 ExpressRoute를 사용하는 대신 온-프레미스에서 주 및 보조 Azure 재해 복구 지역으로 VPN 연결을 설정하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "신뢰도" + "text": "로그 보존 요구 사항이 12년을 초과하는 경우 로그를 Azure Storage로 내보냅니다. 
Write-Once, Read-Many 정책과 함께 변경할 수 없는 스토리지를 사용하여 사용자가 지정한 간격 동안 데이터를 지우거나 수정할 수 없도록 합니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "낮다", - "text": "DR 지역에서 데이터의 암호를 해독할 수 있도록 인증서, 비밀 또는 키와 같은 키 자격 증명 모음 콘텐츠를 지역 간에 복제합니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", + "severity": "보통", + "text": "Azure Policy를 사용하여 OS 수준 VM(가상 머신) 구성 드리프트를 모니터링합니다. 정책을 통해 Azure Automanage Machine Configuration 감사 기능을 사용하도록 설정하면 애플리케이션 팀 워크로드가 적은 노력으로 기능 기능을 즉시 사용할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", + "service": "VM", "severity": "보통", - "text": "기본 및 재해 복구 가상 네트워크를 피어링합니다. 
예를 들어 HANA 시스템 복제의 경우 SAP HANA DB 가상 네트워크를 재해 복구 사이트의 SAP HANA DB 가상 네트워크에 피어링해야 합니다.", - "waf": "신뢰도" + "text": "Azure에서 Windows 및 Linux VM에 대한 패치 메커니즘으로 Azure 업데이트 관리자를 사용합니다.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "낮다", - "text": "SAP 배포에 Azure NetApp Files 스토리지를 사용하는 경우 최소한 두 지역의 프리미엄 계층에 두 개의 Azure NetApp Files 계정을 만듭니다.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "신뢰도" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", + "severity": "보통", + "text": "Azure Arc를 사용하여 Azure 외부의 Windows 및 Linux VM에 대한 패치 메커니즘으로 Azure 업데이트 관리자를 사용합니다.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "높다", - "text": "기본 데이터베이스 복제 기술을 사용하여 HA 쌍의 데이터베이스를 동기화해야 합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "신뢰도" + "arm-service": "microsoft.network/networkWatchers", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": 
"https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", + "severity": "보통", + "text": "Network Watcher를 사용하여 트래픽 흐름을 사전에 모니터링합니다.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "높다", - "text": "기본 VNet(가상 네트워크)의 CIDR은 DR 사이트 VNet의 CIDR과 충돌하거나 겹치지 않아야 합니다", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "신뢰도" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", + "severity": "보통", + "text": "인사이트 및 보고를 위해 Azure Monitor 로그를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", - "severity": "높다", - "text": "Site Recovery를 사용하여 응용 프로그램 서버를 DR 사이트에 복제합니다. Site Recovery는 중앙 서비스 클러스터 VM을 DR 사이트에 복제하는 데도 도움이 될 수 있습니다. 
DR을 호출할 때 DR 사이트에서 Linux Pacemaker 클러스터를 다시 구성해야 합니다(예: VIP 또는 SBD 바꾸기, corosync.conf 실행 등).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "신뢰도" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "보통", + "text": "Azure Monitor 경고를 사용하여 운영 경고를 생성합니다.", + "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "높다", - "text": "단일 장애 지점에 대한 SAP 소프트웨어의 가용성을 고려합니다. 여기에는 SAP NetWeaver 및 SAP S/4HANA 아키텍처, SAP ABAP 및 ASCS + SCS에서 사용되는 DBMS와 같은 애플리케이션 내의 단일 실패 지점이 포함됩니다. 
또한 SAP Web Dispatcher와 같은 다른 도구도 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "신뢰도" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", + "severity": "보통", + "text": "Azure Automation 계정을 통해 변경 및 인벤토리 추적을 사용하는 경우 Log Analytics 작업 영역과 자동화 계정을 함께 연결하는 데 지원되는 지역을 선택했는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "높다", - "text": "SAP 및 SAP 데이터베이스의 경우 자동 장애 조치(failover) 클러스터를 구현하는 것이 좋습니다. Windows에서 Windows Server 장애 조치(failover) 클러스터링은 장애 조치(failover)를 지원합니다. 
Linux에서 Linux Pacemaker 또는 SIOS Protection Suite 및 Veritas InfoScale과 같은 타사 도구는 장애 조치를 지원합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", + "severity": "낮다", + "text": "Azure Backup을 사용하는 경우 기본 설정은 GRS이므로 백업에 올바른 백업 유형(GRS, ZRS & LRS)을 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "높다", - "text": "Azure는 기본 및 보조 VM이 DBMS 데이터에 대한 스토리지를 공유하는 아키텍처를 지원하지 않습니다. DBMS 계층의 경우 일반적인 아키텍처 패턴은 기본 및 보조 VM에서 사용하는 것과 다른 스토리지 스택을 사용하여 동시에 데이터베이스를 복제하는 것입니다.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "신뢰도" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", + "severity": "보통", + "text": "Azure 게스트 정책을 사용하여 VM 확장을 통해 소프트웨어 구성을 자동으로 배포하고 규격 기준 VM 구성을 적용합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "높다", - "text": "DBMS 데이터 및 트랜잭션/다시 
실행 로그 파일은 Azure 지원 블록 스토리지 또는 Azure NetApp Files에 저장됩니다. Azure Files 또는 Azure Premium Files는 SAP 워크로드를 사용하여 DBMS 데이터 및/또는 다시 실행 로그 파일에 대한 스토리지로 지원되지 않습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "신뢰도" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "description": "Azure Policy의 게스트 구성 기능을 사용하여 컴퓨터 설정(예: OS, 애플리케이션, 환경)을 감사하고 수정하여 리소스가 예상 구성에 맞는지 확인하고, 업데이트 관리는 VM에 대한 패치 관리를 적용할 수 있습니다.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", + "severity": "보통", + "text": "Azure Policy를 통해 VM 보안 구성 드리프트를 모니터링합니다.", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", - "severity": "높다", - "text": "ASCS + SCS 구성 요소 및 특정 고가용성 시나리오에 대해 Windows에서 Azure 공유 디스크를 사용할 수 있습니다. SAP 애플리케이션 계층 구성 요소 및 DBMS 계층에 대해 장애 조치(failover) 클러스터를 별도로 설정합니다. 
Azure는 현재 SAP 애플리케이션 계층 구성 요소와 DBMS 계층을 하나의 장애 조치(failover) 클러스터로 결합하는 고가용성 아키텍처를 지원하지 않습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "신뢰도" - }, - { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "높다", - "text": "SAP ASCS(애플리케이션 계층 구성 요소) 및 DBMS 계층에 대한 대부분의 장애 조치(failover) 클러스터에는 장애 조치(failover) 클러스터에 대한 가상 IP 주소가 필요합니다. Azure Load Balancer는 다른 모든 경우에 대해 가상 IP 주소를 처리해야 합니다. 한 가지 설계 원칙은 클러스터 구성당 하나의 부하 분산 장치를 사용하는 것입니다. 부하 분산 장치의 표준 버전(표준 Load Balancer SKU)을 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "신뢰도" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", + "severity": "보통", + "text": "Azure-to-Azure Virtual Machines 재해 복구 시나리오에는 Azure Site Recovery를 사용합니다. 이렇게 하면 지역 간에 워크로드를 복제할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "높다", - "text": "로드 밸런서에서 부동 IP가 활성화되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "신뢰도" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", + "severity": "보통", + "text": "Azure 네이티브 백업 기능 또는 Azure 호환 타사 백업 솔루션을 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "작업" }, { - "checklist": "SAP 
Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "severity": "높다", - "text": "고가용성 인프라를 배포하기 전에 선택한 지역에 따라 Azure 가용성 집합을 사용하여 배포할지 또는 가용성 영역을 사용하여 배포할지를 결정합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "신뢰도" + "text": "진단 설정을 추가하여 Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 WAF 로그를 저장합니다. 로그를 정기적으로 검토하여 공격 및 가양성 탐지를 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", - "severity": "높다", - "text": "SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)용 애플리케이션에 대한 인프라 SLA를 충족하려면 모든 구성 요소에 대해 동일한 고가용성 옵션(VM, 가용성 집합, 가용성 영역)을 선택해야 합니다.", - "waf": "신뢰도" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", + "severity": "보통", + "text": "Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 Microsoft Sentinel로 WAF 로그를 보냅니다. 
공격을 탐지하고 WAF 텔레메트리를 전체 Azure 환경에 통합합니다.", + "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "높다", - "text": "동일한 가용성 집합에서 서로 다른 역할의 서버를 혼합하지 마십시오. 중앙 서비스 VM, 데이터베이스 VM, 애플리케이션 VM을 자체 가용성 집합으로 유지", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "신뢰도" + "text": "Azure Key Vault를 사용하여 비밀과 자격 증명을 저장합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + 
"service": "Key Vault", "severity": "보통", - "text": "근접 배치 그룹을 사용하지 않는 한 Azure 가용성 영역 내에 Azure 가용성 집합을 배포할 수 없습니다.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "신뢰도" + "text": "서로 다른 애플리케이션 및 지역에 대해 서로 다른 Azure Key Vault를 사용하여 트랜잭션 규모 제한을 방지하고 비밀에 대한 액세스를 제한합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "높다", - "text": "가용성 집합을 만들 때 사용 가능한 최대 장애 도메인 및 업데이트 도메인 수를 사용합니다. 예를 들어 하나의 가용성 집합에 두 개 이상의 VM을 배포하는 경우 Azure 계획된 유지 관리 외에도 잠재적인 물리적 하드웨어 오류, 네트워크 중단 또는 전원 중단의 영향을 제한할 수 있는 최대 장애 도메인 수(3개)와 충분한 업데이트 도메인을 사용합니다. 장애 도메인의 기본 수는 2개이며 나중에 온라인으로 변경할 수 없습니다.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "신뢰도" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "높다", - "text": "가용성 집합 배포에서 Azure 근접 배치 그룹을 사용하는 경우 세 가지 SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)가 모두 동일한 근접 배치 그룹에 있어야 합니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + 
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "키, 비밀 및 인증서를 영구적으로 삭제할 수 있는 권한 부여를 특수 사용자 지정 Microsoft Entra ID 역할로 제한하여 최소 권한 모델을 따릅니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "높다", - "text": "SAP SID당 하나의 근접 배치 그룹을 사용합니다. 그룹은 가용성 영역 또는 Azure 지역에 걸쳐 있지 않습니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "공용 인증 기관을 통해 인증서 관리 및 갱신 프로세스를 자동화하여 관리를 용이하게 합니다.", + "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "높다", - "text": "운영 체제에 따라 다음 서비스 중 하나를 사용하여 SAP 중앙 서비스 클러스터를 실행합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "신뢰도" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "키 및 인증서 교체를 위한 자동화된 프로세스를 설정합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "안전" }, { - "checklist": 
"SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "Azure는 현재 동일한 Linux Pacemaker 클러스터에서 ASCS와 DB HA를 결합하는 것을 지원하지 않습니다. 개별 클러스터로 분리합니다. 그러나 최대 5개의 여러 중앙 서비스 클러스터를 한 쌍의 VM으로 결합할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "신뢰도" + "text": "자격 증명 모음에서 방화벽 및 가상 네트워크 서비스 엔드포인트 또는 프라이빗 엔드포인트를 사용하도록 설정하여 키 자격 증명 모음에 대한 액세스를 제어합니다.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "보통", - "text": "가용성 집합 또는 가용성 영역의 고가용성 쌍에 두 VM을 모두 배포합니다. 
이러한 VM은 크기가 동일해야 하며 스토리지 구성이 동일해야 합니다.", - "waf": "신뢰도" + "text": "플랫폼 중앙 Azure Monitor Log Analytics 작업 영역을 사용하여 Key Vault의 각 인스턴스 내에서 키, 인증서 및 비밀 사용을 감사합니다.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "Azure는 RHEL(Red Hat Enterprise Linux)에서 실행되는 동일한 고가용성 클러스터에서 SAP HANA와 ASCS/SCS 및 ERS 인스턴스의 설치 및 구성을 지원합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "신뢰도" + "text": "Key Vault 인스턴스화 및 권한 있는 액세스를 위임하고 Azure Policy를 사용하여 일관된 규정 준수 구성을 적용합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "높다", - "text": "프리미엄 관리형 SSD에서 모든 프로덕션 시스템을 실행하고 Azure NetApp Files 또는 Ultra Disk Storage를 사용합니다. 
적어도 OS 디스크는 더 나은 성능과 최상의 SLA를 달성할 수 있도록 프리미엄 계층에 있어야 합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "신뢰도" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "애플리케이션당 환경, 지역별 Azure Key Vault를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", - "severity": "높다", - "text": null, - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "신뢰도" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "사용자 고유의 키를 가져오려는 경우 고려되는 모든 서비스에서 지원되지 않을 수 있습니다. 불일치가 원하는 결과를 방해하지 않도록 관련 완화를 구현합니다. 대기 시간을 최소화하는 적절한 지역 쌍 및 재해 복구 지역을 선택합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", - "severity": "높다", - "text": "SAP 워크로드에 사용하는 스토리지 유형에 따라 고가용성을 구성하는 것이 좋습니다. 
Azure에서 사용할 수 있는 일부 스토리지 서비스는 Azure Site Recovery에서 지원되지 않으므로 고가용성 구성이 다를 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "신뢰도" - }, - { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "severity": "높다", - "text": null, - "waf": "신뢰도" - }, - { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "severity": "보통", - "text": "SAP System Start-Stop을 자동화하여 비용을 관리합니다.", - "waf": "비용" - }, - { - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "낮다", - "text": "SAP HANA와 함께 Azure Premium Storage를 사용하는 경우 Azure Standard SSD Storage를 사용하여 비용에 민감한 스토리지 솔루션을 선택할 수 있습니다. 그러나 표준 SSD 또는 표준 HDD Azure Storage를 선택하면 개별 VM의 SLA에 영향을 줍니다. 
또한 비프로덕션 환경과 같이 I/O 처리량이 낮고 대기 시간이 짧은 시스템의 경우 더 낮은 시리즈 VM을 사용할 수 있습니다.", - "waf": "비용" + "text": "Sovereign Landing Zone의 경우 Azure Key Vault 관리형 HSM을 사용하여 비밀과 자격 증명을 저장합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "낮다", - "text": "저렴한 대체 구성(다목적)으로 비프로덕션 HANA 데이터베이스 서버 VM에 대해 저성능 SKU를 선택할 수 있습니다. 그러나 E 시리즈와 같은 일부 VM 유형은 HANA 인증(SAP HANA 하드웨어 디렉터리)되지 않았거나 1ms 미만의 스토리지 대기 시간을 달성할 수 없다는 점에 유의해야 합니다.", - "waf": "비용" + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", + "severity": "보통", + "text": "Microsoft Entra ID 보고 기능을 사용하여 액세스 제어 감사 보고서를 생성합니다.", + "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", - "severity": null, - "text": null, - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", + "severity": "높다", + "text": "모든 구독에 대해 Defender 클라우드 보안 태세 관리를 사용하도록 설정합니다.", 
+ "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "severity": "보통", - "text": "클라우드 커넥터를 통해 SAP 클라우드 애플리케이션에서 SAP 온-프레미스(IaaS 포함)로 ID를 전달하기 위한 주체 전파 적용", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", + "severity": "높다", + "text": "모든 구독의 서버에 대해 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "severity": "보통", - "text": "SAML을 사용하여 Azure AD를 사용하여 SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics 및 SAP C4C와 같은 SAP SaaS 애플리케이션에 SSO를 구현합니다.", - "waf": null + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "높다", + "text": "모든 구독에서 Azure 리소스에 대한 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": null, - "text": "SAML을 사용하여 SAP Fiori 및 SAP Web GUI와 같은 SAP NetWeaver 기반 웹 애플리케이션에 대한 SSO를 구현합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": null + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", + "severity": "높다", + "text": "IaaS 서버에서 Endpoint Protection을 사용하도록 설정합니다.", + "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "보통", - "text": null, - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "text": "Azure Monitor 로그 및 클라우드용 Defender를 통해 기본 운영 체제 패치 드리프트를 모니터링합니다.", + "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "보통", - "text": "SAP NetWeaver SSO 또는 파트너 솔루션을 사용하여 SAP GUI에 SSO를 구현할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "text": "기본 리소스 구성을 중앙 집중식 Azure Monitor Log Analytics 작업 영역에 연결합니다.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", - "severity": "보통", - "text": "SAP GUI 및 웹 브라우저 액세스용 SSO의 경우 구성 및 유지 관리가 용이하여 SNC/Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP Secure Login Server를 고려합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", + "guid": "a56888b2-7e83-4404-bd31-b886528502d1", + "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", + "service": "Entra", + "severity": "높다", + "text": "상관 관계가 있는 로그를 통한 중앙 집중식 위협 탐지 - SIEM(보안 정보 및 이벤트 관리)을 통해 다양한 서비스 간에 상관 관계를 파악할 수 있는 중앙 위치에 보안 데이터를 
통합합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "severity": "보통", - "text": null, + "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 투명 로그를 사용하도록 설정합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "보통", - "text": "SAP NetWeaver용 OAuth를 사용하여 SSO를 구현하여 타사 또는 사용자 지정 애플리케이션이 SAP NetWeaver OData 서비스에 액세스할 수 있도록 합니다.", + "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 고객 Lockbox를 사용하도록 설정합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", - "severity": "보통", - "text": "SAP HANA에 대한 SSO 구현", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "높다", + "text": "스토리지 계정에 대한 보안 전송을 사용하도록 설정합니다.", + "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": 
"c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", - "severity": "보통", - "text": "Azure AD를 RISE에서 호스트되는 SAP 시스템의 ID 공급자로 간주합니다. 자세한 내용은 Azure AD와 서비스 통합을 참조하세요.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "severity": "높다", + "text": "스토리지 계정에 대해 컨테이너 일시 삭제를 사용하도록 설정하여 삭제된 컨테이너와 해당 콘텐츠를 복구합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", - "severity": "보통", - "text": "SAP에 액세스하는 애플리케이션의 경우 주체 전파를 사용하여 SSO를 설정할 수 있습니다.", - "waf": "안전" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "높다", + "text": "Key Vault 비밀을 사용하여 자격 증명(가상 머신 사용자 암호), 인증서 또는 키와 같은 중요한 정보를 하드 코딩하지 않도록 합니다.", + "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, 
'/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "severity": "보통", - "text": "SAP IAS(Identity Authentication Service)가 필요한 SAP BTP 서비스 또는 SaaS 솔루션을 사용하는 경우 SAP Cloud Identity Authentication Services와 Azure AD 간에 SSO를 구현하여 해당 SAP 서비스에 액세스하는 것이 좋습니다. 이 통합을 통해 SAP IAS는 프록시 ID 공급자 역할을 하고 중앙 사용자 저장소 및 ID 공급자로 Azure AD에 인증 요청을 전달할 수 있습니다.", - "waf": "안전" + "text": "Azure Front Door에서 고객 관리형 TLS 인증서를 사용하는 경우 '최신' 인증서 버전을 사용합니다. 수동 인증서 갱신으로 인한 중단 위험을 줄입니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend 
managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", "severity": "보통", - "text": "SAP BTP에 대한 SSO 구현", + "text": "WAF 정책과 함께 Azure Front Door를 사용하여 여러 Azure 지역에 걸쳐 있는 글로벌 HTTP/S 앱을 제공하고 보호할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", + "service": "Front Door", "severity": "보통", - "text": "SAP SuccessFactors를 사용하는 경우 Azure AD 자동화된 사용자 프로비저닝을 사용하는 것이 좋습니다. 이 통합을 통해 SAP SuccessFactors에 신입 사원을 추가할 때 Azure AD에서 해당 사용자 계정을 자동으로 생성할 수 있습니다. 필요에 따라 Microsoft 365 또는 Azure AD에서 지원하는 기타 SaaS 애플리케이션에서 사용자 계정을 만들 수 있습니다. SAP SuccessFactors에 이메일 주소의 쓰기 저장을 사용합니다.", + "text": "Front Door 및 Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Front Door에서 WAF 정책을 사용합니다. 
Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "description": "관리 그룹 계층 구조를 4개 이하로 합리적으로 평평하게 유지합니다.", - "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", - "severity": "보통", - "text": "SAP 구독에 기존 관리 그룹 정책 적용", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "작업" - }, - { - "checklist": "SAP Checklist", - "graph": "Resources | summarize count()", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "Front Door",
 "severity": "높다",
- "text": "긴밀하게 결합된 애플리케이션을 동일한 SAP 구독에 통합하여 추가적인 라우팅 및 관리 복잡성 방지",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
- "waf": "작업"
+ "text": "Web Application Firewall이 트래픽을 허용하거나 거부하기 위해 적절한 조치를 취할 수 있도록 Front Door에 대한 WAF 정책을 '방지' 모드'에 배포합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
- "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId",
+ "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
+ "service": "Front Door",
 "severity": "높다",
- "text": "구독을 배율 단위로 활용하고 리소스를 확장하려면 환경별로 구독을 배포하는 것이 좋습니다. 
샌드박스, 비프로덕션, 프로덕션 ",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
- "waf": "작업"
+ "text": "Traffic Manager를 Front Door 뒤에 배치하지 마세요.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc",
- "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
- "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant",
+ "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
+ "service": "Front Door",
 "severity": "높다",
- "text": "구독 프로비저닝의 일부로 할당량 증가를 보장(예: 구독 내에서 사용 가능한 총 VM 코어 수)",
- "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "waf": "작업"
+ "text": "Azure Front Door 및 원본에서 동일한 도메인 이름을 사용합니다. 
호스트 이름이 일치하지 않으면 미묘한 버그가 발생할 수 있습니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
- "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
+ "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "Front Door",
 "severity": "낮다",
- "text": "할당량 API는 Azure 서비스에 대한 할당량을 보고 관리하는 데 사용할 수 있는 REST API입니다. 필요한 경우 사용을 고려하십시오.",
- "waf": "작업"
+ "text": "Azure Front Door 원본 그룹에 원본이 하나만 있는 경우 상태 프로브를 사용하지 않도록 설정합니다.",
+ "waf": "공연"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
- "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
- "service": "SAP",
- "severity": "높다",
- "text": "가용성 영역에 배포하는 경우 할당량이 승인되면 VM의 영역 배포를 사용할 수 있는지 확인합니다. 
필요한 구독, VM 시리즈, CPU 수 및 가용성 영역을 포함한 지원 요청을 제출합니다.",
- "waf": "작업"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
+ "service": "Front Door",
+ "severity": "보통",
+ "text": "Azure Front Door에 대한 양호한 상태 프로브 엔드포인트를 선택합니다. 애플리케이션의 모든 종속성을 확인하는 상태 엔드포인트를 구축하는 것이 좋습니다.",
+ "waf": "신뢰도"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
+ "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
+ "service": "Front Door",
+ "severity": "낮다",
+ "text": "Azure Front Door와 함께 HEAD 상태 프로브를 사용하여 Front Door가 애플리케이션으로 보내는 트래픽을 줄입니다.",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
+ "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
+ "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
+ "service": "Front Door",
 "severity": "높다",
- "text": "필요한 서비스 및 기능이 선택한 배포 지역 내에서 사용할 수 있는지 확인합니다(예: ). ANF, 지역 등.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "text": "Azure Front Door에서 관리형 TLS 인증서를 사용합니다. 운영 비용을 줄이고 인증서 갱신으로 인한 중단 위험을 줄입니다.",
 "waf": "작업"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
- "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
+ "service": "Front Door",
 "severity": "보통",
- "text": "비용 분류 및 리소스 그룹화를 위해 Azure 리소스 태그 활용(BillTo, 부서(또는 사업부), 환경(프로덕션, 스테이지, 개발), 계층(웹 계층, 응용 프로그램 계층), 응용 프로그램 소유자, 프로젝트 이름)",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "text": "Azure Front Door WAF 구성을 코드로 정의합니다. 
코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.",
 "waf": "작업"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
- "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant",
+ "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
+ "service": "Front Door",
 "severity": "높다",
- "text": "Azure Backup 서비스를 사용하여 HANA 데이터베이스를 보호할 수 있습니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "신뢰도"
+ "text": "Azure Front Door에서 엔드투엔드 TLS를 사용합니다. 
클라이언트에서 Front Door로, Front Door에서 원본으로의 연결에 TLS를 사용합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant",
+ "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
+ "service": "Front Door",
 "severity": "보통",
- "text": "HANA, Oracle 또는 DB2 데이터베이스에 Azure NetApp Files를 배포하는 경우 Azure 애플리케이션 일치 스냅샷 도구(AzAcSnap)를 사용하여 애플리케이션 일치 스냅샷을 만듭니다. AzAcSnap은 Oracle 데이터베이스도 지원합니다. 개별 VM이 아닌 중앙 VM에서 AzAcSnap을 사용하는 것이 좋습니다.",
- "waf": "신뢰도"
+ "text": "Azure Front Door에서 HTTP를 HTTPS로 리디렉션을 사용합니다. 
이전 클라이언트를 HTTPS 요청으로 자동으로 리디렉션하여 지원합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
+ "service": "Front Door",
 "severity": "높다",
- "text": "운영 체제와 SAP 시스템 간의 표준 시간대 일치를 확인합니다.",
- "waf": "작업"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
- "service": "SAP",
- "severity": "보통",
- "text": "동일한 클러스터에서 서로 다른 애플리케이션 서비스를 그룹화하지 마세요. 예를 들어 DRBD와 중앙 서비스 클러스터를 동일한 클러스터에 결합하지 마세요. 그러나 동일한 Pacemaker 클러스터를 사용하여 약 5개의 서로 다른 중앙 서비스(다중 SID 클러스터)를 관리할 수 있습니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "신뢰도"
+ "text": "Azure Front Door WAF를 사용하도록 설정합니다. 
다양한 공격으로부터 애플리케이션을 보호합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
- "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
- "service": "SAP",
- "severity": "낮다",
- "text": "Azure 실행 비용을 절약하고 최적화하기 위해 스누즈 모델에서 개발/테스트 시스템을 실행하는 것이 좋습니다.",
- "waf": "비용"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
+ "service": "Front Door",
+ "severity": "높다",
+ "text": "검색 모드에서 WAF를 구성하여 워크로드에 맞게 Azure Front Door WAF를 조정하여 가양성 검색을 줄이고 수정합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
- "link": "https://learn.microsoft.com/azure/lighthouse/overview",
- "service": "SAP",
- "severity": "보통",
- "text": "SAP 자산을 관리하여 고객과 파트너 관계를 맺는 경우 Azure Lighthouse를 사용하는 것이 좋습니다. Azure Lighthouse를 사용하면 관리 서비스 공급자가 Azure 네이티브 ID 서비스를 사용하여 고객 환경에 인증할 수 있습니다. 
고객은 언제든지 액세스 권한을 취소하고 서비스 제공업체의 조치를 감사할 수 있으므로 제어권을 고객에게 부여합니다.",
- "waf": "작업"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
+ "service": "Front Door",
+ "severity": "높다",
+ "text": "Azure Front Door WAF 정책에서 요청 본문 검사 기능을 사용하도록 설정합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
- "severity": "보통",
- "text": "Azure 업데이트 관리자를 사용하여 단일 VM 또는 여러 VM에 대해 사용 가능한 업데이트의 상태를 확인하고 정기적인 패치를 예약하는 것이 좋습니다.",
- "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
- "waf": "작업"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
+ "service": "Front Door",
+ "severity": "높다",
+ "text": "Azure Front Door WAF 기본 규칙 집합을 사용하도록 설정합니다. 기본 규칙 집합은 일반적인 공격을 탐지하고 차단합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
- "service": "SAP",
- "severity": "낮다",
- "text": "SAP Landscape Management(LaMa)를 사용하여 SAP Basis 운영을 최적화하고 관리합니다. 
Azure용 SAP LaMa 커넥터를 사용하여 SAP 시스템을 재배치, 복사, 복제 및 새로 고칩니다.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
- "waf": "작업"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
+ "service": "Front Door",
+ "severity": "높다",
+ "text": "Azure Front Door WAF 봇 보호 규칙 집합을 사용하도록 설정합니다. 봇 규칙은 좋은 봇과 나쁜 봇을 감지합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
- "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
+ "service": "Front Door",
 "severity": "보통",
- "text": "SAP용 Azure Monitor 솔루션을 사용하여 Azure에서 SAP 워크로드(SAP HANA, 고가용성 SUSE 클러스터 및 SQL 시스템)를 모니터링합니다. SAP Solution Manager를 사용하여 SAP용 Azure Monitor 솔루션을 보완하는 것이 좋습니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "작업"
+ "text": "최신 Azure Front Door WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
- "service": "SAP",
- "severity": "높다",
- "text": "SAP용 VM 확장 검사를 실행합니다. SAP용 VM 확장은 VM(가상 머신)의 할당된 관리 ID를 사용하여 VM 모니터링 및 구성 데이터에 액세스합니다. 
이 검사는 SAP 애플리케이션의 모든 성능 메트릭이 기본 SAP용 Azure 확장에서 제공되는지 확인합니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
- "waf": "작업"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
+ "service": "Front Door",
+ "severity": "보통",
+ "text": "Azure Front Door WAF에 속도 제한을 추가합니다. 속도 제한은 클라이언트가 실수로 또는 의도적으로 단기간에 많은 양의 트래픽을 보내는 것을 차단합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
+ "service": "Front Door",
 "severity": "보통",
- "text": "액세스 제어 및 규정 준수 보고에 Azure Policy를 사용합니다. Azure Policy는 일관된 정책 준수와 빠른 위반 감지를 보장하기 위해 조직 전체 설정을 적용할 수 있는 기능을 제공합니다. ",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "작업"
+ "text": "Azure Front Door WAF 속도 제한에 높은 임계값을 사용합니다. 
높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호를 제공합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
+ "service": "Front Door",
+ "severity": "낮다",
+ "text": "모든 지역에서 트래픽이 발생할 것으로 예상되지 않는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
+ "service": "Front Door",
 "severity": "보통",
- "text": "Azure Network Watcher의 연결 모니터를 사용하여 SAP 데이터베이스 및 애플리케이션 서버에 대한 대기 시간 메트릭을 모니터링합니다. 또는 Azure Monitor를 사용하여 네트워크 대기 시간 측정값을 수집하고 표시합니다.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
+ "text": "Azure Front Door WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 마세요.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "Front Door",
+ "severity": "보통",
+ "text": "Diagnostic Settings(진단 설정)를 켜서 로그 및 메트릭을 캡처합니다. 리소스 활동 로그, 액세스 로그, 상태 프로브 로그 및 WAF 로그를 포함합니다. 
알림을 설정합니다.",
 "waf": "작업"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "Front Door",
 "severity": "보통",
- "text": "프로비저닝된 Azure 인프라에서 SAP HANA에 대한 품질 검사를 수행하여 프로비저닝된 VM이 Azure의 SAP HANA 모범 사례를 준수하는지 확인합니다.",
+ "text": "Azure Front Door WAF 로그를 Microsoft Sentinel로 보냅니다.",
 "waf": "작업"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02",
+ "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods",
+ "service": "Front Door",
+ "severity": "보통",
+ "text": "배포 전략을 지원하는 라우팅 방법을 선택합니다. 구성된 가중치 계수에 따라 트래픽을 분산하는 가중치 방법은 액티브-액티브 모델을 지원합니다. 모든 트래픽을 수신하고 보조 지역으로 트래픽을 백업으로 보내도록 주 지역을 구성하는 우선 순위 기반 값은 활성-수동 모델을 지원합니다. 
앞의 방법을 지연 시간과 결합하여 지연 시간이 가장 낮은 오리진이 트래픽을 수신하도록 합니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant",
+ "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door",
+ "service": "Front Door",
 "severity": "높다",
- "text": "각 Azure 구독에 대해 영역 배포 전에 Azure 가용성 영역에서 대기 시간 테스트를 실행하여 Azure에서 SAP를 배포하기 위한 대기 시간이 짧은 영역을 선택합니다.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "waf": "공연"
+ "text": "하나 이상의 백 엔드 풀에 여러 원본을 두어 중복성을 지원합니다. 항상 응용 프로그램의 중복 인스턴스를 가지고 있으며 각 인스턴스가 끝점 또는 원본을 노출하는지 확인하십시오. 
이러한 원본을 하나 이상의 백 엔드 풀에 배치할 수 있습니다.",
+ "waf": "신뢰도"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "999852be-2137-4179-8fc3-30d1df6fed1d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps",
+ "service": "Front Door",
 "severity": "보통",
- "text": "복원력 보고서를 실행하여 프로비저닝된 전체 Azure 인프라(컴퓨팅, 데이터베이스, 네트워킹, 스토리지, Site Recovery)의 구성이 Azure용 Cloud Adaption Framework에서 정의한 구성을 준수하는지 확인합니다.",
- "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
+ "text": "백 엔드에 대한 요청 전달에 대한 시간 제한을 설정합니다. 엔드포인트의 필요에 따라 시간 제한 설정을 조정합니다. 그렇지 않으면 원본이 응답을 보내기 전에 Azure Front Door가 연결을 닫을 수 있습니다. 모든 원본의 시간 제한이 더 짧은 경우 Azure Front Door의 기본 시간 제한을 낮출 수도 있습니다.",
 "waf": "신뢰도"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
- "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6",
+ "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity",
+ "service": "Front Door",
 "severity": "보통",
- "text": "SAP용 Microsoft Sentinel 솔루션을 사용하여 위협 방지를 구현합니다. 이 솔루션을 사용하여 SAP 시스템을 모니터링하고 비즈니스 로직 및 애플리케이션 계층 전반에서 정교한 위협을 탐지할 수 있습니다.",
- "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
+ "text": "응용 프로그램에 세션 선호도가 필요한지 여부를 결정합니다. 
높은 안정성 요구 사항이 있는 경우 세션 선호도를 사용하지 않도록 설정하는 것이 좋습니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7",
+ "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header",
+ "service": "Front Door",
+ "severity": "보통",
+ "text": "호스트 헤더를 백 엔드로 보냅니다. 백 엔드 서비스는 해당 호스트의 트래픽만 허용하는 규칙을 만들 수 있도록 호스트 이름을 인식해야 합니다.",
 "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
- "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "81a5398a-2414-450f-9fc3-e048bc65784c",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
+ "service": "Front Door",
 "severity": "보통",
- "text": "Azure 태그 지정을 활용하여 리소스를 논리적으로 그룹화 및 추적하고, 배포를 자동화하고, 가장 중요한 것은 발생한 비용에 대한 가시성을 제공할 수 있습니다.",
- "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
- "waf": "작업"
+ "text": "캐싱을 지원하는 엔드포인트에 대해 캐싱을 사용합니다.",
+ "waf": "비용"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, 
resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant",
+ "guid": "34069d73-e4de-46c5-a36f-625f87575a56",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "Front Door",
 "severity": "낮다",
- "text": "대기 시간에 민감한 애플리케이션에 대해 VM 간 대기 시간 모니터링을 사용합니다.",
- "waf": "공연"
+ "text": "단일 백 엔드 풀에서 상태 검사를 사용하지 않도록 설정합니다. Azure Front Door 원본 그룹에 원본이 하나만 구성된 경우 이러한 호출이 필요하지 않습니다. 이는 엔드포인트에 여러 원본을 가질 수 없는 경우에만 권장됩니다.",
+ "waf": "비용"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c92d6786-cdd1-444d-9cad-934a192a276a",
+ "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports",
+ "service": "Front Door",
 "severity": "보통",
- "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
- "waf": "신뢰도"
+ "text": "보안 보고서를 활용하기 위해 프리미엄 계층을 사용하는 것이 좋지만 표준 Azure Front Door 프로필은 기본 제공 분석/보고서에서 트래픽 보고서만 제공합니다.",
+ "waf": "작업"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain",
+ "service": "Front Door",
 "severity": "보통",
- "text": "모든 데이터베이스 파일 시스템 및 실행 프로그램을 바이러스 백신 검사에서 제외합니다. 이를 포함하면 성능 문제가 발생할 수 있습니다. 제외 목록에 대한 규범적 세부 정보는 데이터베이스 공급업체에 문의하십시오. 예를 들어 Oracle은 바이러스 백신 검사에서 /oracle//sapdata를 제외하는 것이 좋습니다.",
- "waf": "공연"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "c027f893-f404-41a9-b33d-39d625a14964",
- "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
- "service": "SAP",
- "severity": "낮다",
- "text": "마이그레이션 후 비 HANA 데이터베이스에 대한 전체 데이터베이스 통계를 수집하는 것이 좋습니다. 예를 들어 SAP Note 1020260 - Oracle 통계 제공을 구현합니다.",
- "waf": "공연"
+ "text": "가능한 경우 와일드카드 TLS 인증서를 사용합니다.",
+ "waf": "작업"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
+ "service": "Front Door",
 "severity": "보통",
- "text": "Azure에서 SAP를 사용하는 모든 Oracle 배포에 Oracle ASM(자동 스토리지 관리)을 사용하는 것이 좋습니다.",
- "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
+ "text": "캐싱을 위해 응용 프로그램 쿼리 문자열을 최적화합니다. 순전히 정적인 콘텐츠의 경우 쿼리 문자열을 무시하여 캐시 사용을 최대화합니다. 응용 프로그램에서 쿼리 문자열을 사용하는 경우 캐시 키에 포함하는 것이 좋습니다. 
캐시 키에 쿼리 문자열을 포함하면 Azure Front Door가 구성에 따라 캐시된 응답 또는 기타 응답을 제공할 수 있습니다.",
 "waf": "공연"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece",
+ "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression",
+ "service": "Front Door",
 "severity": "보통",
- "text": "Oracle을 실행하는 Azure의 SAP의 경우 SQL 스크립트 컬렉션을 통해 성능 문제를 진단할 수 있습니다. AWR(Automatic Workload Repository) 보고서에는 Oracle 시스템의 문제를 진단하는 데 유용한 정보가 포함되어 있습니다. 여러 세션 동안 AWR 보고서를 실행하고 최대 피크 시간을 선택하여 분석에 대한 광범위한 적용 범위를 보장하는 것이 좋습니다.",
- "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
+ "text": "다운로드 가능한 콘텐츠에 액세스할 때 파일 압축을 사용합니다.",
 "waf": "공연"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant",
+ "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243",
+ "link": "https://learn.microsoft.com/azure/cdn/tier-migration",
+ "service": "Front Door",
 "severity": "높다",
- "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.",
- "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "text": "클래식 Azure Front Door는 2027년 3월까지 더 이상 사용되지 않으므로 현재 클래식 Azure Front 
Door를 사용하는 경우 표준 또는 프리미엄 SKU로 마이그레이션하는 것이 좋습니다.",
 "waf": "작업"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "67c33697-15b1-4752-aeee-0b9b588defc4",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery",
+ "service": "Front Door",
 "severity": "보통",
- "text": "HTTP/S 앱을 안전하게 배달하려면 Application Gateway v2를 사용하고 WAF 보호 및 정책이 사용하도록 설정되어 있는지 확인합니다.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
+ "text": "중요 업무용 고가용성 시나리오의 경우 Traffic Manager 부하 분산 Azure Front Door 및 타사 CDN 공급자 CDN 프로필을 사용하는 것이 좋습니다. ",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance",
+ "service": "Front Door",
+ "severity": "높다",
+ "text": "원본과 함께 Front Door를 App Services로 사용하는 경우 액세스 제한을 사용하여 Azure Front Door를 통해서만 앱 서비스에 대한 트래픽을 잠그는 것이 좋습니다. ",
 "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
- "severity": "보통",
- "text": "Azure로 마이그레이션하는 동안 가상 머신의 DNS 또는 가상 이름이 변경되지 않은 경우 백그라운드 DNS 및 가상 이름은 SAP 환경의 많은 시스템 인터페이스를 연결하며, 고객은 시간이 지남에 따라 개발자가 정의하는 인터페이스를 가끔씩만 인식할 수 있습니다. 
마이그레이션 후 가상 또는 DNS 이름이 변경될 때 다양한 시스템 간에 연결 문제가 발생하며, 이러한 유형의 문제를 방지하기 위해 DNS 별칭을 유지하는 것이 좋습니다.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
- "waf": "작업"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
+ "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
+ "service": "App Gateway",
 "severity": "보통",
- "text": "서로 다른 DNS 영역을 사용하여 각 환경(샌드박스, 개발, 사전 프로덕션 및 프로덕션)을 서로 구분합니다. 예외는 자체 VNet을 사용하는 SAP 배포의 경우입니다. 
여기서는 프라이빗 DNS 영역이 필요하지 않을 수 있습니다.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
- "waf": "작업"
+ "text": "Application Gateway v2 SKU를 사용하고 있는지 확인합니다.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "description": "VNet 피어링을 구성할 때 원격 가상 네트워크에 대한 트래픽 허용 설정을 사용합니다.",
- "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)",
- "guid": "a3592829-e6e2-4061-9368-6af46791f893",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
+ "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "Load Balancer",
 "severity": "보통",
- "text": "로컬 및 글로벌 VNet 피어링은 연결을 제공하며, 여러 Azure 지역에서 SAP 배포를 위한 랜딩 존 간의 연결을 보장하기 위해 선호되는 접근 방식입니다",
- "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
- "waf": "신뢰도"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
- "service": "SAP",
- "severity": "높다",
- "text": "SAP 애플리케이션과 SAP 데이터베이스 서버 간에 NVA를 배포하는 것은 지원되지 않습니다",
- "training": "https://me.sap.com/notes/2731110",
- "waf": "공연"
+ "text": "Azure Load Balancer에 표준 SKU를 사용하고 있는지 확인합니다.",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources| where type 
=~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant",
- "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
- "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
+ "service": "Load Balancer",
 "severity": "보통",
- "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 새로운, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.",
- "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "waf": "작업"
+ "text": "Load Balancer 프런트 엔드 IP 주소가 영역 중복인지 확인합니다(영역 프런트 엔드가 필요하지 않은 경우).",
+ "waf": "안전"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
- "service": "SAP",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend 
compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", "severity": "보통", - "text": "파트너 NVA를 사용하는 경우에만 지역 간에 NVA(네트워크 가상 어플라이언스)를 배포하는 것이 좋습니다. 네이티브 NVA가 있는 경우 지역 또는 VNet 간의 NVA가 필요하지 않습니다. 파트너 네트워킹 기술 및 NVA를 배포하는 경우 공급업체의 지침에 따라 Azure 네트워킹과 충돌하는 구성을 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "작업" + "text": "Application Gateways v2는 IP 접두사가 /24보다 크거나 같은 서브넷에 배포해야 합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "일반적으로 역방향 프록시 및 특히 WAF의 관리는 네트워킹보다 애플리케이션에 더 가깝기 때문에 앱과 동일한 구독에 속합니다. 연결 구독에서 Application Gateway 및 WAF를 중앙 집중화하는 것은 단일 팀에서 관리하는 경우 괜찮을 수 있습니다.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "보통", - "text": "Virtual WAN은 가상 WAN 기반 토폴로지에 대한 스포크 VNet 간의 연결을 관리하며(UDR[사용자 정의 라우팅] 또는 NVA를 설정할 필요 없음) 동일한 가상 허브의 VNet 간 트래픽에 대한 최대 네트워크 처리량은 초당 50기가비트입니다. 
필요한 경우 SAP 랜딩 존은 VNet 피어링을 사용하여 다른 랜딩 존에 연결하고 이 대역폭 제한을 극복할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "작업" - }, - { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "높다", - "text": "SAP Workload를 실행하는 VM에 공용 IP를 할당하는 것은 권장되지 않습니다.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "text": "랜딩 존 가상 네트워크 내에서 그리고 보안 중인 앱을 사용하여 인바운드 HTTP(S) 연결을 프록시하는 데 사용되는 Azure Application Gateway v2 또는 파트너 NVA를 배포합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", - "severity": "높다", - "text": "ASR을 구성할 때 DR 쪽에서 IP 주소를 예약하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "작업" - }, - { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "높다", - "text": "프로덕션 및 DR 사이트에 겹치는 IP 주소 범위를 사용하지 마십시오.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "작업" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "보통", + "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", "severity": "보통", - "text": "Azure는 VNet에서 여러 위임된 서브넷을 만드는 데 도움이 되지만 Azure NetApp Files용 VNet에는 하나의 위임된 서브넷만 존재할 수 있습니다. 
Azure NetApp Files에 대해 둘 이상의 위임된 서브넷을 사용하는 경우 새 볼륨을 만들려는 시도가 실패합니다.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "작업" + "text": "최소 2개의 인스턴스로 자동 크기 조정을 구성합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", "severity": "보통", - "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, 비 HTTP/S 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다.", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "안전" + "text": "가용성 영역에 Application Gateway 배포", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", 
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", "severity": "보통", - "text": "Application Gateway, SAP Web Dispatcher 및 기타 타사 서비스 간의 비교에서 볼 수 있듯이 Application Gateway 및 Web Application Firewall SAP 웹앱에 대한 역방향 프록시 역할을 하는 경우 Application Gateway 및 Web Application Firewall에 대한 제한 사항이 있습니다.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "text": "Front Door 및 Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Front Door에서 WAF 정책을 사용합니다. Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "severity": "보통", - "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역 전체에서 글로벌 보호를 제공합니다.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", - "waf": "안전" + "service": "Traffic Manager", + "severity": "높다", + "text": "Traffic Manager를 사용하여 HTTP/S 이외의 프로토콜에 걸쳐 있는 글로벌 앱을 제공합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", - "severity": "보통", - "text": "Azure Front Door 및 Application Gateway를 사용하여 HTTP/S 애플리케이션을 보호하는 경우 Azure Front Door의 Web Application Firewall 정책을 활용합니다. 
Azure Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "낮다", + "text": "사용자가 내부 애플리케이션에만 액세스해야 하는 경우 Microsoft Entra ID 애플리케이션 프록시를 AVD(Azure Virtual Desktop)의 대안으로 고려했나요?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "severity": "보통", - "text": "웹 응용 프로그램 방화벽을 사용하여 인터넷에 노출될 때 트래픽을 검사합니다. 또 다른 옵션은 부하 분산 장치 또는 Application Gateway 또는 타사 솔루션과 같은 기본 제공 방화벽 기능이 있는 리소스와 함께 사용하는 것입니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "text": "네트워크에서 들어오는 연결에 대해 열려 있는 방화벽 포트 수를 줄이려면 Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 내부 애플리케이션에 대한 안전하고 인증된 액세스 권한을 부여하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", - "severity": "보통", - "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 새로운, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 
이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "공연" + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", + "severity": "높다", + "text": "SNAT 확장성 향상을 위해 Load Balancer 아웃바운드 규칙 대신 Azure NAT Gateway 사용", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", - "severity": "보통", - "text": "데이터 유출을 방지하려면 Azure Private Link를 사용하여 Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory 등과 같은 PaaS(Platform as a Service) 리소스에 안전하게 액세스합니다. Azure 프라이빗 엔드포인트는 VNet과 Azure Storage, Azure Backup 등과 같은 서비스 간의 트래픽을 보호하는 데도 도움이 될 수 있습니다. 
VNet과 프라이빗 엔드포인트 사용 서비스 간의 트래픽은 Microsoft 글로벌 네트워크를 통해 이동하므로 공용 인터넷에 노출되지 않습니다.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", + "severity": "높다", + "text": "Azure Application Gateway WAF 봇 보호 규칙 집합을 사용하도록 설정합니다. 봇 규칙은 좋은 봇과 나쁜 봇을 감지합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", "severity": "높다", - "text": "SAP 애플리케이션 및 DBMS 계층에 사용되는 VM에서 Azure 가속 네트워킹이 사용하도록 설정되어 있는지 확인합니다.", - "training": 
"https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "공연" - }, - { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", - "severity": "보통", - "text": "Azure Load Balancer에 대한 내부 배포가 DSR(Direct Server Return)을 사용하도록 설정되어 있는지 확인합니다. 이 설정(유동 IP 사용)은 DBMS 계층의 고가용성 구성에 내부 로드 밸런서 구성을 사용할 때 대기 시간을 줄입니다.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "text": "Azure Application Gateway WAF 정책에서 요청 본문 검사 기능이 사용하도록 설정되어 있는지 확인합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", - "severity": "보통", - "text": "ASG(애플리케이션 보안 그룹) 및 NSG 규칙을 사용하여 SAP 애플리케이션과 DBMS 계층 간의 네트워크 보안 액세스 제어 목록을 정의할 수 있습니다. ASG는 가상 머신을 그룹화하여 보안을 관리하는 데 도움을 줍니다.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "높다", + "text": "워크로드에 대한 검색 모드에서 Azure Application Gateway WAF를 튜닝합니다. 
거짓 긍정 탐지를 줄입니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", + "service": "App Gateway", "severity": "높다", - "text": "피어링되지 않은 다른 Azure VNet에 SAP 애플리케이션 계층 및 SAP DBMS를 배치하는 것은 지원되지 않습니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "공연" + "text": "'방지' 모드에서 Application Gateway에 대한 WAF 정책을 배포합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "severity": "보통", - "text": "SAP 애플리케이션에서 네트워크 대기 시간을 최적화하려면 Azure 근접 배치 그룹을 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "공연" - }, - { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "높다", - "text": "온-프레미스와 Azure 간에 분할된 SAP 애플리케이션 서버 계층 및 DBMS 계층을 실행하는 것은 전혀 지원되지 않습니다. 
두 계층 모두 온-프레미스 또는 Azure에 완전히 상주해야 합니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "공연" + "text": "Azure Application Gateway WAF에 속도 제한을 추가합니다. 속도 제한은 클라이언트가 실수로 또는 의도적으로 단기간에 많은 양의 트래픽을 보내는 것을 차단합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "높다", - "text": "계층 간의 과도한 네트워크 트래픽으로 인해 발생할 수 있는 상당한 비용 때문에 DBMS(데이터베이스 관리 시스템) 및 SAP 시스템의 애플리케이션 계층을 서로 다른 VNet에 호스트하고 VNet 피어링과 연결하는 것은 권장되지 않습니다. Azure 가상 네트워크 내의 서브넷을 사용하여 SAP 애플리케이션 계층과 DBMS 계층을 분리하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", + "severity": "보통", + "text": "Azure Application Gateway WAF 속도 제한에 대해 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호를 제공합니다. 
", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", - "severity": "높다", - "text": "Linux 게스트 운영 체제에서 Load Balancer를 사용하는 경우 Linux 네트워크 매개 변수 net.ipv4.tcp_timestamps가 0으로 설정되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "공연" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "낮다", + "text": "모든 지역에서 트래픽이 발생할 것으로 예상되지 않는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "severity": "보통", - "text": "SAP RISE/ECS 배포의 경우 가상 피어링은 고객의 기존 Azure 환경과의 연결을 설정하는 기본 방법입니다. SAP vnet과 고객 vnet은 모두 NSG(네트워크 보안 그룹)로 보호되므로 vnet 피어링을 통해 SAP 및 데이터베이스 포트에서 통신할 수 있습니다", + "text": "Azure Application Gateway WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. 
IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 마세요.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "높다", - "text": "Azure VM에 대한 SAP HANA 데이터베이스 백업을 검토합니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", + "severity": "보통", + "text": "최신 Azure Application Gateway WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "severity": "보통", - "text": "SAP에 사용되는 Site Recovery 기본 제공 모니터링을 검토합니다.", - "waf": "비용" + "text": "진단 설정을 추가하여 Azure Application Gateway WAF 로그를 저장합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", - "severity": "높다", - "text": "SAP HANA 시스템 환경 모니터링 지침을 검토합니다.", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", + "severity": "보통", + "text": "Azure Application Gateway WAF 로그를 Microsoft Sentinel로 보냅니다.", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "severity": "보통", - "text": "Azure Linux VM 백업 전략에서 Oracle Database를 검토합니다.", + "text": "Azure Application Gateway WAF 구성을 코드로 정의합니다. 코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", "severity": "보통", - "text": "SQL Server 2016에서 Azure Blob Storage 사용을 검토합니다.", + "text": "레거시 WAF 구성 대신 WAF 정책을 사용합니다.", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + 
"guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "severity": "보통", - "text": "Azure VM에 대한 자동화된 Backup v2 사용을 검토합니다.", - "waf": "작업" + "text": "Application Gateway 서브넷의 연결(예: NSG)만 허용하도록 백 엔드에서 인바운드 트래픽을 필터링합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "높다", - "text": "프리미엄 디스크(V1)를 사용하는 경우 M 시리즈에 쓰기 가속기 사용", - "waf": "작업" + "text": "백엔드 서버에 대한 트래픽을 암호화해야 합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", - "severity": "보통", - "text": "가용성 영역 대기 시간을 테스트합니다.", - "waf": "공연" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", + "severity": "높다", + "text": "웹 응용 프로그램 방화벽을 사용해야 합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "severity": "보통", - "text": 
"모든 SAP 구성요소에 대해 SAP EarlyWatch Alert를 활성화합니다.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "공연" + "text": "HTTP를 HTTPS로 리디렉션", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", "severity": "보통", - "text": "SAP ABAPMeter 보고서 /SSA/CAT를 사용하여 SAP 애플리케이션 서버-데이터베이스 서버 대기 시간을 검토합니다.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "공연" + "text": "게이트웨이 관리 쿠키를 사용하여 처리를 위해 사용자 세션에서 동일한 서버로 트래픽을 전달합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", - "severity": "보통", - "text": "CCMS를 사용하여 SQL Server 성능 모니터링을 검토합니다.", - "waf": "공연" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", + "severity": "높다", + "text": "계획된 서비스 업데이트 중에 연결 드레이닝을 사용하도록 설정하여 백 엔드 풀의 기존 멤버에 대한 연결 손실을 방지합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + 
"service": "App Gateway", + "severity": "낮다", + "text": "사용자 지정 오류 페이지를 만들어 개인화된 사용자 경험을 표시합니다.", + "waf": "작업" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", "severity": "보통", - "text": "SAP 애플리케이션 계층 VM과 DBMS VM(NIPING) 간의 네트워크 대기 시간을 테스트합니다.", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "공연" + "text": "클라이언트와 서버 간의 라우팅 및 정보 교환을 보다 쉽게 하기 위해 HTTP 요청 및 응답 헤더를 편집합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "severity": "보통", - "text": "SAP HANA Studio 알림을 검토합니다.", + "text": "Front Door를 구성하여 글로벌 웹 트래픽 라우팅, 최상위 최종 사용자 성능 및 빠른 글로벌 장애 조치(failover)를 통해 안정성을 최적화합니다.", "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", "severity": "보통", - "text": "HANA_Configuration_Minichecks를 사용하여 SAP HANA 상태 점검을 수행합니다.", + "text": "전송 계층 부하 분산 사용", "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", "severity": "보통", - "text": "Azure, 온-프레미스 또는 기타 클라우드 환경에서 Windows 및 Linux VM을 실행하는 경우 Azure Automation의 업데이트 관리 센터를 사용하여 보안 패치를 포함한 운영 체제 업데이트를 관리할 수 있습니다.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "text": "단일 게이트웨이에서 여러 웹 응용 프로그램에 대한 호스트 또는 도메인 이름을 기반으로 라우팅을 구성합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "severity": "보통", - "text": "SAP는 SAP 시스템을 보호하기 위해 즉각적인 조치가 필요한 매우 중요한 보안 패치 또는 핫픽스를 릴리스하므로 SAP 보안 OSS 노트를 정기적으로 검토합니다.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "text": "SSL 인증서 관리를 중앙 집중화하여 백엔드 서버 팜의 암호화 및 암호 해독 오버헤드를 줄입니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": 
"https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", "severity": "낮다", - "text": "SQL Server SAP의 경우 SQL Server 시스템 관리자 계정을 사용하지 않으므로 SQL Server 시스템 관리자 계정을 사용하지 않도록 설정할 수 있습니다. 원래 시스템 관리자 계정을 비활성화하기 전에 시스템 관리자 권한이 있는 다른 사용자가 서버에 액세스할 수 있는지 확인합니다.", + "text": "WebSocket 및 HTTP/2 프로토콜에 대한 기본 지원을 위해 Application Gateway 사용", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", "severity": "높다", - "text": "xp_cmdshell 비활성화합니다. SQL Server 기능 xp_cmdshell SQL Server 내부 운영 체제 명령 셸을 사용하도록 설정합니다. 이는 보안 감사에서 잠재적인 위험입니다.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "안전" + "text": "지역적으로 적용 가능한 경우 가용성 영역 활용(자동으로 활성화됨)", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "높다", - "text": "Azure에서 SAP HANA 데이터베이스 서버를 암호화하려면 SAP HANA 네이티브 암호화 기술을 사용합니다. 또한 Azure에서 SQL Server를 사용하는 경우 TDE(투명한 데이터 암호화)를 사용하여 데이터 및 로그 파일을 보호하고 백업도 암호화되도록 합니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "안전" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "severity": "보통", + "text": "Microsoft에서 시작한 장애 조치(failover)에 유의하세요. 
드문 경우지만 Microsoft는 영향을 받는 지역의 모든 IoT Hub를 해당 지역 쌍을 이루는 지역으로 장애 조치(failover)하기 위해 이러한 작업을 수행합니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", - "severity": "보통", - "text": "Azure Storage 암호화는 모든 Azure Resource Manager 및 클래식 스토리지 계정에 대해 사용하도록 설정되며 사용하지 않도록 설정할 수 없습니다. 데이터는 기본적으로 암호화되므로 Azure Storage 암호화를 사용하기 위해 코드나 애플리케이션을 수정할 필요가 없습니다.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "안전" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "severity": "높다", + "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "높다", - "text": "Azure Key Vault를 사용하여 비밀 및 자격 증명 저장", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "안전" + "text": "수동 장애 조치(failover)를 트리거하는 방법을 알아봅니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", - "severity": "보통", - "text": "무단 변경으로부터 보호하기 위해 성공적인 배포 후 Azure 리소스를 잠그는 것이 좋습니다. 또한 사용자 지정된 Azure 정책(Custome 역할)을 사용하여 구독별로 LOCK 제약 조건 및 규칙을 적용할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "안전" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", + "severity": "높다", + "text": "장애 조치(failover) 후 장애 복구(failback)하는 방법을 알아봅니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "스토리지와 관련된 Microsoft 클라우드 보안 벤치마크의 지침 적용", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "보통", - "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "'스토리지에 대한 Azure 보안 기준' 고려", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Azure Storage는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 
프라이빗 엔드포인트를 사용하면 액세스가 필요한 Azure Compute 리소스에만 Azure Storage를 안전하게 노출할 수 있으므로 공용 인터넷에 노출되지 않습니다", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "severity": "높다", - "text": "기존 요구 사항에 따라 규정 및 규정 준수 제어(내부/외부) - 필요한 Azure 정책 및 Azure RBAC 역할 결정", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "text": "Azure Storage에 프라이빗 엔드포인트를 사용하는 것이 좋습니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "높다", - "text": "SAP 환경에서 엔드포인트용 Microsoft Defender 사용하도록 설정하는 경우 모든 서버를 대상으로 하는 대신 DBMS 서버에서 데이터 및 로그 파일을 제외하는 것이 좋습니다. 대상 파일을 제외할 때 DBMS 공급업체의 권장 사항을 따릅니다.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "새로 만든 저장소 계정은 ARM 배포 모델을 사용하여 만들어지므로 RBAC, 감사 등을 모두 사용할 수 있습니다. 
구독에 클래식 배포 모델이 있는 이전 저장소 계정이 없는지 확인합니다.", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", + "severity": "보통", + "text": "이전 스토리지 계정이 '클래식 배포 모델'을 사용하지 않는지 확인", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Microsoft Defender를 활용하여 의심스러운 활동 및 잘못된 구성에 대해 알아봅니다.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "높다", - "text": "클라우드용 Microsoft Defender의 Just-In-Time 액세스 권한이 있는 SAP 관리자 사용자 지정 역할을 위임합니다.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "text": "모든 스토리지 계정에 대해 Microsoft Defender 사용", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "낮다", - "text": "타사 보안 제품을 DIAG(SAP GUI)용 SNC(Secure Network Communications), RFC 및 HTTPS용 SPNEGO와 통합하여 전송 중인 데이터를 암호화합니다.", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "일시 삭제 메커니즘을 사용하면 실수로 삭제된 Blob을 복구할 수 있습니다.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", + "severity": "보통", + "text": "Blob에 대해 '일시 삭제' 사용Enable 'soft delete' for blobs", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. ", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "보통", - "text": "보안 주체 암호화 기능을 위해 기본적으로 Microsoft 관리형 키를 사용하고 필요한 경우 고객 관리형 키를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Blob에 대해 '일시 삭제' 사용 안 함", "waf": "안전" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "severity": "높다", - "text": "애플리케이션당 환경, 지역별 Azure Key Vault를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "컨테이너에 대한 일시 삭제를 사용하면 컨테이너가 삭제된 후 컨테이너를 복구할 수 있습니다(예: 실수로 인한 삭제 작업에서 복구).", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", + "severity": "높다", + "text": "컨테이너에 대해 '일시 삭제' 사용Enable 'soft delete' for containers", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "높다", - "text": "비 HANA Windows 및 비 Windows 운영 체제에 대한 디스크 암호화 키 및 비밀을 제어하고 관리하려면 Azure Key Vault를 사용합니다. SAP HANA는 Azure Key Vault에서 지원되지 않으므로 SAP ABAP 또는 SSH 키와 같은 대체 방법을 사용해야 합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "보통", + "text": "컨테이너에 대해 '일시 삭제' 사용 안 함", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "사용자가 삭제하기 전에 먼저 삭제 잠금을 제거하도록 강제하여 저장소 계정이 실수로 삭제되는 것을 방지합니다.", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "높다", - "text": "Azure 스포크 구독의 SAP에 대한 RBAC(역할 기반 액세스 제어) 역할을 사용자 지정하여 실수로 인한 네트워크 관련 변경을 방지합니다.", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "text": "스토리지 
계정에 대한 리소스 잠금 사용Enable resource locks on storage accounts", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Blob에 대한 '법적 보존' 또는 '시간 기반 보존' 정책을 고려하면 Blob, 컨테이너 또는 스토리지 계정을 삭제할 수 없습니다. '불가능'은 실제로 '불가능'을 의미합니다. 스토리지 계정에 변경할 수 없는 Blob이 포함된 경우 해당 스토리지 계정을 '제거'하는 유일한 방법은 Azure 구독을 취소하는 것입니다.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "severity": "높다", - "text": "SAP 자산의 나머지 부분에서 DMZ 및 NVA를 격리하고, Azure Private Link를 구성하고, Azure의 SAP 리소스를 안전하게 관리 및 제어합니다.", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "text": "변경할 수 없는 Blob 고려", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "낮다", - "text": "Azure에서 Microsoft 맬웨어 방지 소프트웨어를 사용하여 악성 파일, 애드웨어 및 기타 위협으로부터 가상 머신을 보호하는 것이 좋습니다.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "모든 데이터 전송이 암호화되고, 무결성이 보호되고, 서버가 인증되도록 스토리지 계정에 대한 보호되지 않는 HTTP/80 액세스를 사용하지 않도록 설정하는 것이 좋습니다. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "높다", + "text": "HTTPS 필요, 즉 스토리지 계정에서 포트 80 사용 안 함Require HTTPS, i.e. 
disable port 80 on the storage account", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "낮다", - "text": "더욱 강력한 보호를 위해 엔드포인트용 Microsoft Defender 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "스토리지 계정에서 사용자 지정 도메인(호스트 이름)을 구성할 때 TLS/HTTPS가 필요한지 여부를 확인합니다. 이 경우 저장소 계정 앞에 Azure CDN을 배치해야 할 수 있습니다.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "높다", + "text": "HTTPS를 적용할 때(HTTP 사용 안 함) 스토리지 계정에 사용자 지정 도메인(CNAME)을 사용하지 않는지 확인합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "높다", - "text": "가상 네트워크 피어링을 통해 스포크 네트워크에 연결된 허브 가상 네트워크를 통해 모든 트래픽을 전달하여 인터넷 또는 온-프레미스 네트워크에서 SAP 애플리케이션 및 데이터베이스 서버를 격리합니다. 
피어링된 가상 네트워크는 Azure의 SAP 솔루션이 공용 인터넷에서 격리되도록 보장합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "클라이언트가 SAS 토큰을 사용하여 Blob 데이터에 액세스할 때 HTTPS를 요구하면 자격 증명 손실 위험을 최소화하는 데 도움이 됩니다.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", + "severity": "보통", + "text": "SAS(공유 액세스 서명) 토큰을 HTTPS 연결로만 제한", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "낮다", - "text": "SAP Fiori와 같은 인터넷 연결 애플리케이션의 경우 보안 수준을 유지하면서 애플리케이션 요구 사항에 따라 부하를 분산해야 합니다. 계층 7 보안의 경우 Azure Marketplace에서 사용할 수 있는 타사 WAF(Web Application Firewall)를 사용할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "AAD 토큰은 가능한 경우 공유 액세스 서명보다 우선해야 합니다", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "높다", + "text": "Blob 액세스에 Azure AD(Azure Active Directory) 토큰 사용Use Azure Active Directory (Azure AD) tokens for blob access", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "사용자, 그룹 또는 응용 프로그램에 역할을 할당할 때 해당 
보안 주체가 작업을 수행하는 데 필요한 권한만 부여합니다. 리소스에 대한 액세스를 제한하면 의도하지 않은 데이터 오용과 악의적인 데이터 오용을 모두 방지할 수 있습니다.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "보통", - "text": "SAP용 Azure Monitor 솔루션에서 보안 통신을 사용하도록 설정하려면 루트 인증서 또는 서버 인증서를 사용하도록 선택할 수 있습니다. 루트 인증서를 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "IaM 권한의 최소 권한", "waf": "안전" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus 프리미엄은 미사용 데이터의 암호화를 제공합니다. 사용자 고유의 키를 사용하는 경우 데이터는 여전히 Microsoft 관리형 키를 사용하여 암호화되지만 Microsoft 관리형 키도 고객 관리형 키를 사용하여 암호화됩니다. ", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", - "severity": "낮다", - "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션을 사용합니다", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "사용자 위임 SAS는 Azure AD(Azure Active Directory) 자격 증명과 SAS에 지정된 권한으로 보호됩니다. 사용자 위임 SAS는 범위와 기능 측면에서 서비스 SAS와 유사하지만 서비스 SAS에 비해 보안상의 이점을 제공합니다. ", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "높다", + "text": "SAS를 사용하는 경우 스토리지 계정 키 기반 SAS보다 '사용자 위임 SAS'를 선호합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "클라이언트 애플리케이션과 Azure Service Bus 네임스페이스 간의 통신은 TLS(전송 계층 보안)를 사용하여 암호화됩니다. Azure Service Bus 네임스페이스를 사용하면 클라이언트가 TLS 1.0 이상을 사용하여 데이터를 보내고 받을 수 있습니다. 
보다 엄격한 보안 조치를 적용하기 위해 클라이언트가 최신 버전의 TLS를 사용하여 데이터를 보내고 받도록 Service Bus 네임스페이스를 구성할 수 있습니다.", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", - "severity": "보통", - "text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "스토리지 계정 키('공유 키')에는 감사 기능이 거의 없습니다. 누가/언제 키 사본을 가져왔는지 모니터링할 수 있지만, 키가 여러 사람의 손에 들어가면 특정 사용자의 사용을 귀속시키는 것은 불가능합니다. AAD 인증에만 의존하면 스토리지 액세스를 사용자에게 더 쉽게 연결할 수 있습니다. ", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "높다", + "text": "AAD 액세스(및 사용자 위임 SAS)만 지원되도록 스토리지 계정 키를 사용하지 않도록 설정하는 것이 좋습니다.", "waf": "안전" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Service Bus 네임스페이스를 만들면 네임스페이스에 대해 RootManageSharedAccessKey라는 SAS 규칙이 자동으로 만들어집니다. 이 정책에는 전체 네임스페이스에 대한 관리 권한이 있습니다. 이 규칙은 관리 루트 계정처럼 취급하고 애플리케이션에서 사용하지 않는 것이 좋습니다. RBAC에서 AAD를 인증 공급자로 사용하는 것이 좋습니다. 
", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", - "severity": "보통", - "text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "활동 로그 데이터를 사용하여 스토리지 계정의 보안을 보거나 변경하는 '시기', '누가', '무엇을' 및 '방법'(예: 스토리지 계정 키, 액세스 정책 등)을 식별합니다.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "높다", + "text": "Azure Monitor를 사용하여 스토리지 계정에 대한 컨트롤 플레인 작업을 감사하는 것이 좋습니다.", "waf": "안전" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure 리소스 지원을 위해 관리되는 엔터티가 사용하도록 설정된 가상 머신 또는 Azure App Service 애플리케이션 내에서 실행되는 Service Bus 클라이언트 앱은 SAS 규칙 및 키 또는 기타 액세스 토큰을 처리할 필요가 없습니다. 클라이언트 앱에는 Service Bus 메시징 네임스페이스의 엔드포인트 주소만 필요합니다. ", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", - "service": "Service Bus", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "키 만료 정책을 사용하면 계정 액세스 키 교체에 대한 미리 알림을 설정할 수 있습니다. 지정된 간격이 경과하고 키가 아직 회전되지 않은 경우 알림이 표시됩니다.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "보통", - "text": "가능한 경우 애플리케이션은 관리 ID를 사용하여 Azure Service Bus에 인증해야 합니다. 
그렇지 않은 경우 Azure Key Vault 또는 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "스토리지 계정 키를 사용하는 경우 '키 만료 정책'을 사용하도록 설정하는 것이 좋습니다", "waf": "안전" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "사용 권한을 만들 때 Azure Service Bus에 대한 클라이언트의 액세스를 세밀하게 제어할 수 있습니다. Azure Service Bus의 사용 권한은 개별 리소스 수준(예: 큐, 토픽 또는 구독)으로 범위를 지정할 수 있으며 지정해야 합니다. ", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", - "severity": "높다", - "text": "최소 권한 데이터 플레인 RBAC 사용", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS 만료 정책은 SAS가 유효한 권장 간격을 지정합니다. SAS 만료 정책은 서비스 SAS 또는 계정 SAS에 적용됩니다. 사용자가 권장 간격보다 큰 유효 간격을 사용하여 서비스 SAS 또는 계정 SAS를 생성하면 경고가 표시됩니다.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", + "severity": "보통", + "text": "SAS 만료 정책 구성 고려", "waf": "안전" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus 리소스 로그에는 작업 로그, 가상 네트워크 및 IP 필터링 로그가 포함됩니다. 런타임 감사 로그는 Service Bus에서 다양한 데이터 평면 액세스 작업(예: 메시지 보내기 또는 받기)에 대해 집계된 진단 정보를 캡처합니다.", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "저장된 액세스 정책은 스토리지 계정 키를 다시 생성할 필요 없이 서비스 SAS에 대한 권한을 취소하는 옵션을 제공합니다. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "보통", - "text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. Azure Monitor를 사용하여 리소스 로그 및 런타임 감사 로그 추적(현재 프리미엄 계층에서만 사용 가능)", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "SAS를 저장된 액세스 정책에 연결하는 것이 좋습니다.", "waf": "안전" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 가상 네트워크와 Azure Service Bus 간의 트래픽이 Microsoft 백본 네트워크를 통과할 수 있습니다. 또한 공용 엔드포인트를 사용하지 않는 경우 사용하지 않도록 설정해야 합니다. ", - "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", - "service": "Service Bus", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "severity": "보통", - "text": "프라이빗 엔드포인트를 사용하여 Azure Service Bus에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "체크 인된 연결 문자열 및 저장소 계정 키를 검색하도록 응용 프로그램의 소스 코드 리포지토리를 구성하는 것이 좋습니다.", "waf": "안전" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "IP 방화벽을 사용하면 퍼블릭 엔드포인트를 CIDR(Classless Inter-Domain Routing) 표기법의 IPv4 주소 집합 또는 IPv4 주소 범위로만 추가로 제한할 수 있습니다. 
", - "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", - "service": "Service Bus", - "severity": "보통", - "text": "특정 IP 주소 또는 범위에서만 Azure Service Bus 네임스페이스에 액세스할 수 있도록 허용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "이상적으로 애플리케이션은 관리 ID를 사용하여 Azure Storage에 인증해야 합니다. 이렇게 할 수 없는 경우 Azure KeyVault 또는 동등한 서비스에 스토리지 자격 증명(연결 문자열, 스토리지 계정 키, SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", + "severity": "높다", + "text": "Azure KeyVault에 연결 문자열을 저장하는 것이 좋습니다(관리 ID를 사용할 수 없는 시나리오에서).", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "낮다", - "text": "AKS Windows 워크로드에 필요한 경우 HostProcess 컨테이너를 사용할 수 있습니다.", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "severity": "낮다", - "text": "이벤트 기반 워크로드를 실행하는 경우 KEDA 사용Use KEDA if running event-driven workloads", - "waf": "공연" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "임시 SAS 서비스 SAS 또는 계정 SAS에서 단기 만료 시간을 사용합니다. 이러한 방식으로 SAS가 손상되더라도 짧은 시간 동안만 유효합니다. 이 방법은 저장된 액세스 정책을 참조할 수 없는 경우에 특히 중요합니다. 
또한 단기 만료 시간은 업로드에 사용할 수 있는 시간을 제한하여 Blob에 쓸 수 있는 데이터의 양을 제한합니다.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "높다", + "text": "임시 SAS의 유효 기간을 단축하기 위해 노력", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "낮다", - "text": "Dapr을 사용하여 마이크로 서비스 개발 용이", - "waf": "작업" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS를 만들 때는 가능한 한 구체적이고 제한적이어야 합니다. 훨씬 더 광범위한 액세스를 제공하는 SAS보다 단일 리소스 및 작업에 대해 SAS를 선호합니다.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "보통", + "text": "SAS에 좁은 범위 적용", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", - "severity": "높다", - "text": "SLA 지원 AKS 제품 사용", - "waf": "신뢰도" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS에는 SAS를 사용하여 리소스를 요청할 수 있는 권한이 있는 클라이언트 IP 주소 또는 주소 범위에 대한 매개 변수가 포함될 수 있습니다. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", + "severity": "보통", + "text": "가능한 경우 SAS의 범위를 특정 클라이언트 IP 주소로 지정하는 것이 좋습니다", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS는 클라이언트가 업로드하는 데이터의 양을 제한할 수 없습니다. 시간 경과에 따른 스토리지 양의 가격 책정 모델을 고려할 때 클라이언트가 악의적으로 큰 콘텐츠를 업로드했는지 여부를 확인하는 것이 합리적일 수 있습니다.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", "severity": "낮다", - "text": "Pod 및 배포 정의에서 중단 예산 사용Use Disruption Budgets in your pod and deployment definitions", - "waf": "신뢰도" + "text": "클라이언트가 SAS를 사용하여 파일을 업로드한 후 업로드된 데이터를 확인하는 것이 좋습니다. ", + "waf": "안전" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "'로컬 사용자 계정'을 사용하여 SFTP를 통해 Blob Storage에 액세스하는 경우 '일반적인' RBAC 컨트롤이 적용되지 않습니다. NFS 또는 REST를 통한 Blob 액세스는 SFTP 액세스보다 더 제한적일 수 있습니다. 
안타깝게도 2023년 초부터 로컬 사용자는 현재 SFTP 엔드포인트에 대해 지원되는 유일한 ID 관리 형태입니다", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "severity": "높다", - "text": "개인 레지스트리를 사용하는 경우 여러 지역에 이미지를 저장하도록 지역 복제를 구성합니다", - "waf": "신뢰도" + "text": "SFTP: SFTP 액세스에 대한 '로컬 사용자'의 수를 제한하고 시간이 지남에 따라 액세스가 필요한지 여부를 감사합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", - "severity": "낮다", - "text": "kubecost와 같은 외부 애플리케이션을 사용하여 다른 사용자에게 비용 할당", - "waf": "비용" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", + "severity": "보통", + "text": "SFTP: SFTP 엔드포인트는 POSIX와 유사한 ACL을 지원하지 않습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", - "severity": "낮다", - "text": "축소 모드를 사용하여 노드 삭제/할당 취소", - "waf": "비용" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "스토리지는 CORS(Cross-Origin Resource Sharing), 즉 다른 도메인의 웹앱이 동일 출처 정책을 완화할 수 있도록 하는 HTTP 기능을 지원합니다. 
CORS를 사용하도록 설정할 때 CorsRules를 최소 권한으로 유지합니다.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "severity": "높다", + "text": "지나치게 광범위한 CORS 정책 방지", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", - "severity": "보통", - "text": "필요한 경우 AKS 클러스터에서 다중 인스턴스 분할 GPU 사용", - "waf": "비용" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "미사용 데이터는 항상 서버 쪽에서 암호화되며 클라이언트 쪽에서도 암호화될 수 있습니다. 서버 쪽 암호화는 플랫폼 관리형 키(기본값) 또는 고객 관리형 키를 사용하여 발생할 수 있습니다. 클라이언트 쪽 암호화는 클라이언트가 Azure Storage에 Blob별로 암호화/암호 해독 키를 제공하거나 클라이언트 쪽에서 암호화를 완전히 처리하여 발생할 수 있습니다. 따라서 기밀성 보장을 위해 Azure Storage에 전혀 의존하지 않습니다.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "severity": "높다", + "text": "미사용 데이터를 암호화하는 방법을 결정합니다. 
데이터에 대한 스레드 모델을 이해합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", - "severity": "낮다", - "text": "개발/테스트 클러스터를 실행하는 경우 NodePool 시작/중지를 사용합니다.", - "waf": "비용" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", + "severity": "보통", + "text": "사용해야 하는 플랫폼 암호화를 결정합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "보통", - "text": "Kubernetes용 Azure Policy를 사용하여 클러스터 규정 준수 보장", + "text": "사용해야 하는 클라이언트 쪽 암호화를 결정합니다.", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project 
id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "보통", - "text": "사용자/시스템 노드 풀이 있는 컨트롤 플레인에서 응용 프로그램 분리", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Resource Graph Explorer(resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)를 활용하여 익명 Blob 액세스를 허용하는 스토리지 계정을 찾습니다.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "높다", + "text": "공용 Blob 액세스가 필요한지 또는 특정 스토리지 계정에 대해 사용하지 않도록 설정할 수 있는지 여부를 고려합니다. ", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus 프리미엄은 미사용 데이터의 암호화를 제공합니다. 사용자 고유의 키를 사용하는 경우 데이터는 여전히 Microsoft 관리형 키를 사용하여 암호화되지만 Microsoft 관리형 키도 고객 관리형 키를 사용하여 암호화됩니다. 
", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", "severity": "낮다", - "text": "시스템 nodepool에 taint를 추가하여 전용으로 만듭니다.", + "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션을 사용합니다", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "클라이언트 애플리케이션과 Azure Service Bus 네임스페이스 간의 통신은 TLS(전송 계층 보안)를 사용하여 암호화됩니다. Azure Service Bus 네임스페이스를 사용하면 클라이언트가 TLS 1.0 이상을 사용하여 데이터를 보내고 받을 수 있습니다. 보다 엄격한 보안 조치를 적용하기 위해 클라이언트가 최신 버전의 TLS를 사용하여 데이터를 보내고 받도록 Service Bus 네임스페이스를 구성할 수 있습니다.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", "severity": "보통", - "text": "이미지에 개인 레지스트리(예: ACR) 사용", + "text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "안전" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Service Bus 네임스페이스를 만들면 네임스페이스에 대해 RootManageSharedAccessKey라는 SAS 규칙이 자동으로 만들어집니다. 이 정책에는 전체 네임스페이스에 대한 관리 권한이 있습니다. 이 규칙은 관리 루트 계정처럼 취급하고 애플리케이션에서 사용하지 않는 것이 좋습니다. RBAC에서 AAD를 인증 공급자로 사용하는 것이 좋습니다. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", "severity": "보통", - "text": "이미지에서 취약성 검사", + "text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", - "severity": "높다", - "text": "앱 분리 요구 사항 정의(네임스페이스/노드 풀/클러스터)", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure 리소스 지원을 위해 관리되는 엔터티가 사용하도록 설정된 가상 머신 또는 Azure App Service 애플리케이션 내에서 실행되는 Service Bus 클라이언트 앱은 SAS 규칙 및 키 또는 기타 액세스 토큰을 처리할 필요가 없습니다. 클라이언트 앱에는 Service Bus 메시징 네임스페이스의 엔드포인트 주소만 필요합니다. ", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", + "service": "Service Bus", + "severity": "보통", + "text": "가능한 경우 애플리케이션은 관리 ID를 사용하여 Azure Service Bus에 인증해야 합니다. 
그렇지 않은 경우 Azure Key Vault 또는 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", - "severity": "보통", - "text": "CSI 비밀 저장소 드라이버를 사용하여 Azure Key Vault에 비밀 저장", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "사용 권한을 만들 때 Azure Service Bus에 대한 클라이언트의 액세스를 세밀하게 제어할 수 있습니다. Azure Service Bus의 사용 권한은 개별 리소스 수준(예: 큐, 토픽 또는 구독)으로 범위를 지정할 수 있으며 지정해야 합니다. ", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", + "severity": "높다", + "text": "최소 권한 데이터 플레인 RBAC 사용", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", - "severity": "높다", - "text": "클러스터에 서비스 주체를 사용하는 경우 주기적으로(예: 분기별) 자격 증명을 새로 고칩니다", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus 리소스 로그에는 작업 로그, 가상 네트워크 및 IP 필터링 로그가 포함됩니다. 런타임 감사 로그는 Service Bus에서 다양한 데이터 평면 액세스 작업(예: 메시지 보내기 또는 받기)에 대해 집계된 진단 정보를 캡처합니다.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", + "severity": "보통", + "text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. 
Azure Monitor를 사용하여 리소스 로그 및 런타임 감사 로그 추적(현재 프리미엄 계층에서만 사용 가능)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 가상 네트워크와 Azure Service Bus 간의 트래픽이 Microsoft 백본 네트워크를 통과할 수 있습니다. 또한 공용 엔드포인트를 사용하지 않는 경우 사용하지 않도록 설정해야 합니다. ", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", "severity": "보통", - "text": "필요한 경우 키 관리 서비스 etcd 암호화를 추가합니다.", + "text": "프라이빗 엔드포인트를 사용하여 Azure Service Bus에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "낮다", - "text": "필요한 경우 AKS용 기밀 컴퓨팅을 사용하는 것이 좋습니다.", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "IP 방화벽을 사용하면 퍼블릭 엔드포인트를 CIDR(Classless Inter-Domain Routing) 표기법의 IPv4 주소 집합 또는 IPv4 주소 범위로만 추가로 제한할 수 있습니다. 
", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", + "severity": "보통", + "text": "특정 IP 주소 또는 범위에서만 Azure Service Bus 네임스페이스에 액세스할 수 있도록 허용하는 것이 좋습니다", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", - "severity": "보통", - "text": "컨테이너용 Defender 사용 고려", - "waf": "안전" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "높다", + "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", "severity": "높다", - "text": "서비스 주체 대신 관리 ID 사용", - "waf": "안전" + "text": "영역 중복 및 가용성 
영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", - "severity": "보통", - "text": "AAD와 인증 통합(관리형 통합 사용)", - "waf": "안전" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "높다", + "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", - "severity": "보통", - "text": "관리자 kubeconfig에 대한 액세스 제한(get-credentials --admin)", - "waf": "안전" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", + "severity": "높다", + "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", 
- "service": "AKS", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "severity": "보통", - "text": "AAD RBAC와 권한 부여 통합", - "waf": "안전" + "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "높다", - "text": "쿠버네티스에서 RBAC 권한을 제한하기 위해 네임스페이스 사용", - "waf": "안전" + "text": "읽기 작업에 대해 99.9%의 가용성을 갖도록 복제본 2개 사용", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "보통", - "text": "Pod ID 액세스 관리의 경우 Azure AD 워크로드 ID(미리 보기)를 사용합니다.", - "waf": "안전" + "text": "읽기/쓰기 작업에 대해 99.9%의 가용성을 갖도록 복제본 3개 사용", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": 
"https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", - "severity": "보통", - "text": "AKS 비대화형 로그인의 경우 kubelogin(미리 보기)을 사용합니다.", - "waf": "안전" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "높다", + "text": "읽기 및/또는 쓰기 복제본을 활성화하여 가용 영역 활용Leverage Availability Zones by enabling read and/or write replicas", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "보통", - "text": "AKS 로컬 계정 사용 안 함", - "waf": "안전" + "text": "지역 중복의 경우 Manually create services in 2 or more regions for Search는 지리적 지역 간에 검색 인덱스를 복제하는 자동화된 방법을 제공하지 않습니다", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "낮다", - "text": "필요한 경우 Just-in-time 클러스터 액세스 구성", - "waf": "안전" + "arm-service": "Microsoft.Search/searchServices", + "checklist": 
"Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", + "severity": "보통", + "text": "여러 서비스에서 데이터를 동기화하려면 인덱서를 사용하여 여러 서비스의 콘텐츠를 업데이트하거나 REST API를 사용하여 여러 서비스에서 콘텐츠 업데이트를 푸시합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "낮다", - "text": "AKS에 필요한 경우 AAD 조건부 액세스 구성", - "waf": "안전" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", + "severity": "보통", + "text": "Azure Traffic Manager를 사용하여 요청 조정", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "낮다", - "text": "Windows AKS 워크로드에 필요한 경우 gMSA를 구성합니다. ", - "waf": "안전" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", + "severity": "높다", + "text": "Azure Cognitive Search 인덱스를 백업 및 복원합니다. 
이 샘플 코드를 사용하여 인덱스 정의 및 스냅샷을 일련의 Json 파일에 백업합니다", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "보통", - "text": "더 세밀하게 제어하려면 관리형 Kubelet ID를 사용하는 것이 좋습니다.", - "waf": "안전" + "text": "Azure Bot Service의 안정성 지원 권장 사항을 따릅니다", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "보통", - "text": "AGIC를 사용하는 경우 클러스터 간에 AppGW를 공유하지 마세요", + "text": "로컬 데이터 레지던시 및 지역 규정 준수를 통해 봇 배포Deploying bots with local data residency and regional compliance", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", - "severity": "높다", - 
"text": "AKS HTTP 라우팅 추가 기능을 사용하지 말고, 애플리케이션 라우팅 추가 기능과 함께 관리되는 NGINX 수신을 대신 사용합니다.", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "severity": "보통", + "text": "Azure Bot Service는 글로벌 및 지역 서비스 모두에 대해 활성-활성 모드로 실행됩니다. 중단이 발생하면 오류를 감지하거나 서비스를 관리할 필요가 없습니다. Azure Bot Service는 다중 지역 지리적 아키텍처에서 자동 장애 조치(failover) 및 자동 복구를 자동으로 수행합니다. EU 봇 지역 서비스의 경우 Azure Bot Service는 중복성을 보장하기 위해 활성/활성 복제가 있는 유럽 내 두 개의 전체 지역을 제공합니다. 글로벌 봇 서비스의 경우 사용 가능한 모든 지역/지역을 글로벌 공간으로 제공할 수 있습니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "severity": "보통", - "text": "Windows 워크로드의 경우 가속화된 네트워킹을 사용합니다.", - "waf": "공연" + "text": "ACSS(Azure Center for SAP solutions)는 SAP를 Azure의 최상위 워크로드로 만드는 Azure 제품입니다. ACSS는 Azure에서 SAP 시스템을 통합 워크로드로 만들고 실행할 수 있도록 하는 엔드투엔드 솔루션으로, 혁신을 위한 보다 원활한 기반을 제공합니다. 
새 Azure 기반 SAP 시스템과 기존 Azure 기반 SAP 시스템 모두에 대한 관리 기능을 활용할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "severity": "높다", - "text": "표준 ALB 사용(기본 ALB와 반대)", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", + "severity": "보통", + "text": "Azure는 Linux 및 Windows에서 SAP 배포 자동화를 지원합니다. SAP Deployment Automation Framework는 SAP 환경을 배포, 설치 및 유지 관리할 수 있는 오픈 소스 오케스트레이션 툴입니다.", + "training": "https://github.com/Azure/sap-automation", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "severity": "보통", - "text": "Azure CNI를 사용하는 경우 NodePools에 다른 서브넷을 사용하는 것이 좋습니다.", - "waf": "안전" + "text": "RTO를 충족하는 언제든지 특정 시점과 시간 프레임에서 프로덕션 데이터베이스에 대한 특정 시점 복구를 수행합니다. 
특정 시점 복구에는 일반적으로 DBMS 계층 또는 SAP를 통해 데이터를 삭제하는 운영자 오류가 포함됩니다", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "severity": "보통", - "text": "프라이빗 엔드포인트(기본 설정) 또는 Virtual Network 서비스 엔드포인트를 사용하여 클러스터에서 PaaS 서비스에 액세스", - "waf": "안전" + "text": "백업 및 복구 시간을 테스트하여 재해 발생 후 모든 시스템을 동시에 복원하기 위한 RTO 요구 사항을 충족하는지 확인합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "severity": "높다", - "text": "요구 사항에 가장 적합한 CNI 네트워크 플러그 인 선택(Azure CNI 권장)", + "text": "쌍을 이루는 지역 간에 표준 스토리지를 복제할 수 있지만 표준 스토리지를 사용하여 데이터베이스 또는 가상 하드 디스크를 저장할 수는 없습니다. 사용하는 쌍을 이루는 지역 간에만 백업을 복제할 수 있습니다. 다른 모든 데이터의 경우 SQL Server Always On 또는 SAP HANA 시스템 복제와 같은 기본 DBMS 기능을 사용하여 복제를 실행합니다. 
SAP 애플리케이션 계층에 Site Recovery, rsync 또는 robocopy 및 기타 타사 소프트웨어를 조합하여 사용합니다.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "높다", - "text": "Azure CNI를 사용하는 경우 노드당 최대 Pod 수를 고려하여 서브넷 크기를 적절하게 조정합니다", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "보통", + "text": "고가용성을 달성하기 위해 Azure 가용성 영역을 사용하는 경우 SAP 애플리케이션 서버와 데이터베이스 서버 간의 대기 시간을 고려해야 합니다. 대기 시간이 긴 영역의 경우 SAP 애플리케이션 서버와 데이터베이스 서버가 항상 동일한 영역에서 실행되도록 운영 절차를 마련해야 합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "severity": "높다", - "text": "Azure CNI를 사용하는 경우 최대 Pod/노드(기본값 30)를 
확인합니다.", - "waf": "공연" + "text": "온-프레미스에서 주 및 보조 Azure 재해 복구 지역으로의 ExpressRoute 연결을 설정합니다. 또한 ExpressRoute를 사용하는 대신 온-프레미스에서 주 및 보조 Azure 재해 복구 지역으로 VPN 연결을 설정하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "내부 앱의 경우 조직은 방화벽에서 전체 AKS 서브넷을 여는 경우가 많습니다. 이렇게 하면 노드에 대한 네트워크 액세스도 열리고 잠재적으로 Pod에 대한 액세스도 열립니다(Azure CNI를 사용하는 경우). LoadBalancer IP가 다른 서브넷에 있는 경우 앱 클라이언트에서 이 IP만 사용할 수 있어야 합니다. 또 다른 이유는 AKS 서브넷의 IP 주소가 부족한 리소스인 경우 서비스에 해당 IP 주소를 사용하면 클러스터의 최대 확장성이 감소하기 때문입니다.", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "severity": "낮다", - "text": "개인 IP LoadBalancer 서비스를 사용하는 경우 AKS 서브넷이 아닌 전용 서브넷을 사용합니다", - "waf": "안전" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "높다", - "text": "그에 따라 서비스 IP 주소 범위의 크기를 조정합니다(클러스터 확장성이 제한됨).", + "text": "DR 지역에서 데이터의 암호를 해독할 수 있도록 인증서, 비밀 또는 키와 같은 키 자격 증명 모음 콘텐츠를 지역 간에 복제합니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "낮다", - "text": "필요한 경우 자체 CNI 플러그인을 추가합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": 
"https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", + "severity": "보통", + "text": "기본 및 재해 복구 가상 네트워크를 피어링합니다. 예를 들어 HANA 시스템 복제의 경우 SAP HANA DB 가상 네트워크를 재해 복구 사이트의 SAP HANA DB 가상 네트워크에 피어링해야 합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", "severity": "낮다", - "text": "필요한 경우 AKS에서 노드당 공용 IP 구성", - "waf": "공연" + "text": "SAP 배포에 Azure NetApp Files 스토리지를 사용하는 경우 최소한 두 지역의 프리미엄 계층에 두 개의 Azure NetApp Files 계정을 만듭니다.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", - "severity": "보통", - "text": "수신 컨트롤러를 사용하여 LoadBalancer 유형 서비스를 사용하여 노출하는 대신 웹 기반 앱을 노출합니다", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "높다", + "text": "기본 데이터베이스 복제 기술을 사용하여 HA 쌍의 데이터베이스를 동기화해야 합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "낮다", - "text": "송신 트래픽 크기 조정을 위해 Azure NAT Gateway를 outboundType으로 사용", + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "높다", + "text": "기본 VNet(가상 네트워크)의 CIDR은 DR 사이트 VNet의 CIDR과 충돌하거나 겹치지 않아야 합니다", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", - "severity": "보통", - "text": "Azure CNI IP 소모를 방지하기 위해 IP의 동적 할당 사용", + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "높다", + "text": "Site Recovery를 사용하여 응용 프로그램 서버를 DR 사이트에 복제합니다. Site Recovery는 중앙 서비스 클러스터 VM을 DR 사이트에 복제하는 데도 도움이 될 수 있습니다. 
DR을 호출할 때 DR 사이트에서 Linux Pacemaker 클러스터를 다시 구성해야 합니다(예: VIP 또는 SBD 바꾸기, corosync.conf 실행 등).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "높다", - "text": "보안 요구 사항에 필요한 경우 AzFW/NVA를 사용하여 송신 트래픽 필터링", - "waf": "안전" + "text": "단일 장애 지점에 대한 SAP 소프트웨어의 가용성을 고려합니다. 여기에는 SAP NetWeaver 및 SAP S/4HANA 아키텍처, SAP ABAP 및 ASCS + SCS에서 사용되는 DBMS와 같은 애플리케이션 내의 단일 실패 지점이 포함됩니다. 
또한 SAP Web Dispatcher와 같은 다른 도구도 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", - "severity": "보통", - "text": "퍼블릭 API 엔드포인트를 사용하는 경우 액세스할 수 있는 IP 주소를 제한합니다", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "높다", + "text": "SAP 및 SAP 데이터베이스의 경우 자동 장애 조치(failover) 클러스터를 구현하는 것이 좋습니다. Windows에서 Windows Server 장애 조치(failover) 클러스터링은 장애 조치(failover)를 지원합니다. 
Linux에서 Linux Pacemaker 또는 SIOS Protection Suite 및 Veritas InfoScale과 같은 타사 도구는 장애 조치를 지원합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "높다", - "text": "요구 사항에 따라 개인 클러스터를 사용합니다", - "waf": "안전" + "text": "Azure는 기본 및 보조 VM이 DBMS 데이터에 대한 스토리지를 공유하는 아키텍처를 지원하지 않습니다. 
DBMS 계층의 경우 일반적인 아키텍처 패턴은 기본 및 보조 VM에서 사용하는 것과 다른 스토리지 스택을 사용하여 동시에 데이터베이스를 복제하는 것입니다.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "보통", - "text": "Windows 2019 및 2022 AKS 노드의 경우 Calico 네트워크 정책을 사용할 수 있습니다. ", - "waf": "안전" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", "severity": "높다", - "text": "Kubernetes 네트워크 정책 옵션 사용(Calico/Azure)", - "waf": "안전" + "text": "DBMS 데이터 및 트랜잭션/다시 실행 로그 파일은 Azure 지원 블록 스토리지 또는 Azure NetApp Files에 저장됩니다. 
Azure Files 또는 Azure Premium Files는 SAP 워크로드를 사용하여 DBMS 데이터 및/또는 다시 실행 로그 파일에 대한 스토리지로 지원되지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", "severity": "높다", - "text": "쿠버네티스 네트워크 정책을 사용하여 클러스터 내 보안 강화", - "waf": "안전" + "text": "ASCS + SCS 구성 요소 및 특정 고가용성 시나리오에 대해 Windows에서 Azure 공유 디스크를 사용할 수 있습니다. SAP 애플리케이션 계층 구성 요소 및 DBMS 계층에 대해 장애 조치(failover) 클러스터를 별도로 설정합니다. Azure는 현재 SAP 애플리케이션 계층 구성 요소와 DBMS 계층을 하나의 장애 조치(failover) 클러스터로 결합하는 고가용성 아키텍처를 지원하지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = 
array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", "severity": "높다", - "text": "웹 워크로드(UI 또는 API)에 WAF 사용Use a WAF for web workloads (UIs or APIs)", - "waf": "안전" + "text": "SAP ASCS(애플리케이션 계층 구성 요소) 및 DBMS 계층에 대한 대부분의 장애 조치(failover) 클러스터에는 장애 조치(failover) 클러스터에 대한 가상 IP 주소가 필요합니다. Azure Load Balancer는 다른 모든 경우에 대해 가상 IP 주소를 처리해야 합니다. 한 가지 설계 원칙은 클러스터 구성당 하나의 부하 분산 장치를 사용하는 것입니다. 
부하 분산 장치의 표준 버전(표준 Load Balancer SKU)을 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", - "severity": "보통", - "text": "AKS Virtual Network에서 DDoS 표준 사용Use DDoS Standard in the AKS Virtual Network", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", + "severity": "높다", + "text": "로드 밸런서에서 부동 IP가 활성화되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where 
isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", - "severity": "낮다", - "text": "필요한 경우 회사 HTTP 프록시를 추가합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "높다", + "text": "고가용성 인프라를 배포하기 전에 선택한 지역에 따라 Azure 가용성 집합을 사용하여 배포할지 또는 가용성 영역을 사용하여 배포할지를 결정합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", - "severity": "보통", - "text": "고급 마이크로서비스 통신 관리를 위해 서비스 메시를 사용하는 것이 좋습니다", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", + "severity": "높다", + "text": "SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)용 애플리케이션에 대한 인프라 SLA를 충족하려면 모든 구성 요소에 대해 동일한 고가용성 옵션(VM, 가용성 집합, 가용성 영역)을 선택해야 합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": 
"https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "높다", - "text": "가장 중요한 메트릭에 대한 경고 구성(권장 사항은 Container Insights 참조)", - "waf": "작업" + "text": "동일한 가용성 집합에서 서로 다른 역할의 서버를 혼합하지 마십시오. 중앙 서비스 VM, 데이터베이스 VM, 애플리케이션 VM을 자체 가용성 집합으로 유지", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "낮다", - "text": "Azure Advisor에서 클러스터에 대한 권장 사항을 정기적으로 확인합니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", + "severity": "보통", + "text": "근접 배치 그룹을 사용하지 않는 한 Azure 가용성 영역 내에 Azure 가용성 집합을 배포할 수 없습니다.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "낮다", - "text": "AKS 자동 인증서 회전 사용", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "높다", + "text": "가용성 집합을 만들 때 사용 가능한 최대 장애 도메인 및 업데이트 도메인 수를 사용합니다. 
예를 들어 하나의 가용성 집합에 두 개 이상의 VM을 배포하는 경우 Azure 계획된 유지 관리 외에도 잠재적인 물리적 하드웨어 오류, 네트워크 중단 또는 전원 중단의 영향을 제한할 수 있는 최대 장애 도메인 수(3개)와 충분한 업데이트 도메인을 사용합니다. 장애 도메인의 기본 수는 2개이며 나중에 온라인으로 변경할 수 없습니다.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "높다", - "text": "kubernetes 버전을 주기적으로(예: 분기별) 업그레이드하거나 AKS 자동 업그레이드 기능을 사용하는 정기적인 프로세스가 있습니다.", - "waf": "작업" + "text": "가용성 집합 배포에서 Azure 근접 배치 그룹을 사용하는 경우 세 가지 SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)가 모두 동일한 근접 배치 그룹에 있어야 합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "높다", - "text": "node-image upgrade를 사용하지 않는 경우 Linux 노드 업그레이드에 kured를 사용합니다.", - "waf": "작업" + "text": "SAP SID당 하나의 근접 배치 그룹을 사용합니다. 
그룹은 가용성 영역 또는 Azure 지역에 걸쳐 있지 않습니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "높다", - "text": "클러스터 노드 이미지를 주기적으로(예: 매주) 업그레이드하는 정기적인 프로세스가 있습니다.", - "waf": "작업" + "text": "운영 체제에 따라 다음 서비스 중 하나를 사용하여 SAP 중앙 서비스 클러스터를 실행합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "낮다", - "text": "gitops를 고려하여 애플리케이션 또는 클러스터 구성을 여러 클러스터에 배포합니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", + "severity": "보통", + "text": "Azure는 현재 동일한 Linux Pacemaker 클러스터에서 ASCS와 DB HA를 결합하는 것을 지원하지 않습니다. 개별 클러스터로 분리합니다. 
그러나 최대 5개의 여러 중앙 서비스 클러스터를 한 쌍의 VM으로 결합할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "낮다", - "text": "프라이빗 클러스터에서 AKS 명령 호출을 사용하는 것이 좋습니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "보통", + "text": "가용성 집합 또는 가용성 영역의 고가용성 쌍에 두 VM을 모두 배포합니다. 
이러한 VM은 크기가 동일해야 하며 스토리지 구성이 동일해야 합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", - "severity": "낮다", - "text": "계획된 이벤트의 경우 노드 자동 드레인 사용을 고려하십시오.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", + "severity": "보통", + "text": "Azure는 RHEL(Red Hat Enterprise Linux)에서 실행되는 동일한 고가용성 클러스터에서 SAP HANA와 ASCS/SCS 및 ERS 인스턴스의 설치 및 구성을 지원합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "높다", - "text": "노드 RG(일명 '인프라 RG')의 운영자가 변경을 수행하지 않도록 자체 거버넌스 관행을 개발합니다.", - "waf": "작업" + "text": "프리미엄 관리형 SSD에서 모든 프로덕션 시스템을 실행하고 Azure NetApp Files 또는 Ultra Disk Storage를 사용합니다. 
적어도 OS 디스크는 더 나은 성능과 최상의 SLA를 달성할 수 있도록 프리미엄 계층에 있어야 합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "낮다", - "text": "사용자 정의 노드 RG (일명 '인프라 RG') 이름 사용", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", + "severity": "높다", + "text": null, + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", - "severity": "보통", - "text": "YAML 매니페스트에서 더 이상 사용되지 않는 Kubernetes API를 사용하지 마십시오.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "severity": "높다", + "text": "SAP 워크로드에 사용하는 스토리지 유형에 따라 고가용성을 구성하는 것이 좋습니다. 
Azure에서 사용할 수 있는 일부 스토리지 서비스는 Azure Site Recovery에서 지원되지 않으므로 고가용성 구성이 다를 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "낮다", - "text": "테인트 Windows 노드", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "높다", + "text": null, + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "낮다", - "text": "Windows 컨테이너 패치 수준을 호스트 패치 수준과 동기화된 상태로 유지", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", + "severity": "보통", + "text": "SAP System Start-Stop을 자동화하여 비용을 관리합니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "클러스터 수준의 진단 설정을 통해Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", 
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "severity": "낮다", - "text": "마스터 로그(즉, API 로그)를 Azure Monitor 또는 기본 로그 관리 솔루션으로 보냅니다", - "waf": "작업" + "text": "SAP HANA와 함께 Azure Premium Storage를 사용하는 경우 Azure Standard SSD Storage를 사용하여 비용에 민감한 스토리지 솔루션을 선택할 수 있습니다. 그러나 표준 SSD 또는 표준 HDD Azure Storage를 선택하면 개별 VM의 SLA에 영향을 줍니다. 또한 비프로덕션 환경과 같이 I/O 처리량이 낮고 대기 시간이 짧은 시스템의 경우 더 낮은 시리즈 VM을 사용할 수 있습니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "severity": "낮다", - "text": "필요한 경우 nodePool 스냅샷을 사용합니다.", + "text": "저렴한 대체 구성(다목적)으로 비프로덕션 HANA 데이터베이스 서버 VM에 대해 저성능 SKU를 선택할 수 있습니다. 
그러나 E 시리즈와 같은 일부 VM 유형은 HANA 인증(SAP HANA 하드웨어 디렉터리)되지 않았거나 1ms 미만의 스토리지 대기 시간을 달성할 수 없다는 점에 유의해야 합니다.", "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", - "severity": "낮다", - "text": "시간에 민감하지 않은 워크로드에 대한 스폿 노드 풀 고려", - "waf": "작업" + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", + "severity": null, + "text": null, + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "낮다", - "text": "빠른 버스팅을 위해 AKS 가상 노드 고려", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", + "severity": "보통", + "text": "클라우드 커넥터를 통해 SAP 클라우드 애플리케이션에서 SAP 온-프레미스(IaaS 포함)로 ID를 전달하기 위한 주체 전파 적용", + "training": 
"https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "높다", - "text": "Container Insights(또는 Prometheus와 같은 다른 도구)를 사용하여 클러스터 지표 모니터링", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", + "severity": "보통", + "text": "SAML을 사용하여 Azure AD를 사용하여 SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics 및 SAP C4C와 같은 SAP SaaS 애플리케이션에 SSO를 구현합니다.", + "waf": null }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "높다", - "text": "Container Insights(또는 Telegraf/ElasticSearch와 같은 다른 도구)를 사용하여 클러스터 로그를 저장하고 분석합니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", + "severity": null, + "text": "SAML을 사용하여 SAP Fiori 및 SAP Web GUI와 같은 SAP NetWeaver 기반 웹 애플리케이션에 대한 SSO를 구현합니다.", + "training": 
"https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": null }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "severity": "보통", - "text": "노드의 CPU 및 메모리 사용률 모니터링", - "waf": "작업" + "text": null, + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "보통", - "text": "Azure CNI를 사용하는 경우 노드당 사용되는 Pod IP의 %를 모니터링합니다.", - "waf": "작업" + "text": "SAP NetWeaver SSO 또는 파트너 솔루션을 사용하여 SAP GUI에 SSO를 구현할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "OS 디스크의 I/O는 중요한 리소스입니다. 
노드의 OS가 I/O에서 제한되면 예측할 수 없는 동작이 발생할 수 있으며, 일반적으로 노드가 NotReady로 선언됩니다", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "severity": "보통", - "text": "노드에서 OS 디스크 큐 크기 모니터링Monitor OS disk queue depth in nodes", - "waf": "작업" + "text": "SAP GUI 및 웹 브라우저 액세스용 SSO의 경우 구성 및 유지 관리가 용이하여 SNC/Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP Secure Login Server를 고려합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", "severity": "보통", - "text": "AzFW/NVA에서 송신 필터링을 사용하지 않는 경우 표준 ALB 할당 SNAT 포트를 모니터링합니다", - "waf": "작업" + "text": null, + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", "severity": "보통", - "text": "AKS 클러스터에 대한 Resource Health 알림 구독Subscribe to resource health notifications for your AKS cluster", - 
"waf": "작업" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "높다", - "text": "Pod 규격에서 요청 및 제한 구성", - "waf": "작업" + "text": "SAP NetWeaver용 OAuth를 사용하여 SSO를 구현하여 타사 또는 사용자 지정 애플리케이션이 SAP NetWeaver OData 서비스에 액세스할 수 있도록 합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", "severity": "보통", - "text": "네임스페이스에 대한 리소스 할당량 적용Enforce resource quotas for namespaces", - "waf": "작업" + "text": "SAP HANA에 대한 SSO 구현", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", - "severity": "높다", - "text": "구독에 노드 풀을 확장할 수 있는 충분한 할당량이 있는지 확인합니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", + "severity": "보통", + "text": "Azure AD를 RISE에서 호스트되는 SAP 시스템의 ID 공급자로 간주합니다. 
자세한 내용은 Azure AD와 서비스 통합을 참조하세요.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "severity": "보통", - "text": "Cluster Autoscaler 사용", - "waf": "공연" + "text": "SAP에 액세스하는 애플리케이션의 경우 주체 전파를 사용하여 SSO를 설정할 수 있습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", - "severity": "낮다", - "text": "AKS 노드 풀에 대한 노드 구성 사용자 지정", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", + "severity": "보통", + "text": "SAP IAS(Identity Authentication Service)가 필요한 SAP BTP 서비스 또는 SaaS 솔루션을 사용하는 경우 SAP Cloud Identity Authentication Services와 Azure AD 간에 SSO를 구현하여 해당 SAP 서비스에 액세스하는 것이 좋습니다. 
이 통합을 통해 SAP IAS는 프록시 ID 공급자 역할을 하고 중앙 사용자 저장소 및 ID 공급자로 Azure AD에 인증 요청을 전달할 수 있습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "severity": "보통", - "text": "필요한 경우 Horizontal Pod Autoscaler 사용", - "waf": "공연" + "text": "SAP BTP에 대한 SSO 구현", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "노드가 클수록 임시 디스크 및 가속화된 네트워킹과 같은 더 높은 성능과 기능을 제공하지만 폭발 반경이 증가하고 크기 조정 세분성이 감소합니다", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", - "severity": "높다", - "text": "너무 크거나 너무 작지 않은 적절한 노드 크기를 고려합니다", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", + "severity": "보통", + "text": "SAP SuccessFactors를 사용하는 경우 Azure AD 자동화된 사용자 프로비저닝을 사용하는 것이 좋습니다. 이 통합을 통해 SAP SuccessFactors에 신입 사원을 추가할 때 Azure AD에서 해당 사용자 계정을 자동으로 생성할 수 있습니다. 필요에 따라 Microsoft 365 또는 Azure AD에서 지원하는 기타 SaaS 애플리케이션에서 사용자 계정을 만들 수 있습니다. 
SAP SuccessFactors에 이메일 주소의 쓰기 저장을 사용합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "낮다", - "text": "확장성을 위해 5,000개 이상의 노드가 필요한 경우 추가 AKS 클러스터를 사용하는 것이 좋습니다", - "waf": "공연" + "checklist": "SAP Checklist", + "description": "관리 그룹 계층 구조를 4개 이하로 합리적으로 평평하게 유지합니다.", + "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", + "severity": "보통", + "text": "SAP 구독에 기존 관리 그룹 정책 적용", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "낮다", - "text": "AKS 자동화를 위해 EventGrid 이벤트를 구독하는 것이 좋습니다.", - "waf": "공연" + "checklist": "SAP Checklist", + "graph": "Resources | summarize count()", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "높다", + "text": "긴밀하게 결합된 애플리케이션을 동일한 SAP 구독에 통합하여 추가적인 라우팅 및 관리 복잡성 방지", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": 
"작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "낮다", - "text": "AKS 클러스터에서 장기 실행 작업의 경우 이벤트 종료를 고려합니다.", - "waf": "공연" + "checklist": "SAP Checklist", + "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "높다", + "text": "구독을 배율 단위로 활용하고 리소스를 확장하려면 환경별로 구독을 배포하는 것이 좋습니다. 샌드박스, 비프로덕션, 프로덕션 ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "checklist": "SAP Checklist", + "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", + "severity": "높다", + "text": "구독 프로비저닝의 일부로 할당량 증가를 보장(예: 구독 내에서 사용 가능한 총 VM 코어 수)", + "training": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "작업" + }, + { + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", "severity": "낮다", - "text": "필요한 경우 AKS 노드에 Azure Dedicated Host를 사용하는 것이 좋습니다", - "waf": "공연" + "text": "할당량 API는 Azure 서비스에 대한 할당량을 보고 관리하는 데 사용할 수 있는 REST API입니다. 필요한 경우 사용을 고려하십시오.", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", "severity": "높다", - "text": "임시 OS 디스크 사용", - "waf": "공연" + "text": "가용성 영역에 배포하는 경우 할당량이 승인되면 VM의 영역 배포를 사용할 수 있는지 확인합니다. 
필요한 구독, VM 시리즈, CPU 수 및 가용성 영역을 포함한 지원 요청을 제출합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", "severity": "높다", - "text": "임시 디스크가 아닌 디스크의 경우 여러 Pod를 실행하는 데 고성능이 필요하고 기본 AKS 로그 회전 임계값을 사용하여 대규모 로그를 생성하므로 많은 Pod/노드를 실행할 때 노드에 높은 IOPS 및 더 큰 OS 디스크를 사용합니다", - "waf": "공연" + "text": "필요한 서비스 및 기능이 선택한 배포 지역 내에서 사용할 수 있는지 확인합니다(예: ). ANF, 지역 등.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "낮다", - "text": "고성능 스토리지 옵션의 경우 AKS에서 Ultra Disks를 사용합니다.", - "waf": "공연" + "checklist": "SAP Checklist", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", + "severity": "보통", + "text": "비용 분류 및 리소스 그룹화를 위해 Azure 리소스 태그 활용(BillTo, 부서(또는 사업부), 환경(프로덕션, 스테이지, 개발), 계층(웹 계층, 응용 프로그램 계층), 응용 프로그램 소유자, 프로젝트 이름)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", - "severity": "보통", - "text": "클러스터에서 상태를 유지하지 않고 외부(AzStorage, AzSQL, Cosmos 등)에 데이터를 저장합니다.", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "높다", + "text": "Azure Backup 서비스를 사용하여 HANA 데이터베이스를 보호할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "severity": "보통", - "text": "AzFiles 표준을 사용하는 경우 성능상의 이유로 AzFiles 프리미엄 및/또는 ANF를 고려합니다", - "waf": "공연" + "text": "HANA, Oracle 또는 DB2 데이터베이스에 Azure NetApp Files를 배포하는 경우 Azure 애플리케이션 일치 스냅샷 도구(AzAcSnap)를 사용하여 애플리케이션 일치 스냅샷을 만듭니다. AzAcSnap은 Oracle 데이터베이스도 지원합니다. 
개별 VM이 아닌 중앙 VM에서 AzAcSnap을 사용하는 것이 좋습니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", - "severity": "보통", - "text": "Azure 디스크 및 AZ를 사용하는 경우 올바른 영역에 스토리지를 프로비전하기 위해 VolumeBindingMode::WaitForFirstConsumer를 사용하여 LRS 디스크의 영역 내에 노드 풀을 사용하거나 여러 영역에 걸쳐 있는 노드 풀에 ZRS 디스크를 사용하는 것이 좋습니다", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "높다", + "text": "운영 체제와 SAP 시스템 간의 표준 시간대 일치를 확인합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "severity": "보통", - "text": "Application Gateway v2 SKU를 사용하고 있는지 확인합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "안전" + "text": "동일한 클러스터에서 서로 다른 애플리케이션 서비스를 그룹화하지 마세요. 예를 들어 DRBD와 중앙 서비스 클러스터를 동일한 클러스터에 결합하지 마세요. 
그러나 동일한 Pacemaker 클러스터를 사용하여 약 5개의 서로 다른 중앙 서비스(다중 SID 클러스터)를 관리할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", - "severity": "보통", - "text": "Azure Load Balancer에 표준 SKU를 사용하고 있는지 확인합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", + "severity": "낮다", + "text": "Azure 실행 비용을 절약하고 최적화하기 위해 스누즈 모델에서 개발/테스트 시스템을 실행하는 것이 좋습니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "severity": "보통", - "text": "Load Balancer 프런트 엔드 IP 주소가 영역 중복인지 확인합니다(영역 프런트 엔드가 필요하지 않은 경우).", - "waf": "안전" + "text": "SAP 자산을 관리하여 고객과 파트너 관계를 맺는 경우 Azure Lighthouse를 사용하는 것이 좋습니다. Azure Lighthouse를 사용하면 관리 서비스 공급자가 Azure 네이티브 ID 서비스를 사용하여 고객 환경에 인증할 수 있습니다. 
고객은 언제든지 액세스 권한을 취소하고 서비스 제공업체의 조치를 감사할 수 있으므로 제어권을 고객에게 부여합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "severity": "보통", - "text": "Application Gateways v2는 IP 접두사가 /24보다 크거나 같은 서브넷에 배포해야 합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "안전" + "text": "Azure 업데이트 관리자를 사용하여 단일 VM 또는 여러 VM에 대해 사용 가능한 업데이트의 상태를 확인하고 정기적인 패치를 예약하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "일반적으로 역방향 프록시 및 특히 WAF의 관리는 네트워킹보다 애플리케이션에 더 
가깝기 때문에 앱과 동일한 구독에 속합니다. 연결 구독에서 Application Gateway 및 WAF를 중앙 집중화하는 것은 단일 팀에서 관리하는 경우 괜찮을 수 있습니다.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "보통", - "text": "랜딩 존 가상 네트워크 내에서 그리고 보안 중인 앱을 사용하여 인바운드 HTTP(S) 연결을 프록시하는 데 사용되는 Azure Application Gateway v2 또는 파트너 NVA를 배포합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", + "severity": "낮다", + "text": "SAP Landscape Management(LaMa)를 사용하여 SAP Basis 운영을 최적화하고 관리합니다. Azure용 SAP LaMa 커넥터를 사용하여 SAP 시스템을 재배치, 복사, 복제 및 새로 고칩니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", "severity": "보통", - "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "text": "SAP용 Azure Monitor 솔루션을 사용하여 Azure에서 SAP 워크로드(SAP HANA, 고가용성 SUSE 클러스터 및 SQL 시스템)를 모니터링합니다. 
SAP Solution Manager를 사용하여 SAP용 Azure Monitor 솔루션을 보완하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", - "severity": "보통", - "text": "최소 2개의 인스턴스로 자동 크기 조정을 구성합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", + "severity": "높다", + "text": "SAP용 VM 확장 검사를 실행합니다. SAP용 VM 확장은 VM(가상 머신)의 할당된 관리 ID를 사용하여 VM 모니터링 및 구성 데이터에 액세스합니다. 
이 검사는 SAP 애플리케이션의 모든 성능 메트릭이 기본 SAP용 Azure 확장에서 제공되는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "severity": "보통", - "text": "가용성 영역에 Application Gateway 배포", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "신뢰도" + "text": "액세스 제어 및 규정 준수 보고에 Azure Policy를 사용합니다. Azure Policy는 일관된 정책 준수와 빠른 위반 감지를 보장하기 위해 조직 전체 설정을 적용할 수 있는 기능을 제공합니다. ", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "작업" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "severity": "보통", - "text": "Front Door 및 Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Front Door에서 WAF 정책을 사용합니다. 
Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" - }, - { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", - "severity": "높다", - "text": "Traffic Manager를 사용하여 HTTP/S 이외의 프로토콜에 걸쳐 있는 글로벌 앱을 제공합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "신뢰도" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "낮다", - "text": "사용자가 내부 애플리케이션에만 액세스해야 하는 경우 Microsoft Entra ID 애플리케이션 프록시를 AVD(Azure Virtual Desktop)의 대안으로 고려했나요?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "안전" + "text": "Azure Network Watcher의 연결 모니터를 사용하여 SAP 데이터베이스 및 애플리케이션 서버에 대한 대기 시간 메트릭을 모니터링합니다. 
또는 Azure Monitor를 사용하여 네트워크 대기 시간 측정값을 수집하고 표시합니다.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "작업" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "severity": "보통", - "text": "네트워크에서 들어오는 연결에 대해 열려 있는 방화벽 포트 수를 줄이려면 Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 내부 애플리케이션에 대한 안전하고 인증된 액세스 권한을 부여하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "안전" + "text": "프로비저닝된 Azure 인프라에서 SAP HANA에 대한 품질 검사를 수행하여 프로비저닝된 VM이 Azure의 SAP HANA 모범 사례를 준수하는지 확인합니다.", + "waf": "작업" }, { - "ammp": true, - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "높다", - "text": "SNAT 확장성 향상을 위해 Load Balancer 아웃바운드 규칙 대신 Azure NAT Gateway 사용", - "waf": "신뢰도" + "text": "각 Azure 구독에 대해 영역 배포 전에 Azure 가용성 영역에서 대기 시간 테스트를 실행하여 Azure에서 SAP를 배포하기 위한 대기 시간이 짧은 영역을 선택합니다.", + 
"training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "공연" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", - "severity": "높다", - "text": "Azure Application Gateway WAF 봇 보호 규칙 집합을 사용하도록 설정합니다. 봇 규칙은 좋은 봇과 나쁜 봇을 감지합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", + "severity": "보통", + "text": "복원력 보고서를 실행하여 프로비저닝된 전체 Azure 인프라(컴퓨팅, 데이터베이스, 네트워킹, 스토리지, Site Recovery)의 구성이 Azure용 Cloud Adaption Framework에서 정의한 구성을 준수하는지 확인합니다.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "신뢰도" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", - "severity": "높다", - "text": "Azure Application Gateway WAF 정책에서 요청 본문 검사 기능이 사용하도록 설정되어 있는지 확인합니다.", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": 
"https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", + "severity": "보통", + "text": "SAP용 Microsoft Sentinel 솔루션을 사용하여 위협 방지를 구현합니다. 이 솔루션을 사용하여 SAP 시스템을 모니터링하고 비즈니스 로직 및 애플리케이션 계층 전반에서 정교한 위협을 탐지할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", "waf": "안전" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", - "severity": "높다", - "text": "워크로드에 대한 검색 모드에서 Azure Application Gateway WAF를 튜닝합니다. 거짓 긍정 탐지를 줄입니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", + "severity": "보통", + "text": "Azure 태그 지정을 활용하여 리소스를 논리적으로 그룹화 및 추적하고, 배포를 자동화하고, 가장 중요한 것은 발생한 비용에 대한 가시성을 제공할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "작업" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", - "service": "App Gateway", - "severity": "높다", - "text": "'방지' 모드에서 Application Gateway에 대한 WAF 정책을 배포합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", + "severity": "낮다", + "text": "대기 시간에 민감한 애플리케이션에 대해 VM 간 대기 시간 모니터링을 사용합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "보통", - "text": "Azure Application Gateway WAF에 속도 제한을 추가합니다. 속도 제한은 클라이언트가 실수로 또는 의도적으로 단기간에 많은 양의 트래픽을 보내는 것을 차단합니다.", - "waf": "안전" + "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "보통", - "text": "Azure Application Gateway WAF 속도 제한에 대해 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호를 제공합니다. ", - "waf": "안전" + "text": "모든 데이터베이스 파일 시스템 및 실행 프로그램을 바이러스 백신 검사에서 제외합니다. 이를 포함하면 성능 문제가 발생할 수 있습니다. 제외 목록에 대한 규범적 세부 정보는 데이터베이스 공급업체에 문의하십시오. 
예를 들어 Oracle은 바이러스 백신 검사에서 /oracle//sapdata를 제외하는 것이 좋습니다.", + "waf": "공연" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", "severity": "낮다", - "text": "모든 지역에서 트래픽이 발생할 것으로 예상되지 않는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", - "waf": "안전" + "text": "마이그레이션 후 비 HANA 데이터베이스에 대한 전체 데이터베이스 통계를 수집하는 것이 좋습니다. 예를 들어 SAP Note 1020260 - Oracle 통계 제공을 구현합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "severity": "보통", - "text": "Azure Application Gateway WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. 
IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 마세요.", - "waf": "안전" + "text": "Azure에서 SAP를 사용하는 모든 Oracle 배포에 Oracle ASM(자동 스토리지 관리)을 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "공연" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "보통", - "text": "최신 Azure Application Gateway WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.", - "waf": "안전" + "text": "Oracle을 실행하는 Azure의 SAP의 경우 SQL 스크립트 컬렉션을 통해 성능 문제를 진단할 수 있습니다. AWR(Automatic Workload Repository) 보고서에는 Oracle 시스템의 문제를 진단하는 데 유용한 정보가 포함되어 있습니다. 
여러 세션 동안 AWR 보고서를 실행하고 최대 피크 시간을 선택하여 분석에 대한 광범위한 적용 범위를 보장하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "공연" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", - "severity": "보통", - "text": "진단 설정을 추가하여 Azure Application Gateway WAF 로그를 저장합니다.", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "높다", + "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "severity": "보통", - "text": "Azure Application Gateway WAF 로그를 Microsoft Sentinel로 보냅니다.", - "waf": "작업" + "text": "HTTP/S 앱을 안전하게 배달하려면 Application Gateway v2를 사용하고 WAF 보호 및 정책이 사용하도록 설정되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "waf": "안전" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": 
"Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "보통", - "text": "Azure Application Gateway WAF 구성을 코드로 정의합니다. 코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.", + "text": "Azure로 마이그레이션하는 동안 가상 머신의 DNS 또는 가상 이름이 변경되지 않은 경우 백그라운드 DNS 및 가상 이름은 SAP 환경의 많은 시스템 인터페이스를 연결하며, 고객은 시간이 지남에 따라 개발자가 정의하는 인터페이스를 가끔씩만 인식할 수 있습니다. 마이그레이션 후 가상 또는 DNS 이름이 변경될 때 다양한 시스템 간에 연결 문제가 발생하며, 이러한 유형의 문제를 방지하기 위해 DNS 별칭을 유지하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "보통", - "text": "레거시 WAF 구성 대신 WAF 정책을 사용합니다.", + "text": "서로 다른 DNS 영역을 사용하여 각 환경(샌드박스, 개발, 사전 프로덕션 및 프로덕션)을 서로 구분합니다. 예외는 자체 VNet을 사용하는 SAP 배포의 경우입니다. 
여기서는 프라이빗 DNS 영역이 필요하지 않을 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", + "checklist": "SAP Checklist", + "description": "VNet 피어링을 구성할 때 원격 가상 네트워크에 대한 트래픽 허용 설정을 사용합니다.", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", "severity": "보통", - "text": "Application Gateway 서브넷의 연결(예: NSG)만 허용하도록 백 엔드에서 인바운드 트래픽을 필터링합니다.", - "waf": "안전" + "text": "로컬 및 글로벌 VNet 피어링은 연결을 제공하며, 여러 Azure 지역에서 SAP 배포를 위한 랜딩 존 간의 연결을 보장하기 위해 선호되는 접근 방식입니다", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "높다", - "text": "백엔드 서버에 대한 트래픽을 암호화해야 합니다.", - "waf": "안전" + "text": "SAP 애플리케이션과 SAP 데이터베이스 서버 간에 NVA를 배포하는 것은 지원되지 않습니다", + "training": "https://me.sap.com/notes/2731110", + "waf": "공연" }, { - 
"arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", - "severity": "높다", - "text": "웹 응용 프로그램 방화벽을 사용해야 합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", + "severity": "보통", + "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 새로운, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "severity": "보통", - "text": "HTTP를 HTTPS로 리디렉션", - "waf": "안전" + "text": "파트너 NVA를 사용하는 경우에만 지역 간에 NVA(네트워크 가상 어플라이언스)를 배포하는 것이 좋습니다. 네이티브 NVA가 있는 경우 지역 또는 VNet 간의 NVA가 필요하지 않습니다. 
파트너 네트워킹 기술 및 NVA를 배포하는 경우 공급업체의 지침에 따라 Azure 네트워킹과 충돌하는 구성을 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "severity": "보통", - "text": "게이트웨이 관리 쿠키를 사용하여 처리를 위해 사용자 세션에서 동일한 서버로 트래픽을 전달합니다.", + "text": "Virtual WAN은 가상 WAN 기반 토폴로지에 대한 스포크 VNet 간의 연결을 관리하며(UDR[사용자 정의 라우팅] 또는 NVA를 설정할 필요 없음) 동일한 가상 허브의 VNet 간 트래픽에 대한 최대 네트워크 처리량은 초당 50기가비트입니다. 필요한 경우 SAP 랜딩 존은 VNet 피어링을 사용하여 다른 랜딩 존에 연결하고 이 대역폭 제한을 극복할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "높다", - "text": "계획된 서비스 업데이트 중에 연결 드레이닝을 사용하도록 설정하여 백 엔드 풀의 기존 멤버에 대한 연결 손실을 방지합니다.", + "text": "SAP Workload를 실행하는 VM에 공용 IP를 할당하는 것은 권장되지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", - "severity": "낮다", - "text": "사용자 지정 오류 페이지를 만들어 개인화된 사용자 경험을 표시합니다.", + "checklist": "SAP Checklist", + "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", + "severity": "높다", + "text": "ASR을 구성할 때 DR 쪽에서 IP 주소를 예약하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", - "severity": "보통", - "text": "클라이언트와 서버 간의 라우팅 및 정보 교환을 보다 쉽게 하기 위해 HTTP 요청 및 응답 헤더를 편집합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "높다", + "text": "프로덕션 및 DR 사이트에 
겹치는 IP 주소 범위를 사용하지 마십시오.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "보통", - "text": "Front Door를 구성하여 글로벌 웹 트래픽 라우팅, 최상위 최종 사용자 성능 및 빠른 글로벌 장애 조치(failover)를 통해 안정성을 최적화합니다.", - "waf": "공연" + "text": "Azure는 VNet에서 여러 위임된 서브넷을 만드는 데 도움이 되지만 Azure NetApp Files용 VNet에는 하나의 위임된 서브넷만 존재할 수 있습니다. Azure NetApp Files에 대해 둘 이상의 위임된 서브넷을 사용하는 경우 새 볼륨을 만들려는 시도가 실패합니다.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "보통", - "text": "전송 계층 부하 분산 사용", - "waf": "공연" + "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, 비 HTTP/S 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다.", + "training": 
"https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "waf": "안전" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": "보통", - "text": "단일 게이트웨이에서 여러 웹 응용 프로그램에 대한 호스트 또는 도메인 이름을 기반으로 라우팅을 구성합니다.", + "text": "Application Gateway, SAP Web Dispatcher 및 기타 타사 서비스 간의 비교에서 볼 수 있듯이 Application Gateway 및 Web Application Firewall SAP 웹앱에 대한 역방향 프록시 역할을 하는 경우 Application Gateway 및 Web Application Firewall에 대한 제한 사항이 있습니다.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", "waf": "안전" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", - "severity": "보통", - "text": "SSL 인증서 관리를 중앙 집중화하여 백엔드 서버 팜의 암호화 및 암호 해독 오버헤드를 줄입니다.", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", + "severity": "보통", + "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역 전체에서 글로벌 보호를 제공합니다.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", "waf": "안전" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": 
"https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "낮다", - "text": "WebSocket 및 HTTP/2 프로토콜에 대한 기본 지원을 위해 Application Gateway 사용", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", + "severity": "보통", + "text": "Azure Front Door 및 Application Gateway를 사용하여 HTTP/S 애플리케이션을 보호하는 경우 Azure Front Door의 Web Application Firewall 정책을 활용합니다. Azure Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "severity": "낮다", - "text": "모범 사례는 기준 고가용성 영역 중복 웹 애플리케이션 아키텍처를 참조하세요.", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "보통", - "text": "프리미엄 및 표준 계층을 사용합니다. 이러한 계층은 스테이징 슬롯 및 자동 백업을 지원합니다.", - "waf": "신뢰도" + "text": "웹 응용 프로그램 방화벽을 사용하여 인터넷에 노출될 때 트래픽을 검사합니다. 
또 다른 옵션은 부하 분산 장치 또는 Application Gateway 또는 타사 솔루션과 같은 기본 제공 방화벽 기능이 있는 리소스와 함께 사용하는 것입니다.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", - "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용성 영역 활용(프리미엄 v2 또는 v3 계층 필요)", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", + "severity": "보통", + "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 새로운, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "severity": "보통", - "text": "상태 확인 구현", - "waf": "신뢰도" + "text": "데이터 유출을 방지하려면 Azure Private Link를 사용하여 Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory 등과 같은 PaaS(Platform as a Service) 리소스에 안전하게 액세스합니다. Azure 프라이빗 엔드포인트는 VNet과 Azure Storage, Azure Backup 등과 같은 서비스 간의 트래픽을 보호하는 데도 도움이 될 수 있습니다. 
VNet과 프라이빗 엔드포인트 사용 서비스 간의 트래픽은 Microsoft 글로벌 네트워크를 통해 이동하므로 공용 인터넷에 노출되지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "severity": "높다", - "text": "Azure App Service에 대한 백업 및 복원 모범 사례를 참조하세요.", - "waf": "신뢰도" + "text": "SAP 애플리케이션 및 DBMS 계층에 사용되는 VM에서 Azure 가속 네트워킹이 사용하도록 설정되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", - "severity": "높다", - "text": "Azure App Service 안정성 모범 사례 구현", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", + "severity": "보통", + "text": "Azure Load Balancer에 대한 내부 배포가 DSR(Direct Server Return)을 사용하도록 설정되어 있는지 확인합니다. 
이 설정(유동 IP 사용)은 DBMS 계층의 고가용성 구성에 내부 로드 밸런서 구성을 사용할 때 대기 시간을 줄입니다.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "낮다", - "text": "App Service 앱을 다른 지역으로 이동하는 방법을 숙지합니다. 재해가 발생하는 동안", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", + "severity": "보통", + "text": "ASG(애플리케이션 보안 그룹) 및 NSG 규칙을 사용하여 SAP 애플리케이션과 DBMS 계층 간의 네트워크 보안 액세스 제어 목록을 정의할 수 있습니다. 
ASG는 가상 머신을 그룹화하여 보안을 관리하는 데 도움을 줍니다.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "높다", - "text": "Azure App Service의 안정성 지원 숙지", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", - "severity": "보통", - "text": "App Service 계획에서 실행되는 Function Apps에 대해 \"Always On\"이 사용하도록 설정되어 있는지 확인합니다.", - "waf": "신뢰도" + "text": "피어링되지 않은 다른 Azure VNet에 SAP 애플리케이션 계층 및 SAP DBMS를 배치하는 것은 지원되지 않습니다.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "보통", - "text": "상태 검사를 사용하여 App Service 인스턴스 모니터링Monitor App Service instances using Health checks", - "waf": "신뢰도" + "text": "SAP 애플리케이션에서 네트워크 대기 시간을 최적화하려면 Azure 근접 배치 그룹을 사용하는 것이 좋습니다.", + "training": 
"https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", - "severity": "보통", - "text": "Application Insights 가용성 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "높다", + "text": "온-프레미스와 Azure 간에 분할된 SAP 애플리케이션 서버 계층 및 DBMS 계층을 실행하는 것은 전혀 지원되지 않습니다. 두 계층 모두 온-프레미스 또는 Azure에 완전히 상주해야 합니다.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", - "severity": "낮다", - "text": "Application Insights 표준 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "높다", + "text": "계층 간의 과도한 네트워크 트래픽으로 인해 발생할 수 있는 상당한 비용 때문에 DBMS(데이터베이스 관리 시스템) 및 SAP 시스템의 애플리케이션 계층을 서로 다른 VNet에 호스트하고 VNet 피어링과 연결하는 것은 권장되지 않습니다. Azure 가상 네트워크 내의 서브넷을 사용하여 SAP 애플리케이션 계층과 DBMS 계층을 분리하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "비용" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Key Vault를 사용하여 애플리케이션에 필요한 모든 비밀을 저장합니다. 
Key Vault는 비밀을 저장하기 위한 안전하고 감사된 환경을 제공하며 Key Vault SDK 또는 App Service Key Vault 참조를 통해 App Service와 잘 통합됩니다.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "severity": "높다", - "text": "Key Vault를 사용하여 비밀 저장", - "waf": "안전" + "text": "Linux 게스트 운영 체제에서 Load Balancer를 사용하는 경우 Linux 네트워크 매개 변수 net.ipv4.tcp_timestamps가 0으로 설정되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "관리 ID를 사용하여 Key Vault SDK를 사용하거나 App Service Key Vault 참조를 통해 Key Vault에 연결합니다.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "높다", - "text": "관리 ID를 사용하여 Key Vault에 연결", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", + "severity": "보통", + "text": "SAP RISE/ECS 배포의 경우 가상 피어링은 고객의 기존 Azure 환경과의 연결을 설정하는 기본 방법입니다. 
SAP vnet과 고객 vnet은 모두 NSG(네트워크 보안 그룹)로 보호되므로 vnet 피어링을 통해 SAP 및 데이터베이스 포트에서 통신할 수 있습니다", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service TLS 인증서를 Key Vault에 저장합니다.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "severity": "높다", - "text": "Key Vault를 사용하여 TLS 인증서를 저장합니다.", - "waf": "안전" + "text": "Azure VM에 대한 SAP HANA 데이터베이스 백업을 검토합니다.", + "waf": "비용" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "중요한 정보를 처리하는 시스템은 격리해야 합니다. 이렇게 하려면 별도의 App Service 계획 또는 App Service Environment를 사용하고 다른 구독 또는 관리 그룹을 사용하는 것이 좋습니다.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "보통", - "text": "민감한 정보를 처리하는 시스템 격리", - "waf": "안전" + "text": "SAP에 사용되는 Site Recovery 기본 제공 모니터링을 검토합니다.", + "waf": "비용" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service의 로컬 디스크는 암호화되지 않으며 중요한 데이터를 저장해서는 안 됩니다. 
(예: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", + "severity": "높다", + "text": "SAP HANA 시스템 환경 모니터링 지침을 검토합니다.", + "waf": "작업" + }, + { + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "보통", - "text": "로컬 디스크에 중요한 데이터를 저장하지 마십시오.", - "waf": "안전" + "text": "Azure Linux VM 백업 전략에서 Oracle Database를 검토합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "인증된 웹 애플리케이션의 경우 Azure AD 또는 Azure AD B2C와 같이 잘 설정된 ID 공급자를 사용합니다. 선택한 애플리케이션 프레임워크를 활용하여 이 공급자와 통합하거나 App Service 인증/권한 부여 기능을 사용합니다.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "severity": "보통", - "text": "인증에 설정된 ID 공급자 사용", - "waf": "안전" + "text": "SQL Server 2016에서 Azure Blob Storage 사용을 검토합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "잘 관리되고 안전한 DevOps 배포 파이프라인과 같이 제어되고 신뢰할 수 있는 환경에서 App Service에 코드를 배포합니다. 
이렇게 하면 버전이 제어되지 않고 악성 호스트에서 배포되는 것으로 확인되지 않은 코드를 방지할 수 있습니다.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", - "severity": "높다", - "text": "신뢰할 수 있는 환경에서 배포", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", + "severity": "보통", + "text": "Azure VM에 대한 자동화된 Backup v2 사용을 검토합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "FTP/FTPS 및 WebDeploy/SCM 모두에 대한 기본 인증을 사용 안함으로 설정합니다. 이렇게 하면 이러한 서비스에 대한 액세스가 비활성화되고 배포에 Azure AD 보안 엔드포인트가 사용됩니다. SCM 사이트는 Azure AD 자격 증명을 사용하여 열 수도 있습니다.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "severity": "높다", - "text": "기본 인증 사용 안 함", - "waf": "안전" + "text": "프리미엄 디스크(V1)를 사용하는 경우 M 시리즈에 쓰기 가속기 사용", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "가능한 경우 관리 ID를 사용하여 Azure AD 보안 리소스에 연결합니다. 
이렇게 할 수 없는 경우 Key Vault에 비밀을 저장하고 대신 관리 ID를 사용하여 Key Vault에 연결합니다.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "severity": "높다", - "text": "관리 ID를 사용하여 리소스에 연결", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", + "severity": "보통", + "text": "가용성 영역 대기 시간을 테스트합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 관리 ID를 사용하여 끌어옵니다.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", - "severity": "높다", - "text": "관리 ID를 사용하여 컨테이너 끌어오기", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", + "severity": "보통", + "text": "모든 SAP 구성요소에 대해 SAP EarlyWatch Alert를 활성화합니다.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service의 진단 설정을 구성하면 모든 원격 분석을 로깅 및 모니터링의 중앙 대상으로 Log Analytics에 보낼 수 있습니다. 
이를 통해 HTTP 로그, 애플리케이션 로그, 플랫폼 로그 등과 같은 App Service의 런타임 활동을 모니터링할 수 있습니다.", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": "보통", - "text": "Log Analytics에 App Service 런타임 로그 보내기Send App Service runtime logs to Log Analytics", - "waf": "안전" + "text": "SAP ABAPMeter 보고서 /SSA/CAT를 사용하여 SAP 애플리케이션 서버-데이터베이스 서버 대기 시간을 검토합니다.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "활동 로그를 Log Analytics에 로깅 및 모니터링의 중앙 대상으로 보내도록 진단 설정을 지정합니다. 이렇게 하면 App Service 리소스 자체에서 컨트롤 플레인 작업을 모니터링할 수 있습니다.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "severity": "보통", - "text": "Log Analytics에 App Service 활동 로그 보내기Send App Service activity logs to Log Analytics", - "waf": "안전" + "text": "CCMS를 사용하여 SQL Server 성능 모니터링을 검토합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "지역 VNet 통합, 네트워크 보안 그룹 및 UDR의 조합을 사용하여 아웃바운드 네트워크 액세스를 제어합니다. 트래픽은 Azure Firewall과 같은 NVA로 라우팅되어야 합니다. 
방화벽의 로그를 모니터링해야 합니다.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", "severity": "보통", - "text": "아웃바운드 네트워크 액세스를 제어해야 함", - "waf": "안전" + "text": "SAP 애플리케이션 계층 VM과 DBMS VM(NIPING) 간의 네트워크 대기 시간을 테스트합니다.", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "VNet 통합을 사용하고 VNet NAT Gateway 또는 NVA와 같은 Azure Firewall을 사용하여 안정적인 아웃바운드 IP를 제공할 수 있습니다. 이렇게 하면 필요한 경우 수신 당사자가 IP를 기반으로 허용 목록을 만들 수 있습니다. Azure 서비스에 대한 통신의 경우 IP 주소에 의존할 필요가 없는 경우가 많으며 서비스 엔드포인트와 같은 메커니즘을 대신 사용해야 합니다. (또한 수신 끝에서 프라이빗 엔드포인트를 사용하면 SNAT가 발생하지 않고 안정적인 아웃바운드 IP 범위를 제공합니다.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "낮다", - "text": "인터넷 주소에 대한 아웃바운드 통신을 위한 안정적인 IP 보장", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", + "severity": "보통", + "text": "SAP HANA Studio 알림을 검토합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service 액세스 제한, 서비스 엔드포인트 또는 프라이빗 엔드포인트의 조합을 사용하여 인바운드 네트워크 액세스를 제어합니다. 
웹앱 자체 및 SCM 사이트에 대해 서로 다른 액세스 제한이 필요하고 구성될 수 있습니다.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "높다", - "text": "인바운드 네트워크 액세스를 제어해야 합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", + "severity": "보통", + "text": "HANA_Configuration_Minichecks를 사용하여 SAP HANA 상태 점검을 수행합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Application Gateway 또는 Azure Front Door와 같은 Web Application Firewall을 사용하여 악의적인 인바운드 트래픽으로부터 보호합니다. WAF의 로그를 모니터링해야 합니다.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "severity": "높다", - "text": "App Service 앞에서 WAF 사용Use a WAF in front of App Service", + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "보통", + "text": "Azure, 온-프레미스 또는 기타 클라우드 환경에서 Windows 및 Linux VM을 실행하는 경우 Azure Automation의 업데이트 관리 센터를 사용하여 보안 패치를 포함한 운영 체제 업데이트를 관리할 수 있습니다.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "WAF에 대한 액세스만 잠궈 WAF를 우회할 수 없는지 확인합니다. 
액세스 제한, 서비스 엔드포인트 및 프라이빗 엔드포인트의 조합을 사용합니다.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "높다", - "text": "WAF가 우회되지 않도록 방지", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "보통", + "text": "SAP는 SAP 시스템을 보호하기 위해 즉각적인 조치가 필요한 매우 중요한 보안 패치 또는 핫픽스를 릴리스하므로 SAP 보안 OSS 노트를 정기적으로 검토합니다.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service 구성에서 최소 TLS 정책을 1.2로 설정합니다.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", - "severity": "보통", - "text": "최소 TLS 정책을 1.2로 설정합니다.", + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "낮다", + "text": "SQL Server SAP의 경우 SQL Server 시스템 관리자 계정을 사용하지 않으므로 SQL Server 시스템 관리자 계정을 사용하지 않도록 설정할 수 있습니다. 원래 시스템 관리자 계정을 비활성화하기 전에 시스템 관리자 권한이 있는 다른 사용자가 서버에 액세스할 수 있는지 확인합니다.", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "HTTPS만 사용하도록 App Service를 구성합니다. 이로 인해 App Service가 HTTP에서 HTTPS로 리디렉션됩니다. 
코드 또는 WAF에서 HSTS(HTTP Strict Transport Security)를 사용하여 HTTPS를 통해서만 사이트에 액세스해야 함을 브라우저에 알리는 것이 좋습니다.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "severity": "높다", - "text": "HTTPS만 사용", + "text": "xp_cmdshell 비활성화합니다. SQL Server 기능 xp_cmdshell SQL Server 내부 운영 체제 명령 셸을 사용하도록 설정합니다. 이는 보안 감사에서 잠재적인 위험입니다.", + "training": "https://me.sap.com/notes/3019299/E", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "CORS 구성에서 와일드카드를 사용하면 모든 원본이 서비스에 액세스할 수 있으므로 CORS의 목적에 어긋나므로 사용하지 마세요. 특히 서비스에 액세스할 수 있을 것으로 예상되는 원본만 허용합니다.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "높다", - "text": "와일드카드는 CORS에 사용할 수 없습니다.", + "text": "Azure에서 SAP HANA 데이터베이스 서버를 암호화하려면 SAP HANA 네이티브 암호화 기술을 사용합니다. 
또한 Azure에서 SQL Server를 사용하는 경우 TDE(투명한 데이터 암호화)를 사용하여 데이터 및 로그 파일을 보호하고 백업도 암호화되도록 합니다.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "원격 디버깅은 서비스에서 추가 포트를 열어 공격 노출 영역을 증가시키므로 프로덕션에서 켜면 안 됩니다. 서비스는 48시간 후에 자동으로 원격 디버깅을 설정합니다.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "severity": "높다", - "text": "원격 디버깅 끄기", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", + "severity": "보통", + "text": "Azure Storage 암호화는 모든 Azure Resource Manager 및 클래식 스토리지 계정에 대해 사용하도록 설정되며 사용하지 않도록 설정할 수 없습니다. 데이터는 기본적으로 암호화되므로 Azure Storage 암호화를 사용하기 위해 코드나 애플리케이션을 수정할 필요가 없습니다.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service용 Defender를 사용하도록 설정합니다. 이는 다른 위협 중에서도 알려진 악성 IP 주소에 대한 통신을 탐지합니다. 
작업의 일부로 App Service용 Defender의 권장 사항을 검토합니다.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", - "severity": "보통", - "text": "클라우드용 Defender 사용 - App Service용 Defender", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", + "severity": "높다", + "text": "Azure Key Vault를 사용하여 비밀 및 자격 증명 저장", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure는 네트워크에서 DDoS 기본 보호를 제공하며, 정상적인 트래픽 패턴을 학습하고 비정상적인 동작을 감지할 수 있는 지능형 DDoS 표준 기능으로 개선할 수 있습니다. DDoS 표준은 Virtual Network에 적용되므로 Application Gateway 또는 NVA와 같은 앱 앞의 네트워크 리소스에 대해 구성해야 합니다.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "severity": "보통", - "text": "WAF VNet에서 DDOS 보호 표준 사용Enable DDOS Protection Standard on the WAF VNet", + "text": "무단 변경으로부터 보호하기 위해 성공적인 배포 후 Azure 리소스를 잠그는 것이 좋습니다. 
또한 사용자 지정된 Azure 정책(Custome 역할)을 사용하여 구독별로 LOCK 제약 조건 및 규칙을 적용할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 프라이빗 엔드포인트 및 앱 설정 'WEBSITE_PULL_IMAGE_OVER_VNET'를 사용하여 Azure Container Registry에서 가상 네트워크를 통해 끌어옵니다.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "severity": "보통", - "text": "Virtual Network를 통해 컨테이너 끌어오기", + "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "참여의 침투 테스트 규칙에 따라 웹 응용 프로그램에 대한 침투 테스트를 수행합니다.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "severity": "보통", - "text": "침투 테스트 수행", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", + "severity": "높다", + "text": "기존 요구 사항에 따라 규정 및 규정 준수 제어(내부/외부) - 필요한 Azure 정책 및 Azure RBAC 역할 결정", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App 
Service Review", - "description": "DevSecOps 사례에 따라 취약성을 검증하고 검사한 신뢰할 수 있는 코드를 배포합니다.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", - "severity": "보통", - "text": "유효성이 검사된 코드 배포", + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "높다", + "text": "SAP 환경에서 엔드포인트용 Microsoft Defender 사용하도록 설정하는 경우 모든 서버를 대상으로 하는 대신 DBMS 서버에서 데이터 및 로그 파일을 제외하는 것이 좋습니다. 대상 파일을 제외할 때 DBMS 공급업체의 권장 사항을 따릅니다.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "지원되는 플랫폼, 프로그래밍 언어, 프로토콜 및 프레임워크의 최신 버전을 사용합니다.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "severity": "높다", - "text": "최신 플랫폼, 언어, 프로토콜 및 프레임워크 사용", + "text": "클라우드용 Microsoft Defender의 Just-In-Time 액세스 권한이 있는 SAP 관리자 사용자 지정 역할을 위임합니다.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub는 미사용 데이터의 암호화를 제공합니다. 사용자 고유의 키를 사용하는 경우 데이터는 여전히 Microsoft 관리형 키를 사용하여 암호화되지만 Microsoft 관리형 키는 고객 관리형 키를 사용하여 암호화됩니다. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "낮다", - "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "타사 보안 제품을 DIAG(SAP GUI)용 SNC(Secure Network Communications), RFC 및 HTTPS용 SPNEGO와 통합하여 전송 중인 데이터를 암호화합니다.", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs 네임스페이스를 사용하면 클라이언트가 TLS 1.0 이상을 사용하여 데이터를 보내고 받을 수 있습니다. 더 엄격한 보안 조치를 적용하기 위해 클라이언트가 최신 버전의 TLS를 사용하여 데이터를 보내고 받도록 Event Hubs 네임스페이스를 구성할 수 있습니다. Event Hubs 네임스페이스에 최소 버전의 TLS가 필요한 경우 이전 버전으로 수행된 모든 요청이 실패합니다. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "severity": "보통", - "text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "보안 주체 암호화 기능을 위해 기본적으로 Microsoft 관리형 키를 사용하고 필요한 경우 고객 관리형 키를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Event Hubs 네임스페이스를 만들 때 네임스페이스에 대해 RootManageSharedAccessKey라는 정책 규칙이 자동으로 만들어집니다. 이 정책에는 전체 네임스페이스에 대한 관리 권한이 있습니다. 이 규칙을 관리 루트 계정처럼 취급하고 응용 프로그램에서 사용하지 않는 것이 좋습니다. RBAC에서 AAD를 인증 공급자로 사용하는 것이 좋습니다. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "보통", - "text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", + "severity": "높다", + "text": "애플리케이션당 환경, 지역별 Azure Key Vault를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure 리소스에 대한 관리 ID는 Azure VM(Virtual Machines), 함수 앱, Virtual Machine Scale Sets 및 기타 서비스에서 실행되는 애플리케이션에서 Azure AD 자격 증명을 사용하여 Event Hubs 리소스에 대한 액세스 권한을 부여할 수 있습니다. Azure AD 인증과 함께 Azure 리소스에 대한 관리 ID를 사용하면 클라우드에서 실행되는 애플리케이션에 자격 증명을 저장하지 않아도 됩니다. ", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", - "severity": "보통", - "text": "가능한 경우 애플리케이션은 관리 ID를 사용하여 Azure Event Hub에 인증해야 합니다. 
그렇지 않은 경우 Azure Key Vault 또는 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", + "severity": "높다", + "text": "비 HANA Windows 및 비 Windows 운영 체제에 대한 디스크 암호화 키 및 비밀을 제어하고 관리하려면 Azure Key Vault를 사용합니다. SAP HANA는 Azure Key Vault에서 지원되지 않으므로 SAP ABAP 또는 SSH 키와 같은 대체 방법을 사용해야 합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "권한을 만들 때 Azure Event Hub에 대한 클라이언트의 액세스를 세밀하게 제어할 수 있습니다. Azure Event Hub의 사용 권한은 개별 리소스 수준(예: 소비자 그룹, 이벤트 허브 엔터티, 이벤트 허브 네임스페이스 등)으로 범위를 지정할 수 있으며 범위가 지정되어야 합니다.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", "severity": "높다", - "text": "최소 권한 데이터 평면 RBAC 사용", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Azure 스포크 구독의 SAP에 대한 RBAC(역할 기반 액세스 제어) 역할을 사용자 지정하여 실수로 인한 네트워크 관련 변경을 방지합니다.", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub 리소스 로그에는 작업 로그, 가상 네트워크 및 Kafka 로그가 포함됩니다. 
런타임 감사 로그는 Event Hubs의 모든 데이터 평면 액세스 작업(예: 이벤트 보내기 또는 받기)에 대해 집계된 진단 정보를 캡처합니다.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", - "severity": "보통", - "text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. Azure Monitor를 사용하여 리소스 로그, 런타임 감사 로그 및 Kafka 로그와 같은 메트릭 및 로그를 캡처합니다.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", + "severity": "높다", + "text": "SAP 자산의 나머지 부분에서 DMZ 및 NVA를 격리하고, Azure Private Link를 구성하고, Azure의 SAP 리소스를 안전하게 관리 및 제어합니다.", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 가상 네트워크와 Azure Event Hub 간의 트래픽이 Microsoft 백본 네트워크를 통해 트래버스할 수 있습니다. 또한 퍼블릭 엔드포인트를 사용하지 않는 경우 사용하지 않도록 설정해야 합니다. 
", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "severity": "보통", - "text": "프라이빗 엔드포인트를 사용하여 Azure Event Hub에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", + "severity": "낮다", + "text": "Azure에서 Microsoft 맬웨어 방지 소프트웨어를 사용하여 악성 파일, 애드웨어 및 기타 위협으로부터 가상 머신을 보호하는 것이 좋습니다.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "IP 방화벽을 사용하면 퍼블릭 엔드포인트를 CIDR(Classless Inter-Domain Routing) 표기법의 IPv4 주소 또는 IPv4 주소 범위 집합으로만 추가로 제한할 수 있습니다. 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", - "severity": "보통", - "text": "특정 IP 주소 또는 범위에서 Azure Event Hub 네임스페이스에 대한 액세스만 허용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", + "severity": "낮다", + "text": "더욱 강력한 보호를 위해 엔드포인트용 Microsoft Defender 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "severity": "보통", - "text": "FTA 탄력성 핸드북 활용", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "높다", + "text": "가상 네트워크 피어링을 통해 스포크 네트워크에 연결된 허브 가상 네트워크를 통해 모든 트래픽을 전달하여 인터넷 또는 온-프레미스 네트워크에서 SAP 애플리케이션 및 데이터베이스 서버를 격리합니다. 피어링된 가상 네트워크는 Azure의 SAP 솔루션이 공용 인터넷에서 격리되도록 보장합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": " 영역 사용 지역의 프리미엄, 전용 또는 표준 SKU를 사용하여 포털에서 만든 새 EH 네임스페이스에 대해 자동으로 설정됩니다. 
EH 메타데이터와 이벤트 데이터 자체는 모두 영역 간에 복제됩니다", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용성 영역 활용Leverage Availability Zones if regionally applicable", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "낮다", + "text": "SAP Fiori와 같은 인터넷 연결 애플리케이션의 경우 보안 수준을 유지하면서 애플리케이션 요구 사항에 따라 부하를 분산해야 합니다. 계층 7 보안의 경우 Azure Marketplace에서 사용할 수 있는 타사 WAF(Web Application Firewall)를 사용할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "severity": "보통", - "text": "예측 가능한 성능을 위해 프리미엄 또는 전용 SKU 사용", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "기본 제공 지역 재해 복구 기능을 사용하도록 설정하면 네임스페이스(Event Hubs, 소비자 그룹 및 설정)의 전체 구성이 기본 네임스페이스에서 보조 네임스페이스로 지속적으로 복제되며, 언제든지 한 번만 장애 조치(failover)를 주 네임스페이스에서 보조 네임스페이스로 이동할 수 있습니다. 
활성/수동 기능은 애플리케이션 구성을 변경할 필요 없이 실패한 Azure 지역에서 더 쉽게 복구하고 중단할 수 있도록 설계되었습니다", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "높다", - "text": "Active Passive 구성을 사용하여 지역 재해 복구 계획Plan for Geo Disaster Recovery using Active Passive configuration", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "다운된 지역에서 이벤트 데이터의 중단 또는 손실을 허용할 수 없는 DR 구성에 사용해야 합니다. 이러한 경우 복제 지침을 따르고 기본 제공 지역 재해 복구 기능(활성/수동)을 사용하지 마세요. 액티브/액티브를 사용하여 서로 다른 지역 및 네임스페이스에서 여러 Event Hubs를 유지 관리하면 허브 간에 이벤트가 복제됩니다", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", - "severity": "보통", - "text": "Business Critical Applications의 경우 Active Active 구성을 사용합니다.", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", - "severity": "보통", - "text": "복원력 있는 Event Hubs 설계", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "높다", - "text": "읽기 작업에 대해 99.9%의 가용성을 갖도록 복제본 2개 사용", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "보통", 
- "text": "읽기/쓰기 작업에 대해 99.9%의 가용성을 갖도록 복제본 3개 사용", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", - "severity": "높다", - "text": "읽기 및/또는 쓰기 복제본을 활성화하여 가용 영역 활용Leverage Availability Zones by enabling read and/or write replicas", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", - "severity": "보통", - "text": "지역 중복의 경우 Manually create services in 2 or more regions for Search는 지리적 지역 간에 검색 인덱스를 복제하는 자동화된 방법을 제공하지 않습니다", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", - "severity": "보통", - "text": "여러 서비스에서 데이터를 동기화하려면 인덱서를 사용하여 여러 서비스의 콘텐츠를 업데이트하거나 REST API를 사용하여 여러 서비스에서 콘텐츠 업데이트를 푸시합니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", - "severity": "보통", - "text": "Azure Traffic Manager를 사용하여 요청 조정", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - 
"link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", - "severity": "높다", - "text": "Azure Cognitive Search 인덱스를 백업 및 복원합니다. 이 샘플 코드를 사용하여 인덱스 정의 및 스냅샷을 일련의 Json 파일에 백업합니다", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", - "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용성 영역 활용(자동으로 활성화됨)", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "보통", - "text": "Microsoft에서 시작한 장애 조치(failover)에 유의하세요. 드문 경우지만 Microsoft는 영향을 받는 지역의 모든 IoT Hub를 해당 지역 쌍을 이루는 지역으로 장애 조치(failover)하기 위해 이러한 작업을 수행합니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "severity": "높다", - "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "높다", - "text": "수동 장애 조치(failover)를 트리거하는 방법을 알아봅니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "severity": "높다", - "text": "장애 조치(failover) 후 장애 
복구(failback)하는 방법을 알아봅니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "severity": "보통", - "text": "Azure Spring Apps는 모든 앱에 대해 두 개의 배포를 허용하며, 그 중 하나만 프로덕션 트래픽을 수신합니다. 블루-그린 배포 전략을 통해 가동 중지 시간 제로를 달성할 수 있습니다. 파란색 녹색 배포는 표준 및 엔터프라이즈 계층에서만 사용할 수 있습니다. ADO/GitHub 작업과 함께 CI/CD를 사용하여 배포를 자동화할 수 있습니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", - "severity": "보통", - "text": "Azure Spring Apps 인스턴스는 애플리케이션에 대해 여러 지역에서 만들 수 있으며 Traffic Manager/Front Door에서 트래픽을 라우팅할 수 있습니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", - "severity": "보통", - "text": "지원되는 지역에서 Azure Spring Apps는 영역 중복으로 배포할 수 있으며, 이는 인스턴스가 가용성 영역에 자동으로 분산됨을 의미합니다. 
이 기능은 Standard 및 Enterprise 계층에서만 사용할 수 있습니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", - "severity": "보통", - "text": "앱에 1개 이상의 앱 인스턴스 사용", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "보통", - "text": "로그, 메트릭 및 추적을 사용하여 Azure Spring Apps를 모니터링합니다. ASA를 Application Insights와 통합하고, 오류를 추적하고, 통합 문서를 만듭니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "severity": "보통", - "text": "Spring Cloud Gateway에서 자동 크기 조정 설정", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "낮다", - "text": "표준 소비 및 전용 플랜이 있는 앱에 대해 자동 크기 조정을 사용하도록 설정합니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "severity": "보통", - "text": "중요 업무용 앱에 대한 Spring Boot의 상업적 지원을 위해 Enterprise 플랜을 사용합니다. 
다른 계층에서는 OSS 지원을 받을 수 있습니다.", - "waf": "신뢰도" + "text": "SAP용 Azure Monitor 솔루션에서 보안 통신을 사용하도록 설정하려면 루트 인증서 또는 서버 인증서를 사용하도록 선택할 수 있습니다. 루트 인증서를 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "안전" }, { "arm-service": "Microsoft.KeyVault/vaults", 
@@ -6310,1735 +5939,2806 @@ "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", - "severity": "높다", - "text": "공명형 AI를 위한 Metaprompting 가드레일 따르기", - "waf": "운영 우수성" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview 의 데이터 수집 규칙", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", - "severity": "높다", - "text": "더 나은 속도 제한, 부하 분산, 인증 및 로깅을 위해 APIM 또는 AI Central과 같은 솔루션을 사용하여 게이트웨이 패턴을 고려합니다.", - "waf": "운영 우수성" - }, + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + "text": "기본 데이터 원본을 찾을 수 없는 백업 인스턴스 확인", + "waf": "비용" + }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", - 
"severity": "높다", - "text": "AOAI 인스턴스에 대한 모니터링 활성화", - "waf": "운영 우수성" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "연결되지 않은 서비스(디스크, NIC, IP 주소 등) 삭제 또는 보관", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", - "severity": "높다", - "text": "리소스에 대해 수행된 작업(예: 구독 키 다시 생성) 또는 메트릭 임계값(예: 한 시간에 10을 초과하는 오류 수)에 의해 생성된 활동 로그의 항목과 같은 이벤트를 팀에 알리는 경고를 만듭니다", - "waf": "운영 우수성" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "중요 업무용 응용 프로그램에 대한 Site Recovery 저장소와 백업 간의 적절한 균형을 고려합니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "severity": "높다", - "text": "용량으로 인한 서비스 중단을 방지하기 위해 토큰 사용량을 모니터링합니다.", - "waf": "운영 우수성" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "40개의 서로 다른 로그 분석 작업 
영역 간의 지출 및 절감 기회 확인 - 비프로덕션 작업 영역에 대해 서로 다른 보존 및 데이터 수집 사용-인식 및 계층 크기 조정을 위한 일일 한도 만들기 - 일일 한도를 설정하는 경우 한도에 도달할 때 경고를 만드는 것 외에도 특정 비율(예: 90%)에 도달했을 때 알림을 받을 경고 규칙도 만들어야 합니다. - 가능한 경우 작업 영역 변환 고려 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "severity": "보통", - "text": "처리된 추론 토큰, 생성된 완료 토큰, 속도 제한 모니터링과 같은 메트릭 관찰", - "waf": "운영 우수성" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "제거 로그 정책 및 자동화 적용(필요한 경우 로그를 콜드 스토리지로 이동할 수 있음)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", - "severity": "낮다", - "text": "진단이 충분하지 않은 경우 Azure OpenAI 앞에 있는 Azure API Managements와 같은 게이트웨이를 사용하여 허용되는 경우 들어오는 프롬프트와 나가는 응답을 모두 기록하는 것이 좋습니다", - "waf": "운영 우수성" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "디스크가 실제로 필요한지 확인하고, 그렇지 않은 경우 삭제하십시오. 필요한 경우 더 낮은 스토리지 계층을 찾거나 백업을 사용합니다.", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Infrastructure as code를 사용하여 Azure OpenAI Service, 모델 배포 및 모든 관련 리소스를 배포합니다", - "waf": "운영 우수성" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "사용자 지정 규칙을 사용하여 사용하지 않는 스토리지를 하위 계층으로 이동하는 것이 좋습니다 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "높다", - "text": "API 키 대신 관리 ID로 Microsoft Entra 인증 사용", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "Advisor가 VM 올바른 크기 조정에 대해 구성되어 있는지 확인합니다. 
", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "높다", - "text": "입력과 정답이 있는 알려진 골든 데이터 세트를 사용하여 시스템의 성능/정확도를 평가합니다. 평가를 위해 PromptFlow의 기능을 활용합니다.", - "waf": "운영 우수성" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "description": "Cost analysys에서 Meter Category Licenses를 검색하여 확인합니다.", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "모든 Windows VM에서 스크립트 실행 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM을 자주 만드는 경우 정책 구현을 고려합니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", - "severity": "높다", - "text": "프로비저닝된 처리량 모델의 사용 평가 ", - "waf": "공연" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": " 이미 라이선스가 있는 경우 AHUB에 넣을 수도 https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - 
"checklist": "Azure OpenAI Review",
- "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
- "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
- "service": "Azure OpenAI",
- "severity": "높다",
- "text": "Azure AI 콘텐츠 안전성 검토 및 구현",
- "waf": "운영 우수성"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "VM",
+ "text": "유연성 옵션을 사용하여 예약된 VM 제품군 통합(4-5개 이하의 제품군)",
+ "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
+ "waf": "비용"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
- "service": "Azure OpenAI",
- "severity": "높다",
- "text": "분당 토큰 및 응답을 기반으로 시스템의 처리량을 정의 및 평가하고 요구 사항에 맞춥니다.",
- "waf": "공연"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
+ "service": "VM",
+ "text": "Azure Reserved Instances 활용: 이 기능을 사용하면 1년 또는 3년 동안 VM을 예약할 수 있으므로 PAYG 가격에 비해 상당한 비용 절감 효과를 얻을 수 있습니다.",
+ "waf": "비용"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
- "service": "Azure OpenAI",
- "severity": "보통",
- "text": "토큰 크기, 스트리밍 옵션을 제한하여 시스템의 대기 시간을 개선합니다.",
- "waf": "공연"
+ "arm-service": 
"Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "VM",
+ "text": "더 큰 디스크만 예약할 수 있습니다 => 1TiB -",
+ "waf": "비용"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
- "service": "Azure OpenAI",
- "severity": "보통",
- "text": "탄력성 요구를 예측하여 우선 순위에 따라 동기 및 일괄 처리 요청 분리를 결정합니다. 우선 순위가 높은 경우 동기 접근 방식을 사용하고 낮은 우선 순위의 경우 큐를 사용한 비동기 일괄 처리가 선호됩니다",
- "waf": "공연"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "service": "VM",
+ "text": "적절한 크기 최적화 후",
+ "waf": "비용"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "5bda4332-4f24-4811-9331-82ba51752694",
- "link": "https://github.com/Azure/azure-openai-benchmark/",
- "service": "Azure OpenAI",
- "severity": "높다",
- "text": "소비자의 예상 수요를 기반으로 토큰 사용 요구 사항을 벤치마킹합니다. 
프로비저닝된 처리량 단위 배포를 사용하는 경우 처리량의 유효성을 검사하는 데 도움이 되도록 Azure OpenAI 벤치마킹 도구를 사용하는 것이 좋습니다",
- "waf": "공연"
+ "arm-service": "Microsoft.Sql/servers",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ "service": "Azure SQL",
+ "text": "적용 가능한 경우 확인 및 정책/변경 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations 시행",
+ "waf": "비용"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
- "service": "Azure OpenAI",
- "severity": "보통",
- "text": "PTU(프로비저닝된 처리량 단위)를 사용하는 경우 오버플로 요청에 대한 TPM(분당 토큰) 배포를 배포하는 것이 좋습니다. 게이트웨이를 사용하여 PTU 제한에 도달할 때 TPM 배포로 요청을 라우팅합니다.",
- "waf": "공연"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "VM",
+ "text": "VM + 라이선스 부분 할인(ahub + 3YRI)은 약 70% 할인입니다.",
+ "waf": "비용"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
- "service": "Azure OpenAI",
- "severity": "높다",
- "text": "올바른 작업에 적합한 모델을 선택하십시오. 
속도, 응답 품질 및 출력 복잡성 간에 적절한 절충점이 있는 모델 선택",
- "waf": "공연"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "VM",
+ "text": "플랫 사이징보다는 VMSS를 사용하여 수요에 맞추는 것이 좋습니다",
+ "waf": "비용"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
- "link": "https://github.com/Azure/azure-openai-benchmark/",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "AKS",
+ "text": "AKS 자동 크기 조정기를 사용하여 클러스터 사용량과 일치시킵니다(Pod 요구 사항이 스케일러와 일치하는지 확인).",
+ "waf": "비용"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Azure Backup",
+ "text": "해당하는 경우 복구 지점을 자격 증명 모음 보관으로 이동(유효성 검사)Move recovery points to vault-archive where applicable (Validate)",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "비용"
+ },
+ {
+ "arm-service": "Microsoft.Databricks/workspaces",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
+ "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
+ "service": "Databricks",
+ "text": "가능한 경우 대체와 함께 스폿 VM을 사용하는 것이 좋습니다. 
클러스터의 자동 종료를 고려합니다.", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "함수 - 연결 재사용", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "함수 - 로컬에 데이터 캐시", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "기능 - 콜드 스타트 - '패키지에서 실행' 기능을 사용합니다. 이렇게 하면 코드가 단일 zip 파일로 다운로드됩니다. 예를 들어, 이것은 많은 노드 모듈이 있는 Javascript 함수를 크게 개선할 수 있습니다. 
언어별 도구를 사용하여 패키지 크기를 줄입니다(예: 트리 쉐이킹 Javascript 애플리케이션).", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "기능 - 기능을 따뜻하게 유지", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "다른 함수와 함께 자동 크기 조정을 사용하는 경우 모든 리소스에 대한 모든 자동 크기 조정을 구동하는 것이 있을 수 있으므로 별도의 소비 계획으로 이동하는 것이 좋습니다(CPU에 대한 더 높은 계획 고려).", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "지정된 계획의 함수 앱은 모두 함께 크기가 조정되므로 크기 조정과 관련된 모든 문제는 계획의 모든 앱에 영향을 줄 수 있습니다.", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "'대기 시간'에 대한 요금이 청구되나요? 이 질문은 일반적으로 비동기 작업을 수행하고 결과를 기다리는 C # 함수 (예 : await Task.Delay(1000) 또는 await client )의 컨텍스트에서 묻습니다. GetAsync('http://google.com')입니다. 대답은 '예'입니다 - GB 초 계산은 함수의 시작 및 종료 시간과 해당 기간 동안의 메모리 사용량을 기반으로 합니다. CPU 작업 측면에서 해당 시간 동안 실제로 발생하는 일은 계산에 포함되지 않습니다. 이 규칙의 한 가지 예외는 지속성 함수를 사용하는 경우입니다. 
오케스트레이터 함수에서 대기하는 데 소요된 시간에 대해서는 요금이 청구되지 않습니다.가능한 경우 수요 형성 기술을 적용합니다(개발 환경?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "비용" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor - 기본 홈페이지 끄기앱의 애플리케이션 설정에서 AzureWebJobsDisableHomepage를 true로 설정합니다. 이렇게 하면 PoP에 204(콘텐츠 없음)가 반환되므로 헤더 데이터만 반환됩니다.", + "waf": "비용" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor 프론트도어 - 아무것도 반환하지 않는 무언가로 라우팅합니다. 함수, 함수 프록시를 설정하거나 WebApp에서 200(정상)을 반환하고 콘텐츠를 보내지 않거나 최소한으로 보내는 경로를 추가합니다. 
이것의 장점은 호출될 때 로그아웃할 수 있다는 것입니다.", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "덜 사용되는 데이터에 대한 보관 계층 고려", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "크기가 계층과 일치하지 않는 디스크 크기를 확인합니다(예: 513GiB 디스크는 P30(1TiB)를 지불하고 크기 조정을 고려합니다.", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "가능하면 프리미엄 또는 울트라 대신 표준 SSD를 사용하는 것이 좋습니다.", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "스토리지 계정의 경우 선택한 계층이 트랜잭션 요금을 합산하지 않는지 확인합니다(다음 계층으로 이동하는 것이 더 저렴할 수 있음).", + "waf": "비용" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "ASR의 경우 RPO/RTO 및 복제 처리량이 허용하는 경우 표준 SSD 디스크를 사용하는 것이 좋습니다", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + 
"guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "스토리지 계정: 핫 계층 및/또는 GRS 필요 확인", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "디스크 - 모든 곳에서 프리미엄 SSD 디스크 사용의 유효성을 검사합니다. 예를 들어 비프로덕션은 표준 SSD 또는 주문형 프리미엄 SSD로 교환할 수 있습니다. ", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "예산을 만들어 비용을 관리하고 이해 관계자에게 지출 이상 및 초과 지출 위험을 자동으로 알리는 경고를 만듭니다.", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "추가 데이터 분석을 위해 비용 데이터를 스토리지 계정으로 내보냅니다.", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "리소스를 사용하지 않을 때 일시 중지하여 전용 SQL 풀에 대한 비용을 제어합니다.", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "서버리스 Apache Spark 자동 일시 중지 기능을 활성화하고 그에 따라 제한 시간 값을 설정합니다.", + "waf": "비용" + }, + { + "arm-service": 
"Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "다양한 크기의 Apache Spark 풀 정의를 여러 개 만듭니다.", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "사전 구매 플랜으로 1년 동안 Azure Synapse SCU(커밋 단위)를 구매하여 Azure Synapse Analytics 비용을 절감하세요.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "인터럽트 가능한 작업에 스폿 VM 사용: 할인된 가격으로 입찰 및 구매할 수 있는 VM으로, 중요하지 않은 워크로드에 비용 효율적인 솔루션을 제공합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "모든 VM의 적절한 크기 조정", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "VM 크기를 정규화된 최신 크기로 바꾸기", + 
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "적절한 크기 조정 VM - 사용량을 5% 미만으로 모니터링하는 것으로 시작한 다음 최대 40%까지 작업", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "애플리케이션을 컨테이너화하면 VM 밀도를 개선하고 확장 비용을 절감할 수 있습니다", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "비용" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub는 미사용 데이터의 암호화를 제공합니다. 사용자 고유의 키를 사용하는 경우 데이터는 여전히 Microsoft 관리형 키를 사용하여 암호화되지만 Microsoft 관리형 키는 고객 관리형 키를 사용하여 암호화됩니다. ", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "낮다", + "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "안전" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs 네임스페이스를 사용하면 클라이언트가 TLS 1.0 이상을 사용하여 데이터를 보내고 받을 수 있습니다. 더 엄격한 보안 조치를 적용하기 위해 클라이언트가 최신 버전의 TLS를 사용하여 데이터를 보내고 받도록 Event Hubs 네임스페이스를 구성할 수 있습니다. Event Hubs 네임스페이스에 최소 버전의 TLS가 필요한 경우 이전 버전으로 수행된 모든 요청이 실패합니다. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", + "severity": "보통", + "text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "안전" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Event Hubs 네임스페이스를 만들 때 네임스페이스에 대해 RootManageSharedAccessKey라는 정책 규칙이 자동으로 만들어집니다. 이 정책에는 전체 네임스페이스에 대한 관리 권한이 있습니다. 이 규칙을 관리 루트 계정처럼 취급하고 응용 프로그램에서 사용하지 않는 것이 좋습니다. RBAC에서 AAD를 인증 공급자로 사용하는 것이 좋습니다. ", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", + "severity": "보통", + "text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "안전" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure 리소스에 대한 관리 ID는 Azure VM(Virtual Machines), 함수 앱, Virtual Machine Scale Sets 및 기타 서비스에서 실행되는 애플리케이션에서 Azure AD 자격 증명을 사용하여 Event Hubs 리소스에 대한 액세스 권한을 부여할 수 있습니다. Azure AD 인증과 함께 Azure 리소스에 대한 관리 ID를 사용하면 클라우드에서 실행되는 애플리케이션에 자격 증명을 저장하지 않아도 됩니다. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", + "severity": "보통", + "text": "가능한 경우 애플리케이션은 관리 ID를 사용하여 Azure Event Hub에 인증해야 합니다. 
그렇지 않은 경우 Azure Key Vault 또는 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "안전" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "권한을 만들 때 Azure Event Hub에 대한 클라이언트의 액세스를 세밀하게 제어할 수 있습니다. Azure Event Hub의 사용 권한은 개별 리소스 수준(예: 소비자 그룹, 이벤트 허브 엔터티, 이벤트 허브 네임스페이스 등)으로 범위를 지정할 수 있으며 범위가 지정되어야 합니다.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", + "severity": "높다", + "text": "최소 권한 데이터 평면 RBAC 사용", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "안전" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub 리소스 로그에는 작업 로그, 가상 네트워크 및 Kafka 로그가 포함됩니다. 런타임 감사 로그는 Event Hubs의 모든 데이터 평면 액세스 작업(예: 이벤트 보내기 또는 받기)에 대해 집계된 진단 정보를 캡처합니다.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", + "severity": "보통", + "text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. Azure Monitor를 사용하여 리소스 로그, 런타임 감사 로그 및 Kafka 로그와 같은 메트릭 및 로그를 캡처합니다.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "안전" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 가상 네트워크와 Azure Event Hub 간의 트래픽이 Microsoft 백본 네트워크를 통해 트래버스할 수 있습니다. 또한 퍼블릭 엔드포인트를 사용하지 않는 경우 사용하지 않도록 설정해야 합니다. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", + "severity": "보통", + "text": "프라이빗 엔드포인트를 사용하여 Azure Event Hub에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "안전" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "IP 방화벽을 사용하면 퍼블릭 엔드포인트를 CIDR(Classless Inter-Domain Routing) 표기법의 IPv4 주소 또는 IPv4 주소 범위 집합으로만 추가로 제한할 수 있습니다. ", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", + "severity": "보통", + "text": "특정 IP 주소 또는 범위에서 Azure Event Hub 네임스페이스에 대한 액세스만 허용하는 것이 좋습니다", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "안전" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", + "severity": "보통", + "text": "FTA 탄력성 핸드북 활용", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": " 영역 사용 지역의 프리미엄, 전용 또는 표준 SKU를 사용하여 포털에서 만든 새 EH 네임스페이스에 대해 자동으로 설정됩니다. 
EH 메타데이터와 이벤트 데이터 자체는 모두 영역 간에 복제됩니다", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", + "severity": "높다", + "text": "지역적으로 적용 가능한 경우 가용성 영역 활용Leverage Availability Zones if regionally applicable", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", + "severity": "보통", + "text": "예측 가능한 성능을 위해 프리미엄 또는 전용 SKU 사용", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "기본 제공 지역 재해 복구 기능을 사용하도록 설정하면 네임스페이스(Event Hubs, 소비자 그룹 및 설정)의 전체 구성이 기본 네임스페이스에서 보조 네임스페이스로 지속적으로 복제되며, 언제든지 한 번만 장애 조치(failover)를 주 네임스페이스에서 보조 네임스페이스로 이동할 수 있습니다. 활성/수동 기능은 애플리케이션 구성을 변경할 필요 없이 실패한 Azure 지역에서 더 쉽게 복구하고 중단할 수 있도록 설계되었습니다", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "severity": "높다", + "text": "Active Passive 구성을 사용하여 지역 재해 복구 계획Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "다운된 지역에서 이벤트 데이터의 중단 또는 손실을 허용할 수 없는 DR 구성에 사용해야 합니다. 이러한 경우 복제 지침을 따르고 기본 제공 지역 재해 복구 기능(활성/수동)을 사용하지 마세요. 
액티브/액티브를 사용하여 서로 다른 지역 및 네임스페이스에서 여러 Event Hubs를 유지 관리하면 허브 간에 이벤트가 복제됩니다", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", + "severity": "보통", + "text": "Business Critical Applications의 경우 Active Active 구성을 사용합니다.", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", + "severity": "보통", + "text": "복원력 있는 Event Hubs 설계", + "waf": "신뢰도" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "데이터 플레인 액세스에 대한 로컬 인증 방법의 사용을 제한합니다. 대신 Microsoft Entra ID를 기본 인증 방법으로 사용하여 데이터 평면 액세스를 제어합니다.", + "guid": "32d41e36-11c8-417b-8afb-c410d4391898", + "service": "Azure Synapse Analytics", + "severity": "높다", + "text": "Synapse의 SQL 워크로드에서 로컬 사용자 사용 제한", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Microsoft Entra ID를 기본 인증 방법으로 사용하여 데이터 평면 액세스를 제어합니다.", + "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", + "severity": "보통", + "text": "관리 ID를 사용하여 서비스에 인증", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "일상적인 관리 작업에 필요하지 않은 경우 긴급 용도로만 로컬 관리자 계정을 사용하지 않도록 설정하거나 제한합니다.", + "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", + 
"service": "Azure Synapse Analytics", + "severity": "높다", + "text": "높은 권한이 부여된/관리 사용자를 분리 및 제한하고 MFA 및 조건부 정책을 사용하도록 설정합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse에는 Synapse Studio의 다양한 측면을 관리하기 위한 Synapse RBAC(역할 기반 액세스 제어) 역할도 포함되어 있습니다. 이러한 기본 제공 역할을 활용하여 사용자, 그룹 또는 기타 보안 주체에 권한을 할당하여 코드 아티팩트를 게시하고, 게시된 코드 아티팩트를 나열하거나 액세스할 수 있는 사용자를 관리하고, Apache Spark 풀 및 통합 런타임에서 코드를 실행하고, 자격 증명으로 보호되는 연결된(데이터) 서비스에 액세스하고, 작업 실행을 모니터링 또는 취소하고, 작업 출력 및 실행 로그를 검토합니다.", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", + "severity": "보통", + "text": "Azure RBAC를 사용하여 스토리지에 대한 액세스를 제어하고 Synapse RBAC를 사용하여 팀의 가상 사용자에 따라 작업 영역 수준에서 액세스를 제어하여 데이터 및 컴퓨팅에 대한 액세스를 세분화합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", + "severity": "보통", + "text": "전용 SQL 풀에서 SQL 워크로드에 RLS, CLS 및 데이터 마스킹을 구현하여 보안 계층을 추가합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse 작업 영역을 만들 때 Microsoft Azure Virtual Network에 연결하도록 선택할 수 있습니다. 작업 영역과 연결된 Virtual Network는 Azure Synapse에서 관리됩니다. 이 Virtual Network를 관리형 작업 영역 Virtual Network라고 합니다. 
작업 영역을 배포할 때 선택할 수 있습니다", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "보통", + "text": "관리되는 vnet 작업 영역을 사용하여 공용 인터넷을 통한 액세스 제한", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "중요한 데이터를 보호하려면 작업 영역 엔드포인트에 대한 공용 액세스를 완전히 사용하지 않도록 설정하는 것이 좋습니다. 이렇게 하면 프라이빗 엔드포인트를 통해서만 모든 작업 영역 엔드포인트에 액세스할 수 있습니다.", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", + "severity": "보통", + "text": "외부 서비스에 연결하고 공용 액세스를 사용하지 않도록 프라이빗 엔드포인트를 구성합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "공용 액세스를 사용하도록 설정해야 하는 경우 지정된 공용 IP 주소 목록에서만 인바운드 연결을 허용하도록 IP 방화벽 규칙을 구성하는 것이 좋습니다.", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "text": "공용 액세스를 사용하도록 설정하는 경우 IP 방화벽 규칙을 구성하는 것이 좋습니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", + "severity": "보통", + "text": "회사 네트워크를 벗어나지 않아야 하는 중요한 데이터로 작업하는 경우 VN에 SHIR VM을 배포합니다.", + "waf": "안전" + }, + { + "arm-service": 
"Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "이 작업은 작업 영역을 배포할 때만 수행할 수 있지만 PyPI와 같은 공용 리포지토리에서 설치된 Python 라이브러리는 지원되지 않습니다. (활성화하기 전에 제한 사항에 대해 생각하십시오)", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + "service": "Azure Synapse Analytics", + "severity": "보통", + "text": "DEP(데이터 반출 보호) 사용", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "첫 번째 암호화 계층은 Microsoft 관리형 키에 의해 수행되며, 고객 관리형 키를 사용하여 두 번째 암호화 계층을 추가할 수 있습니다", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure Synapse Analytics", + "severity": "보통", + "text": "작업 영역에 대한 고객 관리형 키를 사용한 미사용 데이터 암호화Data Encryption at rest using Customer managed Keys for workspace", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse는 TLS를 활용하여 이동 중인 데이터가 암호화되도록 합니다. SQL 전용 풀은 암호화를 위해 TLS 1.0, TLS 1.1 및 TLS 1.2 버전을 지원하며, Microsoft에서 제공하는 드라이버는 기본적으로 TLS 1.2를 사용합니다. 
서버리스 SQL 풀 및 Apache Spark 풀은 모든 아웃바운드 연결에 TLS 1.2를 사용합니다.", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", + "severity": "보통", + "text": "전송 중 데이터 암호화 ", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Keyvaults를 사용하여 비밀 및 자격 증명 저장", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "service": "Azure Synapse Analytics", + "severity": "높다", + "text": "Azure Key Vault에 암호, secerts 및 키 저장Store passwords, secerts and keys in Azure key vault", + "waf": "안전" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "데이터 플레인 액세스에 대한 로컬 인증 방법의 사용을 제한합니다. 대신 Microsoft Entra ID를 기본 인증 방법으로 사용하여 데이터 평면 액세스를 제어합니다.", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "service": "Azure Data Factory", + "severity": "높다", + "text": "필요한 경우 로컬 사용자 사용 제한", + "waf": "안전" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "관리 ID를 사용하면 자격 증명을 관리할 필요가 없습니다. 
관리 ID는 Microsoft Entra 인증을 지원하는 리소스에 연결할 때 서비스 인스턴스에 대한 ID를 제공합니다.", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", + "severity": "보통", + "text": "관리 ID를 사용하여 서비스에 인증", + "waf": "안전" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "일상적인 관리 작업에 필요하지 않은 경우 긴급 용도로만 로컬 관리자 계정을 사용하지 않도록 설정하거나 제한합니다.", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "service": "Azure Data Factory", + "severity": "높다", + "text": "높은 권한이 부여된/관리 사용자를 분리 및 제한하고 MFA 및 조건부 정책을 사용하도록 설정합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "service": "Azure Data Factory", + "severity": "보통", + "text": "회사 네트워크를 벗어나지 않아야 하는 중요한 데이터로 작업하는 경우 VN에 SHIR VM을 배포합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Data Factory 관리 가상 네트워크 내에서 Azure 통합 런타임을 만들 때 통합 런타임은 관리되는 가상 네트워크로 프로비전됩니다. 프라이빗 엔드포인트를 사용하여 지원되는 데이터 저장소에 안전하게 연결합니다.", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "service": "Azure Data Factory", + "severity": "보통", + "text": "관리형 vnet IR을 사용하여 Azure Integration Runtime에 대한 공용 인터넷을 통한 액세스 제한", + "waf": "안전" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "관리형 프라이빗 엔드포인트는 Azure 리소스에 대한 프라이빗 링크를 설정하는 Data Factory 관리형 가상 네트워크에서 만든 프라이빗 엔드포인트입니다. 
Data Factory는 사용자를 대신하여 이러한 프라이빗 엔드포인트를 관리합니다.", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", + "severity": "보통", + "text": "관리형 Azure IR을 사용하여 리소스에 연결하도록 관리형 프라이빗 엔드포인트 구성", + "waf": "안전" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "이것이 기본 설정입니다", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "service": "Azure Data Factory", + "severity": "보통", + "text": "Microsoft 관리형 키를 통한 미사용 데이터 암호화", + "waf": "안전" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "이것이 기본 설정입니다", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "service": "Azure Data Factory", + "severity": "보통", + "text": "Microsoft 관리형 키를 통한 전송 중 데이터 암호화", + "waf": "안전" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "고객 관리형 키를 지정하면 Data Factory는 팩터리 시스템 키와 CMK를 모두 사용하여 고객 데이터를 암호화합니다. 
둘 중 하나라도 누락되면 데이터 및 공장에 대한 액세스가 거부됩니다.", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", + "severity": "보통", + "text": "BYOK에 의한 전송 중 데이터 암호화(고객 관리형 키)", + "waf": "안전" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", + "severity": "높다", + "text": "Azure Key Vault에 암호, 비밀 저장Store passwords, secrets in Azure Key Vault", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "service": "Microsoft Purview", + "severity": "보통", + "text": "컨트롤 플레인 및 데이터 플레인에서 Microsoft Purview를 관리하기 위한 역할 및 책임 정의", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "이를 위해 Azure RBAC를 사용합니다.", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "보통", + "text": "Azure 구독(컨트롤 플레인) 내에서 Microsoft Purview를 배포하고 관리하는 데 필요한 역할 및 작업 정의", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "이를 위해 Microsoft Purview 역할을 사용합니다.", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, 
https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "보통", + "text": "Microsoft Purview를 사용하여 데이터 관리 및 거버넌스를 수행하는 데 필요한 역할과 작업을 정의합니다. (데이터 맵 및 데이터 카탈로그에 대한 데이터 평면)", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "service": "Microsoft Purview", + "severity": "보통", + "text": "개별 사용자에게 역할을 할당하는 대신 Microsoft Entra 그룹에 역할을 할당합니다.", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", + "severity": "보통", + "text": "Azure Active Directory 권한 관리를 사용하여 액세스 패키지를 통해 Microsoft Entra 그룹에 대한 사용자 액세스를 매핑합니다.", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "service": "Microsoft Purview", + "severity": "높다", + "text": "Microsoft Purview 사용자, 특히 컬렉션 관리자, 데이터 원본 관리자 또는 데이터 큐레이터와 같은 권한 있는 역할이 있는 사용자에 대해 다단계 인증을 적용합니다.", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "service": "Microsoft Purview", + "severity": "높다", + "text": "Microsoft Entra ID를 사용하여 모든 사용자, Entra에 등록된 보안 그룹, 서비스 주체 및 Microsoft Purview의 컬렉션 내 관리 ID에 인증 및 권한 부여를 제공합니다.", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "service": "Microsoft Purview", + "severity": "높다", + "text": "Least Privilege 모델을 정의하고 권한 있는 계정의 노출을 줄입니다.", + "waf": "안전" + }, + { + 
"checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", + "severity": "보통", + "text": "Private Link 서비스를 사용하여 엔드투엔드 네트워크 격리를 사용하도록 설정합니다. (Microsoft Purview 데이터 맵)", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", + "severity": "보통", + "text": "Microsoft Purview 방화벽을 사용하여 공용 액세스를 사용하지 않도록 설정합니다. (Microsoft Purview 데이터 맵)", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "보통", + "text": "Azure 데이터 원본 프라이빗 엔드포인트, Microsoft Purview 프라이빗 엔드포인트 및 자체 호스팅 런타임 VM이 배포되는 서브넷에 대한 NSG(네트워크 보안 그룹) 규칙을 배포합니다. (Microsoft Purview 데이터 맵)", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Microsoft Purview", + "severity": "보통", + "text": "네트워크 검사 및 네트워크 필터링을 위한 Azure Firewall과 같은 네트워크 가상 어플라이언스에서 관리하는 프라이빗 엔드포인트를 사용하여 Microsoft Purview를 구현합니다. (Microsoft Purview 데이터 맵)", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "이 프라이빗 엔드포인트는 포털 프라이빗 엔드포인트의 필수 구성 요소이기도 합니다. 
프라이빗 네트워크를 사용하여 Microsoft Purview 거버넌스 포털에 연결할 수 있도록 하려면 Microsoft Purview 포털 프라이빗 엔드포인트가 필요합니다. Microsoft Purview는 수집 프라이빗 엔드포인트를 사용하여 Azure 또는 온-프레미스 환경에서 데이터 원본을 검사할 수 있습니다. 프라이빗 엔드포인트 사용에 대한 제한 사항 https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network", + "service": "Microsoft Purview", "severity": "보통", - "text": "미세 조정으로 모델 성능이 향상되었는지 여부를 파악하기 위해 미세 조정 없이 성능에 대한 기준이 있습니다.", - "waf": "공연" + "text": "Microsoft Purview 계정에 대한 프라이빗 엔드포인트를 배포하여 또 다른 보안 계층을 추가하면 가상 네트워크 내에서 시작된 클라이언트 호출만 Microsoft Purview 계정에 액세스할 수 있습니다", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. 
검토해야 할 제한 사항: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "service": "Microsoft Purview", + "severity": "보통", + "text": "Microsoft Purview 방화벽을 사용하여 공용 액세스 차단", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "보통", + "text": "네트워크 보안 그룹을 사용하여 Azure 가상 네트워크의 Azure 리소스에서 들어오고 나가는 네트워크 트래픽 필터링Use Network Security Groups to filter network traffic into Azure resources in an Azure virtual network", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "service": "Microsoft Purview", + "severity": "높다", + "text": "온-프레미스 vnet의 경계를 벗어날 수 없는 중요한 데이터가 있는 경우 회사 vnet 내에서 SHIR VM을 사용하여 메타데이터를 추출하는 것이 좋습니다 ", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "메타데이터는 추출되어 Microsoft Purview 데이터 맵에 저장되며, Purview 계정에 관리 스토리지 계정을 사용하지 않는 경우 모든 사용자가 액세스할 수 있도록 열려 있으므로 적절한 RBAC를 구현하고 의도된 사용자에게만 데이터 액세스를 제한합니다. 
2023년 12월 15일 이후에 배포된 계정(또는 API 버전 2023-05-01-preview 이후를 사용하여 배포된 계정)에 적용됩니다.", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "service": "Microsoft Purview", + "severity": "보통", + "text": "Azure RBAC를 사용하여 스토리지 계정(MS에서 관리하지 않음)의 액세스를 의도한 사용자로만 제한합니다.", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "service": "Microsoft Purview", + "severity": "보통", + "text": "미사용 데이터는 Microsoft 관리형 키로 암호화됩니다.", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "service": "Microsoft Purview", + "severity": "보통", + "text": "전송 중인 데이터는 TLS 1.3으로 암호화됩니다.", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "service": "Microsoft Purview", + "severity": "높다", + "text": "관리 ID를 사용하지 않거나 암호 필요 메서드가 없는 경우 항상 Azure Key Vault를 사용하여 모든 자격 증명을 저장합니다.", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "service": "Microsoft Purview", + "severity": "보통", + "text": "리소스 잠금을 적용하여 Microsoft Purview 계정의 실수로 삭제되는 것을 방지합니다.", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", + "severity": "보통", + "text": "테넌트 전체 계정 잠금을 방지하기 위해 Microsoft Entra 테넌트, Azure 구독 및 Microsoft Purview 계정에 대한 비상 전략을 
계획합니다.", + "waf": "안전" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "service": "Microsoft Purview", + "severity": "보통", + "text": "Microsoft 365 및 클라우드용 Microsoft Defender와 통합", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "관리자 계정을 일반 사용자 계정과 구분합니다.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "service": "Azure Databricks", + "severity": "높다", + "text": "Least Privilege 모델을 정의하고 권한 있는 계정의 노출을 줄입니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Databricks는 관리자가 사용자가 Azure Databricks에 로그인할 수 있는 위치와 시기를 제어할 수 있는 Microsoft Entra ID 조건부 액세스를 지원합니다. 조건부 액세스 정책은 회사 네트워크에 대한 로그인을 제한하거나 MFA(다단계 인증)를 요구할 수 있습니다.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", + "severity": "높다", + "text": "Single Sign-On 및 통합 로그인을 구성합니다. Multi-Factor Authentication을 사용하도록 설정합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "고객은 토큰 관리 API 또는 UI 컨트롤을 사용하여 REST API 인증을 위해 PAT(개인용 액세스 토큰)를 사용하거나 사용하지 않도록 설정하고, PAT를 사용할 수 있는 사용자를 제한하고, 새 토큰의 최대 수명을 설정하고, 기존 토큰을 관리할 수 있습니다. 보안이 매우 안전한 고객은 일반적으로 작업 영역의 새 토큰에 대한 최대 토큰 수명을 프로비전합니다. 
이 기능을 사용하려면 프리미엄 가격 책정 계층이 필요합니다.", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens", + "service": "Azure Databricks", + "severity": "보통", + "text": "토큰 관리를 사용합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Databricks 플랫폼의 일반 사용자이기도 한 Databricks 관리자가 있는 경우(예: 플랫폼을 관리하고 데이터 엔지니어링 작업도 수행하는 수석 데이터 엔지니어가 있는 경우) Databricks는 관리 작업을 위해 별도의 계정을 만드는 것이 좋습니다. Azure RBAC 모델의 일부로, 배포된 Azure Databricks 작업 영역에 대한 리소스 그룹에 대한 기여자 이상의 권한이 부여된 사용자는 해당 작업 영역에 로그인할 때 자동으로 관리자가 된다는 점에 유의해야 합니다. 따라서 위에서 설명한 것과 동일한 고려 사항을 Azure Portal 사용자에게도 적용해야 합니다.", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "service": "Azure Databricks", + "severity": "높다", + "text": "일반 사용자 계정과 관리자 계정 분리", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "SCIM(System for Cross-domain Identity Management)을 사용하면 Microsoft Entra ID에서 Azure Databricks로 사용자 및 그룹을 동기화할 수 있습니다. 이 방법에는 세 가지 주요 이점이 있습니다. 1. 사용자를 제거하면 사용자가 Databricks에서 자동으로 제거됩니다. 2. SCIM을 통해 사용자를 일시적으로 비활성화할 수도 있습니다. 고객은 계정이 손상되었을 수 있으며 조사가 필요하다고 생각하는 시나리오에 이 기능을 사용했습니다 3. 그룹이 자동으로 동기화됨 Azure Databricks에 대해 SCIM을 구성하는 방법에 대한 자세한 지침은 설명서를 참조하세요. 
이 기능을 사용하려면 프리미엄 가격 책정 계층이 필요합니다", + "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", + "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/", + "service": "Azure Databricks", + "severity": "보통", + "text": "사용자 및 그룹의 SCIM 동기화.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "관리자는 클러스터 정책 또는 이전 클러스터 ACL을 사용하여 조직 내에서 클러스터를 생성할 수 있는 사용자 또는 그룹을 정의할 수 있습니다. 클러스터 ACL을 사용하면 지정된 클러스터에 노트북을 연결할 수 있는 사용자를 지정할 수 있습니다. 사용자가 표준 모드 클러스터에 이미 연결된 Notebook을 공유하는 경우 수신자도 해당 클러스터에서 코드를 실행할 수 있습니다. 이는 사용자 격리를 적용하는 클러스터(SQL 웨어하우스, 테이블 ACL 클러스터와의 높은 동시성, 자격 증명 통과 클러스터의 높은 동시성)에는 적용되지 않습니다. Unity 카탈로그를 사용하는 고객은 단일 사용자 클러스터를 활성화하여 격리 클러스터를 적용할 수도 있습니다.", + "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", + "service": "Azure Databricks", + "severity": "보통", + "text": "클러스터 생성 권한을 제한합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "고객이 Azure Key Vault를 사용하여 비밀을 저장하더라도 Azure Databricks 내에서 액세스 제어를 정의해야 합니다. 이는 Azure Databricks 작업 영역의 모든 사용자에 대한 비밀을 검색하는 데 동일한 서비스 ID가 사용되기 때문입니다.", + "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", + "service": "Azure Databricks", + "severity": "높다", + "text": "Azure Key Vault에 암호, 비밀 저장Store passwords, secrets in Azure Key Vault", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "사용자 격리가 있는 클러스터에는 각 사용자가 클러스터 호스트에서 권한이 없는 다른 사용자 계정으로 실행되는 적용이 포함됩니다. 
또한 언어는 격리된 방식으로 구현할 수 있는 언어(SQL 및 Python)로 제한되며, Spark API는 격리로부터 안전하다고 생각되는 언어의 허용 목록에 있어야 합니다.", + "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3", + "service": "Azure Databricks", + "severity": "보통", + "text": "사용자 격리를 지원하는 클러스터를 사용합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "프로덕션 워크로드를 개별 사용자 계정에 연결하는 것은 보안 모범 사례에 위배되므로 Databricks 내에서 서비스 주체를 구성하는 것이 좋습니다. 서비스 원칙은 관리자와 사용자 작업을 워크로드에서 분리하고 사용자가 조직을 떠날 경우 워크로드가 영향을 받지 않도록 합니다. Databricks를 사용하면 서비스 주체로 실행되고 서비스 주체에 대한 개인용 액세스 토큰을 생성하도록 작업을 구성할 수 있습니다.", + "guid": "e29711b1-352b-4eee-879b-588defc5972c", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/", + "service": "Azure Databricks", + "severity": "보통", + "text": "서비스 주체를 사용하여 프로덕션 작업을 실행합니다. 워크스페이스 레벨(ACL), 계정 레벨(RBAC) 및 데이터 레벨(Unity 카탈로그) 보안 컨트롤에 대한 적절한 액세스 제어 사용", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "기본적으로 DBFS는 지정된 작업 영역의 모든 사용자가 액세스할 수 있고 API를 통해 액세스할 수 있는 파일 시스템입니다. IP 액세스 목록 또는 개인 네트워크 액세스를 사용하여 DBFS API 또는 Databricks CLI를 통해 데이터 액세스에 대한 액세스를 제한할 수 있으므로 반드시 주요 데이터 반출 문제는 아닙니다. 그러나 Azure Databricks의 사용이 증가하고 더 많은 사용자가 작업 영역에 참여함에 따라 해당 사용자는 DBFS에 저장된 모든 데이터에 액세스할 수 있으므로 원치 않는 정보 공유가 발생할 수 있습니다. Databricks는 고객이 프로덕션 데이터를 DBFS에 저장하지 않는 것을 권장합니다.", + "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c", + "service": "Azure Databricks", + "severity": "높다", + "text": "프로덕션 데이터를 DBFS에 저장하지 마십시오.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "관리하는 스토리지 계정의 경우 스토리지 계정이 요구 사항에 따라 보호되도록 하는 것은 사용자의 책임입니다. 
예를 들어 고객 관리형 키를 사용한 암호화, 스토리지 방화벽을 사용하여 신뢰할 수 있는 네트워크에 대한 액세스 제한, 익명 공용 액세스는 허용되지 않음 등이 있습니다", + "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "severity": "보통", + "text": "스토리지를 암호화하고 액세스를 제한합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Notebook, 비밀, Databricks SQL 쿼리 및 Databricks SQL 쿼리 기록과 같은 Azure Databricks 컨트롤 플레인 내에 저장된 선택 데이터 및 DBFS에 사용되는 루트 스토리지 계정에 대한 고객 관리형 키를 추가합니다. Azure Databricks는 진행 중인 작업을 위해 이 키에 액세스해야 합니다. 키에 대한 액세스를 취소하여 Azure Databricks가 컨트롤 플레인(또는 백업) 내에서 암호화된 데이터에 액세스하지 못하도록 할 수 있습니다. 이는 작업 공간이 기능을 멈추는 핵 옵션과 같지만 극한 상황에 대한 비상 제어를 제공합니다. 이 기능을 사용하려면 프리미엄 가격 책정 계층이 필요합니다.", + "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "severity": "보통", + "text": "관리 서비스 및 작업 영역 스토리지에 대한 고객 관리형 키 추가Add a customer-managed key for managed services and workspace storage", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "사용자 또는 API 클라이언트가 VPN 또는 사무실 네트워크와 같은 알려진 양호한 IP 주소 범위에서 오는지 확인하여 계정 콘솔 및 작업 영역 수준에서 Databricks에 인증할 수 있는 IP 주소를 제한하는 IP 액세스 목록을 구성합니다. 사용자가 VPN 연결을 끊을 때와 같이 잘못된 IP 주소로 이동하는 경우 설정된 사용자 세션이 작동하지 않습니다. 
", + "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", + "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list", + "service": "Azure Databricks", + "severity": "보통", + "text": "IP 액세스 목록을 활성화하여 특정 IP 주소에 대한 액세스를 제한합니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Private Link는 한 Azure 환경에서 다른 환경으로의 프라이빗 네트워크 경로를 제공합니다. Private Link는 Azure Databricks 사용자와 컨트롤 플레인 간에, 그리고 컨트롤 플레인과 데이터 플레인 사이에도 구성할 수 있습니다. Databricks 사용자와 컨트롤 플레인 간에 Private Link는 인바운드 요청의 원본을 제한하는 강력한 컨트롤을 제공합니다. 회사가 이미 Azure 환경을 통해 트래픽을 라우팅하는 경우 사용자와 Azure Databricks 컨트롤 플레인 간의 통신이 공용 IP 주소를 트래버스하지 않도록 Private Link를 사용할 수 있습니다. 이 기능을 사용하려면 프리미엄 가격 책정 계층이 필요합니다. Azure Private Link를 사용하여 Azure Databricks에서 Azure 리소스로 연결합니다. Private Link는 다음을 보장합니다.", + "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3", + "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link", + "service": "Azure Databricks", + "severity": "보통", + "text": "Azure Private Link를 구성하고 사용하여 Azure 리소스에 액세스합니다.", + "waf": "안전" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", "severity": "낮다", - "text": "여러 지역에 여러 OAI 인스턴스 배포", + "text": "모범 사례는 기준 고가용성 영역 중복 웹 애플리케이션 아키텍처를 참조하세요.", "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + 
"checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "보통", + "text": "프리미엄 및 표준 계층을 사용합니다. 이러한 계층은 스테이징 슬롯 및 자동 백업을 지원합니다.", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", "severity": "높다", - "text": "APIM과 같은 게이트웨이 패턴을 사용하여 재시도 및 상태 확인 구현Implement retry & healthchecks with gateway pattern like APIM", + "text": "지역적으로 적용 가능한 경우 가용성 영역 활용(프리미엄 v2 또는 v3 계층 필요)", "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "보통", - "text": "워크로드에 대한 TPM 및 RPM의 적절한 할당량이 있는지 확인합니다.", + "text": "상태 확인 구현", "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", - "severity": "보통", - "text": "HAI 도구 키트 지침의 고려 사항을 검토하고 slution에 대한 이러한 상호 작용 방법을 적용합니다", - "waf": "운영 우수성" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": 
"https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", + "severity": "높다", + "text": "Azure App Service에 대한 백업 및 복원 모범 사례를 참조하세요.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", + "severity": "높다", + "text": "Azure App Service 안정성 모범 사례 구현", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "낮다", + "text": "App Service 앱을 다른 지역으로 이동하는 방법을 숙지합니다. 
재해가 발생하는 동안", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", + "severity": "높다", + "text": "Azure App Service의 안정성 지원 숙지", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "severity": "보통", - "text": "미세 조정이 사용되는 경우 지역 간에 별도의 미세 조정된 모델을 배포합니다.", + "text": "App Service 계획에서 실행되는 Function Apps에 대해 \"Always On\"이 사용하도록 설정되어 있는지 확인합니다.", "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "보통", - "text": "중요한 데이터를 정기적으로 백업 및 복제하여 데이터 손실 또는 시스템 장애 발생 시 데이터 가용성과 복구 가능성을 보장합니다. Azure의 백업 및 재해 복구 서비스를 활용하여 데이터를 보호하세요.", + "text": "상태 검사를 사용하여 App Service 인스턴스 모니터링Monitor App Service instances using Health checks", "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", - "severity": "높다", - "text": "SLA를 갖도록 Azure AI 검색 서비스 계층을 선택해야 합니다. 
", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", + "severity": "보통", + "text": "Application Insights 가용성 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링", "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", "severity": "낮다", - "text": "임베딩을 생성하기 전에 데이터 및 민감도를 분류하고 Microsoft Purview를 사용하여 레이블을 지정하고 생성된 임베딩을 동일한 민감도 및 분류로 처리해야 합니다", - "waf": "안전" + "text": "Application Insights 표준 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Key Vault를 사용하여 애플리케이션에 필요한 모든 비밀을 저장합니다. 
Key Vault는 비밀을 저장하기 위한 안전하고 감사된 환경을 제공하며 Key Vault SDK 또는 App Service Key Vault 참조를 통해 App Service와 잘 통합됩니다.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "높다", - "text": "BYOK(옵션)를 사용한 SSE/디스크 암호화로 RAG에 사용되는 데이터 암호화", + "text": "Key Vault를 사용하여 비밀 저장", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "관리 ID를 사용하여 Key Vault SDK를 사용하거나 App Service Key Vault 참조를 통해 Key Vault에 연결합니다.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "높다", - "text": "데이터 소스 간 전송 중인 데이터, RAG(Retrieval-Augmented Generation) 및 LLM 통신에 사용되는 AI 검색에 TLS가 적용되는지 확인합니다.", + "text": "관리 ID를 사용하여 Key Vault에 연결", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service TLS 인증서를 Key Vault에 저장합니다.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "severity": "높다", - "text": "RBAC를 사용하여 Azure OpenAI 서비스에 대한 액세스를 관리합니다. 
사용자에게 적절한 권한을 할당하고 사용자의 역할과 책임에 따라 액세스를 제한합니다.", + "text": "Key Vault를 사용하여 TLS 인증서를 저장합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "중요한 정보를 처리하는 시스템은 격리해야 합니다. 이렇게 하려면 별도의 App Service 계획 또는 App Service Environment를 사용하고 다른 구독 또는 관리 그룹을 사용하는 것이 좋습니다.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "보통", - "text": "데이터 암호화, 마스킹 또는 수정 기술을 구현하여 비프로덕션 환경에서 또는 테스트 또는 문제 해결을 위해 데이터를 공유할 때 민감한 데이터를 숨기거나 난독화된 값으로 대체합니다.", + "text": "민감한 정보를 처리하는 시스템 격리", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Azure Defender를 활용하여 보안 위협을 탐지 및 대응하고 의심스러운 활동 또는 위반을 식별하기 위한 모니터링 및 경고 메커니즘을 설정합니다. 고급 위협 탐지 및 대응을 위해 Azure Sentinel 활용", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service의 로컬 디스크는 암호화되지 않으며 중요한 데이터를 저장해서는 안 됩니다. 
(예: D:\\\\Local and %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", + "severity": "보통", + "text": "로컬 디스크에 중요한 데이터를 저장하지 마십시오.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "인증된 웹 애플리케이션의 경우 Azure AD 또는 Azure AD B2C와 같이 잘 설정된 ID 공급자를 사용합니다. 선택한 애플리케이션 프레임워크를 활용하여 이 공급자와 통합하거나 App Service 인증/권한 부여 기능을 사용합니다.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "severity": "보통", - "text": "규정 준수 규정을 준수하기 위해 데이터 보존 및 폐기 정책을 수립합니다. 더 이상 필요하지 않은 데이터에 대한 안전한 삭제 방법을 구현하고 데이터 보존 및 폐기 활동에 대한 감사 추적을 유지 관리합니다.", + "text": "인증에 설정된 ID 공급자 사용", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "잘 관리되고 안전한 DevOps 배포 파이프라인과 같이 제어되고 신뢰할 수 있는 환경에서 App Service에 코드를 배포합니다. 
이렇게 하면 버전이 제어되지 않고 악성 호스트에서 배포되는 것으로 확인되지 않은 코드를 방지할 수 있습니다.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "severity": "높다", - "text": "Content Safety를 사용하여 Prompt shields 및 groundedness detection 구현 ", - "waf": "운영 우수성" + "text": "신뢰할 수 있는 환경에서 배포", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "FTP/FTPS 및 WebDeploy/SCM 모두에 대한 기본 인증을 사용 안함으로 설정합니다. 이렇게 하면 이러한 서비스에 대한 액세스가 비활성화되고 배포에 Azure AD 보안 엔드포인트가 사용됩니다. SCM 사이트는 Azure AD 자격 증명을 사용하여 열 수도 있습니다.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "severity": "높다", - "text": "개인 정보 보호 제어를 구현하고 데이터 처리 활동에 필요한 동의 또는 권한을 얻어 GDPR 또는 HIPAA와 같은 관련 데이터 보호 규정을 준수하도록 합니다.", + "text": "기본 인증 사용 안 함", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", - "severity": "보통", - "text": "데이터 보안 모범 사례, 데이터 안전한 처리의 중요성, 데이터 침해와 관련된 잠재적 위험에 대해 직원을 교육합니다. 데이터 보안 프로토콜을 성실히 따르도록 권장합니다.", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "가능한 경우 관리 ID를 사용하여 Azure AD 보안 리소스에 연결합니다. 
이렇게 할 수 없는 경우 Key Vault에 비밀을 저장하고 대신 관리 ID를 사용하여 Key Vault에 연결합니다.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", + "severity": "높다", + "text": "관리 ID를 사용하여 리소스에 연결", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 관리 ID를 사용하여 끌어옵니다.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", "severity": "높다", - "text": "생산 데이터를 개발 및 테스트 데이터와 분리합니다. 프로덕션에서는 실제 민감한 데이터만 사용하고 개발 및 테스트 환경에서는 익명 또는 합성 데이터를 활용합니다.", + "text": "관리 ID를 사용하여 컨테이너 끌어오기", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service의 진단 설정을 구성하면 모든 원격 분석을 로깅 및 모니터링의 중앙 대상으로 Log Analytics에 보낼 수 있습니다. 이를 통해 HTTP 로그, 애플리케이션 로그, 플랫폼 로그 등과 같은 App Service의 런타임 활동을 모니터링할 수 있습니다.", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "severity": "보통", - "text": "데이터 민감도 수준이 다양하다면 각 수준에 대해 별도의 인덱스를 만드는 것이 좋습니다. 
예를 들어, 일반 데이터에 대한 인덱스와 민감한 데이터에 대한 인덱스가 있을 수 있으며, 각각 다른 액세스 프로토콜에 의해 제어됩니다", + "text": "Log Analytics에 App Service 런타임 로그 보내기Send App Service runtime logs to Log Analytics", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "활동 로그를 Log Analytics에 로깅 및 모니터링의 중앙 대상으로 보내도록 진단 설정을 지정합니다. 이렇게 하면 App Service 리소스 자체에서 컨트롤 플레인 작업을 모니터링할 수 있습니다.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "severity": "보통", - "text": "한 단계 더 나아가 중요한 데이터 세트를 서비스의 다른 인스턴스에 배치합니다. 각 인스턴스는 고유한 특정 RBAC 정책 집합으로 제어할 수 있습니다", + "text": "Log Analytics에 App Service 활동 로그 보내기Send App Service activity logs to Log Analytics", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "지역 VNet 통합, 네트워크 보안 그룹 및 UDR의 조합을 사용하여 아웃바운드 네트워크 액세스를 제어합니다. 트래픽은 Azure Firewall과 같은 NVA로 라우팅되어야 합니다. 방화벽의 로그를 모니터링해야 합니다.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", + "severity": "보통", + "text": "아웃바운드 네트워크 액세스를 제어해야 함", + "waf": "안전" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "VNet 통합을 사용하고 VNet NAT Gateway 또는 NVA와 같은 Azure Firewall을 사용하여 안정적인 아웃바운드 IP를 제공할 수 있습니다. 이렇게 하면 필요한 경우 수신 당사자가 IP를 기반으로 허용 목록을 만들 수 있습니다. Azure 서비스에 대한 통신의 경우 IP 주소에 의존할 필요가 없는 경우가 많으며 서비스 엔드포인트와 같은 메커니즘을 대신 사용해야 합니다. 
(또한 수신 끝에서 프라이빗 엔드포인트를 사용하면 SNAT가 발생하지 않고 안정적인 아웃바운드 IP 범위를 제공합니다.)", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "낮다", + "text": "인터넷 주소에 대한 아웃바운드 통신을 위한 안정적인 IP 보장", + "waf": "안전" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service 액세스 제한, 서비스 엔드포인트 또는 프라이빗 엔드포인트의 조합을 사용하여 인바운드 네트워크 액세스를 제어합니다. 웹앱 자체 및 SCM 사이트에 대해 서로 다른 액세스 제한이 필요하고 구성될 수 있습니다.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "높다", - "text": "민감한 정보에서 생성된 임베딩과 벡터는 그 자체로 민감하다는 점을 인식해야 합니다. 이 데이터에는 원본 자료와 동일한 보호 조치가 제공되어야 합니다", + "text": "인바운드 네트워크 액세스를 제어해야 합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Application Gateway 또는 Azure Front Door와 같은 Web Application Firewall을 사용하여 악의적인 인바운드 트래픽으로부터 보호합니다. 
WAF의 로그를 모니터링해야 합니다.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "severity": "높다", - "text": "임베딩 및 벡터가 있는 데이터 저장소에 RBAC를 적용하고 역할의 액세스 요구 사항에 따라 액세스 범위를 지정합니다.", + "text": "App Service 앞에서 WAF 사용Use a WAF in front of App Service", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "WAF에 대한 액세스만 잠궈 WAF를 우회할 수 없는지 확인합니다. 액세스 제한, 서비스 엔드포인트 및 프라이빗 엔드포인트의 조합을 사용합니다.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "높다", - "text": "AI 서비스에 대한 프라이빗 엔드포인트를 구성하여 네트워크 내 서비스 액세스를 제한합니다.", + "text": "WAF가 우회되지 않도록 방지", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service 구성에서 최소 TLS 정책을 1.2로 설정합니다.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", + "severity": "보통", + "text": "최소 TLS 정책을 1.2로 설정합니다.", + "waf": "안전" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App 
Service Review", + "description": "HTTPS만 사용하도록 App Service를 구성합니다. 이로 인해 App Service가 HTTP에서 HTTPS로 리디렉션됩니다. 코드 또는 WAF에서 HSTS(HTTP Strict Transport Security)를 사용하여 HTTPS를 통해서만 사이트에 액세스해야 함을 브라우저에 알리는 것이 좋습니다.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", + "severity": "높다", + "text": "HTTPS만 사용", + "waf": "안전" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "CORS 구성에서 와일드카드를 사용하면 모든 원본이 서비스에 액세스할 수 있으므로 CORS의 목적에 어긋나므로 사용하지 마세요. 특히 서비스에 액세스할 수 있을 것으로 예상되는 원본만 허용합니다.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", "severity": "높다", - "text": "Azure Firewall 및 UDR을 사용하여 엄격한 인바운드 및 아웃바운드 트래픽 제어를 적용하고 외부 통합 지점을 제한합니다.", + "text": "와일드카드는 CORS에 사용할 수 없습니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "원격 디버깅은 서비스에서 추가 포트를 열어 공격 노출 영역을 증가시키므로 프로덕션에서 켜면 안 됩니다. 
서비스는 48시간 후에 자동으로 원격 디버깅을 설정합니다.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", "severity": "높다", - "text": "네트워크 세분화 및 액세스 제어를 구현하여 LLM 애플리케이션에 대한 액세스를 인증된 사용자 및 시스템으로만 제한하고 측면 이동을 방지합니다.", + "text": "원격 디버깅 끄기", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service용 Defender를 사용하도록 설정합니다. 이는 다른 위협 중에서도 알려진 악성 IP 주소에 대한 통신을 탐지합니다. 작업의 일부로 App Service용 Defender의 권장 사항을 검토합니다.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "보통", - "text": "LLMLingua 또는 gprtrim과 같은 프롬프트 압축 도구 사용", - "waf": "비용 최적화" + "text": "클라우드용 Defender 사용 - App Service용 Defender", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "높다", - "text": "LLM 애플리케이션에서 사용하는 API 및 엔드포인트가 관리 ID, API 키 또는 OAuth와 같은 인증 및 권한 부여 메커니즘으로 적절하게 보호되어 무단 액세스를 방지해야 합니다.", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure는 네트워크에서 DDoS 기본 보호를 제공하며, 정상적인 트래픽 패턴을 학습하고 비정상적인 동작을 감지할 수 있는 지능형 DDoS 표준 기능으로 개선할 수 있습니다. 
DDoS 표준은 Virtual Network에 적용되므로 Application Gateway 또는 NVA와 같은 앱 앞의 네트워크 리소스에 대해 구성해야 합니다.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", + "severity": "보통", + "text": "WAF VNet에서 DDOS 보호 표준 사용Enable DDOS Protection Standard on the WAF VNet", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 프라이빗 엔드포인트 및 앱 설정 'WEBSITE_PULL_IMAGE_OVER_VNET'를 사용하여 Azure Container Registry에서 가상 네트워크를 통해 끌어옵니다.", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "severity": "보통", - "text": "다단계 인증(multi-factor authentication)과 같은 강력한 최종 사용자 인증 메커니즘을 적용하여 LLM 애플리케이션 및 관련 네트워크 리소스에 대한 무단 액세스를 방지합니다.", + "text": "Virtual Network를 통해 컨테이너 끌어오기", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "참여의 침투 테스트 규칙에 따라 웹 응용 프로그램에 대한 침투 테스트를 수행합니다.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "severity": "보통", - "text": "네트워크 모니터링 도구를 구현하여 의심스럽거나 악의적인 활동에 대한 네트워크 트래픽을 탐지하고 분석합니다. 
로깅을 활성화하여 네트워크 이벤트를 캡처하고 보안 사고 발생 시 포렌식 분석을 용이하게 합니다.", + "text": "침투 테스트 수행", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "DevSecOps 사례에 따라 취약성을 검증하고 검사한 신뢰할 수 있는 코드를 배포합니다.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "보통", - "text": "보안 감사 및 침투 테스트를 수행하여 LLM 애플리케이션의 네트워크 인프라에서 네트워크 보안 약점 또는 취약성을 식별하고 해결합니다.", + "text": "유효성이 검사된 코드 배포", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "지원되는 플랫폼, 프로그래밍 언어, 프로토콜 및 프레임워크의 최신 버전을 사용합니다.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "높다", + "text": "최신 플랫폼, 언어, 프로토콜 및 프레임워크 사용", + "waf": "안전" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", "severity": "낮다", - "text": "Azure AI 서비스는 더 나은 관리를 위해 적절하게 태그가 지정됩니다.", - "waf": "운영 우수성" + "text": "AKS Windows 워크로드에 필요한 경우 HostProcess 컨테이너를 사용할 수 있습니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - 
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", "severity": "낮다", - "text": "Azure AI Service 계정은 조직의 명명 규칙을 따릅니다.", - "waf": "운영 우수성" + "text": "이벤트 기반 워크로드를 실행하는 경우 KEDA 사용Use KEDA if running event-driven workloads", + "waf": "공연" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Azure AI Services 리소스의 진단 로그를 사용하도록 설정해야 함", - "waf": "운영 우수성" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "낮다", + "text": "Dapr을 사용하여 마이크로 서비스 개발 용이", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "severity": "높다", - "text": "키 액세스(로컬 인증)는 보안을 위해 사용하지 않도록 설정하는 것이 좋습니다. 키 기반 액세스를 사용하지 않도록 설정하면 Microsoft Entra ID가 유일한 액세스 방법이 되어 최소 권한 원칙과 세분화된 제어를 유지할 수 있습니다. 
", - "waf": "안전" + "text": "SLA 지원 AKS 제품 사용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Azure Key Vault를 사용하여 키를 안전하게 저장하고 관리하세요. LLM 애플리케이션의 코드 내에 중요한 키를 하드 코딩하거나 포함하지 않도록 하고 관리 ID를 사용하여 Azure Key Vault에서 안전하게 검색합니다.", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "낮다", + "text": "Pod 및 배포 정의에서 중단 예산 사용Use Disruption Budgets in your pod and deployment definitions", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "높다", - "text": "Azure Key Vault에 저장된 키를 정기적으로 회전하고 만료하여 무단 액세스의 위험을 최소화합니다.", - "waf": "안전" + "text": "개인 레지스트리를 사용하는 경우 여러 지역에 이미지를 저장하도록 지역 복제를 구성합니다", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", - "severity": "높다", - "text": "tiktoken을 사용하여 대화 모드에서 토큰 최적화를 위한 토큰 크기 이해", - "waf": "비용 최적화" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS 
Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "낮다", + "text": "kubecost와 같은 외부 애플리케이션을 사용하여 다른 사용자에게 비용 할당", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "Azure OpenAI", - "severity": "높다", - "text": "보안 코딩 관행에 따라 주입 공격, XSS(교차 사이트 스크립팅) 또는 보안 구성 오류와 같은 일반적인 취약성을 방지합니다", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "낮다", + "text": "축소 모드를 사용하여 노드 삭제/할당 취소", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", - "severity": "높다", - "text": "LLM 라이브러리와 다른 시스템 컴포넌트를 정기적으로 업데이트하고 패치하는 프로세스를 설정합니다.", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", + "severity": "보통", + "text": "필요한 경우 AKS 클러스터에서 다중 인스턴스 분할 GPU 사용", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", - "severity": "높다", - 
"text": "Azure OpenAI 또는 기타 LLM 사용 약관, 정책 및 지침, 허용되는 사용 사례 준수", - "waf": "운영 우수성" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "낮다", + "text": "개발/테스트 클러스터를 실행하는 경우 NodePool 시작/중지를 사용합니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "severity": "보통", - "text": "기본 모델과 미세 조정된 모델 및 토큰 단계 크기의 비용 차이를 이해합니다.", - "waf": "비용 최적화" + "text": "Kubernetes용 Azure Policy를 사용하여 클러스터 규정 준수 보장", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", - "severity": "높다", - "text": "가능한 경우 호출당 오버헤드를 최소화하여 전체 비용을 줄일 수 있는 일괄 처리 요청. 
배치 크기를 최적화해야 합니다.", - "waf": "비용 최적화" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "보통", + "text": "사용자/시스템 노드 풀이 있는 컨트롤 플레인에서 응용 프로그램 분리", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", - "severity": "보통", - "text": "모델 사용을 모니터링하는 비용 추적 시스템을 설정하고 해당 정보를 사용하여 모델 선택 및 프롬프트 크기를 알립니다", - "waf": "비용 최적화" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "낮다", + "text": "시스템 nodepool에 taint를 추가하여 전용으로 만듭니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "보통", - "text": "모델 응답당 토큰 수에 대한 최대 제한을 설정합니다. 
유효한 응답에 사용할 수 있을 만큼 충분히 큰지 확인하기 위해 크기를 최적화합니다", - "waf": "비용 최적화" + "text": "이미지에 개인 레지스트리(예: ACR) 사용", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "보통", - "text": "안정성을 위한 AI 검색 설정에 대해 제공된 지침을 검토합니다.", - "waf": "운영 우수성" + "text": "이미지에서 취약성 검사", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", - "severity": "보통", - "text": "AI Search Vector 스토리지 계획 및 관리", - "waf": "운영 우수성" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", + "severity": "높다", + "text": "앱 분리 요구 사항 정의(네임스페이스/노드 풀/클러스터)", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": 
"AKS", "severity": "보통", - "text": "LLMOps 사례를 적용하여 GenAI 애플리케이션의 라이프사이클 관리를 자동화합니다.", - "waf": "운영 우수성" + "text": "CSI 비밀 저장소 드라이버를 사용하여 Azure Key Vault에 비밀 저장", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "높다", - "text": "청구 모델 사용 평가 - PAYG 대 PTU", - "waf": "비용 최적화" + "text": "클러스터에 서비스 주체를 사용하는 경우 주기적으로(예: 분기별) 자격 증명을 새로 고칩니다", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": "보통", - "text": "모델 버전 간에 전환할 때 프롬프트와 응용 프로그램의 품질을 평가합니다.", - "waf": "운영 우수성" + "text": "필요한 경우 키 관리 서비스 etcd 암호화를 추가합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "보통", - "text": "GenAI 앱을 평가, 모니터링 및 개선하여 근거, 
관련성, 정확성, 일관성, 유창성 등의 기능을 제공합니다.", - "waf": "운영 우수성" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 AKS용 기밀 컴퓨팅을 사용하는 것이 좋습니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "severity": "보통", - "text": "다양한 검색 매개 변수를 기반으로 Azure AI Search 결과를 평가합니다", - "waf": "운영 우수성" + "text": "컨테이너용 Defender 사용 고려", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", - "severity": "보통", - "text": "데이터를 사용하여 프롬프트 엔지니어링 및 RAG와 같은 다른 기본 접근 방식을 시도한 경우에만 모델을 미세 조정하여 정확도를 높이는 방법으로 살펴보십시오", - "waf": "운영 우수성" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", + "severity": "높다", + "text": "서비스 주체 대신 관리 ID 사용", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "severity": "보통", - "text": "프롬프트 엔지니어링 기법을 사용하여 LLM 응답의 정확도 향상", - "waf": "운영 우수성" + "text": "AAD와 인증 통합(관리형 통합 사용)", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "보통", - "text": "GenAI 애플리케이션을 위한 레드 팀", + "text": "관리자 kubeconfig에 대한 액세스 제한(get-credentials --admin)", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "severity": "보통", - "text": "최종 사용자에게 LLM 응답에 대한 점수 매기기 옵션을 제공하고 이러한 점수를 추적합니다. 
",
- "waf": "운영 우수성"
+ "text": "AAD RBAC와 권한 부여 통합",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
+ "service": "AKS",
 "severity": "높다",
- "text": "할당량 관리 방법 고려",
- "waf": "비용 최적화"
+ "text": "쿠버네티스에서 RBAC 권한을 제한하기 위해 네임스페이스 사용",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
- "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
- "service": "Azure OpenAI",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410",
+ "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar",
+ "service": "AKS",
 "severity": "보통",
- "text": "APIM 기반 게이트웨이와 같은 Load Balancer 솔루션을 사용하여 서비스 및 지역 간에 부하와 용량을 분산합니다",
- "waf": "운영 우수성"
+ "text": "Pod ID 액세스 관리의 경우 Azure AD 워크로드 ID(미리 보기)를 사용합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "스토리지와 관련된 Microsoft 클라우드 보안 벤치마크의 지침 적용",
- "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3",
+ "link": 
"https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin",
+ "service": "AKS",
+ "severity": "보통",
+ "text": "AKS 비대화형 로그인의 경우 kubelogin(미리 보기)을 사용합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
+ "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
+ "service": "AKS",
 "severity": "보통",
- "text": "'스토리지에 대한 Azure 보안 기준'을 고려합니다.",
+ "text": "AKS 로컬 계정 사용 안 함",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Azure Storage는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 액세스가 필요한 Azure Compute 리소스에만 Azure Storage를 안전하게 노출할 수 있으므로 공용 인터넷에 노출되지 않습니다",
- "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
- "service": "Azure Storage",
- "severity": "높다",
- "text": "Azure Storage에 프라이빗 엔드포인트를 사용하는 것이 좋습니다.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
+ "service": "AKS",
+ "severity": "낮다",
+ "text": "필요한 경우 Just-in-time 클러스터 액세스 구성",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "새로 만든 스토리지 계정은 ARM 배포 모델을 사용하여 생성되므로 RBAC, 감사 등이 모두 활성화됩니다. 
구독에 클래식 배포 모델을 사용하는 이전 저장소 계정이 없는지 확인합니다.",
- "guid": "30e37c3e-2971-41b2-963c-eee079b598de",
- "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
- "service": "Azure Storage",
- "severity": "보통",
- "text": "이전 스토리지 계정이 '클래식 배포 모델'을 사용하지 않는지 확인",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks",
+ "service": "AKS",
+ "severity": "낮다",
+ "text": "AKS에 필요한 경우 AAD 조건부 액세스 구성",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Microsoft Defender를 활용하여 의심스러운 활동 및 잘못된 구성에 대해 알아보세요.",
- "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d",
- "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure",
- "service": "Azure Storage",
- "severity": "높다",
- "text": "모든 스토리지 계정에 대해 Microsoft Defender 사용",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3",
+ "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts",
+ "service": "AKS",
+ "severity": "낮다",
+ "text": "Windows AKS 워크로드에 필요한 경우 gMSA를 구성합니다. 
",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "일시 삭제 메커니즘을 사용하면 실수로 삭제된 Blob을 복구할 수 있습니다.",
- "guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "1f711a74-3672-470b-b8b8-a2148d640d79",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity",
+ "service": "AKS",
 "severity": "보통",
- "text": "Blob에 대해 '일시 삭제' 사용Enable 'soft delete' for blobs",
+ "text": "더 세밀하게 제어하려면 관리형 Kubelet ID를 사용하는 것이 좋습니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. 
",
- "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
+ "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
+ "service": "AKS",
 "severity": "보통",
- "text": "Blob에 대해 '일시 삭제' 사용 안 함",
- "waf": "안전"
+ "text": "AGIC를 사용하는 경우 클러스터 간에 AppGW를 공유하지 마세요",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "컨테이너에 대한 일시 삭제를 사용하면 컨테이너가 삭제된 후 복구할 수 있습니다(예: 실수로 삭제한 작업에서 복구).",
- "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
+ "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
+ "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
+ "service": "AKS",
 "severity": "높다",
- "text": "컨테이너에 대해 '일시 삭제' 사용Enable 'soft delete' for containers",
- "waf": "안전"
+ "text": "AKS HTTP 라우팅 추가 기능을 사용하지 말고, 애플리케이션 라우팅 추가 기능과 함께 관리되는 NGINX 수신을 대신 사용합니다.",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. 
",
- "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
+ "service": "AKS",
 "severity": "보통",
- "text": "컨테이너에 대해 '일시 삭제' 사용 안 함",
- "waf": "안전"
+ "text": "Windows 워크로드의 경우 가속화된 네트워킹을 사용합니다.",
+ "waf": "공연"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "사용자가 삭제하기 전에 먼저 삭제 잠금을 제거하도록 강제하여 스토리지 계정의 우발적인 삭제를 방지합니다.",
- "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
- "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
+ "guid": "ba7da7be-9952-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
 "severity": "높다",
- "text": "스토리지 계정에 대한 리소스 잠금 사용Enable resource locks on storage accounts",
- "waf": "안전"
+ "text": "표준 ALB 사용(기본 ALB와 반대)",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Blob에 대한 '법적 보존' 또는 '시간 기반 보존' 정책을 고려하면 Blob, 컨테이너 또는 스토리지 계정을 삭제할 수 없습니다. '불가능한'은 실제로 '불가능한'을 의미합니다. 
스토리지 계정에 변경할 수 없는 Blob이 포함되면 해당 스토리지 계정을 '제거'하는 유일한 방법은 Azure 구독을 취소하는 것입니다.",
- "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
- "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
- "service": "Azure Storage",
- "severity": "높다",
- "text": "변경할 수 없는 Blob 고려",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
+ "service": "AKS",
+ "severity": "보통",
+ "text": "Azure CNI를 사용하는 경우 NodePools에 다른 서브넷을 사용하는 것이 좋습니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "스토리지 계정에 대한 보호되지 않는 HTTP/80 액세스를 사용하지 않도록 설정하여 모든 데이터 전송이 암호화되고 무결성이 보호되며 서버가 인증되도록 하는 것이 좋습니다. ",
- "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
- "service": "Azure Storage",
- "severity": "높다",
- "text": "HTTPS 필요, 즉 스토리지 계정에서 포트 80 사용 안 함Require HTTPS, i.e. disable port 80 on the storage account",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
+ "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
+ "service": "AKS",
+ "severity": "보통",
+ "text": "프라이빗 엔드포인트(기본 설정) 또는 Virtual Network 서비스 엔드포인트를 사용하여 클러스터에서 PaaS 서비스에 액세스",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "스토리지 계정에서 사용자 지정 도메인(호스트 이름)을 구성할 때 TLS/HTTPS가 필요한지 확인합니다. 
이 경우 스토리지 계정 앞에 Azure CDN을 배치해야 할 수 있습니다.",
- "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
+ "guid": "a0f61565-9de5-458f-a372-49c831112dbd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "severity": "높다",
- "text": "HTTPS를 적용(HTTP 사용 안 함)할 때 스토리지 계정에 사용자 지정 도메인(CNAME)을 사용하지 않는지 확인합니다.",
- "waf": "안전"
+ "text": "요구 사항에 가장 적합한 CNI 네트워크 플러그 인 선택(Azure CNI 권장)",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "클라이언트가 SAS 토큰을 사용하여 Blob 데이터에 액세스할 때 HTTPS를 요구하면 자격 증명 손실 위험을 최소화하는 데 도움이 됩니다.",
- "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
- "service": "Azure Storage",
- "severity": "보통",
- "text": "SAS(공유 액세스 서명) 토큰을 HTTPS 연결로만 제한",
- "waf": "안전"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
+ "severity": "높다",
+ "text": "Azure CNI를 사용하는 경우 노드당 최대 Pod 수를 고려하여 서브넷 크기를 적절하게 조정합니다",
+ "waf": "공연"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": ". 최신 TLS 버전을 적용하면 이전 버전을 사용하는 클라이언트의 요청이 거부됩니다. 
",
- "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant",
- "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55",
- "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "severity": "높다",
- "text": "스토리지 계정에 대한 최신 TLS 버전 적용Enforce the latest TLS version for a storage account",
+ "text": "Azure CNI를 사용하는 경우 최대 Pod/노드(기본값 30)를 확인합니다.",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "내부 앱의 경우 조직은 방화벽에서 전체 AKS 서브넷을 여는 경우가 많습니다. 이렇게 하면 노드에 대한 네트워크 액세스도 열리고 잠재적으로 Pod에 대한 액세스도 열립니다(Azure CNI를 사용하는 경우). LoadBalancer IP가 다른 서브넷에 있는 경우 앱 클라이언트에서 이 IP만 사용할 수 있어야 합니다. 
또 다른 이유는 AKS 서브넷의 IP 주소가 부족한 리소스인 경우 서비스에 해당 IP 주소를 사용하면 클러스터의 최대 확장성이 감소하기 때문입니다.",
+ "guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
+ "link": "https://learn.microsoft.com/azure/aks/internal-lb",
+ "service": "AKS",
+ "severity": "낮다",
+ "text": "개인 IP LoadBalancer 서비스를 사용하는 경우 AKS 서브넷이 아닌 전용 서브넷을 사용합니다",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "가능한 경우 Microsoft Entra ID 토큰을 공유 액세스 서명보다 선호해야 합니다",
- "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
- "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "severity": "높다",
- "text": "Blob 액세스에 Microsoft Entra ID 토큰 사용Use Microsoft Entra ID tokens for blob access",
+ "text": "그에 따라 서비스 IP 주소 범위의 크기를 조정합니다(클러스터 확장성이 제한됨).",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f",
+ "link": "https://learn.microsoft.com/azure/aks/use-byo-cni",
+ "service": "AKS",
+ "severity": "낮다",
+ "text": "필요한 경우 자체 CNI 플러그인을 추가합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "사용자, 그룹 또는 응용 프로그램에 역할을 할당할 때 해당 보안 주체가 작업을 수행하는 데 필요한 권한만 부여합니다. 
리소스에 대한 액세스를 제한하면 의도하지 않은 데이터 오용과 악의적인 데이터 오용을 모두 방지할 수 있습니다.",
- "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools",
+ "service": "AKS",
+ "severity": "낮다",
+ "text": "필요한 경우 AKS에서 노드당 공용 IP 구성",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-network",
+ "service": "AKS",
 "severity": "보통",
- "text": "IaM 권한의 최소 권한",
- "waf": "안전"
+ "text": "수신 컨트롤러를 사용하여 LoadBalancer 유형 서비스를 사용하여 노출하는 대신 웹 기반 앱을 노출합니다",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "사용자 위임 SAS는 Azure AD(Azure Active Directory) 자격 증명과 SAS에 대해 지정된 권한으로 보호됩니다. 사용자 위임 SAS는 범위와 기능 측면에서 서비스 SAS와 유사하지만 서비스 SAS에 비해 보안상의 이점을 제공합니다. 
",
- "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
- "service": "Azure Storage",
- "severity": "높다",
- "text": "SAS를 사용하는 경우 스토리지 계정 키 기반 SAS보다 '사용자 위임 SAS'를 선호합니다.",
- "waf": "안전"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ccb534e7-416e-4a1d-8e93-533b53199085",
+ "link": "https://learn.microsoft.com/azure/aks/nat-gateway",
+ "service": "AKS",
+ "severity": "낮다",
+ "text": "송신 트래픽 크기 조정을 위해 Azure NAT Gateway를 outboundType으로 사용",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "스토리지 계정 키('공유 키')에는 감사 기능이 거의 없습니다. 누가/언제 키 복사본을 가져왔는지 모니터링할 수 있지만 키가 여러 사람의 손에 들어가면 특정 사용자의 사용을 귀속시킬 수 없습니다. Entra ID 인증에만 의존하면 스토리지 액세스를 사용자에게 더 쉽게 연결할 수 있습니다. ",
- "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant",
- "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
- "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
- "service": "Azure Storage",
- "severity": "높다",
- "text": "Microsoft Entra ID 액세스(및 사용자 위임 SAS)만 지원되도록 스토리지 계정 키를 사용하지 않도록 설정하는 것이 좋습니다.",
- "waf": "안전"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support",
+ "service": "AKS",
+ "severity": "보통",
+ "text": "Azure CNI IP 소모를 방지하기 위해 IP의 동적 할당 사용",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage 
Review Checklist",
- "description": "활동 로그 데이터를 사용하여 스토리지 계정의 보안을 '언제', '누가', '무엇을' 및 '어떻게' 확인하거나 변경합니다(예: 스토리지 계정 키, 액세스 정책 등).",
- "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
- "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
+ "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
+ "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
+ "service": "AKS",
 "severity": "높다",
- "text": "Azure Monitor를 사용하여 스토리지 계정에 대한 컨트롤 플레인 작업을 감사하는 것이 좋습니다",
- "waf": "안전"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "키 만료 정책을 사용하면 계정 액세스 키의 교체에 대한 미리 알림을 설정할 수 있습니다. 지정된 간격이 경과하고 키가 아직 회전되지 않은 경우 알림이 표시됩니다.",
- "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
- "service": "Azure Storage",
- "severity": "보통",
- "text": "스토리지 계정 키를 사용하는 경우 '키 만료 정책'을 사용하도록 설정하는 것이 좋습니다.",
+ "text": "보안 요구 사항에 필요한 경우 AzFW/NVA를 사용하여 송신 트래픽 필터링",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "SAS 만료 정책은 SAS가 유효한 권장 간격을 지정합니다. SAS 만료 정책은 서비스 SAS 또는 계정 SAS에 적용됩니다. 
사용자가 권장 간격보다 큰 유효성 간격으로 서비스 SAS 또는 계정 SAS를 생성하면 경고가 표시됩니다.",
- "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
- "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
+ "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
+ "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
+ "service": "AKS",
 "severity": "보통",
- "text": "SAS 만료 정책을 구성하는 것이 좋습니다.",
+ "text": "퍼블릭 API 엔드포인트를 사용하는 경우 액세스할 수 있는 IP 주소를 제한합니다",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "저장된 액세스 정책은 스토리지 계정 키를 다시 생성할 필요 없이 서비스 SAS에 대한 사용 권한을 취소할 수 있는 옵션을 제공합니다. 
",
- "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
- "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
- "service": "Azure Storage",
- "severity": "보통",
- "text": "SAS를 저장된 액세스 정책에 연결하는 것이 좋습니다.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
+ "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
+ "link": "https://learn.microsoft.com/azure/aks/private-clusters",
+ "service": "AKS",
+ "severity": "높다",
+ "text": "요구 사항에 따라 개인 클러스터를 사용합니다",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
- "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
+ "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
 "severity": "보통",
- "text": "체크 인된 연결 문자열 및 저장소 계정 키를 검색하도록 응용 프로그램의 소스 코드 리포지토리를 구성하는 것이 좋습니다.",
+ "text": "Windows 2019 및 2022 AKS 노드의 경우 Calico 네트워크 정책을 사용할 수 있습니다. ",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "이상적으로 애플리케이션은 관리 ID를 사용하여 Azure Storage에 인증해야 합니다. 
가능하지 않은 경우 Azure KeyVault 또는 동등한 서비스에 스토리지 자격 증명(연결 문자열, 스토리지 계정 키, SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다.",
- "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
- "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
+ "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
 "severity": "높다",
- "text": "Azure KeyVault에 연결 문자열을 저장하는 것이 좋습니다(관리 ID를 사용할 수 없는 시나리오에서).",
+ "text": "Kubernetes 네트워크 정책 옵션 사용(Calico/Azure)",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "임시 SAS 서비스 SAS 또는 계정 SAS에서 가까운 만료 시간을 사용합니다. 이러한 방식으로 SAS가 손상되더라도 짧은 시간 동안만 유효합니다. 이 방법은 저장된 액세스 정책을 참조할 수 없는 경우에 특히 중요합니다. 또한 단기 만료 시간은 Blob에 업로드할 수 있는 시간을 제한하여 Blob에 쓸 수 있는 데이터의 양을 제한합니다.",
- "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "severity": "높다",
- "text": "임시 SAS의 유효 기간을 단축하기 위해 노력",
+ "text": "쿠버네티스 네트워크 정책을 사용하여 클러스터 내 보안 강화",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "SAS를 만들 때는 가능한 한 구체적이고 제한적이어야 합니다. 
훨씬 더 광범위한 액세스를 제공하는 SAS보다 단일 리소스 및 작업에 대해 SAS를 선호합니다.",
- "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Azure Storage",
- "severity": "보통",
- "text": "SAS에 좁은 범위 적용",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
+ "severity": "높다",
+ "text": "웹 워크로드(UI 또는 API)에 WAF 사용Use a WAF for web workloads (UIs or APIs)",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "SAS에는 SAS를 사용하여 리소스를 요청할 수 있는 권한이 있는 클라이언트 IP 주소 또는 주소 범위에 대한 매개 변수가 포함될 수 있습니다. ",
- "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
- "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
+ "service": "AKS",
 "severity": "보통",
- "text": "가능한 경우 SAS 범위를 특정 클라이언트 IP 
주소로 지정하는 것이 좋습니다",
+ "text": "AKS Virtual Network에서 DDoS 표준 사용Use DDoS Standard in the AKS Virtual Network",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "SAS는 클라이언트가 업로드하는 데이터의 양을 제한할 수 없습니다. 시간 경과에 따른 스토리지 양의 가격 책정 모델을 감안할 때 클라이언트가 악의적으로 큰 콘텐츠를 업로드했는지 여부를 확인하는 것이 합리적일 수 있습니다.",
- "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
 "severity": "낮다",
- "text": "클라이언트가 SAS를 사용하여 파일을 업로드한 후 업로드된 데이터를 확인하는 것이 좋습니다. ",
- "waf": "안전"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "'로컬 사용자 계정'을 사용하여 SFTP를 통해 Blob Storage에 액세스하는 경우 '일반적인' RBAC 컨트롤이 적용되지 않습니다. NFS 또는 REST를 통한 Blob 액세스는 SFTP 액세스보다 더 제한적일 수 있습니다. 
안타깝게도 2023년 초부터 로컬 사용자는 현재 SFTP 엔드포인트에 대해 지원되는 유일한 ID 관리 형태입니다",
- "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
- "service": "Azure Storage",
- "severity": "높다",
- "text": "SFTP: SFTP 액세스를 위한 '로컬 사용자'의 수를 제한하고 시간이 지남에 따라 액세스가 필요한지 여부를 감사합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
 "severity": "보통",
- "text": "SFTP: SFTP 엔드포인트는 POSIX와 유사한 ACL을 지원하지 않습니다.",
- "waf": "안전"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "스토리지는 CORS(Cross-Origin Resource Sharing), 즉 다른 도메인의 웹 앱이 동일 출처 정책을 완화할 수 있도록 하는 HTTP 기능을 지원합니다. CORS를 사용하도록 설정하는 경우 CorsRules를 최소 권한으로 유지합니다.",
- "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
- "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
- "service": "Azure Storage",
- "severity": "높다",
- "text": "지나치게 광범위한 CORS 정책 방지",
+ "text": "고급 마이크로서비스 통신 관리를 위해 서비스 메시를 사용하는 것이 좋습니다",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "미사용 데이터는 항상 서버 쪽에서 암호화되며 클라이언트 쪽에서도 암호화될 수 있습니다. 서버 쪽 암호화는 플랫폼 관리형 키(기본값) 또는 고객 관리형 키를 사용하여 발생할 수 있습니다. 
클라이언트 쪽 암호화는 클라이언트가 Azure Storage에 Blob별로 암호화/암호 해독 키를 제공하도록 하거나 클라이언트 쪽에서 암호화를 완전히 처리하여 발생할 수 있습니다. 따라서 기밀 보장을 위해 Azure Storage에 전혀 의존하지 않습니다.",
- "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
- "service": "Azure Storage",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
 "severity": "높다",
- "text": "미사용 데이터를 암호화하는 방법을 결정합니다. 데이터에 대한 스레드 모델을 이해합니다.",
- "waf": "안전"
+ "text": "가장 중요한 메트릭에 대한 경고 구성(권장 사항은 Container Insights 참조)",
+ "waf": "작업"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
- "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
- "service": "Azure Storage",
- "severity": "보통",
- "text": "어떤 플랫폼 암호화를 사용해야 하는지 확인합니다.",
- "waf": "안전"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
+ "service": "AKS",
+ "severity": "낮다",
+ "text": "Azure Advisor에서 클러스터에 대한 권장 사항을 정기적으로 확인합니다.",
+ "waf": "작업"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
- "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
- "service": "Azure Storage",
- "severity": "보통",
- "text": "클라이언트 쪽 암호화를 사용해야 하는지 여부를 결정합니다.",
- "waf": "안전"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS 
Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "낮다", + "text": "AKS 자동 인증서 회전 사용", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "리소스 그래프 탐색기(리소스 | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)를 활용하여 익명 Blob 액세스를 허용하는 스토리지 계정을 찾습니다.", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", "severity": "높다", - "text": "공용 Blob 익명 액세스가 필요한지 또는 특정 스토리지 계정에 대해 사용하지 않도록 설정할 수 있는지 여부를 고려합니다. 
", - "waf": "안전" + "text": "kubernetes 버전을 주기적으로(예: 분기별) 업그레이드하거나 AKS 자동 업그레이드 기능을 사용하는 정기적인 프로세스가 있습니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "severity": "높다", - "text": "성능 및 안정성 향상을 위해 storagev2 계정 유형 활용", - "waf": "신뢰도" + "text": "node-image upgrade를 사용하지 않는 경우 Linux 노드 업그레이드에 kured를 사용합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", "severity": "높다", - "text": "최고의 가용성을 위해 GRS, ZRS 또는 GZRS 스토리지 활용", - "waf": "신뢰도" + "text": "클러스터 노드 이미지를 주기적으로(예: 매주) 업그레이드하는 정기적인 프로세스가 있습니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", - "severity": "보통", - "text": "장애 조치(failover) 후 쓰기 작업의 경우 고객 관리 장애 조치(failover)를 사용합니다. 
", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "낮다", + "text": "gitops를 고려하여 애플리케이션 또는 클러스터 구성을 여러 클러스터에 배포합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", - "severity": "보통", - "text": "Microsoft 관리 장애 조치(failover) 세부 정보 이해", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "낮다", + "text": "프라이빗 클러스터에서 AKS 명령 호출을 사용하는 것이 좋습니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", - "severity": "보통", - "text": "일시 삭제 사용", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "낮다", + "text": "계획된 이벤트의 경우 노드 자동 드레인 사용을 고려하십시오.", + "waf": "작업" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", - "severity": "보통", - "text": "Azure Bot Service의 안정성 지원 권장 사항을 따릅니다", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", + "severity": "높다", + "text": "노드 RG(일명 '인프라 RG')의 운영자가 변경을 수행하지 않도록 자체 거버넌스 관행을 개발합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "severity": "보통", - "text": "로컬 데이터 레지던시 및 지역 규정 준수를 통해 봇 배포Deploying bots with local data residency and regional compliance", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "낮다", + "text": "사용자 정의 노드 RG (일명 '인프라 RG') 이름 사용", + "waf": "작업" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "보통", - "text": "Azure Bot 
Service는 글로벌 및 지역 서비스 모두에 대해 활성-활성 모드로 실행됩니다. 중단이 발생하면 오류를 감지하거나 서비스를 관리할 필요가 없습니다. Azure Bot Service는 다중 지역 지리적 아키텍처에서 자동 장애 조치(failover) 및 자동 복구를 자동으로 수행합니다. EU 봇 지역 서비스의 경우 Azure Bot Service는 중복성을 보장하기 위해 활성/활성 복제가 있는 유럽 내 두 개의 전체 지역을 제공합니다. 글로벌 봇 서비스의 경우 사용 가능한 모든 지역/지역을 글로벌 공간으로 제공할 수 있습니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "높다", - "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 기능 호스팅 계획을 선택하십시오.", - "waf": "신뢰도" + "text": "YAML 매니페스트에서 더 이상 사용되지 않는 Kubernetes API를 사용하지 마십시오.", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "높다", - "text": "지역적으로 적용 가능한 가용성 영역 활용(소비 계층에는 사용할 수 없음)", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "낮다", + "text": "테인트 Windows 노드", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", - "severity": "보통", - "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": 
"https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "낮다", + "text": "Windows 컨테이너 패치 수준을 호스트 패치 수준과 동기화된 상태로 유지", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "높다", - "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "클러스터 수준의 진단 설정을 통해Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "낮다", + "text": "마스터 로그(즉, API 로그)를 Azure Monitor 또는 기본 로그 관리 솔루션으로 보냅니다", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", - "severity": "높다", - "text": "App Service 계획에서 실행되는 모든 함수 앱에 대해 'Always On'이 사용하도록 설정되어 있는지 확인합니다.", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 nodePool 스냅샷을 사용합니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - 
"service": "Azure Functions", - "severity": "보통", - "text": "함수 앱을 자체 스토리지 계정에 페어링합니다. 긴밀하게 결합되지 않는 한 함수 앱에 대한 스토리지 계정을 다시 사용하지 마세요", - "waf": "신뢰도" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "낮다", + "text": "시간에 민감하지 않은 워크로드에 대한 스폿 노드 풀 고려", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", - "severity": "보통", - "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 함수 앱 코드를 보호합니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "낮다", + "text": "빠른 버스팅을 위해 AKS 가상 노드 고려", "waf": "작업" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview 의 데이터 수집 규칙", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + 
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "높다", + "text": "Container Insights(또는 Prometheus와 같은 다른 도구)를 사용하여 클러스터 지표 모니터링", + "waf": "작업" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": "기본 데이터 원본을 찾을 수 없는 백업 인스턴스 확인", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "높다", + "text": "Container Insights(또는 Telegraf/ElasticSearch와 같은 다른 도구)를 사용하여 클러스터 로그를 저장하고 분석합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "연결되지 않은 서비스(디스크, NIC, IP 주소 등) 삭제 또는 보관", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", + "severity": "보통", + "text": "노드의 CPU 및 메모리 사용률 모니터링", + "waf": "작업" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost 
Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": "중요 업무용 응용 프로그램에 대한 Site Recovery 저장소와 백업 간의 적절한 균형을 고려합니다.", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "보통", + "text": "Azure CNI를 사용하는 경우 노드당 사용되는 Pod IP의 %를 모니터링합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "40개의 서로 다른 로그 분석 작업 영역 간의 지출 및 절감 기회 확인 - 비프로덕션 작업 영역에 대해 서로 다른 보존 및 데이터 수집 사용-인식 및 계층 크기 조정을 위한 일일 한도 만들기 - 일일 한도를 설정하는 경우 한도에 도달할 때 경고를 만드는 것 외에도 특정 비율(예: 90%)에 도달했을 때 알림을 받을 경고 규칙도 만들어야 합니다. - 가능한 경우 작업 영역 변환 고려 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "OS 디스크의 I/O는 중요한 리소스입니다. 
노드의 OS가 I/O에서 제한되면 예측할 수 없는 동작이 발생할 수 있으며, 일반적으로 노드가 NotReady로 선언됩니다", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", + "severity": "보통", + "text": "노드에서 OS 디스크 큐 크기 모니터링Monitor OS disk queue depth in nodes", + "waf": "작업" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "제거 로그 정책 및 자동화 적용(필요한 경우 로그를 콜드 스토리지로 이동할 수 있음)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "severity": "보통", + "text": "AzFW/NVA에서 송신 필터링을 사용하지 않는 경우 표준 ALB 할당 SNAT 포트를 모니터링합니다", + "waf": "작업" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "디스크가 실제로 필요한지 확인하고, 그렇지 않은 경우 삭제하십시오. 
필요한 경우 더 낮은 스토리지 계층을 찾거나 백업을 사용합니다.", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", + "severity": "보통", + "text": "AKS 클러스터에 대한 Resource Health 알림 구독Subscribe to resource health notifications for your AKS cluster", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "text": "사용자 지정 규칙을 사용하여 사용하지 않는 스토리지를 하위 계층으로 이동하는 것이 좋습니다 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "높다", + "text": "Pod 규격에서 요청 및 제한 구성", + "waf": "작업" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "text": "Advisor가 VM 올바른 크기 조정에 대해 구성되어 있는지 확인합니다. 
", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "보통", + "text": "네임스페이스에 대한 리소스 할당량 적용Enforce resource quotas for namespaces", + "waf": "작업" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "Cost analysys에서 Meter Category Licenses를 검색하여 확인합니다.", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "모든 Windows VM에서 스크립트 실행 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM을 자주 만드는 경우 정책 구현을 고려합니다.", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", + "severity": "높다", + "text": "구독에 노드 풀을 확장할 수 있는 충분한 할당량이 있는지 확인합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": " 이미 라이선스가 있는 경우 AHUB에 넣을 수도 https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "보통", + "text": "Cluster Autoscaler 사용", + "waf": "공연" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "유연성 옵션을 사용하여 예약된 VM 제품군 통합(4-5개 이하의 제품군)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", + "severity": "낮다", + "text": "AKS 노드 풀에 대한 노드 구성 사용자 지정", + "waf": "공연" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", - "text": "Azure Reserved Instances 활용: 이 기능을 사용하면 1년 또는 3년 동안 VM을 예약할 수 있으므로 PAYG 가격에 비해 상당한 비용 절감 효과를 얻을 수 있습니다.", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + 
"severity": "보통", + "text": "필요한 경우 Horizontal Pod Autoscaler 사용", + "waf": "공연" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "text": "더 큰 디스크만 예약할 수 있습니다 => 1TiB -", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "노드가 클수록 임시 디스크 및 가속화된 네트워킹과 같은 더 높은 성능과 기능을 제공하지만 폭발 반경이 증가하고 크기 조정 세분성이 감소합니다", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", + "severity": "높다", + "text": "너무 크거나 너무 작지 않은 적절한 노드 크기를 고려합니다", + "waf": "공연" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "text": "적절한 크기 최적화 후", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", + "severity": "낮다", + "text": "확장성을 위해 5,000개 이상의 노드가 필요한 경우 추가 AKS 클러스터를 사용하는 것이 좋습니다", + "waf": "공연" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "적용 가능한 경우 확인 및 정책/변경 
https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations 시행", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "낮다", + "text": "AKS 자동화를 위해 EventGrid 이벤트를 구독하는 것이 좋습니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "VM + 라이선스 부분 할인(ahub + 3YRI)은 약 70% 할인입니다.", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "낮다", + "text": "AKS 클러스터에서 장기 실행 작업의 경우 이벤트 종료를 고려합니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "플랫 사이징보다는 VMSS를 사용하여 수요에 맞추는 것이 좋습니다", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 AKS 노드에 Azure Dedicated Host를 사용하는 것이 좋습니다", + "waf": "공연" }, { "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", "service": "AKS", - "text": "AKS 자동 크기 조정기를 사용하여 클러스터 사용량과 일치시킵니다(Pod 요구 사항이 스케일러와 일치하는지 확인).", - "waf": "비용" + "severity": "높다", + "text": "임시 OS 디스크 사용", + "waf": "공연" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "해당하는 경우 복구 지점을 자격 증명 모음 보관으로 이동(유효성 검사)Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", + "severity": "높다", + "text": "임시 디스크가 아닌 디스크의 경우 여러 Pod를 실행하는 데 고성능이 필요하고 기본 AKS 로그 회전 임계값을 사용하여 대규모 로그를 생성하므로 많은 Pod/노드를 실행할 때 노드에 높은 IOPS 및 더 큰 OS 디스크를 사용합니다", + "waf": "공연" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": 
"https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "가능한 경우 대체와 함께 스폿 VM을 사용하는 것이 좋습니다. 클러스터의 자동 종료를 고려합니다.", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "낮다", + "text": "고성능 스토리지 옵션의 경우 AKS에서 Ultra Disks를 사용합니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "함수 - 연결 재사용", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", + "severity": "보통", + "text": "클러스터에서 상태를 유지하지 않고 외부(AzStorage, AzSQL, Cosmos 등)에 데이터를 저장합니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "함수 - 로컬에 데이터 캐시", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", + "severity": "보통", + "text": "AzFiles 표준을 사용하는 경우 성능상의 이유로 AzFiles 프리미엄 및/또는 ANF를 고려합니다", + "waf": "공연" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "기능 - 콜드 스타트 - '패키지에서 실행' 기능을 사용합니다. 이렇게 하면 코드가 단일 zip 파일로 다운로드됩니다. 예를 들어, 이것은 많은 노드 모듈이 있는 Javascript 함수를 크게 개선할 수 있습니다. 언어별 도구를 사용하여 패키지 크기를 줄입니다(예: 트리 쉐이킹 Javascript 애플리케이션).", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", + "severity": "보통", + "text": "Azure 디스크 및 AZ를 사용하는 경우 올바른 영역에 스토리지를 프로비전하기 위해 VolumeBindingMode::WaitForFirstConsumer를 사용하여 LRS 디스크의 영역 내에 노드 풀을 사용하거나 여러 영역에 걸쳐 있는 노드 풀에 ZRS 디스크를 사용하는 것이 좋습니다", + "waf": "공연" }, { "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", "service": "Azure Functions", - "text": "기능 - 기능을 따뜻하게 유지", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "비용" + "severity": "높다", + "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 기능 호스팅 계획을 선택하십시오.", + "waf": "신뢰도" }, { "arm-service": "Microsoft.Web/sites", - "checklist": 
"Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", "service": "Azure Functions", - "text": "다른 함수와 함께 자동 크기 조정을 사용하는 경우 모든 리소스에 대한 모든 자동 크기 조정을 구동하는 것이 있을 수 있으므로 별도의 소비 계획으로 이동하는 것이 좋습니다(CPU에 대한 더 높은 계획 고려).", - "waf": "비용" + "severity": "높다", + "text": "지역적으로 적용 가능한 가용성 영역 활용(소비 계층에는 사용할 수 없음)", + "waf": "신뢰도" }, { "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", "service": "Azure Functions", - "text": "지정된 계획의 함수 앱은 모두 함께 크기가 조정되므로 크기 조정과 관련된 모든 문제는 계획의 모든 앱에 영향을 줄 수 있습니다.", - "waf": "비용" + "severity": "보통", + "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", + "waf": "신뢰도" }, { "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", "service": "Azure Functions", - "text": "'대기 시간'에 대한 요금이 청구되나요? 이 질문은 일반적으로 비동기 작업을 수행하고 결과를 기다리는 C # 함수 (예 : await Task.Delay(1000) 또는 await client )의 컨텍스트에서 묻습니다. GetAsync('http://google.com')입니다. 대답은 '예'입니다 - GB 초 계산은 함수의 시작 및 종료 시간과 해당 기간 동안의 메모리 사용량을 기반으로 합니다. 
CPU 작업 측면에서 해당 시간 동안 실제로 발생하는 일은 계산에 포함되지 않습니다. 이 규칙의 한 가지 예외는 지속성 함수를 사용하는 경우입니다. 오케스트레이터 함수에서 대기하는 데 소요된 시간에 대해서는 요금이 청구되지 않습니다.가능한 경우 수요 형성 기술을 적용합니다(개발 환경?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "비용" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "text": "Frontdoor - 기본 홈페이지 끄기앱의 애플리케이션 설정에서 AzureWebJobsDisableHomepage를 true로 설정합니다. 이렇게 하면 PoP에 204(콘텐츠 없음)가 반환되므로 헤더 데이터만 반환됩니다.", - "waf": "비용" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "text": "Frontdoor 프론트도어 - 아무것도 반환하지 않는 무언가로 라우팅합니다. 함수, 함수 프록시를 설정하거나 WebApp에서 200(정상)을 반환하고 콘텐츠를 보내지 않거나 최소한으로 보내는 경로를 추가합니다. 
이것의 장점은 호출될 때 로그아웃할 수 있다는 것입니다.", - "waf": "비용" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "덜 사용되는 데이터에 대한 보관 계층 고려", - "waf": "비용" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "크기가 계층과 일치하지 않는 디스크 크기를 확인합니다(예: 513GiB 디스크는 P30(1TiB)를 지불하고 크기 조정을 고려합니다.", - "waf": "비용" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "가능하면 프리미엄 또는 울트라 대신 표준 SSD를 사용하는 것이 좋습니다.", - "waf": "비용" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "스토리지 계정의 경우 선택한 계층이 트랜잭션 요금을 합산하지 않는지 확인합니다(다음 계층으로 이동하는 것이 더 저렴할 수 있음).", - "waf": "비용" - }, - { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "ASR의 경우 RPO/RTO 및 복제 처리량이 허용하는 경우 표준 SSD 디스크를 사용하는 것이 좋습니다", - "waf": "비용" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - 
"guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "스토리지 계정: 핫 계층 및/또는 GRS 필요 확인", - "waf": "비용" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "디스크 - 모든 곳에서 프리미엄 SSD 디스크 사용의 유효성을 검사합니다. 예를 들어 비프로덕션은 표준 SSD 또는 주문형 프리미엄 SSD로 교환할 수 있습니다. ", - "waf": "비용" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "예산을 만들어 비용을 관리하고 이해 관계자에게 지출 이상 및 초과 지출 위험을 자동으로 알리는 경고를 만듭니다.", - "waf": "비용" + "severity": "높다", + "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "추가 데이터 분석을 위해 비용 데이터를 스토리지 계정으로 내보냅니다.", - "waf": "비용" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", + "severity": "높다", + "text": "App Service 계획에서 실행되는 모든 함수 앱에 대해 'Always On'이 사용하도록 설정되어 있는지 확인합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - 
"service": "Synapse", - "text": "리소스를 사용하지 않을 때 일시 중지하여 전용 SQL 풀에 대한 비용을 제어합니다.", - "waf": "비용" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", + "severity": "보통", + "text": "함수 앱을 자체 스토리지 계정에 페어링합니다. 긴밀하게 결합되지 않는 한 함수 앱에 대한 스토리지 계정을 다시 사용하지 마세요", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "서버리스 Apache Spark 자동 일시 중지 기능을 활성화하고 그에 따라 제한 시간 값을 설정합니다.", - "waf": "비용" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", + "severity": "보통", + "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 함수 앱 코드를 보호합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "다양한 크기의 Apache Spark 풀 정의를 여러 개 만듭니다.", - "waf": "비용" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", + "severity": "보통", + "text": "Azure Spring Apps는 모든 앱에 대해 두 개의 배포를 허용하며, 그 중 하나만 프로덕션 트래픽을 수신합니다. 블루-그린 배포 전략을 통해 가동 중지 시간 제로를 달성할 수 있습니다. 
파란색 녹색 배포는 표준 및 엔터프라이즈 계층에서만 사용할 수 있습니다. ADO/GitHub 작업과 함께 CI/CD를 사용하여 배포를 자동화할 수 있습니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "사전 구매 플랜으로 1년 동안 Azure Synapse SCU(커밋 단위)를 구매하여 Azure Synapse Analytics 비용을 절감하세요.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", + "severity": "보통", + "text": "Azure Spring Apps 인스턴스는 애플리케이션에 대해 여러 지역에서 만들 수 있으며 Traffic Manager/Front Door에서 트래픽을 라우팅할 수 있습니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "인터럽트 가능한 작업에 스폿 VM 사용: 할인된 가격으로 입찰 및 구매할 수 있는 VM으로, 중요하지 않은 워크로드에 비용 효율적인 솔루션을 제공합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", + "severity": "보통", + "text": "지원되는 지역에서 Azure Spring Apps는 영역 중복으로 배포할 수 있으며, 이는 인스턴스가 가용성 영역에 자동으로 분산됨을 의미합니다. 
이 기능은 Standard 및 Enterprise 계층에서만 사용할 수 있습니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "모든 VM의 적절한 크기 조정", - "waf": "비용" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", + "severity": "보통", + "text": "앱에 1개 이상의 앱 인스턴스 사용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "VM 크기를 정규화된 최신 크기로 바꾸기", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", + "severity": "보통", + "text": "로그, 메트릭 및 추적을 사용하여 Azure Spring Apps를 모니터링합니다. 
ASA를 Application Insights와 통합하고, 오류를 추적하고, 통합 문서를 만듭니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "적절한 크기 조정 VM - 사용량을 5% 미만으로 모니터링하는 것으로 시작한 다음 최대 40%까지 작업", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", + "severity": "보통", + "text": "Spring Cloud Gateway에서 자동 크기 조정 설정", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "애플리케이션을 컨테이너화하면 VM 밀도를 개선하고 확장 비용을 절감할 수 있습니다", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "비용" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "severity": "낮다", + "text": "표준 소비 및 전용 플랜이 있는 앱에 대해 자동 크기 조정을 사용하도록 설정합니다.", + "waf": "신뢰도" + }, + { + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", + "severity": "보통", + "text": "중요 업무용 앱에 대한 Spring Boot의 상업적 지원을 위해 Enterprise 플랜을 사용합니다. 
다른 계층에서는 OSS 지원을 받을 수 있습니다.", + "waf": "신뢰도" }, { "arm-service": "Microsoft.DataFactory/datafactories", 
@@ -8102,1885 +8802,1773 @@ "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7bc1c396-2461-4698-b57f-30ca69525252", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", - "service": "VNet", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "보통", - "text": "다중 지역 애플리케이션 랜딩 존 및 재해 복구 시나리오를 신속하게 지원할 수 있도록 여러 지역에 Azure 랜딩 존 연결 리소스를 배포합니다.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "신뢰도" + "text": "전역 수준에서 오류 처리 정책 구현", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "보통", - "text": "다중 테넌트에 대한 명확한 규정 또는 비즈니스 요구 사항이 없는 한 Azure 리소스를 관리하기 위해 하나의 Entra 테넌트를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "text": "모든 API 정책에 요소가 포함되어 있는지 확인합니다.", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "낮다", - 
"text": "다중 테넌트 자동화 접근 방식을 사용하여 Microsoft Entra ID 테넌트를 관리합니다.", - "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", + "severity": "보통", + "text": "정책 조각을 사용하여 여러 API에서 동일한 정책 정의를 반복하지 않도록 합니다.", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", - "severity": "높다", - "text": "동일한 ID로 다중 테넌트 관리에 Azure Lighthouse를 사용합니다.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "severity": "보통", + "text": "API로 수익을 창출할 계획이라면 '수익 창출 지원' 도움말에서 권장사항을 확인하세요", "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", - "severity": "높다", - "text": "파트너에게 테넌트를 관리할 수 있는 액세스 권한을 부여하는 경우 Azure Lighthouse를 사용합니다.", - "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", - "waf": "비용" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "높다", - "text": "클라우드 운영 모델에 맞는 RBAC 모델을 적용합니다. 관리 그룹 및 구독에서 범위를 지정하고 할당합니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "안전" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", - "severity": "보통", - "text": "모든 계정 유형에 대해 회사 또는 학교 계정 인증 유형만 사용합니다. Microsoft 계정을 사용하지 마십시오.", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "안전" + "text": "진단 설정을 사용하도록 설정하여 로그를 Azure Monitor로 내보내기", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "보통", - "text": "그룹만 사용하여 사용 권한을 할당합니다. 
그룹 관리 시스템이 이미 있는 경우 Entra ID 전용 그룹에 온-프레미스 그룹을 추가합니다.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "안전" + "text": "더 자세한 원격 분석을 위해 Application Insights 사용", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "높다", - "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 Microsoft Entra ID 조건부 액세스 정책을 적용합니다.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "안전" + "text": "가장 중요한 메트릭에 대한 경고 구성", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "높다", - "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 다단계 인증을 적용합니다.", - "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "text": "사용자 지정 SSL 인증서가 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되어 있는지 확인합니다", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - 
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", - "severity": "보통", - "text": "Microsoft Entra ID PIM(Privileged Identity Management)을 적용하여 제로 스탠딩 액세스 및 최소 권한을 설정합니다.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", + "severity": "높다", + "text": "Azure AD를 사용하여 API(데이터 평면)에 들어오는 요청 보호", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "보통", - "text": "Active Directory Domain Services에서 Entra Domain Services로 전환하려는 경우 모든 워크로드의 호환성을 평가합니다.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "text": "Microsoft Entra ID를 사용하여 개발자 포털에서 사용자 인증", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", - "link": 
"https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", - "severity": "보통", - "text": "Microsoft Entra Domain Services를 사용하는 경우 복제본 세트를 사용합니다. 복제본 세트는 관리되는 도메인의 복원력을 향상시키고 추가 지역에 배포할 수 있도록 합니다. ", - "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", - "waf": "신뢰도" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", "severity": "보통", - "text": "Microsoft Entra ID 로그를 플랫폼 중앙 Azure Monitor와 통합합니다. Azure Monitor는 Azure의 로그 및 모니터링 데이터에 대한 단일 정보 소스를 허용하여 조직에 로그 수집 및 보존에 대한 요구 사항을 충족할 수 있는 클라우드 네이티브 옵션을 제공합니다.", - "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", - "waf": "안전" - }, - { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", - "severity": "높다", - "text": "응급 액세스 또는 비상 계정을 구현하여 테넌트 전체 계정 잠금을 방지합니다. MFA는 2024년 10월에 모든 사용자에 대해 기본적으로 설정됩니다. 암호 키(FIDO2)를 사용하거나 MFA에 대한 인증서 기반 인증을 구성하도록 이러한 계정을 업데이트하는 것이 좋습니다. 
", - "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", + "text": "제품의 가시성을 제어하기 위해 적절한 그룹을 만듭니다", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "severity": "보통", - "text": "특별히 필요한 시나리오가 없는 한 Microsoft Entra ID 역할 할당에 온-프레미스 동기화 계정을 사용하지 마세요.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "안전" + "text": "백엔드 기능을 사용하여 중복 API 백엔드 구성 제거", + "waf": "작업" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "severity": "보통", - "text": "Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 애플리케이션에 대한 액세스 권한을 부여하는 경우 테넌트당 하나의 인스턴스만 가질 수 있으므로 플랫폼 리소스로 관리합니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "안전" + "text": "명명된 값을 사용하여 정책에서 사용할 수 있는 공통 값 저장", + "waf": "작업" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "보통", - "text": "최대한의 유연성이 필요한 네트워크 시나리오에는 허브 및 스포크(hub-and-spoke) 네트워크 토폴로지를 사용합니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "안전" + "text": "DR의 경우 99.99% SLA를 위해 둘 이상의 지역에 걸쳐 확장된 배포와 함께 프리미엄 계층을 활용합니다", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", - "severity": "높다", - "text": "ExpressRoute 게이트웨이, VPN 게이트웨이 및 Azure Firewall 또는 파트너 NVA를 포함한 공유 네트워킹 서비스를 중앙 허브 가상 네트워크에 배포합니다. 
필요한 경우 DNS 서비스도 배포합니다.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "비용" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "severity": "보통", + "text": "99.99%의 SLA 증가를 위해 둘 이상의 가용성 영역에 하나 이상의 단위를 배포합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", "severity": "높다", - "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "text": "자동화된 백업 루틴이 있는지 확인", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "보통", - "text": "파트너 네트워킹 기술 또는 NVA를 배포할 때 파트너 공급업체의 지침을 따릅니다.", + "text": "정책을 사용하여 장애 
조치 백엔드 URL 및 캐싱을 추가하여 실패한 호출을 줄입니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "낮다", - "text": "허브 및 스포크 시나리오에서 ExpressRoute와 VPN 게이트웨이 간의 전송이 필요한 경우 Azure Route Server를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", - "waf": "안전" - }, - { - "arm-service": "Microsoft.Network/virtualHubs", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", "severity": "낮다", - "text": "Route Server를 사용하는 경우 Route Server 서브넷에 /27 접두사를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", - "waf": "안전" + "text": "고성능 수준에서 기록해야 하는 경우 Event Hubs 정책을 고려합니다", + "waf": "작업" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - 
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "severity": "보통", - "text": "Azure 지역 간에 여러 허브 및 스포크 토폴로지가 있는 네트워크 아키텍처의 경우 허브 VNet 간의 글로벌 가상 네트워크 피어링을 사용하여 지역을 서로 연결합니다.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "text": "제한 정책을 적용하여 초당 요청 수 제어Apply throttling policies to control the number of requests per second", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", "waf": "공연" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "보통", - "text": "네트워크용 Azure Monitor를 사용하여 Azure에서 네트워크의 엔드투엔드 상태를 모니터링합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "작업" + "text": "부하가 증가할 때 인스턴스 수를 확장하도록 자동 크기 조정 구성Configure autoscaling to scale out the number of instances when the load increases", + "waf": "공연" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize 
peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "보통", - "text": "한 지역에 400개 이상의 스포크 네트워크가 있는 경우 VNet 피어링 제한(500) 및 ExpressRoute를 통해 보급할 수 있는 최대 접두사 수(1000)를 우회하기 위해 추가 허브를 배포합니다.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "신뢰도" + "text": "Azure에 백 엔드 API에 가까운 지역이 없는 자체 호스팅 게이트웨이를 배포합니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "severity": "보통", - "text": "경로 테이블당 경로 수를 400개로 제한합니다.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "text": "프로덕션 
워크로드에 프리미엄 계층을 사용합니다.", "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", - "severity": "높다", - "text": "VNet 피어링을 구성할 때 '원격 가상 네트워크에 대한 트래픽 허용' 설정을 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "severity": "보통", + "text": "다중 리전 모델에서는 Policies를 사용하여 가용성 또는 지연 시간에 따라 리전 백엔드로 요청을 라우팅합니다.", "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = 
toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", - "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", "severity": "높다", - "text": "영역 중복 배포와 함께 표준 Load Balancer SKU를 사용하는 경우 표준 SKU Load Balancer를 선택하면 가용성 영역 및 영역 복원력을 통해 안정성이 향상되어 배포가 영역 및 지역 오류를 견딜 수 있습니다. 
Basic과 달리 전역 부하 분산을 지원하고 SLA를 제공합니다.", + "text": "APIM의 제한에 유의해야 합니다.", "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "48682fb1-1e86-4458-a686-518ebd47393d", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management 
Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "severity": "높다", - "text": "부하 분산 장치 백 엔드 풀에 두 개 이상의 인스턴스가 포함되어 있는지 확인하고, 백 엔드에 두 개 이상의 인스턴스를 사용하여 Azure Load Balancer를 배포하면 단일 실패 지점을 방지하고 확장성을 지원할 수 있습니다.", + "text": "자체 호스팅 게이트웨이 배포가 복원력이 있는지 확인합니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "보통", - "text": "ExpressRoute Direct를 사용하는 경우 조직의 라우터와 MSEE 간의 계층 2 수준에서 트래픽을 암호화하도록 MACsec을 구성합니다. 
다이어그램은 흐름에서 이 암호화를 보여 줍니다.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "안전" + "text": "다중 지역 배포를 위해 APIM 앞에서 Azure Front Door 사용Use Azure Front Door in front of APIM for multi-region deployment", + "waf": "공연" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "severity": "보통", - "text": "MACsec을 사용할 수 없는 시나리오(예: ExpressRoute Direct를 사용하지 않음)의 경우 VPN Gateway를 사용하여 ExpressRoute 개인 피어링을 통해 IPsec 터널을 설정합니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "VNet(Virtual Network) 내에 서비스 배포Deploy the service within a Virtual Network (VNet)", "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", - "severity": "높다", - "text": "Azure 지역 및 온-프레미스 위치에서 겹치는 IP 주소 공간이 사용되지 않는지 확인합니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", + "severity": "보통", + "text": "서브넷에 NSG(네트워크 보안 그룹)를 배포하여 APIM에서 들어오고 나가는 트래픽을 제한하거나 모니터링합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "severity": "보통", - "text": "개인 인터넷(RFC 1918)에 대한 주소 할당 범위의 IP 주소를 사용합니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "프라이빗 엔드포인트를 배포하여 APIM이 VNet에 배포되지 않은 경우 들어오는 트래픽을 필터링합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend 
addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "높다", - "text": "IP 주소 공간이 낭비되지 않는지 확인하고 불필요하게 큰 가상 네트워크(예: /16)를 만들지 마세요.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "공연" - }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "severity": "높다", - "text": "프로덕션 및 재해 복구 사이트에 대해 겹치는 IP 주소 범위를 사용하지 마세요.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "신뢰도" - }, - { - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", - "service": "Public IP Addresses", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", "severity": "높다", - "text": "해당하는 경우 표준 SKU 및 영역 중복 IP를 사용하며, Azure의 공용 IP 주소는 비영역, 영역 또는 영역 중복으로 사용할 수 있는 표준 SKU일 수 있습니다. 영역 중복 IP는 모든 영역에서 액세스할 수 있으므로 단일 영역 오류에 저항하여 더 높은 복원력을 제공합니다. ", - "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", - "waf": "신뢰도" + "text": "공용 네트워크 액세스 사용 안 함", + "waf": "안전" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "severity": "보통", - "text": "Azure의 이름 확인만 필요한 환경의 경우 이름 확인을 위해 위임된 영역(예: 'azure.contoso.com')을 사용하여 Azure 프라이빗 DNS를 확인합니다.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "PowerShell 자동화 스크립트로 관리 간소화", "waf": "작업" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "severity": "보통", - "text": 
"Azure 및 온-프레미스에서 이름 확인이 필요하고 Active Directory와 같은 기존 엔터프라이즈 DNS 서비스가 없는 환경의 경우 Azure DNS Private Resolver를 사용하여 DNS 요청을 Azure 또는 온-프레미스 DNS 서버로 라우팅합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "안전" + "text": "Infrastructure-as-code를 통해 APIM을 구성합니다. Cloud Adaption Framework APIM 랜딩 존 가속기에서 DevOps 모범 사례 검토", + "waf": "작업" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "낮다", - "text": "자체 DNS(예: Red Hat OpenShift)를 요구하고 배포하는 특수 워크로드는 선호하는 DNS 솔루션을 사용해야 합니다.", - "training": "https://learn.microsoft.com/training/courses/az-700t00", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", + "severity": "보통", + "text": "더 빠른 API 개발을 위해 Visual Studio Code APIM 확장 사용 촉진", "waf": "작업" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", - "severity": "높다", - "text": "Azure DNS에 대한 자동 등록을 사용하도록 설정하여 가상 네트워크 내에 배포된 가상 머신에 대한 DNS 레코드의 수명 주기를 자동으로 관리합니다.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", + "severity": "보통", + "text": "워크플로에서 DevOps 및 CI/CD 구현", "waf": "작업" 
}, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", - "service": "DNS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", "severity": "보통", - "text": "여러 Azure 지역 간의 DNS 확인을 관리하기 위한 계획과 서비스가 다른 지역으로 장애 조치(failover)되는 경우 계획 구현", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "신뢰도" + "text": "클라이언트 인증서 인증을 사용하여 API 보안", + "waf": "안전" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "severity": "보통", - "text": "Azure Bastion을 사용하여 네트워크에 안전하게 연결합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "text": "클라이언트 인증서 인증을 사용한 보안 백엔드 서비스", "waf": "안전" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend 
subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "severity": "보통", - "text": "서브넷 /26 이상에서 Azure Bastion을 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "text": "'OWASP API 보안 상위 10개 위협을 완화하기 위한 권장 사항' 문서를 검토하고 API에 적용할 수 있는 항목을 확인합니다.", "waf": "안전" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "severity": "보통", - "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역 전체에서 글로벌 보호를 제공합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "권한 부여 기능을 사용하여 백엔드 API에 대한 OAuth 2.0 토큰 관리 간소화", + "waf": "안전" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", + "severity": "높다", + "text": "전송 중인 정보를 암호화할 때 최신 TLS 버전을 사용합니다. 
가능한 경우 오래되고 불필요한 프로토콜과 암호를 사용하지 않도록 설정합니다.", "waf": "안전" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "낮다", - "text": "Azure Front Door 및 Azure Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Azure Front Door에서 WAF 정책을 사용합니다. Azure Front Door에서만 트래픽을 수신하도록 Azure Application Gateway를 잠급니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", + "severity": "높다", + "text": "비밀(명명된 값)이 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되었는지 확인합니다.", "waf": "안전" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "높다", - "text": "인바운드 HTTP/S 연결에 WAF 및 기타 역방향 프록시가 필요한 경우 랜딩 존 가상 네트워크 내에 배포하고 보호하고 인터넷에 노출하는 앱과 함께 배포합니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", 
+ "service": "APIM", + "severity": "보통", + "text": "가능할 때마다 관리 ID를 사용하여 다른 Azure 리소스에 인증", "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "severity": "높다", - "text": "Azure DDoS 네트워크 또는 IP 보호 계획을 사용하여 가상 네트워크 내의 공용 IP 주소 엔드포인트를 보호할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "APIM 앞에 Application Gateway를 배포하여 WAF(웹 애플리케이션 방화벽) 사용Use Web Application Firewall (WAF) by deploying Application Gateway in of APIM", "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", "severity": "높다", - "text": "예정된 호환성이 손상되는 변경 전에 네트워크 아웃바운드 트래픽 구성 및 전략을 관리하는 방법을 계획합니다. 
2025년 9월 30일에 새 배포에 대한 기본 아웃바운드 액세스가 사용 중지되고 명시적 액세스 구성만 허용됩니다.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", + "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements", "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", "severity": "높다", - "text": "보호된 모든 공용 IP 주소(DDoS IP 또는 네트워크 보호)에 대한 DDoS 관련 로그를 저장하는 진단 설정을 추가합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", "severity": "높다", - "text": "Virtual Machines에 직접 연결된 공용 IP 주소를 거부하는 정책 할당이 있는지 확인합니다. 
특정 VM에서 공용 IP가 필요한 경우 제외를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "안전" + "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", - "severity": "보통", - "text": "ExpressRoute를 Azure에 대한 기본 연결로 사용합니다. VPN을 백업 연결의 소스로 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", + "severity": "높다", + "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "AS-path 접두사 및 연결 가중치를 사용하여 Azure에서 온-프레미스로의 트래픽에 영향을 주고, 자체 라우터의 전체 BGP 특성 범위를 사용하여 온-프레미스에서 Azure로의 트래픽에 영향을 줄 수 있습니다.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "보통", - "text": "여러 ExpressRoute 회로 또는 여러 온-프레미스 위치를 사용하는 경우 BGP 특성을 사용하여 라우팅을 최적화합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.", + "waf": "작업" }, { - 
"arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "스토리지와 관련된 Microsoft 클라우드 보안 벤치마크의 지침 적용", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "보통", - "text": "대역폭 및 성능 요구 사항에 따라 ExpressRoute/VPN 게이트웨이에 적합한 SKU를 선택합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" + "text": "'스토리지에 대한 Azure 보안 기준'을 고려합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Azure Storage는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 
프라이빗 엔드포인트를 사용하면 액세스가 필요한 Azure Compute 리소스에만 Azure Storage를 안전하게 노출할 수 있으므로 공용 인터넷에 노출되지 않습니다", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "severity": "높다", - "text": "비용을 정당화하는 대역폭에 도달하는 경우에만 무제한 데이터 ExpressRoute 회로를 사용하고 있는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "비용" + "text": "Azure Storage에 프라이빗 엔드포인트를 사용하는 것이 좋습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "새로 만든 스토리지 계정은 ARM 배포 모델을 사용하여 생성되므로 RBAC, 감사 등이 모두 활성화됩니다. 
구독에 클래식 배포 모델을 사용하는 이전 저장소 계정이 없는지 확인합니다.", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", + "severity": "보통", + "text": "이전 스토리지 계정이 '클래식 배포 모델'을 사용하지 않는지 확인", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Microsoft Defender를 활용하여 의심스러운 활동 및 잘못된 구성에 대해 알아보세요.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "높다", - "text": "회로 피어링 위치가 로컬 SKU에 대한 Azure 지역을 지원하는 경우 ExpressRoute의 로컬 SKU를 활용하여 회로 비용을 줄입니다.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "비용" + "text": "모든 스토리지 계정에 대해 Microsoft Defender 사용", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "일시 삭제 메커니즘을 사용하면 실수로 삭제된 Blob을 복구할 수 있습니다.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", 
"severity": "보통", - "text": "지원되는 Azure 지역에 영역 중복 ExpressRoute 게이트웨이를 배포합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "text": "Blob에 대해 '일시 삭제' 사용Enable 'soft delete' for blobs", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. ", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "보통", - "text": "10Gbps보다 높은 대역폭 또는 전용 10/100Gbps 포트가 필요한 시나리오의 경우 ExpressRoute Direct를 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" + "text": "Blob에 대해 '일시 삭제' 사용 안 함", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "컨테이너에 대한 일시 삭제를 사용하면 컨테이너가 삭제된 후 복구할 수 있습니다(예: 실수로 삭제한 작업에서 복구).", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", + "severity": "높다", + "text": "컨테이너에 대해 '일시 삭제' 사용Enable 'soft delete' for containers", + "waf": "안전" + }, + { + 
"arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "severity": "보통", - "text": "짧은 대기 시간이 필요하거나 온-프레미스에서 Azure로의 처리량이 10Gbps보다 커야 하는 경우 FastPath를 사용하여 데이터 경로에서 ExpressRoute 게이트웨이를 우회할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" + "text": "컨테이너에 대해 '일시 삭제' 사용 안 함", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "사용자가 삭제하기 전에 먼저 삭제 잠금을 제거하도록 강제하여 스토리지 계정의 우발적인 삭제를 방지합니다.", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", + "severity": "높다", + "text": "스토리지 계정에 대한 리소스 잠금 사용Enable resource locks on storage accounts", + "waf": "안전" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", - "severity": "보통", - "text": "영역 중복 VPN 게이트웨이를 사용하여 분기 또는 원격 위치를 Azure(사용 가능한 경우)에 연결합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "신뢰도" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Blob에 
대한 '법적 보존' 또는 '시간 기반 보존' 정책을 고려하면 Blob, 컨테이너 또는 스토리지 계정을 삭제할 수 없습니다. '불가능한'은 실제로 '불가능한'을 의미합니다. 스토리지 계정에 변경할 수 없는 Blob이 포함되면 해당 스토리지 계정을 '제거'하는 유일한 방법은 Azure 구독을 취소하는 것입니다.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "높다", + "text": "변경할 수 없는 Blob 고려", + "waf": "안전" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", - "severity": "보통", - "text": "온-프레미스에서 중복 VPN 어플라이언스(활성/활성 또는 활성/수동)를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "신뢰도" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "스토리지 계정에 대한 보호되지 않는 HTTP/80 액세스를 사용하지 않도록 설정하여 모든 데이터 전송이 암호화되고 무결성이 보호되며 서버가 인증되도록 하는 것이 좋습니다. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "높다", + "text": "HTTPS 필요, 즉 스토리지 계정에서 포트 80 사용 안 함Require HTTPS, i.e. disable port 80 on the storage account", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "스토리지 계정에서 사용자 지정 도메인(호스트 이름)을 구성할 때 TLS/HTTPS가 필요한지 확인합니다. 
이 경우 스토리지 계정 앞에 Azure CDN을 배치해야 할 수 있습니다.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "severity": "높다", - "text": "ExpressRoute Direct를 사용하는 경우 비용을 절감하기 위해 로컬 Azure 지역에 대한 ExpressRoute 로컬 회로를 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "비용" + "text": "HTTPS를 적용(HTTP 사용 안 함)할 때 스토리지 계정에 사용자 지정 도메인(CNAME)을 사용하지 않는지 확인합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "클라이언트가 SAS 토큰을 사용하여 Blob 데이터에 액세스할 때 HTTPS를 요구하면 자격 증명 손실 위험을 최소화하는 데 도움이 됩니다.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "보통", - "text": "트래픽 격리 또는 전용 대역폭이 필요한 경우(예: 프로덕션 환경과 비프로덕션 환경을 분리하기 위해) 다른 ExpressRoute 회로를 사용합니다. 
이는 격리된 라우팅 도메인을 보장하고 시끄러운 이웃 위험을 완화하는 데 도움이 됩니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "SAS(공유 액세스 서명) 토큰을 HTTPS 연결로만 제한", "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", - "severity": "보통", - "text": "기본 제공 Express Route Insights를 사용하여 ExpressRoute 가용성 및 사용률을 모니터링합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "작업" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": ". 최신 TLS 버전을 적용하면 이전 버전을 사용하는 클라이언트의 요청이 거부됩니다. ", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", + "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", + "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", + "service": "Azure Storage", + "severity": "높다", + "text": "스토리지 계정에 대한 최신 TLS 버전 적용Enforce the latest TLS version for a storage account", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", - "severity": "보통", - "text": "네트워크를 통한 연결, 특히 온-프레미스와 Azure 간의 연결을 모니터링하기 위해 연결 모니터를 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "작업" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review 
Checklist", + "description": "가능한 경우 Microsoft Entra ID 토큰을 공유 액세스 서명보다 선호해야 합니다", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "높다", + "text": "Blob 액세스에 Microsoft Entra ID 토큰 사용Use Microsoft Entra ID tokens for blob access", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "사용자, 그룹 또는 응용 프로그램에 역할을 할당할 때 해당 보안 주체가 작업을 수행하는 데 필요한 권한만 부여합니다. 
리소스에 대한 액세스를 제한하면 의도하지 않은 데이터 오용과 악의적인 데이터 오용을 모두 방지할 수 있습니다.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "보통", - "text": "중복성을 위해 서로 다른 피어링 위치의 ExpressRoute 회로를 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "text": "IaM 권한의 최소 권한", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", - "severity": "보통", - "text": "단일 ExpressRoute 회로만 사용하는 경우 사이트 간 VPN을 ExpressRoute의 장애 조치(failover)로 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "사용자 위임 SAS는 Azure AD(Azure Active Directory) 자격 증명과 SAS에 대해 지정된 권한으로 보호됩니다. 사용자 위임 SAS는 범위와 기능 측면에서 서비스 SAS와 유사하지만 서비스 SAS에 비해 보안상의 이점을 제공합니다. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "높다", + "text": "SAS를 사용하는 경우 스토리지 계정 키 기반 SAS보다 '사용자 위임 SAS'를 선호합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "스토리지 계정 키('공유 키')에는 감사 기능이 거의 없습니다. 누가/언제 키 복사본을 가져왔는지 모니터링할 수 있지만 키가 여러 사람의 손에 들어가면 특정 사용자의 사용을 귀속시킬 수 없습니다. Entra ID 인증에만 의존하면 스토리지 액세스를 사용자에게 더 쉽게 연결할 수 있습니다. 
", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "severity": "높다", - "text": "GatewaySubnet에서 경로 테이블을 사용하는 경우 게이트웨이 경로가 전파되었는지 확인합니다.", - "waf": "신뢰도" + "text": "Microsoft Entra ID 액세스(및 사용자 위임 SAS)만 지원되도록 스토리지 계정 키를 사용하지 않도록 설정하는 것이 좋습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "활동 로그 데이터를 사용하여 스토리지 계정의 보안을 '언제', '누가', '무엇을' 및 '어떻게' 확인하거나 변경합니다(예: 스토리지 계정 키, 액세스 정책 등).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "severity": "높다", - "text": "ExpressRoute를 사용하는 경우 온-프레미스 라우팅은 동적이어야 하며, 연결 오류가 발생할 경우 회로의 나머지 연결로 수렴해야 합니다. 
로드는 두 연결 모두에서 액티브/액티브로 이상적으로 공유되어야 하지만 액티브/패시브도 지원됩니다.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "text": "Azure Monitor를 사용하여 스토리지 계정에 대한 컨트롤 플레인 작업을 감사하는 것이 좋습니다", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "키 만료 정책을 사용하면 계정 액세스 키의 교체에 대한 미리 알림을 설정할 수 있습니다. 지정된 간격이 경과하고 키가 아직 회전되지 않은 경우 알림이 표시됩니다.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "보통", - "text": "ExpressRoute 회로의 두 물리적 링크가 네트워크에 있는 두 개의 고유한 에지 디바이스에 연결되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "text": "스토리지 계정 키를 사용하는 경우 '키 만료 정책'을 사용하도록 설정하는 것이 좋습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SAS 만료 정책은 SAS가 유효한 권장 간격을 지정합니다. SAS 만료 정책은 서비스 SAS 또는 계정 SAS에 적용됩니다. 
사용자가 권장 간격보다 큰 유효성 간격으로 서비스 SAS 또는 계정 SAS를 생성하면 경고가 표시됩니다.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "보통", - "text": "BFD(Bidirectional Forwarding Detection)가 고객 또는 프로바이더 에지 라우팅 디바이스에서 활성화되고 구성되도록 보장합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", - "severity": "높다", - "text": "복원력을 높이기 위해 ExpressRoute 게이트웨이를 서로 다른 피어링 위치에서 둘 이상의 회로에 연결합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "text": "SAS 만료 정책을 구성하는 것이 좋습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "저장된 액세스 정책은 스토리지 계정 키를 다시 생성할 필요 없이 서비스 SAS에 대한 사용 권한을 취소할 수 있는 옵션을 제공합니다. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "보통", - "text": "ExpressRoute 가상 네트워크 게이트웨이에 대한 진단 로그 및 경고를 구성합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "작업" + "text": "SAS를 저장된 액세스 정책에 연결하는 것이 좋습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "severity": "보통", - "text": "VNet 간 통신에 ExpressRoute 회로를 사용하지 마세요.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" + "text": "체크 인된 연결 문자열 및 저장소 계정 키를 검색하도록 응용 프로그램의 소스 코드 리포지토리를 구성하는 것이 좋습니다.", + "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", - "severity": "낮다", - "text": "검사를 위해 Azure 트래픽을 하이브리드 위치로 보내지 마세요. 대신 'Azure의 트래픽이 Azure에 유지' 원칙을 따라 Azure의 리소스 간 통신이 Microsoft 백본 네트워크를 통해 발생하도록 합니다.", - "waf": "공연" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "이상적으로 애플리케이션은 관리 ID를 사용하여 Azure Storage에 인증해야 합니다. 
가능하지 않은 경우 Azure KeyVault 또는 동등한 서비스에 스토리지 자격 증명(연결 문자열, 스토리지 계정 키, SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", + "severity": "높다", + "text": "Azure KeyVault에 연결 문자열을 저장하는 것이 좋습니다(관리 ID를 사용할 수 없는 시나리오에서).", + "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "임시 SAS 서비스 SAS 또는 계정 SAS에서 가까운 만료 시간을 사용합니다. 이러한 방식으로 SAS가 손상되더라도 짧은 시간 동안만 유효합니다. 이 방법은 저장된 액세스 정책을 참조할 수 없는 경우에 특히 중요합니다. 또한 단기 만료 시간은 Blob에 업로드할 수 있는 시간을 제한하여 Blob에 쓸 수 있는 데이터의 양을 제한합니다.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "높다", - "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, 비 HTTP/S 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "임시 SAS의 유효 기간을 단축하기 위해 노력", "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SAS를 만들 때는 가능한 한 구체적이고 제한적이어야 합니다. 
훨씬 더 광범위한 액세스를 제공하는 SAS보다 단일 리소스 및 작업에 대해 SAS를 선호합니다.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "보통", - "text": "글로벌 Azure Firewall 정책을 만들어 글로벌 네트워크 환경에서 보안 태세를 제어하고 모든 Azure Firewall 인스턴스에 할당합니다. Azure 역할 기반 액세스 제어를 통해 증분 방화벽 정책을 로컬 보안 팀에 위임하여 특정 지역의 요구 사항을 충족하는 세분화된 정책을 허용합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "SAS에 좁은 범위 적용", "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "severity": "낮다", - "text": "조직에서 아웃바운드 연결을 보호하기 위해 이러한 솔루션을 사용하려는 경우 Firewall Manager 내에서 지원되는 파트너 SaaS 보안 공급자를 구성합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SAS에는 SAS를 사용하여 리소스를 요청할 수 있는 권한이 있는 클라이언트 IP 주소 또는 주소 범위에 대한 매개 변수가 포함될 수 있습니다. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", + "severity": "보통", + "text": "가능한 경우 SAS 범위를 특정 클라이언트 IP 주소로 지정하는 것이 좋습니다", "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "severity": "높다", - "text": "응용 프로그램 규칙을 사용하여 지원되는 프로토콜에 대한 대상 호스트 이름에서 아웃바운드 트래픽을 필터링합니다. FQDN 기반 네트워크 규칙 및 DNS 프록시와 함께 Azure Firewall을 사용하여 다른 프로토콜을 통해 인터넷으로의 송신 트래픽을 필터링합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SAS는 클라이언트가 업로드하는 데이터의 양을 제한할 수 없습니다. 시간 경과에 따른 스토리지 양의 가격 책정 모델을 감안할 때 클라이언트가 악의적으로 큰 콘텐츠를 업로드했는지 여부를 확인하는 것이 합리적일 수 있습니다.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "낮다", + "text": "클라이언트가 SAS를 사용하여 파일을 업로드한 후 업로드된 데이터를 확인하는 것이 좋습니다. ", "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "'로컬 사용자 계정'을 사용하여 SFTP를 통해 Blob Storage에 액세스하는 경우 '일반적인' RBAC 컨트롤이 적용되지 않습니다. 
NFS 또는 REST를 통한 Blob 액세스는 SFTP 액세스보다 더 제한적일 수 있습니다. 안타깝게도 2023년 초부터 로컬 사용자는 현재 SFTP 엔드포인트에 대해 지원되는 유일한 ID 관리 형태입니다", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "severity": "높다", - "text": "Azure Firewall 프리미엄을 사용하여 추가 보안 기능을 사용하도록 설정합니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "text": "SFTP: SFTP 액세스를 위한 '로컬 사용자'의 수를 제한하고 시간이 지남에 따라 액세스가 필요한지 여부를 감사합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", - "severity": "높다", - "text": "추가 보호를 위해 Azure Firewall 위협 인텔리전스 모드를 경고 및 거부로 구성합니다.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", + "severity": "보통", + "text": "SFTP: SFTP 엔드포인트는 POSIX와 유사한 ACL을 지원하지 않습니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + 
"checklist": "Azure Storage Review Checklist", + "description": "스토리지는 CORS(Cross-Origin Resource Sharing), 즉 다른 도메인의 웹 앱이 동일 출처 정책을 완화할 수 있도록 하는 HTTP 기능을 지원합니다. CORS를 사용하도록 설정하는 경우 CorsRules를 최소 권한으로 유지합니다.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "높다", - "text": "추가 보호를 위해 Azure Firewall IDPS 모드를 거부로 구성합니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "text": "지나치게 광범위한 CORS 정책 방지", "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "미사용 데이터는 항상 서버 쪽에서 암호화되며 클라이언트 쪽에서도 암호화될 수 있습니다. 서버 쪽 암호화는 플랫폼 관리형 키(기본값) 또는 고객 관리형 키를 사용하여 발생할 수 있습니다. 클라이언트 쪽 암호화는 클라이언트가 Azure Storage에 Blob별로 암호화/암호 해독 키를 제공하도록 하거나 클라이언트 쪽에서 암호화를 완전히 처리하여 발생할 수 있습니다. 따라서 기밀 보장을 위해 Azure Storage에 전혀 의존하지 않습니다.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "높다", - "text": "Virtual WAN에 연결되지 않은 VNet의 서브넷의 경우 인터넷 트래픽이 Azure Firewall 또는 네트워크 가상 어플라이언스로 리디렉션되도록 경로 테이블을 연결합니다.", + "text": "미사용 데이터를 암호화하는 방법을 결정합니다. 데이터에 대한 스레드 모델을 이해합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "보통", - "text": "모든 Azure Firewall 배포에 대해 리소스별 대상 테이블을 사용하여 로그를 저장하는 진단 설정을 추가합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "작업" + "text": "어떤 플랫폼 암호화를 사용해야 하는지 확인합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", 
- "severity": "중요하다", - "text": "Azure Firewall 클래식 규칙(있는 경우)에서 방화벽 정책으로 마이그레이션합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "작업" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", + "severity": "보통", + "text": "클라이언트 쪽 암호화를 사용해야 하는지 여부를 결정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "리소스 그래프 탐색기(리소스 | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)를 활용하여 익명 Blob 액세스를 허용하는 스토리지 계정을 찾습니다.", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "severity": "높다", - "text": "Azure Firewall 서브넷에 /26 접두사를 
사용합니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "text": "공용 Blob 익명 액세스가 필요한지 또는 특정 스토리지 계정에 대해 사용하지 않도록 설정할 수 있는지 여부를 고려합니다. ", "waf": "안전" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", - "severity": "보통", - "text": "방화벽 정책 내의 규칙을 Rule Collection Groups(규칙 수집 그룹) 및 Rule Collections(규칙 컬렉션)로 정렬하고 사용 빈도에 따라 정렬합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", - "waf": "공연" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", + "severity": "높다", + "text": "성능 및 안정성 향상을 위해 storagev2 계정 유형 활용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", - "severity": "보통", - "text": "IP 그룹 또는 IP 접두사를 사용하여 IP 테이블 규칙의 수를 줄입니다.", - "waf": "공연" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", + "severity": "높다", + "text": "최고의 가용성을 위해 GRS, ZRS 또는 GZRS 스토리지 활용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + 
"arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", "severity": "보통", - "text": "와일드카드를 DNAT의 소스 IP로 사용하지 마십시오(예: * 또는 any). 들어오는 DNAT에 대한 소스 IP를 지정해야 합니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "공연" + "text": "장애 조치(failover) 후 쓰기 작업의 경우 고객 관리 장애 조치(failover)를 사용합니다. ", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", "severity": "보통", - "text": "SNAT 포트 사용량을 모니터링하고, NAT 게이트웨이 설정을 평가하고, 원활한 장애 조치(failover)를 보장하여 SNAT 포트 고갈을 방지합니다. 
포트 수가 제한에 가까워지면 SNAT 고갈이 임박했을 수 있다는 신호입니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "공연" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "높다", - "text": "Azure Firewall 프리미엄을 사용하는 경우 TLS 검사를 사용하도록 설정합니다.", - "waf": "공연" + "text": "Microsoft 관리 장애 조치(failover) 세부 정보 이해", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "낮다", - "text": "웹 범주를 사용하여 특정 주제에 대한 아웃바운드 액세스를 허용하거나 거부할 수 있습니다.", - "waf": "공연" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", + "severity": "보통", + "text": "일시 삭제 사용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "보통", - "text": "TLS 검사의 일환으로 검사를 위해 Azure App Gateway에서 트래픽 수신을 계획합니다.", - "training": 
"https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", - "waf": "공연" + "text": "유연한 서버 활용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", + "severity": "높다", + "text": "지역적으로 적용 가능한 경우 가용 영역 활용Leverage Availability Zones where regionally applicable", + "waf": "신뢰도" + }, + { + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "보통", - "text": "Azure Firewall DNS 프록시 구성을 사용하도록 설정합니다.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "안전" + "text": "지역 간 DR 시나리오에 입력 데이터 복제 활용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", "severity": "높다", - "text": "Azure Firewall을 Azure Monitor와 통합하고 진단 로깅을 사용하도록 설정하여 방화벽 로그 및 메트릭을 저장하고 분석합니다.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "작업" + "text": "공명형 AI를 위한 Metaprompting 가드레일 따르기", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "낮다", - "text": "방화벽 규칙에 대한 백업 구현Implement backups for your firewall rules", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "작업" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", + "severity": "높다", + "text": "더 나은 속도 제한, 부하 분산, 인증 및 로깅을 위해 APIM 또는 AI Central과 같은 솔루션을 사용하여 게이트웨이 패턴을 고려합니다.", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", - "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", - "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", - "service": "Firewall", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": 
"https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", "severity": "높다", - "text": "여러 가용성 영역에 Azure Firewall을 배포합니다. Azure Firewall은 배포에 따라 다른 SLA를 제공합니다. 단일 가용 영역 또는 여러 가용 영역에서 작동하여 안정성과 성능을 향상시킬 수 있습니다.", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "신뢰도" + "text": "AOAI 인스턴스에 대한 모니터링 활성화", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", - "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", - "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", - "service": "Firewall", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", "severity": "높다", - "text": "Azure Firewall VNet에서 DDoS Protection을 구성하고, DDoS 보호 계획을 Azure Firewall을 호스트하는 가상 네트워크와 연결하여 DDoS 공격에 대한 향상된 완화를 제공합니다. Azure Firewall Manager는 방화벽 인프라 및 DDoS 보호 계획 생성을 통합합니다. 
", - "waf": "신뢰도" + "text": "리소스에 대해 수행된 작업(예: 구독 키 다시 생성) 또는 메트릭 임계값(예: 한 시간에 10을 초과하는 오류 수)에 의해 생성된 활동 로그의 항목과 같은 이벤트를 팀에 알리는 경고를 만듭니다", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "severity": "높다", - "text": "컨트롤 플레인 트래픽을 차단하는 0.0.0.0/0 경로 또는 NSG 규칙과 같이 가상 네트워크에 삽입된 Azure PaaS 서비스에 대한 컨트롤 플레인 통신을 중단하지 마세요.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "안전" + "text": "용량으로 인한 서비스 중단을 방지하기 위해 토큰 사용량을 모니터링합니다.", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "severity": "보통", - "text": "프라이빗 엔드포인트 및 ExpressRoute 프라이빗 피어링을 통해 온-프레미스에서 Azure PaaS 서비스에 액세스하세요. 
이 방법을 사용하면 공용 인터넷을 통해 전송하지 않아도 됩니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "안전" + "text": "처리된 추론 토큰, 생성된 완료 토큰, 속도 제한 모니터링과 같은 메트릭 관찰", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", + "severity": "낮다", + "text": "진단이 충분하지 않은 경우 Azure OpenAI 앞에 있는 Azure API Managements와 같은 게이트웨이를 사용하여 허용되는 경우 들어오는 프롬프트와 나가는 응답을 모두 기록하는 것이 좋습니다", + "waf": "운영 우수성" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", "severity": "높다", - "text": "모든 서브넷에서 기본적으로 가상 네트워크 서비스 엔드포인트를 사용하도록 설정하지 마세요.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "안전" + "text": "Infrastructure as code를 사용하여 Azure OpenAI Service, 모델 배포 및 모든 관련 리소스를 배포합니다", + "waf": "운영 우수성" }, { - "arm-service": 
"Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", - "severity": "보통", - "text": "Azure Firewall 또는 NVA의 IP 주소 대신 FQDN을 사용하여 Azure PaaS 서비스에 대한 송신 트래픽을 필터링하여 데이터 반출을 방지합니다. Private Link를 사용하는 경우 모든 FQDN을 차단할 수 있으며, 그렇지 않으면 필요한 PaaS 서비스만 허용할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", + "severity": "높다", + "text": "API 키 대신 관리 ID로 Microsoft Entra 인증 사용", "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "높다", - "text": "게이트웨이 서브넷에 /27 접두사 이상을 사용합니다.", - "waf": "안전" + "text": "입력과 정답이 있는 알려진 골든 데이터 세트를 사용하여 시스템의 성능/정확도를 
평가합니다. 평가를 위해 PromptFlow의 기능을 활용합니다.", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "Azure OpenAI", "severity": "높다", - "text": "VirtualNetwork 서비스 태그를 사용하여 연결을 제한하는 NSG 인바운드 기본 규칙에 의존하지 마세요.", - "waf": "안전" + "text": "프로비저닝된 처리량 모델의 사용 평가 ", + "waf": "공연" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | 
where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "Azure OpenAI", + "severity": "높다", + "text": "Azure AI 콘텐츠 안전성 검토 및 구현", + "waf": "운영 우수성" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "Azure OpenAI", + "severity": "높다", + "text": "분당 토큰 및 응답을 기반으로 시스템의 처리량을 정의 및 평가하고 요구 사항에 맞춥니다.", + "waf": "공연" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "Azure OpenAI", "severity": "보통", - "text": "NSG를 사용하여 서브넷 전체의 트래픽과 플랫폼 전체의 동쪽/서쪽 트래픽(랜딩 존 간 트래픽)을 보호할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "안전" + "text": "토큰 크기, 스트리밍 옵션을 제한하여 시스템의 대기 시간을 개선합니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": 
"https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "severity": "보통", - "text": "NSG 및 애플리케이션 보안 그룹을 사용하여 랜딩 존 내의 트래픽을 마이크로 세그먼트화하고 중앙 NVA를 사용하여 트래픽 흐름을 필터링하지 않도록 합니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "안전" + "text": "탄력성 요구를 예측하여 우선 순위에 따라 동기 및 일괄 처리 요청 분리를 결정합니다. 우선 순위가 높은 경우 동기 접근 방식을 사용하고 낮은 우선 순위의 경우 큐를 사용한 비동기 일괄 처리가 선호됩니다", + "waf": "공연" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", - "severity": "보통", - "text": "VNet 흐름 로그를 사용하도록 설정하고 트래픽 분석에 제공하여 내부 및 외부 트래픽 흐름에 대한 인사이트를 얻을 수 있습니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", 
- "waf": "안전" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", + "severity": "높다", + "text": "소비자의 예상 수요를 기반으로 토큰 사용 요구 사항을 벤치마킹합니다. 프로비저닝된 처리량 단위 배포를 사용하는 경우 처리량의 유효성을 검사하는 데 도움이 되도록 Azure OpenAI 벤치마킹 도구를 사용하는 것이 좋습니다", + "waf": "공연" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "보통", - "text": "1,000개의 규칙 제한으로 인해 NSG당 900개 이상의 NSG 규칙을 구현하지 마세요.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "waf": "신뢰도" + "text": "PTU(프로비저닝된 처리량 단위)를 사용하는 경우 오버플로 요청에 대한 TPM(분당 토큰) 배포를 배포하는 것이 좋습니다. 
게이트웨이를 사용하여 PTU 제한에 도달할 때 TPM 배포로 요청을 라우팅합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", - "severity": "보통", - "text": "시나리오가 Virtual WAN 라우팅 디자인 목록에 명시적으로 설명된 경우 Virtual WAN을 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "작업" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "Azure OpenAI", + "severity": "높다", + "text": "올바른 작업에 적합한 모델을 선택하십시오. 속도, 응답 품질 및 출력 복잡성 간에 적절한 절충점이 있는 모델 선택", + "waf": "공연" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "severity": "보통", - "text": "Azure 지역당 Virtual WAN 허브를 사용하여 공통 글로벌 Azure Virtual WAN을 통해 Azure 지역 간에 여러 랜딩 존을 함께 연결합니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "text": "미세 조정으로 모델 성능이 향상되었는지 여부를 파악하기 위해 미세 조정 없이 성능에 대한 기준이 있습니다.", "waf": "공연" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, 
compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", - "severity": "보통", - "text": "아웃바운드 인터넷 트래픽 보호 및 필터링을 위해 보안 허브에 Azure Firewall을 배포합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", + "severity": "낮다", + "text": "여러 지역에 여러 OAI 인스턴스 배포", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", - "severity": "보통", - "text": "Virtual WAN 네트워크 아키텍처가 식별된 아키텍처 시나리오에 맞는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", + "severity": "높다", + "text": "APIM과 같은 게이트웨이 패턴을 사용하여 재시도 및 상태 확인 구현Implement retry & healthchecks with gateway pattern like APIM", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Virtual WAN용 Azure Monitor Insights를 사용하여 Virtual WAN의 엔드투엔드 토폴로지, 상태 및 주요 메트릭을 모니터링합니다.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "작업"
+ "text": "워크로드에 대한 TPM 및 RPM의 적절한 할당량이 있는지 확인합니다.",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant",
- "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
- "service": "VWAN",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "이러한 흐름을 명시적으로 차단해야 하는 경우가 아니면 Virtual WAN에서 분기 간 트래픽을 사용하지 않도록 설정하지 마세요.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "신뢰도"
+ "text": "HAI 도구 키트 지침의 고려 사항을 검토하고 slution에 대한 이러한 상호 작용 방법을 적용합니다",
+ "waf": "운영 우수성"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant",
- "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
- "service": "VWAN",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ 
"checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "AS-Path는 ExpressRoute 또는 VPN보다 유연하므로 허브 라우팅 기본 설정으로 사용합니다.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "text": "미세 조정이 사용되는 경우 지역 간에 별도의 미세 조정된 모델을 배포합니다.",
 "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
- "service": "VWAN",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Virtual WAN에서 레이블 기반 전파를 구성하지 않으면 가상 허브 간의 연결이 손상됩니다.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "text": "중요한 데이터를 정기적으로 백업 및 복제하여 데이터 손실 또는 시스템 장애 발생 시 데이터 가용성과 복구 가능성을 보장합니다. 
Azure의 백업 및 재해 복구 서비스를 활용하여 데이터를 보호하세요.",
 "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant",
- "guid": "9c75dfef-573c-461c-a698-68598595581a",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
- "service": "VWAN",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "가상 허브에 /23 이상의 접두사를 할당하여 충분한 IP 공간을 사용할 수 있도록 합니다.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "text": "SLA를 갖도록 Azure AI 검색 서비스 계층을 선택해야 합니다. 
",
 "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "임베딩을 생성하기 전에 데이터 및 민감도를 분류하고 Microsoft Purview를 사용하여 레이블을 지정하고 생성된 임베딩을 동일한 민감도 및 분류로 처리해야 합니다",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "Azure Policy를 전략적으로 활용하고, 정책 이니셔티브를 사용하여 관련 정책을 그룹화하여 환경에 대한 컨트롤을 정의합니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "BYOK(옵션)를 사용한 SSE/디스크 암호화로 RAG에 사용되는 데이터 암호화",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "데이터 소스 간 전송 중인 데이터, RAG(Retrieval-Augmented Generation) 및 LLM 통신에 사용되는 AI 검색에 TLS가 적용되는지 확인합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ 
"link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "RBAC를 사용하여 Azure OpenAI 서비스에 대한 액세스를 관리합니다. 사용자에게 적절한 권한을 할당하고 사용자의 역할과 책임에 따라 액세스를 제한합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "규정 및 규정 준수 요구 사항을 Azure Policy 정의 및 Azure 역할 할당에 매핑합니다.",
- "training": "https://learn.microsoft.com/training/modules/governance-security/",
+ "text": "데이터 암호화, 마스킹 또는 수정 기술을 구현하여 비프로덕션 환경에서 또는 테스트 또는 문제 해결을 위해 데이터를 공유할 때 민감한 데이터를 숨기거나 난독화된 값으로 대체합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Defender를 활용하여 보안 위협을 탐지 및 대응하고 의심스러운 활동 또는 위반을 식별하기 위한 모니터링 및 경고 메커니즘을 설정합니다. 
고급 위협 탐지 및 대응을 위해 Azure Sentinel 활용",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "상속된 범위에서 할당할 수 있도록 중간 루트 관리 그룹에서 Azure Policy 정의를 설정합니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "규정 준수 규정을 준수하기 위해 데이터 보존 및 폐기 정책을 수립합니다. 더 이상 필요하지 않은 데이터에 대한 안전한 삭제 방법을 구현하고 데이터 보존 및 폐기 활동에 대한 감사 추적을 유지 관리합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Content Safety를 사용하여 Prompt shields 및 groundedness detection 구현 ",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "필요한 경우 최하위 수준에서 제외를 사용하여 가장 적절한 수준에서 정책 할당을 관리합니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "개인 정보 보호 제어를 구현하고 데이터 처리 활동에 필요한 동의 또는 권한을 얻어 GDPR 또는 HIPAA와 같은 관련 데이터 보호 규정을 준수하도록 합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": 
"43334f24-9116-4341-a2ba-527526944008",
- "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
- "service": "Policy",
- "severity": "낮다",
- "text": "Azure Policy를 사용하여 사용자가 구독/관리 그룹 수준에서 프로비전할 수 있는 서비스를 제어합니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "데이터 보안 모범 사례, 데이터 안전한 처리의 중요성, 데이터 침해와 관련된 잠재적 위험에 대해 직원을 교육합니다. 데이터 보안 프로토콜을 성실히 따르도록 권장합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "가능한 경우 기본 제공 정책을 사용하여 운영 오버헤드를 최소화합니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "생산 데이터를 개발 및 테스트 데이터와 분리합니다. 프로덕션에서는 실제 민감한 데이터만 사용하고 개발 및 테스트 환경에서는 익명 또는 합성 데이터를 활용합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "description": "Resource Policy Contributor 역할을 특정 범위에 할당하면 정책 관리를 관련 팀에 위임할 수 있습니다. 
예를 들어 중앙 IT 팀은 관리 그룹 수준 정책을 감독할 수 있고, 응용 프로그램 팀은 구독에 대한 정책을 처리하여 조직 표준을 준수하는 분산 거버넌스를 가능하게 할 수 있습니다.",
- "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "특정 범위에서 기본 제공 Resource Policy Contributor 역할을 할당하여 응용 프로그램 수준 거버넌스를 사용하도록 설정합니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "데이터 민감도 수준이 다양하다면 각 수준에 대해 별도의 인덱스를 만드는 것이 좋습니다. 예를 들어, 일반 데이터에 대한 인덱스와 민감한 데이터에 대한 인덱스가 있을 수 있으며, 각각 다른 액세스 프로토콜에 의해 제어됩니다",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "19048384-5c98-46cb-8913-156a12476e49",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "상속된 범위에서 제외를 통해 관리하지 않도록 루트 관리 그룹 범위에서 수행된 Azure Policy 할당 수를 제한합니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "한 단계 더 나아가 중요한 데이터 세트를 서비스의 다른 인스턴스에 배치합니다. 
각 인스턴스는 고유한 특정 RBAC 정책 집합으로 제어할 수 있습니다",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
- "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
- "service": "Policy",
- "severity": "보통",
- "text": "데이터 주권 요구 사항이 있는 경우 이를 적용하기 위해 Azure 정책을 배포해야 합니다.",
- "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "민감한 정보에서 생성된 임베딩과 벡터는 그 자체로 민감하다는 점을 인식해야 합니다. 이 데이터에는 원본 자료와 동일한 보호 조치가 제공되어야 합니다",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
- "service": "Policy",
- "severity": "보통",
- "text": "Sovereign Landing Zone의 경우 주권 정책 기준을 배포하고 올바른 관리 그룹 수준에서 할당합니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "임베딩 및 벡터가 있는 데이터 저장소에 RBAC를 적용하고 역할의 액세스 요구 사항에 따라 액세스 범위를 지정합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
- "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
- "service": "Policy",
- "severity": "보통",
- "text": "Sovereign Landing Zone의 경우 정책 매핑에 대한 Sovereign Control 목표를 문서화합니다.",
+ 
"arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "AI 서비스에 대한 프라이빗 엔드포인트를 구성하여 네트워크 내 서비스 액세스를 제한합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
- "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives",
- "service": "Policy",
- "severity": "보통",
- "text": "Sovereign Landing Zone의 경우 'Sovereign Control 목표를 정책 매핑에 적용'을 관리하기 위한 프로세스가 마련되어 있는지 확인합니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Firewall 및 UDR을 사용하여 엄격한 인바운드 및 아웃바운드 트래픽 제어를 적용하고 외부 통합 지점을 제한합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
- "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions",
- "service": "Monitor",
- "severity": "보통",
- "text": "Azure RBAC(Azure 역할 기반 액세스 제어), 데이터 주권 요구 사항 또는 데이터 보존 정책에 따라 별도의 작업 영역이 필요한 경우를 제외하고 단일 모니터 로그 작업 영역을 사용하여 플랫폼을 중앙에서 관리합니다.",
- "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "waf": "작업"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "네트워크 세분화 및 액세스 제어를 구현하여 LLM 애플리케이션에 대한 액세스를 인증된 사용자 및 시스템으로만 제한하고 측면 이동을 방지합니다.",
+ "waf": "안전"
 },
 {
- 
"arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Monitor",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "모든 지역에 대해 단일 Azure Monitor 로그 작업 영역을 사용할지 또는 다양한 지리적 지역을 포괄하는 여러 작업 영역을 만들지 여부를 결정합니다. 각 접근 방식에는 잠재적인 지역 간 네트워킹 요금을 포함하여 장점과 단점이 있습니다",
- "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "waf": "신뢰도"
+ "text": "LLMLingua 또는 gprtrim과 같은 프롬프트 압축 도구 사용",
+ "waf": "비용 최적화"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- "service": "Monitor",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "로그 보존 요구 사항이 12년을 초과하는 경우 로그를 Azure Storage로 내보냅니다. 
Write-Once, Read-Many 정책과 함께 변경할 수 없는 스토리지를 사용하여 사용자가 지정한 간격 동안 데이터를 지우거나 수정할 수 없도록 합니다.",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "작업"
- },
- {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
- "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
- "service": "VM",
- "severity": "보통",
- "text": "Azure Policy를 사용하여 OS 수준 VM(가상 머신) 구성 드리프트를 모니터링합니다. 정책을 통해 Azure Automanage Machine Configuration 감사 기능을 사용하도록 설정하면 애플리케이션 팀 워크로드가 적은 노력으로 기능 기능을 즉시 사용할 수 있습니다.",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "작업"
+ "text": "LLM 애플리케이션에서 사용하는 API 및 엔드포인트가 관리 ID, API 키 또는 OAuth와 같은 인증 및 권한 부여 메커니즘으로 적절하게 보호되어 무단 액세스를 방지해야 합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations",
- "service": "VM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure에서 Windows 및 Linux VM에 대한 패치 메커니즘으로 Azure 업데이트 관리자를 사용합니다.",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "waf": "작업"
+ "text": "다단계 인증(multi-factor authentication)과 같은 강력한 최종 사용자 인증 메커니즘을 적용하여 LLM 애플리케이션 및 관련 네트워크 리소스에 대한 무단 액세스를 방지합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
 
- "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
- "service": "VM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Arc를 사용하여 Azure 외부의 Windows 및 Linux VM에 대한 패치 메커니즘으로 Azure 업데이트 관리자를 사용합니다.",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "waf": "작업"
+ "text": "네트워크 모니터링 도구를 구현하여 의심스럽거나 악의적인 활동에 대한 네트워크 트래픽을 탐지하고 분석합니다. 로깅을 활성화하여 네트워크 이벤트를 캡처하고 보안 사고 발생 시 포렌식 분석을 용이하게 합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/networkWatchers",
- "checklist": "Azure Landing Zone Review",
- "guid": "90483845-c986-4cb2-a131-56a12476e49f",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Network Watcher",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Network Watcher를 사용하여 트래픽 흐름을 사전에 모니터링합니다.",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "작업"
+ "text": "보안 감사 및 침투 테스트를 수행하여 LLM 애플리케이션의 네트워크 인프라에서 네트워크 보안 약점 또는 취약성을 식별하고 해결합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Monitor",
- "severity": "보통",
- "text": "인사이트 및 보고를 위해 Azure Monitor 로그를 사용합니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/",
- "waf": "작업"
+ 
"arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "Azure AI 서비스는 더 나은 관리를 위해 적절하게 태그가 지정됩니다.",
+ "waf": "운영 우수성"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "97be9951-9048-4384-9c98-6cb2913156a1",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
- "service": "Monitor",
- "severity": "보통",
- "text": "Azure Monitor 경고를 사용하여 운영 경고를 생성합니다.",
- "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/",
- "waf": "작업"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "Azure AI Service 계정은 조직의 명명 규칙을 따릅니다.",
+ "waf": "운영 우수성"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "Monitor",
- "severity": "보통",
- "text": "Azure Automation 계정을 통해 변경 및 인벤토리 추적을 사용하는 경우 Log Analytics 작업 영역과 자동화 계정을 함께 연결하는 데 지원되는 지역을 선택했는지 확인합니다.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/",
- "waf": "작업"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure AI 
Services 리소스의 진단 로그를 사용하도록 설정해야 함",
+ "waf": "운영 우수성"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
- "service": "Backup",
- "severity": "낮다",
- "text": "Azure Backup을 사용하는 경우 기본 설정은 GRS이므로 백업에 올바른 백업 유형(GRS, ZRS & LRS)을 사용합니다.",
- "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/",
- "waf": "신뢰도"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "키 액세스(로컬 인증)는 보안을 위해 사용하지 않도록 설정하는 것이 좋습니다. 키 기반 액세스를 사용하지 않도록 설정하면 Microsoft Entra ID가 유일한 액세스 방법이 되어 최소 권한 원칙과 세분화된 제어를 유지할 수 있습니다. ",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "VM",
- "severity": "보통",
- "text": "Azure 게스트 정책을 사용하여 VM 확장을 통해 소프트웨어 구성을 자동으로 배포하고 규격 기준 VM 구성을 적용합니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Key Vault를 사용하여 키를 안전하게 저장하고 관리하세요. 
LLM 애플리케이션의 코드 내에 중요한 키를 하드 코딩하거나 포함하지 않도록 하고 관리 ID를 사용하여 Azure Key Vault에서 안전하게 검색합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "description": "Azure Policy의 게스트 구성 기능을 사용하여 컴퓨터 설정(예: OS, 애플리케이션, 환경)을 감사하고 수정하여 리소스가 예상 구성에 맞는지 확인하고, 업데이트 관리는 VM에 대한 패치 관리를 적용할 수 있습니다.",
- "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
- "service": "VM",
- "severity": "보통",
- "text": "Azure Policy를 통해 VM 보안 구성 드리프트를 모니터링합니다.",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Key Vault에 저장된 키를 정기적으로 회전하고 만료하여 무단 액세스의 위험을 최소화합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "VM",
- "severity": "보통",
- "text": "Azure-to-Azure Virtual Machines 재해 복구 시나리오에는 Azure Site Recovery를 사용합니다. 
이렇게 하면 지역 간에 워크로드를 복제할 수 있습니다.",
- "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/",
- "waf": "작업"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "tiktoken을 사용하여 대화 모드에서 토큰 최적화를 위한 토큰 크기 이해",
+ "waf": "비용 최적화"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca",
- "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
- "service": "Backup",
- "severity": "보통",
- "text": "Azure 네이티브 백업 기능 또는 Azure 호환 타사 백업 솔루션을 사용합니다.",
- "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/",
- "waf": "작업"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "보안 코딩 관행에 따라 주입 공격, XSS(교차 사이트 스크립팅) 또는 보안 구성 오류와 같은 일반적인 취약성을 방지합니다",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "WAF",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "진단 설정을 추가하여 Azure Front 
Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 WAF 로그를 저장합니다. 로그를 정기적으로 검토하여 공격 및 가양성 탐지를 확인합니다.",
- "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/",
- "waf": "작업"
+ "text": "LLM 라이브러리와 다른 시스템 컴포넌트를 정기적으로 업데이트하고 패치하는 프로세스를 설정합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "7f408960-c626-44cb-a018-347c8d790cdf",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "WAF",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure OpenAI 또는 기타 LLM 사용 약관, 정책 및 지침, 허용되는 사용 사례 준수",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 Microsoft Sentinel로 WAF 로그를 보냅니다. 
공격을 탐지하고 WAF 텔레메트리를 전체 Azure 환경에 통합합니다.",
- "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/",
- "waf": "작업"
+ "text": "기본 모델과 미세 조정된 모델 및 토큰 단계 크기의 비용 차이를 이해합니다.",
+ "waf": "비용 최적화"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "5017f154-e3ab-4369-9829-e7e316183687",
- "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
- "service": "Key Vault",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "Azure Key Vault를 사용하여 비밀과 자격 증명을 저장합니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/",
- "waf": "안전"
+ "text": "가능한 경우 호출당 오버헤드를 최소화하여 전체 비용을 줄일 수 있는 일괄 처리 요청. 배치 크기를 최적화해야 합니다.",
+ "waf": "비용 최적화"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)",
- "guid": "a0477a20-9945-4bda-9333-4f2491163418",
- "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling",
- "service": "Key Vault",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", "severity": "보통", - "text": "서로 다른 애플리케이션 및 지역에 대해 서로 다른 Azure Key Vault를 사용하여 트랜잭션 규모 제한을 방지하고 비밀에 대한 액세스를 제한합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "안전" + "text": "모델 사용을 모니터링하는 비용 추적 시스템을 설정하고 해당 정보를 사용하여 모델 선택 및 프롬프트 크기를 알립니다", + "waf": "비용 최적화" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", "severity": "보통", - "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "안전" + "text": "모델 응답당 토큰 수에 대한 최대 제한을 설정합니다. 
유효한 응답에 사용할 수 있을 만큼 충분히 큰지 확인하기 위해 크기를 최적화합니다", + "waf": "비용 최적화" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", "severity": "보통", - "text": "키, 비밀 및 인증서를 영구적으로 삭제할 수 있는 권한 부여를 특수 사용자 지정 Microsoft Entra ID 역할로 제한하여 최소 권한 모델을 따릅니다.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "안전" + "text": "안정성을 위한 AI 검색 설정에 대해 제공된 지침을 검토합니다.", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", "severity": "보통", - "text": "공용 인증 기관을 통해 인증서 관리 및 갱신 프로세스를 자동화하여 관리를 용이하게 합니다.", - "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", - "waf": "안전" + "text": "AI Search Vector 스토리지 계획 및 관리", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + 
"guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "보통", - "text": "키 및 인증서 교체를 위한 자동화된 프로세스를 설정합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "안전" + "text": "LLMOps 사례를 적용하여 GenAI 애플리케이션의 라이프사이클 관리를 자동화합니다.", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "보통", - "text": "자격 증명 모음에서 방화벽 및 가상 네트워크 서비스 엔드포인트 또는 프라이빗 엔드포인트를 사용하도록 설정하여 키 자격 증명 모음에 대한 액세스를 제어합니다.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", - "waf": "안전" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", + "severity": "높다", + "text": "청구 모델 사용 평가 - PAYG 대 PTU", + "waf": "비용 최적화" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", "severity": "보통", - "text": "플랫폼 중앙 Azure Monitor Log 
Analytics 작업 영역을 사용하여 Key Vault의 각 인스턴스 내에서 키, 인증서 및 비밀 사용을 감사합니다.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", - "waf": "안전" + "text": "모델 버전 간에 전환할 때 프롬프트와 응용 프로그램의 품질을 평가합니다.", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "보통", - "text": "Key Vault 인스턴스화 및 권한 있는 액세스를 위임하고 Azure Policy를 사용하여 일관된 규정 준수 구성을 적용합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", - "waf": "안전" + "text": "GenAI 앱을 평가, 모니터링 및 개선하여 근거, 관련성, 정확성, 일관성, 유창성 등의 기능을 제공합니다.", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", "severity": "보통", - "text": "애플리케이션당 환경, 지역별 Azure Key Vault를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "안전" + "text": "다양한 검색 매개 변수를 기반으로 Azure AI Search 결과를 평가합니다", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", "severity": "보통", - "text": "사용자 고유의 키를 가져오려는 경우 고려되는 모든 서비스에서 지원되지 않을 수 있습니다. 불일치가 원하는 결과를 방해하지 않도록 관련 완화를 구현합니다. 대기 시간을 최소화하는 적절한 지역 쌍 및 재해 복구 지역을 선택합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "안전" + "text": "데이터를 사용하여 프롬프트 엔지니어링 및 RAG와 같은 다른 기본 접근 방식을 시도한 경우에만 모델을 미세 조정하여 정확도를 높이는 방법으로 살펴보십시오", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 Azure Key Vault 관리형 HSM을 사용하여 비밀과 자격 증명을 저장합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "안전" + "text": "프롬프트 엔지니어링 기법을 사용하여 LLM 응답의 정확도 향상", + "waf": "운영 우수성" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", "severity": "보통", - "text": "Microsoft Entra ID 보고 기능을 사용하여 액세스 제어 감사 보고서를 생성합니다.", - "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "text": "GenAI 애플리케이션을 위한 레드 팀", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", - "severity": "높다", - "text": "모든 구독에 대해 Defender 클라우드 보안 태세 관리를 사용하도록 설정합니다.", - "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", - "waf": "안전" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", + "severity": "보통", + "text": "최종 사용자에게 LLM 응답에 대한 점수 매기기 옵션을 제공하고 이러한 점수를 추적합니다. 
", + "waf": "운영 우수성" }, { - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "높다", - "text": "모든 구독의 서버에 대해 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", - "waf": "안전" + "text": "할당량 관리 방법 고려", + "waf": "비용 최적화" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "높다", - "text": "모든 구독에서 Azure 리소스에 대한 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", - "waf": "안전" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", + "severity": "보통", + "text": "APIM 기반 게이트웨이와 같은 Load Balancer 솔루션을 사용하여 서비스 및 지역 간에 부하와 용량을 분산합니다", + "waf": "운영 우수성" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", - "severity": "높다", - "text": "IaaS 서버에서 Endpoint Protection을 사용하도록 설정합니다.", - "training": 
"https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", - "waf": "안전" + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", + "severity": "보통", + "text": "장기 취소 가능 토큰을 사용하고, 토큰을 캐시하고, Microsoft ID 라이브러리를 사용하여 자동으로 획득합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "보통", - "text": "Azure Monitor 로그 및 클라우드용 Defender를 통해 기본 운영 체제 패치 드리프트를 모니터링합니다.", - "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", - "waf": "안전" + "text": "로그인 사용자 흐름이 백업되고 복원력이 있는지 확인합니다. 사용자를 로그인하는 데 사용하는 코드가 백업되고 복구 가능한지 확인합니다. 
외부 프로세스와의 복원력 있는 인터페이스", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "보통", - "text": "기본 리소스 구성을 중앙 집중식 Azure Monitor Log Analytics 작업 영역에 연결합니다.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", - "waf": "안전" + "text": "사용자 지정 브랜드 자산은 CDN에서 호스팅되어야 합니다.", + "waf": "공연" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", - "guid": "a56888b2-7e83-4404-bd31-b886528502d1", - "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", - "service": "Entra", - "severity": "높다", - "text": "상관 관계가 있는 로그를 통한 중앙 집중식 위협 탐지 - SIEM(보안 정보 및 이벤트 관리)을 통해 다양한 서비스 간에 상관 관계를 파악할 수 있는 중앙 위치에 보안 데이터를 통합합니다.", - "waf": "안전" + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": 
"https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "낮다", + "text": "여러 ID 공급자가 있어야 합니다(예: Microsoft, Google, Facebook 계정으로 로그인).", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 투명 로그를 사용하도록 설정합니다.", - "waf": "안전" + "text": "VM 수준에서 고가용성을 위한 VM 규칙(프리미엄 디스크, 서로 다른 가용성 영역에 있는 지역에 두 개 이상)을 따릅니다.", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 고객 Lockbox를 사용하도록 설정합니다.", - "waf": "안전" + "text": "복제하지 마세요! 
복제로 인해 디렉터리 동기화에 문제가 발생할 수 있습니다", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "severity": "높다", - "text": "스토리지 계정에 대한 보안 전송을 사용하도록 설정합니다.", - "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", - "waf": "안전" + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "보통", + "text": "다중 지역에 대해 활성-활성 상태 보유", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", - "severity": "높다", - "text": "스토리지 계정에 대해 컨테이너 일시 삭제를 사용하도록 설정하여 삭제된 컨테이너와 해당 콘텐츠를 복구합니다.", - "waf": "안전" + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "보통", + "text": "추가 지역 및 위치에 Azure AD 도메인 서비스 스탬프 추가Add Azure AD Domain service stamps to additional regions and locations", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", - "severity": "높다", - "text": "Key Vault 비밀을 사용하여 자격 증명(가상 머신 사용자 암호), 인증서 또는 키와 같은 
중요한 정보를 하드 코딩하지 않도록 합니다.", - "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", - "waf": "작업" + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "보통", + "text": "DR에 복제본 세트 사용", + "waf": "신뢰도" } ], "metadata": { "name": "WAF checklist", - "timestamp": "October 02, 2024" + "timestamp": "October 21, 2024" }, "severities": [ { @@ -10007,7 +10595,7 @@ "name": "성취" }, { - "description": "권장 사항을 이해하지만 현재 요구 사항에 필요하지 않음", + "description": "권장 사항은 이해되었지만 현재 요구 사항에 필요하지 않음", "name": "필요 없음" }, { diff --git a/checklists/waf_checklist.pt.json b/checklists/waf_checklist.pt.json index c3a7d671e..b9ee7f3de 100644 --- a/checklists/waf_checklist.pt.json +++ b/checklists/waf_checklist.pt.json 
@@ -1,8211 +1,9078 @@ { "items": [ { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", "severity": "Alto", - "text": "Habilite a redundância de zona para o Cache do Azure para Redis. O Cache do Azure para Redis dá suporte a configurações redundantes de zona nas camadas Premium e Enterprise. Um cache redundante de zona pode colocar seus nós em diferentes zonas de disponibilidade do Azure na mesma região. Ele elimina a interrupção do data center ou AZ como um único ponto de falha e aumenta a disponibilidade geral do cache.", - "waf": "Fiabilidade" + "text": "Verifique se os controladores de domínio ADDS estão implantados na assinatura de identidade no Azure nativo", + "waf": "Segurança" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", "severity": "Média", - "text": "Configure a persistência de dados para uma instância do Cache do Azure para Redis. Como os dados do cache são armazenados na memória, uma falha rara e não planejada de vários nós pode fazer com que todos os dados sejam descartados. 
Para evitar a perda completa de dados, a persistência do Redis permite que você tire instantâneos periódicos de dados na memória e os armazene em sua conta de armazenamento.", - "waf": "Fiabilidade" + "text": "Verifique se os sites e serviços do ADDS estão configurados para manter as solicitações de autenticação de recursos baseados no Azure (incluindo a Solução VMware do Azure) locais para o Azure", + "waf": "Segurança" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", - "severity": "Média", - "text": "Use a conta de armazenamento com redundância geográfica para persistir o Cache do Azure para dados Redis ou zonalmente redundante onde a redundância geográfica não está disponível", - "waf": "Fiabilidade" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", + "severity": "Alto", + "text": "Verifique se o vCenter está conectado ao ADDS para habilitar a autenticação com base em 'contas de usuário nomeadas'", + "waf": "Segurança" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", "severity": "Média", - "text": "Configure a replicação geográfica passiva para instâncias do Cache Premium do Azure para Redis. 
A replicação geográfica é um mecanismo para vincular duas ou mais instâncias do Cache do Azure para Redis, normalmente abrangendo duas regiões do Azure. A replicação geográfica foi projetada principalmente para recuperação de desastres entre regiões. Duas instâncias de cache de camada Premium são conectadas por meio de replicação geográfica de uma forma que fornece leituras e gravações no cache primário e que os dados são replicados para o cache secundário.", - "waf": "Fiabilidade" + "text": "Verifique se a conexão do vCenter com o ADDS está usando um protocolo seguro (LDAPS)", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "severity": "Média", - "text": "Verifique se você está usando o SKU do Gateway de Aplicativo v2", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "A conta do CloudAdmin no vCenter IdP é usada apenas como uma conta de emergência (break-glass)", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", - "severity": "Média", - "text": "Verifique se 
você está usando o SKU Standard para seus Azure Load Balancers", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", + "severity": "Alto", + "text": "Certifique-se de que o NSX-Manager esteja integrado a um provedor de identidade externo (LDAPS)", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "severity": "Média", - "text": "Verifique se os endereços IP de front-end dos Load Balancers têm redundância de zona (a menos que você precise de front-ends zonais).", + "text": "Foi criado um modelo RBAC para uso no VMware vSphere", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": 
"dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "severity": "Média", - "text": "Seus Gateways de Aplicativo v2 devem ser implantados em sub-redes com prefixos IP iguais ou maiores que /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "As permissões RBAC devem ser concedidas em grupos ADDS e não em usuários específicos", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "A administração de proxies reversos em geral e WAF em particular está mais próxima do aplicativo do que da rede, portanto, eles pertencem à mesma assinatura que o aplicativo. 
Centralizar o Gateway de Aplicativo e o WAF na assinatura de conectividade pode ser OK se ele for gerenciado por uma única equipe.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "Média", - "text": "Implante o Gateway de Aplicativo do Azure v2 ou NVAs de parceiros usados para proxy de conexões HTTP(S) de entrada na rede virtual da zona de destino e com os aplicativos que eles estão protegendo.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", + "severity": "Alto", + "text": "As permissões RBAC no recurso Solução VMware do Azure no Azure são 'bloqueadas' apenas para um conjunto limitado de proprietários", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "Média", - "text": "Use uma rede DDoS ou planos de proteção de IP para todos os endereços IP públicos em zonas de destino do aplicativo.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", + "severity": "Alto", + "text": "Certifique-se de que todas as funções personalizadas tenham escopo com autorizações permitidas do CloudAdmin", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 
'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", - "severity": "Média", - "text": "Configure o dimensionamento automático com uma quantidade mínima de instâncias de duas.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Fiabilidade" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", + "severity": "Alto", + "text": "O modelo de conectividade correto da Solução VMware do Azure está selecionado para o caso de uso do cliente em mãos?", + "waf": "Desempenho" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + "severity": "Alto", + "text": "Garantir que as conexões de Rota Expressa ou VPN do local para o Azure sejam monitoradas usando o 'monitor de conexão'", + "waf": "Operações" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + 
"service": "AVS", "severity": "Média", - "text": "Implantar o Gateway de Aplicativo em Zonas de Disponibilidade", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Fiabilidade" + "text": "Verifique se um monitor de conexão foi criado a partir de um recurso nativo do Azure para uma máquina virtual da Solução VMware do Azure para monitorar a conexão de Rota Expressa de back-end da Solução VMware do Azure", + "waf": "Operações" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "severity": "Média", - "text": "Ao usar o Front Door e o Gateway de Aplicativo para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Front Door. 
Bloqueie o Gateway de Aplicativo para receber tráfego somente do Front Door.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Segurança"
+ "text": "Verifique se um monitor de conexão é criado a partir de um recurso local para uma máquina virtual da Solução VMware do Azure para monitorar a conectividade de ponta 2",
+ "waf": "Operações"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/trafficManagerProfiles",
- "checklist": "Azure Application Delivery Networking",
- "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Traffic Manager",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Use o Gerenciador de Tráfego para fornecer aplicativos globais que abrangem protocolos diferentes de HTTP/S.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Fiabilidade"
+ "text": "Quando o servidor de rotas for usado, certifique-se de que não mais de 1000 rotas sejam propagadas do servidor de rotas para o gateway ExR para o local (limite ARS).",
+ "waf": "Operações"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
- "severity": "Baixo",
- "text": "Se os usuários precisarem apenas de acesso a aplicativos internos, o Proxy de Aplicativo de ID do Microsoft Entra foi considerado como uma alternativa à AVD (Área de Trabalho Virtual) do Azure?",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design 
Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", + "severity": "Alto", + "text": "O Gerenciamento de Identidades Privilegiadas é implementado para funções que gerenciam o recurso da Solução VMware do Azure no Portal do Azure (não são permitidas permissões permanentes)", "waf": "Segurança" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", + "severity": "Alto", + "text": "Os relatórios de auditoria do Gerenciamento de Identidades Privilegiadas devem ser implementados para as funções PIM da Solução VMware do Azure", + "waf": "Segurança" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "severity": "Média", - "text": "Para reduzir o número de portas de firewall abertas para conexões de entrada em sua rede, considere usar o Proxy de Aplicativo de ID do Microsoft Entra para fornecer aos usuários remotos acesso seguro e autenticado a aplicativos internos.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": "Se o uso do Gerenciamento de Identidades Privilegiadas estiver sendo usado, certifique-se de que uma conta válida habilitada para ID do Entra seja criada com um registro SMTP válido para notificações de substituição automática do Host da Solução VMware do Azure. 
(permissões permanentes necessárias)",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "Microsoft.Network/loadBalancers",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
- "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
- "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
- "service": "Load Balancer",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Usar o Gateway NAT do Azure em vez das regras de saída do Load Balancer para melhorar a escalabilidade SNAT",
- "waf": "Fiabilidade"
+ "text": "Limitar o uso da conta do CloudAdmin apenas ao acesso de emergência",
+ "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
- "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
- "service": "App Gateway",
- "severity": "Alto",
- "text": "Habilite o conjunto de regras de proteção contra bot do WAF do Gateway de Aplicativo do Azure. 
As regras de bot detectam bots bons e ruins.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Criar funções RBAC personalizadas no vCenter para implementar um modelo de privilégios mínimos dentro do vCenter",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "App Gateway",
- "severity": "Alto",
- "text": "Verifique se o recurso de inspeção do corpo da solicitação está habilitado na política WAF do Gateway de Aplicativo do Azure.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "É um processo definido para alternar regularmente as credenciais cloudadmin (vCenter) e admin (NSX)",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
- "service": "App Gateway",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Ajuste o WAF do Gateway de Aplicativo do Azure no modo de detecção para sua carga de trabalho. 
Reduza as detecções de falsos positivos.",
+ "text": "Usar um provedor de identidade centralizado a ser usado para cargas de trabalho (VMs) em execução na Solução VMware do Azure",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations",
- "service": "App Gateway",
- "severity": "Alto",
- "text": "Implante sua política de WAF para Gateway de Aplicativo no modo 'Prevenção'.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "A filtragem de tráfego Leste-Oeste é implementada no NSX-T",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
- "service": "App Gateway",
- "severity": "Média",
- "text": "Adicione a limitação de taxa ao WAF do Gateway de Aplicativo do Azure. A limitação de taxa bloqueia os clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "As cargas de trabalho na Solução VMware do Azure não são diretamente expostas à Internet. 
O tráfego é filtrado e inspecionado pelo Gateway de Aplicativo do Azure, pelo Firewall do Azure ou por soluções de terceiros",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
- "service": "App Gateway",
- "severity": "Média",
- "text": "Use um limite alto para os limites de taxa do WAF do Gateway de Aplicativo do Azure. Os limites de limite de taxa altos evitam o bloqueio do tráfego legítimo, ao mesmo tempo em que fornecem proteção contra números extremamente altos de solicitações que podem sobrecarregar sua infraestrutura. ",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "A auditoria e o registro em log são implementados para solicitações de entrada da Internet para cargas de trabalho baseadas na Solução VMware do Azure e na Solução VMware do Azure",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "99937189-ff78-492a-b9ca-18d828d82b37",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices",
- "service": "App Gateway",
- "severity": "Baixo",
- "text": "Se você não estiver esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "O monitoramento de sessão é implementado para conexões de saída da Internet a partir da Solução 
VMware do Azure ou cargas de trabalho baseadas na Solução VMware do Azure para identificar atividades suspeitas/mal-intencionadas",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "349a15c1-52f4-4319-9078-3895d95ecafd",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
- "service": "App Gateway",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "334fdf91-c234-4182-a652-75269440b4be",
+ "service": "AVS",
 "severity": "Média",
- "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Gateway de Aplicativo do Azure. Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.",
+ "text": "A proteção padrão contra DDoS está habilitada na sub-rede do Gateway ExR/VPN no Azure",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
- "service": "App Gateway",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
+ "service": "AVS",
 "severity": "Média",
- "text": "Use a versão mais recente do conjunto de regras do WAF do Gateway de Aplicativo do Azure. 
As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário de ameaças atual.",
+ "text": "Usar uma estação de trabalho de acesso privilegiado (PAW) dedicada para gerenciar a Solução VMware do Azure, o vCenter, o gerenciador NSX e o gerenciador HCX",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "App Gateway",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
+ "service": "AVS",
 "severity": "Média",
- "text": "Adicione configurações de diagnóstico para salvar os logs do WAF do Gateway de Aplicativo do Azure.",
- "waf": "Operações"
+ "text": "Habilitar a Detecção Avançada de Ameaças (Microsoft Defender for Cloud, também conhecido como ASC) para cargas de trabalho em execução na Solução VMware do Azure",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "92664c60-47e3-4591-8b1b-8d557656e686",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
- "service": "App Gateway",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
+ "service": "AVS",
 "severity": "Média",
- "text": "Envie logs do WAF do Gateway de Aplicativo do Azure para o Microsoft Sentinel.",
- "waf": "Operações"
+ "text": "Usar o Azure ARC for Servers para controlar corretamente as cargas de trabalho em execução na Solução VMware do Azure usando tecnologias nativas do Azure (o Azure ARC for Azure VMware Solution ainda 
não está disponível)",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
- "service": "App Gateway",
- "severity": "Média",
- "text": "Defina a configuração do WAF do Gateway de Aplicativo do Azure como código. Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.",
- "waf": "Operações"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
+ "service": "AVS",
+ "severity": "Baixo",
+ "text": "Garanta que as cargas de trabalho na Solução VMware do Azure usem criptografia de dados suficiente durante o tempo de execução (como criptografia de disco convidado e SQL TDE). (a criptografia vSAN em repouso é padrão)",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
- "service": "App Gateway",
- "severity": "Média",
- "text": "Use as Políticas do WAF em vez da configuração herdada do WAF.",
- "waf": "Operações"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
+ "service": "AVS",
+ "severity": "Baixo",
+ "text": "Quando a criptografia no convidado é usada, armazene chaves de criptografia no cofre de chaves do Azure quando possível",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
- "link": 
"https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "severity": "Média", - "text": "Filtre o tráfego de entrada nos back-ends para que eles aceitem apenas conexões da sub-rede do Gateway de Aplicativo, por exemplo, com NSGs.", + "text": "Considere usar o suporte estendido de atualização de segurança para cargas de trabalho em execução na Solução VMware do Azure (a Solução VMware do Azure é qualificada para ESU)", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "severity": "Alto", - "text": "Você deve criptografar o tráfego para os servidores de back-end.", - "waf": "Segurança" + "text": "Certifique-se de que o método de redundância de dados vSAN apropriado seja usado (especificação RAID)", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "severity": "Alto", - "text": "Você deve usar um Web Application Firewall.", - "waf": "Segurança" + "text": "Certifique-se de que a política de falha na tolerância esteja em 
vigor para atender às suas necessidades de armazenamento vSAN",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
- "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
- "service": "App Gateway",
- "severity": "Média",
- "text": "Redirecionar HTTP para HTTPS",
- "waf": "Segurança"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Certifique-se de ter solicitado cota suficiente, garantindo que você tenha considerado o crescimento e o requisito de recuperação de desastres",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
- "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
- "service": "App Gateway",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
+ "service": "AVS",
 "severity": "Média",
- "text": "Use cookies gerenciados por gateway para direcionar o tráfego de uma sessão de usuário para o mesmo servidor para processamento",
+ "text": "Certifique-se de que as restrições de acesso ao ESXi sejam compreendidas, há limites de acesso que podem afetar as soluções de terceiros 3rd.",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
- "service": "App Gateway",
- "severity": "Alto",
- "text": "Habilitar a 
drenagem de conexão durante atualizações de serviço planejadas para evitar a perda de conexão para membros existentes do pool de back-end",
- "waf": "Segurança"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
- "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
- "service": "App Gateway",
- "severity": "Baixo",
- "text": "Crie páginas de erro personalizadas para exibir uma experiência de usuário personalizada",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Certifique-se de ter uma política em torno da densidade e eficiência do host ESXi, tendo em mente o prazo de espera para solicitar novos nós",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
- "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
- "service": "App Gateway",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
+ "service": "AVS",
 "severity": "Média",
- "text": "Edite solicitações HTTP e cabeçalhos de resposta para facilitar o roteamento e a troca de informações entre o cliente e o servidor",
- "waf": "Segurança"
+ "text": "Garantir que um bom processo de gerenciamento de custos esteja em vigor para a Solução VMware do Azure - o Gerenciamento de Custos do Azure pode ser usado",
+ "waf": "Custar"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
- "link": 
"https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", - "severity": "Média", - "text": "Configure o Front Door para otimizar o roteamento de tráfego da Web global e o desempenho e a confiabilidade do usuário final de nível superior por meio de failover global rápido", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", + "severity": "Baixo", + "text": "As instâncias reservadas do Azure são usadas para otimizar o custo de uso da Solução VMware do Azure", + "waf": "Custar" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "severity": "Média", - "text": "Usar o balanceamento de carga da camada de transporte", - "waf": "Desempenho" + "text": "Considere o uso do Azure Private-Link ao usar outros Serviços Nativos do Azure", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", - "severity": "Média", - "text": "Configurar o roteamento com base no host ou no nome de domínio para vários aplicativos Web em um único gateway", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", + "severity": "Alto", + "text": 
"Verifique se todos os recursos necessários residem na(s) mesma(s) zona(s) de disponibilidade do Azure", + "waf": "Desempenho" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "severity": "Média", - "text": "Centralize o gerenciamento de certificados SSL para reduzir a sobrecarga de criptografia e descriptografia de um farm de servidores de back-end", + "text": "Habilitar cargas de trabalho de VM convidada do Microsoft Defender for Cloud for Azure VMware Solution", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "Baixo", - "text": "Usar o Gateway de Aplicativo para obter suporte nativo para protocolos WebSocket e HTTP/2", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", + "severity": "Média", + "text": "Usar servidores habilitados para Arc do Azure para gerenciar suas cargas de trabalho de VM convidada da Solução VMware do Azure", "waf": "Segurança" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "severity": "Média", - "text": "Os Aplicativos 
Spring do Azure permitem duas implantações para cada aplicativo, apenas um dos quais recebe tráfego de produção. Você pode obter tempo de inatividade zero com estratégias de implantação em verde azul. A implantação verde azul só está disponível nas camadas Standard e Enterprise. Você pode automatizar a implantação usando CI/CD com ações do ADO/GitHub",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Habilitar o log de diagnóstico e de métrica na solução VMware do Azure",
+ "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "Azure Spring Apps Review",
- "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716",
- "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
- "service": "Spring Apps",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
+ "service": "AVS",
 "severity": "Média",
- "text": "As instâncias do Azure Spring Apps podem ser criadas em várias regiões para seus aplicativos e o tráfego pode ser roteado pelo Gerenciador de Tráfego/Front Door.",
- "waf": "Fiabilidade"
+ "text": "Implantar os agentes do Log Analytics nas cargas de trabalho da VM convidada da Solução VMware do Azure",
+ "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "Azure Spring Apps Review",
- "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps",
- "service": "Spring Apps",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
+ "service": "AVS",
 "severity": "Média",
- "text": "Na região com suporte, os 
Aplicativos Spring do Azure podem ser implantados como zona redundante, o que significa que as instâncias são distribuídas automaticamente entre zonas de disponibilidade. Esse recurso só está disponível nas camadas Standard e Enterprise.",
- "waf": "Fiabilidade"
+ "text": "Verifique se você tem uma política e uma solução de backup documentadas e implementadas para cargas de trabalho de VM da Solução VMware do Azure",
+ "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "Azure Spring Apps Review",
- "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066",
- "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment",
- "service": "Spring Apps",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
+ "service": "AVS",
 "severity": "Média",
- "text": "Usar mais de 1 instância de aplicativo para seus aplicativos",
- "waf": "Fiabilidade"
+ "text": "Usar o Microsoft Defender for Cloud para monitoramento de conformidade de cargas de trabalho em execução no Azure VMware Solution",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "Azure Spring Apps Review",
- "guid": "7504c230-6035-4183-95a5-85762acc6075",
- "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services",
- "service": "Spring Apps",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
+ "service": "AVS",
 "severity": "Média",
- "text": "Monitore os Aplicativos Spring do Azure com logs, métricas e rastreamento. 
Integre o ASA com insights de aplicativos e rastreie falhas e crie pastas de trabalho.",
- "waf": "Fiabilidade"
+ "text": "São as linhas de base de conformidade aplicáveis adicionadas ao Microsoft Defender for Cloud",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "Azure Spring Apps Review",
- "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6",
- "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway",
- "service": "Spring Apps",
- "severity": "Média",
- "text": "Configurar o dimensionamento automático no Spring Cloud Gateway",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "A residência de dados foi avaliada ao selecionar regiões do Azure a serem usadas para a implantação da Solução VMware do Azure",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "Azure Spring Apps Review",
- "guid": "97411607-b6fd-4335-99d1-9885faf4e392",
- "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale",
- "service": "Spring Apps",
- "severity": "Baixo",
- "text": "Habilite o dimensionamento automático para os aplicativos com o plano de consumo padrão e dedicado.",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "As implicações do processamento de dados (modelo de prestador de serviços / consumidor de serviços) são claras e documentadas",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "Azure Spring Apps Review",
- "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3",
- "link": "https://learn.microsoft.com/azure/spring-apps/overview",
- "service": 
"Spring Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "severity": "Média", - "text": "Use o plano Enterprise para suporte comercial de inicialização spring para aplicativos de missão crítica. Com outras camadas, você obtém suporte a OSS.", - "waf": "Fiabilidade" + "text": "Considere o uso de CMK (Customer Managed Key) para vSAN somente se necessário por motivo(s) de conformidade.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "severity": "Alto", - "text": "Siga as proteções do Metaprompting para uma IA razoável", - "waf": "Excelência Operacional" + "text": "Criar painéis para habilitar os principais insights de monitoramento da Solução VMware do Azure", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", "severity": "Alto", - "text": "Considere padrões de gateway com APIM ou soluções como AI central para melhor limitação de taxa, balanceamento de carga, autenticação e registro", - "waf": "Excelência Operacional" + "text": "Criar alertas de aviso para limites críticos para alertas automáticos sobre o 
desempenho da solução VMware do Azure (CPU >80%, memória média >80%, vSAN >70%)", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", "severity": "Alto", - "text": "Habilitar o monitoramento para suas instâncias AOAI", - "waf": "Excelência Operacional" + "text": "Certifique-se de que o alerta crítico seja criado para monitorar se o consumo de vSAN está abaixo de 75%, pois esse é um limite de suporte do VMware", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "severity": "Alto", - "text": "Crie alertas para notificar as equipes sobre eventos, como uma entrada no log de atividades criada por uma ação executada no recurso, como regenerar suas chaves de assinatura ou um limite de métrica, como o número de erros que excedem 10 em uma hora", - "waf": "Excelência Operacional" + "text": "Verifique se os alertas estão configurados para alertas e notificações de Integridade do Serviço do Azure", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Monitore o uso do token para evitar interrupções de serviço devido à capacidade", - "waf": "Excelência Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", + "severity": "Média", + "text": "Configurar o log da Solução VMware do Azure para ser enviado a uma conta de Armazenamento do Azure ou ao Azure EventHub para processamento", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Observe métricas como tokens de inferência processados, monitoramento de tokens de conclusão gerados para limite de taxa", - "waf": "Excelência Operacional" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", "severity": "Baixo", - "text": "Se o diagnóstico não for suficiente para você, considere usar um gateway como o Gerenciamento de API do Azure na frente do Azure OpenAI para registrar prompts de entrada e respostas de saída, quando permitido", - "waf": "Excelência Operacional" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Usar a infraestrutura como código para implantar o serviço OpenAI do Azure, implantações de modelo e todos os recursos relacionados", - "waf": "Excelência Operacional" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Usar a autenticação do Microsoft Entra com identidade gerenciada em vez de chave de API", - "waf": "Segurança" + "text": "Se for necessário um insight profundo no VMware vSphere: o vRealize Operations e/ou o vRealize Network Insights são usados na solução?", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "severity": "Alto", - "text": "Avalie o desempenho/precisão do sistema com um conjunto de dados dourado conhecido que tenha as entradas e as respostas corretas. 
Aproveite os recursos do PromptFlow para avaliação.", - "waf": "Excelência Operacional" + "text": "Verifique se a política de armazenamento vSAN para VMs NÃO é a política de armazenamento padrão, pois essa política aplica provisionamento espesso", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Avaliar o uso do modelo de taxa de transferência provisionada ", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", + "severity": "Média", + "text": "Verifique se as bibliotecas de conteúdo do vSphere não são colocadas no vSAN, pois o vSAN é um recurso finito", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Examinar e implementar a segurança de conteúdo do Azure AI", - "waf": "Excelência Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", + "severity": "Média", + "text": "Certifique-se de que os repositórios de dados da solução de backup sejam armazenados fora do armazenamento vSAN. 
No nativo do Azure ou em um armazenamento de dados com backup de pool de discos", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Defina e avalie a taxa de transferência do sistema com base em tokens e resposta por minuto e alinhe-se aos requisitos", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", + "severity": "Média", + "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam gerenciadas de forma híbrida usando o Azure Arc for Servers (a Solução VMware do Arc for Azure está em visualização)", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "severity": "Média", - "text": "Melhore a latência do sistema limitando os tamanhos dos tokens, as opções de streaming", - "waf": "Desempenho" + "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam monitoradas usando o Azure Log Analytics e o Azure Monitor", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - 
"service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "severity": "Média", - "text": "Estime as demandas de elasticidade para determinar a segregação de solicitações síncronas e em lote com base na prioridade. Para alta prioridade, use a abordagem síncrona e, para baixa prioridade, o processamento em lote assíncrono com fila é preferível", - "waf": "Desempenho" + "text": "Incluir cargas de trabalho em execução na Solução VMware do Azure nas ferramentas de gerenciamento de atualizações existentes ou no Gerenciamento de Atualizações do Azure", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Compare os requisitos de consumo de token com base nas demandas estimadas dos consumidores. 
Considere usar a ferramenta de benchmarking OpenAI do Azure para ajudá-lo a validar a taxa de transferência se você estiver usando implantações de Unidade de Produtividade Provisionada", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", + "severity": "Média", + "text": "Usar a Política do Azure para integrar cargas de trabalho da Solução VMware do Azure nas soluções de Gerenciamento, Monitoramento e Segurança do Azure", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", "severity": "Média", - "text": "Se você estiver usando PTUs (Unidades de Produtividade Provisionadas), considere implantar uma implantação de token por minuto (TPM) para solicitações de estouro. Use um gateway para rotear solicitações para a implantação do TPM quando os limites de PTU forem atingidos.", - "waf": "Desempenho" + "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam integradas ao Microsoft Defender for Cloud", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Escolha o modelo certo para a tarefa certa. 
Escolha modelos com a compensação certa entre velocidade, qualidade de resposta e complexidade de saída", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", + "severity": "Média", + "text": "Certifique-se de que os backups não sejam armazenados no vSAN, pois o vSAN é um recurso finito", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", "severity": "Média", - "text": "Tenha uma linha de base para o desempenho sem ajuste fino para saber se o ajuste fino melhorou ou não o desempenho do modelo", - "waf": "Desempenho" + "text": "Todas as soluções de DR foram consideradas e uma solução que é melhor para o seu negócio foi decidida? 
[SRM/JetStream/Zerto/Veeam/...]", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "Baixo", - "text": "Implantar várias instâncias de OAI em regiões", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", + "severity": "Média", + "text": "Usar o Azure Site Recovery quando a tecnologia de Recuperação de Desastres for IaaS nativa do Azure", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "severity": "Alto", - "text": "Implemente novas tentativas e verificações de integridade com o padrão de Gateway como APIM", + "text": "Use planos de recuperação automatizados com qualquer uma das soluções de desastre, evite ao máximo tarefas manuais", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", 
"severity": "Média", - "text": "Garantir que tenha cotas adequadas de TPM e RPM para a carga de trabalho", + "text": "Usar o par de regiões geopolíticas como o ambiente secundário de recuperação de desastres", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Revise as considerações nas diretrizes do kit de ferramentas HAI e aplique essas práticas de interação para a análise", - "waf": "Excelência Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", + "severity": "Alto", + "text": "Use 2 espaços de endereço diferentes entre as regiões, por exemplo: 10.0.0.0/16 e 192.168.0.0/16 para as diferentes regiões", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "severity": "Média", - "text": "Implantar modelos ajustados separados entre regiões se o ajuste fino for empregado", + "text": "O ExpressRoute Global Reach será usado para conectividade entre as Nuvens Privadas da Solução VMware do Azure primária e secundária ou o roteamento é feito por meio de dispositivos virtuais de rede?", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", "severity": "Média", - "text": "Faça backup e replique regularmente dados críticos para garantir a disponibilidade e a capacidade de recuperação dos dados em caso de perda de dados ou falhas do sistema. Aproveite os serviços de backup e recuperação de desastre do Azure para proteger seus dados.", + "text": "Todas as soluções de backup foram consideradas e uma solução que é melhor para o seu negócio foi decidida? [ MABS/CommVault/Metallic.io/Veeam/ . ]", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "As camadas de serviço de pesquisa de IA do Azure devem ser escolhidas para ter um SLA ", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", + "severity": "Média", + "text": "Implante sua solução de backup na mesma região que sua nuvem privada da Solução VMware do Azure", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", + "severity": "Média", + "text": "Implante sua solução de 
backup fora do vSan, em componentes nativos do Azure", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", "severity": "Baixo", - "text": "Classifique os dados e a confidencialidade, rotulando com o Microsoft Purview antes de gerar as inserções e certifique-se de tratar as inserções geradas com a mesma confidencialidade e classificação", - "waf": "Segurança" + "text": "Existe um processo para solicitar uma restauração dos componentes VMware gerenciados pela Plataforma Azure?", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Criptografar dados usados para RAG com criptografia SSE/Disco com BYOK opcional", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantações manuais, todas as configurações e implantações devem ser documentadas", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Certifique-se de que o TLS seja aplicado para dados em trânsito entre fontes de dados, pesquisa de IA usada para RG (Geração Aumentada por Recuperação) e comunicação LLM", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantações manuais, considere implementar bloqueios de recursos para evitar ações acidentais em sua nuvem privada de solução VMware do Azure", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Use o RBAC para gerenciar o acesso aos serviços do OpenAI do Azure. Atribua permissões apropriadas aos usuários e restrinja o acesso com base em suas funções e responsabilidades", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantações automatizadas, implante uma nuvem privada mínima e dimensione conforme necessário", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Implemente técnicas de criptografia, mascaramento ou redação de dados para ocultar dados confidenciais ou substituí-los por valores ofuscados em ambientes de não produção ou ao compartilhar dados para fins de teste ou solução de problemas", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantações automatizadas, solicite ou reserve cota antes de iniciar a implantação", + "waf": "Operações" 
}, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Utilize o Azure Defender para detectar e responder a ameaças de segurança e configurar mecanismos de monitoramento e alerta para identificar atividades suspeitas ou violações. Aproveite o Azure Sentinel para detecção e resposta avançadas a ameaças", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantação automatizada, verifique se os bloqueios de recursos relevantes são criados por meio da automação ou da Política do Azure para uma governança adequada", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Estabeleça políticas de retenção e descarte de dados para cumprir os regulamentos de conformidade. 
Implemente métodos de exclusão segura para dados que não são mais necessários e mantenha uma trilha de auditoria das atividades de retenção e descarte de dados", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "Baixo", + "text": "Implemente nomes humanos compreensíveis para chaves de autorização ExR para permitir a fácil identificação da finalidade/uso das chaves", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Implementar proteções imediatas e detecção de aterramento usando a Segurança de conteúdo ", - "waf": "Excelência Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "severity": "Baixo", + "text": "Usar o Cofre de chaves para armazenar segredos e chaves de autorização quando Princípios de Serviço separados são usados para implantar a Solução VMware do Azure e a Rota Expressa", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Garanta a conformidade com os regulamentos de proteção de dados relevantes, como GDPR ou HIPAA, implementando controles de privacidade e obtendo os consentimentos ou permissões necessários para atividades de processamento de dados.", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure 
VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "Baixo", + "text": "Defina dependências de recursos para serializar ações no IaC quando muitos recursos precisarem ser implantados no/na Solução VMware do Azure, pois a Solução VMware do Azure oferece suporte apenas a um número limitado de operações paralelas.", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Eduque seus funcionários sobre as melhores práticas de segurança de dados, a importância de lidar com dados com segurança e os possíveis riscos associados a violações de dados. Incentive-os a seguir os protocolos de segurança de dados diligentemente.", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "Baixo", + "text": "Ao executar a configuração automatizada de segmentos NSX-T com um único gateway de Camada 1, use as APIs do Portal do Azure em vez das APIs do NSX-Manager", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Mantenha os dados de produção separados dos dados de desenvolvimento e teste. 
Use apenas dados confidenciais reais na produção e utilize dados anônimos ou sintéticos em ambientes de desenvolvimento e teste.", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", + "severity": "Média", + "text": "Ao pretender usar a expansão automatizada, certifique-se de aplicar cota suficiente da Solução VMware do Azure para as assinaturas que executam a Solução VMware do Azure", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "Média", - "text": "Se você tiver níveis variados de confidencialidade de dados, considere criar índices separados para cada nível. Por exemplo, você pode ter um índice para dados gerais e outro para dados confidenciais, cada um regido por diferentes protocolos de acesso", - "waf": "Segurança" + "text": "Ao pretender usar o scale-in automatizado, certifique-se de levar em consideração os requisitos da política de armazenamento antes de executar essa ação", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "Média", - "text": "Leve a segregação um passo adiante, colocando conjuntos de dados confidenciais em diferentes instâncias do serviço. 
Cada instância pode ser controlada com seu próprio conjunto específico de políticas RBAC", - "waf": "Segurança" + "text": "As operações de dimensionamento sempre precisam ser serializadas em um único SDDC, pois apenas uma operação de escala pode ser executada por vez (mesmo quando vários clusters são usados)", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Reconheça que incorporações e vetores gerados a partir de informações confidenciais são eles próprios sensíveis. Esses dados devem receber as mesmas medidas de proteção que o material de origem", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", + "severity": "Média", + "text": "Considerar e validar operações de dimensionamento em soluções de terceiros 3rd usadas na arquitetura (suportadas ou não)", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Aplique o RBAC aos armazenamentos de dados com incorporações e vetores e acesso ao escopo com base nos requisitos de acesso da função", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", + "severity": "Média", + "text": "Definir e impor limites máximos de entrada/saída de escala para seu ambiente nas automações", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI 
Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Configurar o ponto de extremidade privado para serviços de IA para restringir o acesso ao serviço em sua rede", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", + "severity": "Média", + "text": "Implementar regras de monitoramento para monitorar operações de dimensionamento automatizadas e monitorar o sucesso e a falha para habilitar respostas apropriadas (automatizadas)", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Imponha um controle estrito de tráfego de entrada e saída com o Firewall do Azure e UDRs e limite os pontos de integração externos", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "Alto", + "text": "Ao usar o MON, esteja ciente dos limites de VMs configuradas simulataneamente (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + 
"checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "Alto", - "text": "Implemente segmentação de rede e controles de acesso para restringir o acesso ao aplicativo LLM apenas a usuários e sistemas autorizados e evitar movimentos laterais", - "waf": "Segurança" + "text": "Ao usar o MON, você não pode habilitar o MON em mais de 100 extensões de rede", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "Média", - "text": "Use ferramentas de compactação imediatas como LLMLingua ou gprtrim", - "waf": "Otimização de custos" + "text": "Se estiver usando uma conexão VPN para migrações, ajuste o tamanho da MTU de acordo.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Certifique-se de que as APIs e os endpoints usados pelo aplicativo LLM estejam devidamente protegidos com mecanismos de autenticação e autorização, como identidades gerenciadas, chaves de API ou OAuth, para impedir o acesso não autorizado.", - "waf": "Segurança" + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", + "severity": "Média", + "text": "Para regiões de baixa conectividade conectadas ao Azure (500Mbps ou menos), considere implantar o dispositivo de otimização de WAN HCX", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "severity": "Média", - "text": "Aplique mecanismos fortes de autenticação do usuário final, como autenticação multifator, para impedir o acesso não autorizado ao aplicativo LLM e aos recursos de rede associados", - "waf": "Segurança" + "text": "Certifique-se de que as migrações sejam iniciadas a partir do dispositivo local e NÃO do dispositivo em nuvem (NÃO execute uma migração reversa)", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", "severity": "Média", - "text": "Implemente ferramentas de monitoramento de rede para detectar e analisar o tráfego de rede em busca de atividades suspeitas ou maliciosas. 
Habilite o registro para capturar eventos de rede e facilitar a análise forense em caso de incidentes de segurança", - "waf": "Segurança" + "text": "Quando o Azure Netapp Files for usado para estender o armazenamento para a Solução VMware do Azure, considere usá-lo como um armazenamento de dados VMware em vez de anexá-lo diretamente a uma VM.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "severity": "Média", - "text": "Realize auditorias de segurança e testes de penetração para identificar e resolver quaisquer pontos fracos ou vulnerabilidades de segurança de rede na infraestrutura de rede do aplicativo LLM", - "waf": "Segurança" + "text": "Verifique se um ExpressRoute Gateway dedicado está sendo usado para soluções de armazenamento de dados externos", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", - "severity": "Baixo", - "text": "Os Serviços de IA do Azure são marcados corretamente para melhor gerenciamento", - "waf": "Excelência Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", + "severity": "Média", + "text": 
"Verifique se o FastPath está habilitado no ExpressRoute Gateway que está sendo usado para soluções de armazenamento de dados externos", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", - "severity": "Baixo", - "text": "As contas do Serviço de IA do Azure seguem as convenções de nomenclatura organizacional", - "waf": "Excelência Operacional" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", + "severity": "Alto", + "text": "Se estiver usando cluster estendido, verifique se a solução de recuperação de desastres selecionada é suportada pelo fornecedor", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", "severity": "Alto", - "text": "Os logs de diagnóstico nos recursos de serviços de IA do Azure devem ser habilitados", - "waf": "Excelência Operacional" + "text": "Se estiver usando cluster estendido, verifique se o SLA fornecido atenderá aos seus requisitos", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", 
- "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", "severity": "Alto", - "text": "Recomenda-se que o acesso à chave (autenticação local) seja desabilitado por segurança. Depois de desabilitar o acesso baseado em chave, o Microsoft Entra ID se torna o único método de acesso, o que permite manter o princípio de privilégio mínimo e o controle granular. ", - "waf": "Segurança" + "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa estão conectados ao hub de conectividade.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", "severity": "Alto", - "text": "Armazene e gerencie chaves com segurança usando o Azure Key Vault. 
Evite codificar ou inserir chaves confidenciais no código do aplicativo LLM e recuperá-las com segurança do Azure Key Vault usando identidades gerenciadas", - "waf": "Segurança" + "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa têm o GlobalReach habilitado.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", "severity": "Alto", - "text": "Gire e expire regularmente as chaves armazenadas no Azure Key Vault para minimizar o risco de acesso não autorizado.", - "waf": "Segurança" + "text": "Faça com que as configurações de tolerância a desastres do site tenham sido devidamente consideradas e alteradas para sua empresa, se necessário.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Alto", - "text": "Use tiktoken para entender os tamanhos de token para otimizações de token no modo de conversação", - "waf": "Otimização de custos" + "text": "Familiarize-se com as práticas recomendadas do Key Vault, como recomendações de isolamento, controle de acesso, proteção de dados, backup e registro 
em log.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Siga práticas de codificação segura para evitar vulnerabilidades comuns, como ataques de injeção, cross-site scripting (XSS) ou configurações incorretas de segurança", - "waf": "Segurança" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", + "severity": "Média", + "text": "O Key Vault é um serviço gerenciado e a Microsoft lidará com o failover dentro e entre regiões. Familiarize-se com a disponibilidade e a redundância do Key Vault.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Configure um processo para atualizar e corrigir regularmente as bibliotecas LLM e outros componentes do sistema", - "waf": "Segurança" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", + "severity": "Média", + "text": "O conteúdo do cofre de chaves é replicado dentro da região e para uma região secundária a pelo menos 150 milhas de distância, mas dentro da mesma geografia para manter a alta durabilidade de suas chaves e segredos. 
Familiarize-se com a replicação de dados do Key Vault.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Aderir aos termos de uso, políticas e diretrizes do Azure OpenAI ou de outros LLMs e casos de uso permitidos", - "waf": "Excelência Operacional" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", + "severity": "Média", + "text": "Durante o failover, as configurações e configurações de política de acesso ou firewall não podem ser alteradas. O cofre de chaves estará no modo somente leitura durante o failover. 
Familiarize-se com as diretrizes de failover do Key Vault.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "severity": "Média", - "text": "Entender a diferença no custo de modelos básicos e modelos ajustados e tamanhos de etapa de token", - "waf": "Otimização de custos" + "text": "Quando você faz backup de um objeto do cofre de chaves, como um segredo, uma chave ou um certificado, a operação de backup baixa o objeto como um blob criptografado. Esse blob não pode ser descriptografado fora do Azure. Para obter dados utilizáveis desse blob, você deve restaurar o blob em um cofre de chaves dentro da mesma assinatura do Azure e da mesma geografia do Azure. Familiarize-se com as diretrizes de backup e restauração do Key Vault.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "severity": "Alto", - "text": "Solicitações em lote, sempre que possível, para minimizar a sobrecarga por chamada, o que pode reduzir os custos gerais. 
Certifique-se de otimizar o tamanho do lote", - "waf": "Otimização de custos" + "text": "Se você quiser proteção contra exclusão acidental ou mal-intencionada de seus segredos, configure recursos de proteção de exclusão reversível e limpeza em seu cofre de chaves.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Configure um sistema de rastreamento de custos que monitore o uso do modelo e use essas informações para ajudar a informar as escolhas do modelo e solicitar tamanhos", - "waf": "Otimização de custos" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "Baixo", + "text": "Os recursos excluídos temporariamente do Key Vault são retidos por um período definido de 90 dias corridos. Familiarize-se com as diretrizes de exclusão reversível do Key Vault.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Defina um limite máximo para o número de tokens por resposta do modelo. 
Otimize o tamanho para garantir que seja grande o suficiente para uma resposta válida", - "waf": "Otimização de custos" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Baixo", + "text": "Entenda as limitações de backup do Key Vault. O Key Vault não dá suporte à capacidade de fazer backup de mais de 500 versões anteriores de um objeto de chave, segredo ou certificado. A tentativa de fazer backup de uma chave, segredo ou objeto de certificado pode resultar em um erro. Não é possível excluir versões anteriores de uma chave, segredo ou certificado.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Examine as diretrizes fornecidas sobre como configurar a pesquisa de IA para confiabilidade", - "waf": "Excelência Operacional" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Baixo", + "text": "Atualmente, o Key Vault não fornece uma maneira de fazer backup de um cofre de chaves inteiro em uma única operação e chaves, segredos e certificados devem ser copiados individualmente. 
Familiarize-se com as diretrizes de backup e restauração do Key Vault.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "severity": "Média", - "text": "Planejar e gerenciar o armazenamento de vetores do AI Search", - "waf": "Excelência Operacional" + "text": "A proteção contra limpeza é recomendada ao usar chaves para criptografia para evitar a perda de dados. A proteção contra limpeza é um comportamento opcional do Key Vault e não está habilitada por padrão. A proteção contra limpeza só pode ser habilitada depois que a exclusão reversível estiver habilitada. 
Ele pode ser ativado via CLI, PowerShell ou Portal.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", + "guid": "d0642c1c-312b-4116-94ab-439e1c836819", + "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", + "service": "Key Vault", "severity": "Média", - "text": "Aplique as práticas do LLMOps para automatizar o gerenciamento do ciclo de vida de seus aplicativos GenAI", - "waf": "Excelência Operacional" + "text": "O RBAC é recomendado para controlar o acesso ao cofre de chaves. 
Familiarize-se com as diretrizes de controle de acesso do Key Vault.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "Alto", - "text": "Avalie o uso de modelos de faturamento - PAYG vs PTU", - "waf": "Otimização de custos" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Avaliar a qualidade de prompts e aplicativos ao alternar entre versões de modelo", - "waf": "Excelência Operacional" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Avalie, monitore e refine seus aplicativos GenAI para recursos como fundamentação, relevância, precisão, coerência, fluência,", - "waf": "Excelência Operacional" + "text": "Permitir que 2 réplicas tenham 99,9% de disponibilidade para operações de leitura", + "waf": "Fiabilidade" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "Média", - "text": "Avaliar os resultados do Azure AI Search com base em diferentes parâmetros de pesquisa", - "waf": "Excelência Operacional" + "text": "Permitir que 3 réplicas tenham 99,9% de disponibilidade para operações de leitura/gravação", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Olhe para os modelos de ajuste fino como forma de aumentar a precisão somente quando você tiver tentado outras abordagens básicas, como engenharia rápida e RAG com seus dados", - "waf": "Excelência Operacional" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "Alto", + "text": "Aproveite as zonas de disponibilidade habilitando réplicas de leitura e/ou gravação", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", + 
"arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "Média", - "text": "Use técnicas de engenharia rápida para melhorar a precisão das respostas do LLM", - "waf": "Excelência Operacional" + "text": "Para redução regional, crie manualmente serviços em 2 ou mais regiões para a Pesquisa, pois não fornece um método automatizado de replicação de índices de pesquisa entre regiões geográficas", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "severity": "Média", - "text": "Equipe vermelha de seus aplicativos GenAI", - "waf": "Segurança" + "text": "Para sincronizar dados em vários serviços: Use indexadores para atualizar conteúdo em vários serviços ou Use APIs REST para enviar atualizações de conteúdo em vários serviços", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": 
"https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "severity": "Média", - "text": "Forneça aos usuários finais opções de pontuação para respostas LLM e acompanhe essas pontuações. ", - "waf": "Excelência Operacional" + "text": "Usar o Gerenciador de Tráfego do Azure para coordenar solicitações", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "severity": "Alto", - "text": "Considere as práticas de gerenciamento de cotas", - "waf": "Otimização de custos" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Use soluções de balanceador de carga, como gateway baseado em APIM, para balancear carga e capacidade entre serviços e regiões", - "waf": "Excelência Operacional" + "text": "Backup e restauração de um índice de pesquisa cognitiva do Azure. 
Use este código de exemplo para fazer backup da definição de índice e instantâneo em uma série de arquivos Json", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", "severity": "Média", - "text": "Aproveite o servidor flexível", + "text": "Aproveite o Manual de Resiliência de FTA para o Azure Data Factory", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Alto", - "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente", + "text": "Usar pipelines redundantes de zona em regiões que oferecem suporte a zonas de disponibilidade", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": 
"https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", "severity": "Média", - "text": "Aproveite a replicação de dados para cenários de DR entre regiões", + "text": "Usar DevOps para fazer backup dos modelos ARM com a integração Github/Azure DevOps ", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "severity": "Alto", - "text": "Verifique se os controladores de domínio ADDS estão implantados na assinatura de identidade no Azure nativo", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Média", - "text": "Verifique se os sites e serviços do ADDS estão configurados para manter as solicitações de autenticação de recursos baseados no Azure (incluindo a Solução VMware do Azure) locais para o Azure", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "severity": "Alto", - "text": "Verifique se o vCenter está conectado ao ADDS 
para habilitar a autenticação com base em 'contas de usuário nomeadas'", - "waf": "Segurança" + "text": "Certifique-se de replicar as VMs do Self-Hosted Integration Runtime em outra região ", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Média", - "text": "Verifique se a conexão do vCenter com o ADDS está usando um protocolo seguro (LDAPS)", - "waf": "Segurança" + "text": "Certifique-se de replicar ou duplicar sua rede na região irmã. Você tem que fazer uma cópia do seu Vnet em outra região", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", - "severity": "Média", - "text": "A conta do CloudAdmin no vCenter IdP é usada apenas como uma conta de emergência (break-glass)", - "waf": "Segurança" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "description": "Se seus pipelines do ADF usarem o Cofre de Chaves, você não precisará fazer nada para replicar o Cofre de Chaves. 
O Cofre de Chaves é um serviço gerenciado e a Microsoft cuida dele para você", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "severity": "Baixo", + "text": "Se estiver usando a integração do Keyvault, use o SLA do Keyvault para entender sua disponibilidade", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "severity": "Alto", - "text": "Certifique-se de que o NSX-Manager esteja integrado a um provedor de identidade externo (LDAPS)", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", - "severity": "Média", - "text": "Foi criado um modelo RBAC para uso no VMware vSphere", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", - "severity": "Média", - "text": "As permissões RBAC devem ser concedidas em grupos ADDS e não em usuários específicos", - "waf": "Segurança" + "text": "Selecione o plano de hospedagem de função certo com base em seus requisitos de negócios e SLO", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function 
Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "severity": "Alto", - "text": "As permissões RBAC no recurso Solução VMware do Azure no Azure são 'bloqueadas' apenas para um conjunto limitado de proprietários", - "waf": "Segurança" + "text": "Aproveitar zonas de disponibilidade quando aplicável regionalmente (não disponível para a camada de consumo)", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", - "severity": "Alto", - "text": "Certifique-se de que todas as funções personalizadas tenham escopo com autorizações permitidas do CloudAdmin", - "waf": "Segurança" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", + "severity": "Média", + "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "severity": "Alto", - "text": "O modelo de conectividade correto da Solução VMware do Azure está selecionado para o caso de uso do cliente em mãos?", - "waf": "Desempenho" + "text": 
"Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", "severity": "Alto", - "text": "Garantir que as conexões de Rota Expressa ou VPN do local para o Azure sejam monitoradas usando o 'monitor de conexão'", - "waf": "Operações" + "text": "Verifique se 'Sempre Ativado' está habilitado para todos os Aplicativos de Função em execução no Plano do Serviço de Aplicativo", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "severity": "Média", - "text": "Verifique se um monitor de conexão foi criado a partir de um recurso nativo do Azure para uma máquina virtual da Solução VMware do Azure para monitorar a conexão de Rota Expressa de back-end da Solução VMware do Azure", - "waf": "Operações" + "text": "Emparelhe um aplicativo de função com sua própria conta de armazenamento. 
Tente não reutilizar contas de armazenamento para aplicativos de função, a menos que eles estejam firmemente acoplados", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", "severity": "Média", - "text": "Verifique se um monitor de conexão é criado a partir de um recurso local para uma máquina virtual da Solução VMware do Azure para monitorar a conectividade de ponta 2", + "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código do Aplicativo de Função", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "Alto", - "text": "Quando o servidor de rotas for usado, certifique-se de que não mais de 1000 rotas sejam propagadas do servidor de rotas para o gateway ExR para o local (limite ARS).", - "waf": "Operações" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "O Hub de Eventos do Azure fornece criptografia de dados em repouso. Se você usar sua própria chave, os dados ainda serão criptografados usando a chave gerenciada pela Microsoft, mas, além disso, a chave gerenciada pela Microsoft será criptografada usando a chave gerenciada pelo cliente. 
", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "Baixo", + "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - "severity": "Alto", - "text": "O Gerenciamento de Identidades Privilegiadas é implementado para funções que gerenciam o recurso da Solução VMware do Azure no Portal do Azure (não são permitidas permissões permanentes)", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Os namespaces dos Hubs de Eventos do Azure permitem que os clientes enviem e recebam dados com TLS 1.0 e superior. Para impor medidas de segurança mais rígidas, você pode configurar o namespace dos Hubs de Eventos para exigir que os clientes enviem e recebam dados com uma versão mais recente do TLS. Se um namespace de Hubs de Eventos exigir uma versão mínima do TLS, todas as solicitações feitas com uma versão mais antiga falharão. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", + "severity": "Média", + "text": "Impor uma versão mínima necessária do TLS (Transport Layer Security) para solicitações ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - "severity": "Alto", - "text": "Os relatórios de auditoria do Gerenciamento de Identidades Privilegiadas devem ser implementados para as funções PIM da Solução VMware do Azure", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Quando você cria um namespace de Hubs de Eventos, uma regra de política chamada RootManageSharedAccessKey é criada automaticamente para o namespace. Essa política tem permissões de gerenciamento para todo o namespace. É recomendável que você trate essa regra como uma conta raiz administrativa e não a use em seu aplicativo. Recomenda-se o uso do AAD como um provedor de autenticação com RBAC. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", + "severity": "Média", + "text": "Evite usar conta root quando não for necessário", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "As identidades gerenciadas para recursos do Azure podem autorizar o acesso a recursos dos Hubs de Eventos usando credenciais do Azure AD de aplicativos em execução em VMs (Máquinas Virtuais) do Azure, aplicativos de Função, Conjuntos de Dimensionamento de Máquina Virtual e outros serviços. Usando identidades gerenciadas para recursos do Azure junto com a autenticação do Azure AD, você pode evitar o armazenamento de credenciais com seus aplicativos executados na nuvem. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "severity": "Média", - "text": "Se o uso do Gerenciamento de Identidades Privilegiadas estiver sendo usado, certifique-se de que uma conta válida habilitada para ID do Entra seja criada com um registro SMTP válido para notificações de substituição automática do Host da Solução VMware do Azure. (permissões permanentes necessárias)", + "text": "Quando possível, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Hub de Eventos do Azure. 
Caso contrário, considere ter a credencial de armazenamento (SAS, credencial da entidade de serviço) no Cofre de Chaves do Azure ou em um serviço equivalente", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Ao criar permissões, forneça controle refinado sobre o acesso de um cliente ao Hub de Eventos do Azure. As permissões no Hub de Eventos do Azure podem e devem ter o escopo definido para o nível de recurso individual, por exemplo, grupo de consumidores, entidade de hub de eventos, namespaces de hub de eventos, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "severity": "Alto", - "text": "Limitar o uso da conta do CloudAdmin apenas ao acesso de emergência", + "text": "Usar RBAC do plano de dados de privilégios mínimos", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Os logs de recursos do Hub de Eventos do Azure incluem logs operacionais, logs de rede virtual e logs de Kafka. 
Os logs de auditoria de tempo de execução capturam informações de diagnóstico agregadas para todas as operações de acesso ao plano de dados (como eventos de envio ou recebimento) nos Hubs de Eventos.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "severity": "Média", - "text": "Criar funções RBAC personalizadas no vCenter para implementar um modelo de privilégios mínimos dentro do vCenter", + "text": "Habilite o registro em log para investigação de segurança. Use o Azure Monitor para capturar métricas e logs como logs de recursos, logs de auditoria de tempo de execução e logs Kafka", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Por padrão, o Hub de Eventos do Azure tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem que o tráfego entre sua rede virtual e o Hub de Eventos do Azure percorra a rede de backbone da Microsoft. Além disso, você deve desabilitar os pontos de extremidade públicos se eles não forem usados. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "severity": "Média", - "text": "É um processo definido para alternar regularmente as credenciais cloudadmin (vCenter) e admin (NSX)", + "text": "Considere o uso de pontos de extremidade privados para acessar o Hub de Eventos do Azure e desabilitar o acesso à rede pública quando aplicável.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", - "severity": "Alto", - "text": "Usar um provedor de identidade centralizado a ser usado para cargas de trabalho (VMs) em execução na Solução VMware do Azure", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Com o firewall IP, você pode restringir ainda mais o ponto de extremidade público a apenas um conjunto de endereços IPv4 ou intervalos de endereços IPv4 na notação CIDR (Roteamento entre Domínios Sem Classe). 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", + "severity": "Média", + "text": "Considere permitir apenas o acesso ao namespace do Hub de Eventos do Azure a partir de endereços IP ou intervalos específicos", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "severity": "Média", - "text": "A filtragem de tráfego Leste-Oeste é implementada no NSX-T", - "waf": "Segurança" + "text": "Aproveite o Manual de Resilência do FTA", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": " Isso será ativado automaticamente para um novo namespace de EH criado a partir do portal com SKUs Premium, Dedicado ou Standard em uma região habilitada para região. Os metadados do EH e os próprios dados do evento são replicados entre zonas", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "severity": "Alto", - "text": "As cargas de trabalho na Solução VMware do Azure não são diretamente expostas à Internet. 
O tráfego é filtrado e inspecionado pelo Gateway de Aplicativo do Azure, pelo Firewall do Azure ou por soluções de terceiros", - "waf": "Segurança" + "text": "Aproveite as zonas de disponibilidade, se aplicável regionalmente", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", + "severity": "Média", + "text": "Use os SKUs Premium ou Dedicado para desempenho previsível", + "waf": "Fiabilidade" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "O recurso interno de recuperação de desastres geográficos, quando habilitado, garante que toda a configuração de um namespace (Hubs de Eventos, Grupos de Consumidores e configurações) seja replicada continuamente de um namespace primário para um namespace secundário e permite uma movimentação de failover única do primário para o secundário a qualquer momento. 
O recurso Ativo/Passivo foi projetado para facilitar a recuperação e o abandono de uma região do Azure com falha sem precisar alterar as configurações do aplicativo", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "severity": "Alto", - "text": "A auditoria e o registro em log são implementados para solicitações de entrada da Internet para cargas de trabalho baseadas na Solução VMware do Azure e na Solução VMware do Azure", - "waf": "Segurança" + "text": "Planejar a recuperação de desastres geográficos usando a configuração passiva ativa", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Deve ser usado para configurações de DR em que uma interrupção ou perda de dados de eventos na região derrubada não pode ser tolerada. Para esses casos, siga as diretrizes de replicação e não use o recurso interno de recuperação de desastres geográficos (ativo/passivo). 
Com Ativo/Ativo, mantenha vários Hubs de Eventos em diferentes regiões e namespaces, e os eventos serão replicados entre os hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "severity": "Média", - "text": "O monitoramento de sessão é implementado para conexões de saída da Internet a partir da Solução VMware do Azure ou cargas de trabalho baseadas na Solução VMware do Azure para identificar atividades suspeitas/mal-intencionadas", - "waf": "Segurança" + "text": "Para aplicativos críticos para os negócios, use a configuração ativa", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "severity": "Média", - "text": "A proteção padrão contra DDoS está habilitada na sub-rede do Gateway ExR/VPN no Azure", - "waf": "Segurança" + "text": "Projetar Hubs de Eventos Resilientes", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "Média", - "text": "Usar uma estação de trabalho de acesso privilegiado (PAW) dedicada para gerenciar a Solução VMware do Azure, o vCenter, o gerenciador NSX e o gerenciador HCX", - "waf": 
"Segurança" + "text": "Implementar uma política de tratamento de erros em nível global", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "Média", - "text": "Habilitar a Detecção Avançada de Ameaças (Microsoft Defender for Cloud, também conhecido como ASC) para cargas de trabalho em execução na Solução VMware do Azure", - "waf": "Segurança" + "text": "Certifique-se de que todas as políticas de APIs incluam um elemento .", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "Média", - "text": "Usar o Azure ARC for Servers para controlar corretamente as cargas de trabalho em execução na Solução VMware do Azure usando tecnologias nativas do Azure (o Azure ARC for Azure VMware Solution ainda não está disponível)", - "waf": "Segurança" + "text": "Usar fragmentos de política para evitar a repetição das mesmas definições de políticas em várias APIs", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "Baixo", - "text": "Garanta que as cargas de trabalho na 
Solução VMware do Azure usem criptografia de dados suficiente durante o tempo de execução (como criptografia de disco convidado e SQL TDE). (a criptografia vSAN em repouso é padrão)", - "waf": "Segurança" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "severity": "Média", + "text": "Se você estiver planejando monetizar suas APIs, consulte o artigo 'suporte à monetização' para obter as práticas recomendadas", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "Baixo", - "text": "Quando a criptografia no convidado é usada, armazene chaves de criptografia no cofre de chaves do Azure quando possível", - "waf": "Segurança" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", + "severity": "Alto", + "text": "Habilitar Configurações de Diagnóstico para exportar logs para o Azure Monitor", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "Média", - "text": "Considere usar o suporte estendido de atualização de segurança para cargas de trabalho em execução na Solução 
VMware do Azure (a Solução VMware do Azure é qualificada para ESU)", - "waf": "Segurança" + "text": "Habilite o Application Insights para telemetria mais detalhada", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "Alto", - "text": "Certifique-se de que o método de redundância de dados vSAN apropriado seja usado (especificação RAID)", - "waf": "Fiabilidade" + "text": "Configurar alertas sobre as métricas mais críticas", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "Alto", - "text": "Certifique-se de que a política de falha na tolerância esteja em vigor para atender às suas necessidades de armazenamento vSAN", - "waf": "Fiabilidade" + "text": "Certifique-se de que os certificados SSL personalizados sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - 
"service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "Alto", - "text": "Certifique-se de ter solicitado cota suficiente, garantindo que você tenha considerado o crescimento e o requisito de recuperação de desastres", - "waf": "Fiabilidade" + "text": "Proteger solicitações de entrada para APIs (plano de dados) com o Azure AD", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "Média", - "text": "Certifique-se de que as restrições de acesso ao ESXi sejam compreendidas, há limites de acesso que podem afetar as soluções de terceiros 3rd.", - "waf": "Operações" + "text": "Usar o Microsoft Entra ID para autenticar usuários no Portal do Desenvolvedor", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", "severity": "Média", - "text": "Certifique-se de ter uma política em 
torno da densidade e eficiência do host ESXi, tendo em mente o prazo de espera para solicitar novos nós", - "waf": "Operações" + "text": "Criar grupos apropriados para controlar a visibilidade dos produtos", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "severity": "Média", - "text": "Garantir que um bom processo de gerenciamento de custos esteja em vigor para a Solução VMware do Azure - o Gerenciamento de Custos do Azure pode ser usado", - "waf": "Custar" + "text": "Use o recurso Back-ends para eliminar configurações redundantes de back-end de API", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "Baixo", - "text": "As instâncias reservadas do Azure são usadas para otimizar o custo de uso da Solução VMware do Azure", - "waf": "Custar" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", + "severity": "Média", + "text": "Usar Valores Nomeados para armazenar valores comuns que podem ser usados em políticas", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management 
Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "Média", - "text": "Considere o uso do Azure Private-Link ao usar outros Serviços Nativos do Azure", - "waf": "Segurança" + "text": "Para DR, aproveite o nível premium com implantações dimensionadas em duas ou mais regiões para um SLA de 99,99%", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", - "severity": "Alto", - "text": "Verifique se todos os recursos necessários residem na(s) mesma(s) zona(s) de disponibilidade do Azure", - "waf": "Desempenho" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "severity": "Média", + "text": "Implante pelo menos uma unidade em duas ou mais zonas de disponibilidade para um SLA aumentado de 99,99%", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", - "severity": "Média", - "text": "Habilitar cargas de trabalho de VM convidada do Microsoft Defender for Cloud for Azure VMware Solution", - "waf": "Segurança" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "Alto", + "text": "Verifique se há 
uma rotina de backup automatizada", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "Média", - "text": "Usar servidores habilitados para Arc do Azure para gerenciar suas cargas de trabalho de VM convidada da Solução VMware do Azure", - "waf": "Segurança" + "text": "Use Políticas para adicionar uma URL de back-end de failover e cache para reduzir chamadas com falha.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", - "severity": "Alto", - "text": "Habilitar o log de diagnóstico e de métrica na solução VMware do Azure", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": "Baixo", + "text": "Se você precisar registrar em níveis de alto desempenho, considere a política de Hubs de Eventos", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "severity": "Média", - "text": "Implantar os 
agentes do Log Analytics nas cargas de trabalho da VM convidada da Solução VMware do Azure", - "waf": "Operações" + "text": "Aplicar políticas de limitação para controlar o número de solicitações por segundo", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "Média", - "text": "Verifique se você tem uma política e uma solução de backup documentadas e implementadas para cargas de trabalho de VM da Solução VMware do Azure", - "waf": "Operações" + "text": "Configurar o dimensionamento automático para dimensionar o número de instâncias quando a carga aumenta", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "Média", - "text": "Usar o Microsoft Defender for Cloud para monitoramento de conformidade de cargas de trabalho em execução no Azure VMware Solution", - "waf": "Segurança" + "text": "Implante gateways auto-hospedados onde o Azure não tem uma região próxima às APIs de back-end.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "severity": "Média", - "text": "São as linhas de base de conformidade aplicáveis adicionadas ao Microsoft Defender for Cloud", - "waf": "Segurança" + "text": "Use a camada premium para cargas de trabalho de produção.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "severity": "Média", + "text": "No modelo de várias regiões, use Políticas para rotear as solicitações para back-ends regionais com base na disponibilidade ou latência.", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", "severity": "Alto", - "text": "A residência de dados foi avaliada ao selecionar regiões do Azure a serem usadas para a implantação da Solução VMware do Azure", - "waf": "Segurança" + "text": "Esteja atento aos limites da APIM", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": 
"AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "severity": "Alto", - "text": "As implicações do processamento de dados (modelo de prestador de serviços / consumidor de serviços) são claras e documentadas", + "text": "Certifique-se de que as implantações de gateway auto-hospedado sejam resilientes.", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", + "severity": "Média", + "text": "Usar o Azure Front Door na frente do APIM para implantação em várias regiões", + "waf": "Desempenho" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", + "severity": "Média", + "text": "Implantar o serviço em uma rede virtual (VNet)", "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "Média", - "text": "Considere o uso de CMK (Customer Managed Key) para vSAN somente se necessário por motivo(s) de conformidade.", + "text": "Implante NSG (grupos de segurança de rede) em suas sub-redes para restringir ou monitorar o tráfego de/para APIM.", "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "Alto", - "text": "Criar painéis para habilitar os principais insights de monitoramento da Solução VMware do Azure", - "waf": "Operações" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", + "severity": "Média", + "text": "Implante pontos de extremidade privados para filtrar o tráfego de entrada quando o APIM não for implantado em uma rede virtual.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", 
"severity": "Alto", - "text": "Criar alertas de aviso para limites críticos para alertas automáticos sobre o desempenho da solução VMware do Azure (CPU >80%, memória média >80%, vSAN >70%)", - "waf": "Operações" + "text": "Desabilitar o acesso à rede pública", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", - "severity": "Alto", - "text": "Certifique-se de que o alerta crítico seja criado para monitorar se o consumo de vSAN está abaixo de 75%, pois esse é um limite de suporte do VMware", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", + "severity": "Média", + "text": "Simplifique o gerenciamento com scripts de automação do PowerShell", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", - "severity": "Alto", - "text": "Verifique se os alertas estão configurados para alertas e notificações de Integridade do Serviço do Azure", - "waf": "Operações" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "severity": "Média", - "text": "Configurar o log da Solução VMware do Azure para ser enviado a uma conta de 
Armazenamento do Azure ou ao Azure EventHub para processamento", - "waf": "Operações" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "Baixo", - "text": "Se for necessário um insight profundo no VMware vSphere: o vRealize Operations e/ou o vRealize Network Insights são usados na solução?", - "waf": "Operações" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", - "severity": "Alto", - "text": "Verifique se a política de armazenamento vSAN para VMs NÃO é a política de armazenamento padrão, pois essa política aplica provisionamento espesso", + "text": "Configure APIM via Infrastructure-as-code. Analise as práticas recomendadas de DevOps do Cloud Adaption Framework APIM Landing Zone Accelerator", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "severity": "Média", - "text": "Verifique se as bibliotecas de conteúdo do vSphere não são colocadas no vSAN, pois o vSAN é um recurso finito", + "text": "Promover o uso da extensão API do Visual Studio Code para um desenvolvimento de API mais rápido", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": 
"354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "severity": "Média", - "text": "Certifique-se de que os repositórios de dados da solução de backup sejam armazenados fora do armazenamento vSAN. No nativo do Azure ou em um armazenamento de dados com backup de pool de discos", + "text": "Implemente DevOps e CI/CD em seu fluxo de trabalho", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", "severity": "Média", - "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam gerenciadas de forma híbrida usando o Azure Arc for Servers (a Solução VMware do Arc for Azure está em visualização)", - "waf": "Operações" + "text": "APIs seguras usando autenticação de certificado de cliente", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "severity": "Média", - "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam monitoradas usando o Azure Log Analytics e o Azure Monitor", - "waf": "Operações" + "text": "Serviços de back-end seguros usando autenticação de certificado de 
cliente", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "severity": "Média", - "text": "Incluir cargas de trabalho em execução na Solução VMware do Azure nas ferramentas de gerenciamento de atualizações existentes ou no Gerenciamento de Atualizações do Azure", - "waf": "Operações" + "text": "Consulte o artigo \"Recomendações para mitigar as 10 principais ameaças da segurança da API OWASP\" e verifique o que é aplicável às suas APIs", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "severity": "Média", - "text": "Usar a Política do Azure para integrar cargas de trabalho da Solução VMware do Azure nas soluções de Gerenciamento, Monitoramento e Segurança do Azure", - "waf": "Operações" + "text": "Usar o recurso Autorizações para simplificar o gerenciamento do token OAuth 2.0 para suas APIs de back-end", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", - "severity": "Média", - "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam integradas ao Microsoft Defender for Cloud", + 
"arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", + "severity": "Alto", + "text": "Use a versão mais recente do TLS ao criptografar informações em trânsito. Desative protocolos e cifras desatualizados e desnecessários quando possível.", "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", - "severity": "Média", - "text": "Certifique-se de que os backups não sejam armazenados no vSAN, pois o vSAN é um recurso finito", - "waf": "Fiabilidade" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", + "severity": "Alto", + "text": "Certifique-se de que os segredos (valores nomeados) sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": 
"APIM", "severity": "Média", - "text": "Todas as soluções de DR foram consideradas e uma solução que é melhor para o seu negócio foi decidida? [SRM/JetStream/Zerto/Veeam/...]", - "waf": "Fiabilidade" + "text": "Use identidades gerenciadas para autenticar em outros recursos do Azure sempre que possível", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", - "severity": "Média", - "text": "Usar o Azure Site Recovery quando a tecnologia de Recuperação de Desastres for IaaS nativa do Azure", - "waf": "Fiabilidade" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", + "severity": "Alto", + "text": "Usar o WAF (Web Application Firewall) implantando o Application Gateway na frente do APIM", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Restrinja o uso de métodos de autenticação local para acesso ao plano de dados. 
Em vez disso, use a ID do Microsoft Entra como o método de autenticação padrão para controlar o acesso ao plano de dados.", + "guid": "32d41e36-11c8-417b-8afb-c410d4391898", + "service": "Azure Synapse Analytics", "severity": "Alto", - "text": "Use planos de recuperação automatizados com qualquer uma das soluções de desastre, evite ao máximo tarefas manuais", - "waf": "Fiabilidade" + "text": "Restringir o uso de usuários locais em cargas de trabalho sql no Synapse", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use a ID do Microsoft Entra como o método de autenticação padrão para controlar o acesso ao plano de dados.", + "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", "severity": "Média", - "text": "Usar o par de regiões geopolíticas como o ambiente secundário de recuperação de desastres", - "waf": "Fiabilidade" + "text": "Usar identidade gerenciada para autenticar nos serviços", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Se não for necessário para operações administrativas de rotina, desabilite ou restrinja todas as contas de administrador local apenas para uso emergencial.", + "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", + "service": 
"Azure Synapse Analytics", "severity": "Alto", - "text": "Use 2 espaços de endereço diferentes entre as regiões, por exemplo: 10.0.0.0/16 e 192.168.0.0/16 para as diferentes regiões", - "waf": "Fiabilidade" + "text": "Separe e limite usuários altamente privilegiados/administrativos e habilite políticas condicionais e de MFA", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "O Azure Synapse também inclui funções RBAC (controle de acesso baseado em função) do Synapse para gerenciar diferentes aspectos do Synapse Studio. Aproveite essas funções internas para atribuir permissões a usuários, grupos ou outras entidades de segurança para gerenciar quem pode Publicar artefatos de código e listar ou acessar artefatos de código publicados,Executar código em pools do Apache Spark e runtimes de integração,Acessar serviços vinculados (dados) protegidos por credenciais,Monitorar ou cancelar execuções de trabalho, revisar a saída do trabalho e os logs de execução.", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", "severity": "Média", - "text": "O ExpressRoute Global Reach será usado para conectividade entre as Nuvens Privadas da Solução VMware do Azure primária e secundária ou o roteamento é feito por meio de dispositivos virtuais de rede?", - "waf": "Fiabilidade" + "text": "Use o RBAC do Azure para controlar o acesso no armazenamento e o RBAC do Synapse para controlar o acesso no nível do workspace, dependendo das personas da equipe, para granular o acesso aos dados e à computação", + "waf": 
"Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", "severity": "Média", - "text": "Todas as soluções de backup foram consideradas e uma solução que é melhor para o seu negócio foi decidida? [ MABS/CommVault/Metallic.io/Veeam/ . ]", - "waf": "Fiabilidade" + "text": "Implemente RLS, CLS e mascaramento de dados em cargas de trabalho SQL em pool sql dedicado para adicionar camada adicional de segurança", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Ao criar seu workspace do Azure Synapse, você pode optar por associá-lo a uma Rede Virtual do Microsoft Azure. A Rede Virtual associada ao seu workspace é gerenciada pelo Azure Synapse. Essa Rede Virtual é chamada de Rede Virtual de workspace gerenciado. 
Isso pode ser selecionado ao implantar um workspace", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "severity": "Média", - "text": "Implante sua solução de backup na mesma região que sua nuvem privada da Solução VMware do Azure", - "waf": "Fiabilidade" + "text": "Usar o espaço de trabalho vnet gerenciado para restringir o acesso pela Internet pública", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Para proteger dados confidenciais, é recomendável desabilitar totalmente o acesso público aos pontos de extremidade do workspace. 
Ao fazer isso, ele garante que todos os pontos de extremidade do workspace só possam ser acessados usando pontos de extremidade privados.", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "severity": "Média", - "text": "Implante sua solução de backup fora do vSan, em componentes nativos do Azure", - "waf": "Fiabilidade" + "text": "Configure pontos de extremidade privados para se conectar aos serviços externos e desabilitar o acesso público", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "Baixo", - "text": "Existe um processo para solicitar uma restauração dos componentes VMware gerenciados pela Plataforma Azure?", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Se o acesso público precisar ser habilitado, é altamente recomendável configurar as regras de firewall IP para permitir conexões de entrada somente da lista especificada de endereços IP públicos.", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "text": "Se habilitar o acesso público, é altamente recomendável configurar regras de firewall IP", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações manuais, todas as configurações e implantações devem ser documentadas", - "waf": 
"Operações" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", + "severity": "Média", + "text": "Implante VMs SHIR em sua rede virtual se você estiver trabalhando com dados confidenciais que não devem sair da rede corporativa", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações manuais, considere implementar bloqueios de recursos para evitar ações acidentais em sua nuvem privada de solução VMware do Azure", - "waf": "Operações" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Isso só pode ser feito ao implantar o workspace, mas não há suporte para bibliotecas Python instaladas de repositórios públicos como o PyPI. 
(Pense na limitação antes de habilitá-la)", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + "service": "Azure Synapse Analytics", + "severity": "Média", + "text": "Habilitar DEP (Proteção contra Exfiltração de Dados)", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações automatizadas, implante uma nuvem privada mínima e dimensione conforme necessário", - "waf": "Operações" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações automatizadas, solicite ou reserve cota antes de iniciar a implantação", - "waf": "Operações" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "A primeira camada de criptografia é feita por chaves gerenciadas pela Microsoft, você pode adicionar uma segunda camada de criptografia usando chaves gerenciadas pelo cliente", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure Synapse Analytics", + "severity": "Média", + "text": "Criptografia de dados em repouso usando chaves gerenciadas pelo cliente para workspace", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantação automatizada, verifique se os bloqueios de recursos 
relevantes são criados por meio da automação ou da Política do Azure para uma governança adequada", - "waf": "Operações" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "O Azure Synapse aproveita o TLS para garantir que os dados sejam criptografados em movimento. Os pools dedicados do SQL dão suporte às versões TLS 1.0, TLS 1.1 e TLS 1.2 para criptografia em que os drivers fornecidos pela Microsoft usam o TLS 1.2 por padrão. O pool de SQL sem servidor e o pool do Apache Spark usam o TLS 1.2 para todas as conexões de saída.", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", + "severity": "Média", + "text": "Criptografia de dados em trânsito ", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "Baixo", - "text": "Implemente nomes humanos compreensíveis para chaves de autorização ExR para permitir a fácil identificação da finalidade/uso das chaves", - "waf": "Operações" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Usar Keyvaults para armazenar seus segredos e credenciais", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "service": "Azure Synapse Analytics", + "severity": "Alto", + "text": "Armazenar senhas, certificados e chaves no cofre de chaves do Azure", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "Baixo", - "text": "Usar 
o Cofre de chaves para armazenar segredos e chaves de autorização quando Princípios de Serviço separados são usados para implantar a Solução VMware do Azure e a Rota Expressa", - "waf": "Operações" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Restrinja o uso de métodos de autenticação local para acesso ao plano de dados. Em vez disso, use a ID do Microsoft Entra como o método de autenticação padrão para controlar o acesso ao plano de dados.", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "service": "Azure Data Factory", + "severity": "Alto", + "text": "Restrinja o uso de usuários locais sempre que necessário", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "Baixo", - "text": "Defina dependências de recursos para serializar ações no IaC quando muitos recursos precisarem ser implantados no/na Solução VMware do Azure, pois a Solução VMware do Azure oferece suporte apenas a um número limitado de operações paralelas.", - "waf": "Operações" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "As identidades gerenciadas eliminam a necessidade de gerenciar credenciais. 
As identidades gerenciadas fornecem uma identidade para a instância de serviço ao se conectar a recursos que dão suporte à autenticação do Microsoft Entra.", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", + "service": "Azure Data Factory", + "severity": "Média", + "text": "Usar identidade gerenciada para autenticar nos serviços", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "Baixo", - "text": "Ao executar a configuração automatizada de segmentos NSX-T com um único gateway de Camada 1, use as APIs do Portal do Azure em vez das APIs do NSX-Manager", - "waf": "Operações" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Se não for necessário para operações administrativas de rotina, desabilite ou restrinja todas as contas de administrador local apenas para uso emergencial.", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "service": "Azure Data Factory", + "severity": "Alto", + "text": "Separe e limite usuários altamente privilegiados/administrativos e habilite políticas condicionais e de MFA", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "service": "Azure Data Factory", "severity": "Média", - "text": "Ao pretender usar a expansão automatizada, certifique-se de aplicar cota suficiente da Solução VMware do Azure para as 
assinaturas que executam a Solução VMware do Azure", - "waf": "Desempenho" + "text": "Implante VMs SHIR em sua rede virtual se você estiver trabalhando com dados confidenciais que não devem sair da rede corporativa", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Quando você cria um runtime de integração do Azure em uma rede virtual gerenciada do Data Factory, o runtime de integração é provisionado com a rede virtual gerenciada. Ele usa pontos de extremidade privados para se conectar com segurança a armazenamentos de dados com suporte.", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "service": "Azure Data Factory", "severity": "Média", - "text": "Ao pretender usar o scale-in automatizado, certifique-se de levar em consideração os requisitos da política de armazenamento antes de executar essa ação", - "waf": "Desempenho" + "text": "Usar o IR de vnet gerenciado para restringir o acesso pela Internet pública para o Azure Integration Runtime", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Os pontos de extremidade privados gerenciados são pontos de extremidade privados criados na rede virtual gerenciada do Data Factory que estabelece um link privado para os recursos do Azure. 
O Data Factory gerencia esses pontos de extremidade privados em seu nome.", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", + "service": "Azure Data Factory", "severity": "Média", - "text": "As operações de dimensionamento sempre precisam ser serializadas em um único SDDC, pois apenas uma operação de escala pode ser executada por vez (mesmo quando vários clusters são usados)", - "waf": "Desempenho" + "text": "Configurar pontos de extremidade privados gerenciados para se conectar a recursos usando o Azure IR gerenciado", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Esta é uma configuração padrão", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "service": "Azure Data Factory", "severity": "Média", - "text": "Considerar e validar operações de dimensionamento em soluções de terceiros 3rd usadas na arquitetura (suportadas ou não)", - "waf": "Desempenho" + "text": "Criptografia de dados em repouso por chaves gerenciadas da Microsoft", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Esta é uma configuração padrão", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "service": "Azure Data Factory", "severity": "Média", - "text": "Definir e impor limites máximos de entrada/saída de escala 
para seu ambiente nas automações", - "waf": "Desempenho" + "text": "Criptografia de dados em trânsito por chaves gerenciadas pela Microsoft", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Quando você especifica uma chave gerenciada pelo cliente, o Data Factory usa a chave do sistema de fábrica e a CMK para criptografar os dados do cliente. A falta de qualquer um resultaria em Negação de acesso aos dados e à fábrica.", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", "severity": "Média", - "text": "Implementar regras de monitoramento para monitorar operações de dimensionamento automatizadas e monitorar o sucesso e a falha para habilitar respostas apropriadas (automatizadas)", - "waf": "Operações" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "Alto", - "text": "Ao usar o MON, esteja ciente dos limites de VMs configuradas simulataneamente (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Fiabilidade" + "text": "Criptografia de dados em trânsito por BYOK (chaves gerenciadas pelo cliente)", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", "severity": "Alto", - "text": "Ao usar o MON, você não pode habilitar o MON em mais de 100 extensões de rede", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Fiabilidade" + "text": "Armazenar senhas e segredos no Azure Key Vault", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "service": "Microsoft Purview", "severity": "Média", - "text": "Se estiver usando uma conexão VPN para migrações, ajuste o tamanho da MTU de acordo.", - "waf": "Desempenho" + "text": "Definir funções e responsabilidades para gerenciar o Microsoft Purview no painel de controle e no plano de dados", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use RBACs do Azure para isso", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "link": 
"https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", "severity": "Média", - "text": "Para regiões de baixa conectividade conectadas ao Azure (500Mbps ou menos), considere implantar o dispositivo de otimização de WAN HCX", - "waf": "Desempenho" + "text": "Definir funções e tarefas necessárias para implantar e gerenciar o Microsoft Purview dentro de uma assinatura do Azure (painel de controle)", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Use funções do Microsoft Purview para isso.", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", "severity": "Média", - "text": "Certifique-se de que as migrações sejam iniciadas a partir do dispositivo local e NÃO do dispositivo em nuvem (NÃO execute uma migração reversa)", - "waf": "Fiabilidade" + "text": "Defina as funções e tarefas necessárias para executar o gerenciamento e a governança de dados usando o Microsoft Purview. 
(Plano de dados para Mapa de Dados e Catálogo de Dados.)", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "service": "Microsoft Purview", "severity": "Média", - "text": "Quando o Azure Netapp Files for usado para estender o armazenamento para a Solução VMware do Azure, considere usá-lo como um armazenamento de dados VMware em vez de anexá-lo diretamente a uma VM.", - "waf": "Fiabilidade" + "text": "Atribua funções a grupos do Microsoft Entra em vez de atribuir funções a usuários individuais.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", "severity": "Média", - "text": "Verifique se um ExpressRoute Gateway dedicado está sendo usado para soluções de armazenamento de dados externos", - "waf": "Fiabilidade" + "text": "Use o Gerenciamento de Direitos do Azure Active Directory para mapear o acesso do usuário a grupos do Microsoft Entra usando Pacotes de Acesso.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", - "severity": "Média", - "text": "Verifique se o FastPath está habilitado no ExpressRoute Gateway que está sendo usado para soluções de armazenamento de dados externos", - "waf": "Fiabilidade" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "service": "Microsoft Purview", + "severity": "Alto", + "text": "Imponha a autenticação multifator para usuários do Microsoft Purview, especialmente para usuários com funções privilegiadas, como administradores de coleção, administradores de fonte de dados ou curadores de dados.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "service": "Microsoft Purview", "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se a solução de recuperação de desastres selecionada é suportada pelo fornecedor", - "waf": "Fiabilidade" + "text": "Use a ID do Microsoft Entra para fornecer autenticação e autorização a todos os usuários, grupos de segurança registrados no Entra, entidade de serviço e identidades gerenciadas dentro de coleções no Microsoft Purview", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "service": "Microsoft Purview", "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se o SLA fornecido atenderá aos seus requisitos", - "waf": "Fiabilidade" + "text": "Definir o modelo de privilégios mínimos e menor exposição de contas privilegiadas", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa estão conectados ao hub de conectividade.", - "waf": "Fiabilidade" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", + "severity": "Média", + "text": "Habilite o isolamento de rede de ponta a ponta usando o Serviço de Link Privado. 
(Mapa de Dados do Microsoft Purview)", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", - "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa têm o GlobalReach habilitado.", - "waf": "Fiabilidade" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", + "severity": "Média", + "text": "Use o Firewall do Microsoft Purview para desabilitar o acesso público. (Mapa de Dados do Microsoft Purview)", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "Alto", - "text": "Faça com que as configurações de tolerância a desastres do site tenham sido devidamente consideradas e alteradas para sua empresa, se necessário.", - "waf": "Fiabilidade" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "Média", + "text": "Implante regras de NSG (Grupo de Segurança de Rede) para sub-redes em que os pontos de extremidade privados das fontes de dados do Azure, os pontos de extremidade privados do Microsoft Purview e as VMs de 
runtime auto-hospedadas são implantados. (Mapa de Dados do Microsoft Purview)", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7bc1c396-2461-4698-b57f-30ca69525252", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", - "service": "VNet", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Microsoft Purview", "severity": "Média", - "text": "Implante seus recursos de conectividade de zona de destino do Azure em várias regiões, para que você possa dar suporte rapidamente a zonas de destino de aplicativos de várias regiões e cenários de recuperação de desastre.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Fiabilidade" + "text": "Implemente o Microsoft Purview com pontos de extremidade privados gerenciados por uma Solução de Virtualização de Rede, como o Firewall do Azure para inspeção de rede e filtragem de rede. (Mapa de Dados do Microsoft Purview)", + "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Esse ponto de extremidade privado também é um pré-requisito para o ponto de extremidade privado do portal. O ponto de extremidade privado do portal do Microsoft Purview é necessário para habilitar a conectividade com o portal de governança do Microsoft Purview usando uma rede privada. 
O Microsoft Purview pode verificar fontes de dados no Azure ou em um ambiente local usando pontos de extremidade privados de ingestão. Limitações no uso de pontos de extremidade privados https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network", + "service": "Microsoft Purview", "severity": "Média", - "text": "Use um locatário do Entra para gerenciar seus recursos do Azure, a menos que você tenha um requisito regulatório ou comercial claro para multilocatários.", - "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", - "waf": "Operações" + "text": "Implante pontos de extremidade privados para contas do Microsoft Purview para adicionar outra camada de segurança, portanto, somente as chamadas de cliente originadas de dentro da rede virtual têm permissão para acessar a conta do Microsoft Purview", + "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "Baixo", - "text": "Use a abordagem de Automação Multilocatário para gerenciar seus locatários de ID do Microsoft Entra.", - "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", - "waf": "Operações" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. 
Limitação a ser revisada: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "service": "Microsoft Purview", + "severity": "Média", + "text": "Bloquear o acesso público usando o firewall do Microsoft Purview", + "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", - "severity": "Alto", - "text": "Use o Azure Lighthouse para gerenciamento de vários locatários com as mesmas IDs.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", - "waf": "Operações" + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", + "severity": "Média", + "text": "Usar Grupos de Segurança de Rede para filtrar o tráfego de rede de e para recursos do Azure em uma rede virtual do Azure", + "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "service": "Microsoft Purview", "severity": 
"Alto", - "text": "Se você conceder a um parceiro acesso para administrar seu locatário, use o Azure Lighthouse.", - "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", - "waf": "Custar" + "text": "Se você tiver dados confidenciais que não podem sair do limite da sua rede virtual local, é altamente recomendável usar VMs SHIR dentro da rede virtual para extrair seus metadados ", + "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "severity": "Alto", - "text": "Aplique um modelo RBAC que se alinhe ao seu modelo operacional de nuvem. Escopo e Atribuição entre Grupos de Gerenciamento e Assinaturas.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Os metadados são extraídos e armazenados no Mapa de Dados do Microsoft Purview, se você não estiver usando uma conta de armazenamento gerenciada para sua conta do Purview, eles estarão abertos para serem acessados por todos, portanto, implemente RBACs adequados e restrinja o acesso aos Dados apenas para os usuários pretendidos. 
Aplicável a contas implantadas após 15 de dezembro de 2023 (ou implantadas usando a versão 2023-05-01-preview da API em diante", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "service": "Microsoft Purview", + "severity": "Média", + "text": "Use RBACs do Azure para restringir o acesso de sua conta de armazenamento (não gerenciada pela MS) apenas aos usuários pretendidos.", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "service": "Microsoft Purview", "severity": "Média", - "text": "Use apenas o tipo de autenticação Conta corporativa ou de estudante para todos os tipos de conta. Evite usar a conta da Microsoft", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Os dados em repouso são criptografados por chaves gerenciadas pela Microsoft", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "service": "Microsoft Purview", "severity": "Média", - "text": "Use apenas grupos para atribuir permissões. 
Adicione grupos locais ao grupo Somente ID do Entra se um sistema de gerenciamento de grupo já estiver em vigor.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "Os dados em trânsito são criptografados pelo TLS 1.3", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "service": "Microsoft Purview", "severity": "Alto", - "text": "Imponha políticas de Acesso Condicional da ID do Microsoft Entra para qualquer usuário com direitos a ambientes do Azure.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "Sempre use os cofres de chaves do Azure para armazenar todas as credenciais se não estiver usando identidades gerenciadas ou sem métodos de necessidade de senha", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", - "severity": "Alto", - "text": "Imponha a autenticação multifator para qualquer usuário com direitos aos ambientes do Azure.", - "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "service": "Microsoft Purview", + "severity": "Média", + "text": "Impedir a exclusão acidental de contas do Microsoft Purview aplicando bloqueios de recursos", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", 
- "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", "severity": "Média", - "text": "Imponha o Microsoft Entra ID Privileged Identity Management (PIM) para estabelecer acesso permanente zero e privilégios mínimos.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Planeje uma estratégia de emergência para seu locatário do Microsoft Entra, assinatura do Azure e contas do Microsoft Purview para evitar o bloqueio de conta em todo o locatário.", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "service": "Microsoft Purview", "severity": "Média", - "text": "Se estiver planejando alternar dos Serviços de Domínio Active Directory para os serviços de domínio Entra, avalie a compatibilidade de todas as cargas de trabalho.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "text": "Integrar-se ao Microsoft 365 e ao Microsoft Defender para Nuvem", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = 
properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", - "severity": "Média", - "text": "Ao usar o Microsoft Entra Domain Services, use conjuntos de réplicas. Os conjuntos de réplicas melhorarão a resiliência do domínio gerenciado e permitirão que você implante em regiões adicionais. ", - "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Separe as contas de administrador das contas de usuário normais.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "service": "Azure Databricks", + "severity": "Alto", + "text": "Definir o modelo de privilégios mínimos e menor exposição de contas privilegiadas", + "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "O Azure Databricks dá suporte ao acesso condicional da ID do Microsoft Entra, que permite que os administradores controlem onde e quando os usuários têm permissão para entrar no Azure Databricks. 
As políticas de acesso condicional podem restringir a entrada em sua rede corporativa ou podem exigir MFA (autenticação multifator).", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", + "severity": "Alto", + "text": "Configure o logon único e o login unificado. Ative a autenticação multifator.", + "waf": "Segurança" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Os clientes podem usar a API de Gerenciamento de Token ou controles de interface do usuário para habilitar ou desabilitar tokens de acesso pessoal (PATs) para autenticação da API REST, limitar os usuários que têm permissão para usar PATs, definir o tempo de vida máximo para novos tokens e gerenciar tokens existentes. Os clientes altamente seguros normalmente provisionam um tempo de vida máximo do token para novos tokens para um workspace. Esse recurso requer o tipo de preço Premium.", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens", + "service": "Azure Databricks", "severity": "Média", - "text": "Integre os logs de ID do Microsoft Entra com o Azure Monitor central da plataforma. 
O Azure Monitor permite uma única fonte de verdade sobre dados de log e monitoramento no Azure, oferecendo às organizações opções nativas de nuvem para atender aos requisitos de coleta e retenção de logs.", - "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", + "text": "Use o gerenciamento de tokens.", "waf": "Segurança" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Se você tiver administradores do Databricks que também são usuários normais da plataforma Databricks (por exemplo, há um engenheiro de dados líder que administra a plataforma e também faz o trabalho de engenharia de dados), o Databricks recomenda a criação de uma conta separada para tarefas administrativas. É importante observar que, como parte do modelo RBAC do Azure, os usuários que recebem permissões de Colaborador ou superior para o Grupo de Recursos para um workspace do Azure Databricks implantado se tornam automaticamente administradores quando fazem logon nesse workspace. Portanto, as mesmas considerações descritas acima também devem ser aplicadas aos usuários do portal do Azure.", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "service": "Azure Databricks", "severity": "Alto", - "text": "Implemente um acesso de emergência ou contas de emergência para evitar o bloqueio de conta em todo o locatário. A MFA será ativada por padrão para todos os usuários em outubro de 2024. Recomendamos atualizar essas contas para usar a chave de acesso (FIDO2) ou configurar a autenticação baseada em certificado para MFA. 
", - "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", + "text": "Separar contas de administrador de contas de usuário normais", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "O SCIM (System for Cross-domain Identity Management) permite sincronizar usuários e grupos da ID do Microsoft Entra com o Azure Databricks. Há três benefícios principais dessa abordagem: 1. Quando você remove um usuário, ele é removido automaticamente do Databricks. 2. Os usuários também podem ser desativados temporariamente via SCIM. Os clientes usaram esse recurso para cenários em que acreditam que uma conta pode estar comprometida e precisam investigar 3. Os grupos são sincronizados automaticamente Consulte a documentação para obter instruções detalhadas sobre como configurar o SCIM para Azure Databricks. 
Esse recurso requer o tipo de preço Premium", + "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", + "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/", + "service": "Azure Databricks", "severity": "Média", - "text": "Não use contas sincronizadas locais para atribuições de função de ID do Microsoft Entra, a menos que você tenha um cenário que exija isso especificamente.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "text": "Sincronização SCIM de usuários e grupos.", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Usando políticas de cluster ou ACLs de cluster mais antigas, os administradores podem definir quais usuários ou grupos dentro da organização podem criar clusters. As ACLs de cluster permitem que você especifique quais usuários podem anexar um notebook a um determinado cluster. Observe que, se um usuário compartilhar um notebook já anexado a um cluster de modo padrão, o destinatário também poderá executar código nesse cluster. Isso não se aplica a clusters que impõem o isolamento do usuário: SQL Warehouses, alta simultaneidade com clusters de ACLs de tabela e alta simultaneidade com clusters de passagem de credenciais. 
Os clientes que usam o Catálogo do Unity também podem habilitar clusters de usuário único para impor clusters de isolamento.", + "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", + "service": "Azure Databricks", "severity": "Média", - "text": "Ao usar o Proxy de Aplicativo de ID do Microsoft Entra para fornecer acesso de usuários remotos a aplicativos, gerencie-o como um recurso da plataforma, pois você só pode ter uma instância por locatário.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": "Limite os direitos de criação de cluster.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "É importante observar que, mesmo que os clientes usem o Azure Key Vault para armazenar seus segredos, os controles de acesso ainda precisam ser definidos no Azure Databricks. Isso ocorre porque a mesma identidade de serviço é usada para recuperar o segredo de todos os usuários de um workspace do Azure Databricks.", + "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", + "service": "Azure Databricks", + "severity": "Alto", + "text": "Armazenar senhas e segredos no Azure Key Vault", + "waf": "Segurança" + }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Os clusters com isolamento de usuário incluem imposição de modo que cada usuário seja executado como uma conta de usuário sem privilégios diferente no host do cluster. 
As linguagens também são limitadas àquelas que podem ser implementadas de maneira isolada (SQL e Python), e as APIs do Spark devem estar em uma lista de permissões daquelas que acreditamos serem seguras para isolamento.", + "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3", + "service": "Azure Databricks", "severity": "Média", - "text": "Use uma topologia de rede hub-and-spoke para cenários de rede que exigem flexibilidade máxima.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "Use clusters que dão suporte ao isolamento do usuário.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", - "severity": "Alto", - "text": "Implante serviços de rede compartilhados, incluindo gateways do ExpressRoute, gateways de VPN e Firewall do Azure ou NVAs de parceiros na rede virtual do hub central. Se necessário, implante também serviços DNS.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Custar" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "É contra as práticas recomendadas de segurança vincular cargas de trabalho de produção a contas de usuário individuais e, portanto, recomendamos configurar entidades de serviço no Databricks. Os Princípios de Serviço separam as ações do administrador e do usuário da carga de trabalho e evitam que as cargas de trabalho sejam afetadas se um usuário sair de uma organização. 
Com o Databricks, você pode configurar trabalhos para serem executados como entidades de serviço e gerar tokens de acesso pessoal para entidades de serviço.", + "guid": "e29711b1-352b-4eee-879b-588defc5972c", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/", + "service": "Azure Databricks", + "severity": "Média", + "text": "Use entidades de serviço para executar trabalhos de produção. Use o controle de acesso adequado para controles de segurança no nível do workspace (ACLs), no nível da conta (RBACs) e no nível dos dados (catálogo do Unity)", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Por padrão, o DBFS é um sistema de arquivos acessível a todos os usuários do espaço de trabalho fornecido e pode ser acessado via API. Isso não é necessariamente uma grande preocupação de exfiltração de dados, pois você pode limitar o acesso ao acesso a dados por meio da API do DBFS ou da CLI do Databricks usando listas de acesso IP ou acesso à rede privada. No entanto, à medida que o uso do Azure Databricks cresce e mais usuários ingressam em um workspace, esses usuários teriam acesso a todos os dados armazenados no DBFS, criando o potencial para o compartilhamento de informações indesejadas. 
A Databricks recomenda que nossos clientes não armazenem dados de produção no DBFS.", + "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c", + "service": "Azure Databricks", "severity": "Alto", - "text": "Use um plano de proteção de IP ou rede DDoS para todos os endereços IP públicos nas zonas de destino do aplicativo.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Evite armazenar dados de produção no DBFS.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Para as contas de armazenamento que você gerencia, é sua responsabilidade garantir que as contas de armazenamento sejam protegidas de acordo com seus requisitos. 
Os exemplos podem incluir: Criptografia com sua chave gerenciada pelo cliente, Restringir o acesso a redes confiáveis com um firewall de armazenamento, Acesso público anônimo não é permitido", + "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", "severity": "Média", - "text": "Ao implantar tecnologias de rede de parceiros ou NVAs, siga as diretrizes do fornecedor do parceiro.", - "waf": "Fiabilidade" + "text": "Criptografe o armazenamento e restrinja o acesso.", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "Baixo", - "text": "Se você precisar de trânsito entre o ExpressRoute e os gateways de VPN em cenários hub e spoke, use o Servidor de Rota do Azure.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Adicione uma chave gerenciada pelo cliente para dados selecionados armazenados no painel de controle do Azure Databricks, como notebooks, segredos, consultas SQL do Databricks e histórico de consultas SQL do Databricks e para a conta de armazenamento raiz usada para DBFS. O Azure Databricks requer acesso a essa chave para operações contínuas. Você pode revogar o acesso à chave para impedir que o Azure Databricks acesse dados criptografados no painel de controle (ou em nossos backups). 
É como uma opção nuclear em que o espaço de trabalho deixa de funcionar, mas fornece um controle de emergência para situações extremas. Esse recurso requer o tipo de preço Premium.", + "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "severity": "Média", + "text": "Adicionar uma chave gerenciada pelo cliente para serviços gerenciados e armazenamento de workspace", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/virtualHubs", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "severity": "Baixo", - "text": "Se estiver usando o Servidor de Roteamento, use um prefixo /27 para a sub-rede do Servidor de Roteamento.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Configure listas de acesso IP que restringem os endereços IP que podem ser autenticados no Databricks no console da conta e no nível do workspace, verificando se o usuário ou o cliente de API é proveniente de um intervalo de endereços IP válido, como uma VPN ou uma rede de escritório. 
As sessões de usuário estabelecidas não funcionam se o usuário mudar para um endereço IP incorreto, como ao se desconectar da VPN. ", + "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", + "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list", + "service": "Azure Databricks", + "severity": "Média", + "text": "Ative as listas de acesso IP para restringir o acesso a determinados endereços IP.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "O Link Privado do Azure fornece uma rota de rede privada de um ambiente do Azure para outro. O Link Privado pode ser configurado entre os usuários do Azure Databricks e o painel de controle e também entre o painel de controle e o plano de dados. Entre os usuários do Databricks e o painel de controle, o Link Privado fornece controles fortes que limitam a origem das solicitações de entrada. Se uma empresa já roteia o tráfego por meio de um ambiente do Azure, ela pode usar o Link Privado para que a comunicação entre os usuários e o painel de controle do Azure Databricks não atravesse endereços IP públicos. Esse recurso requer o tipo de preço Premium. Use o Link Privado do Azure para se conectar do Azure Databricks aos recursos do Azure. 
O Link Privado não apenas garante", + "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3", + "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link", + "service": "Azure Databricks", "severity": "Média", - "text": "Para arquiteturas de rede com várias topologias hub-and-spoke em regiões do Azure, use emparelhamentos de rede virtual global entre as VNets do hub para conectar as regiões entre si.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "Desempenho" + "text": "Configure e use o Link Privado do Azure para acessar os recursos do Azure.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "Média", - "text": "Use o Azure Monitor para Redes para monitorar o estado de ponta a ponta das redes no Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Operações" + "text": "Use o token revogável de longa duração, armazene seu token em cache e adquira o token silenciosamente usando a Microsoft Identity Library", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "Média", - "text": "Se você tiver mais de 400 redes spoke em uma região, implante um hub adicional para ignorar os limites de emparelhamento VNet (500) e o número máximo de prefixos que podem ser anunciados por meio do ExpressRoute (1000).", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "text": "Certifique-se de que os fluxos de usuário de entrada sejam armazenados em backup e resilientes. Certifique-se de que o código que você usa para entrar em seus usuários é de backup e recuperável. Interfaces resilientes com processos externos", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "Média", - "text": "Limite o número de rotas por tabela de rotas a 400.", - "training": 
"https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "text": "Os ativos de marca personalizados devem ser hospedados em uma CDN",
+ "waf": "Desempenho"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
+ "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
+ "service": "AAD B2C",
+ "severity": "Baixo",
+ "text": "Ter vários provedores de identidade (ou seja, fazer login com suas contas da Microsoft, Google, Facebook)",
 "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
- "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
- "service": "VNet",
- "severity": "Alto",
- "text": "Use a configuração 'Permitir tráfego para rede virtual remota' ao configurar emparelhamentos VNet.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "checklist": "Identity Review Checklist",
+ "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Média",
+ "text": "Siga as regras de VM para alta disponibilidade no nível da VM (discos premium, dois ou mais em uma região, em zonas de disponibilidade diferentes)",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = 
properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
- "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
- "service": "Load Balancers",
- "severity": "Alto",
- "text": "Use o SKU do Standard Load Balancer com uma implantação com redundância de zona, a seleção do SKU Standard Load Balancer aumenta a confiabilidade por meio de zonas de disponibilidade e resiliência de zona, garantindo que as implantações resistam a falhas de zona e região. 
Ao contrário do Basic, ele oferece suporte ao balanceamento de carga global e oferece um SLA.",
+ "checklist": "Identity Review Checklist",
+ "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Média",
+ "text": "Não replique! A replicação pode criar problemas com a sincronização de diretórios",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = 
poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
- "guid": "48682fb1-1e86-4458-a686-518ebd47393d",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
- "service": "Load Balancers",
- "severity": "Alto",
- "text": "Verifique se os pools de back-end do balanceador de carga contêm pelo menos duas instâncias, a implantação de Azure Load Balancers com pelo menos duas instâncias no back-end evita um único ponto de falha e dá suporte à escalabilidade.",
+ "checklist": "Identity Review Checklist",
+ "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Média",
+ "text": "Ter ativo-ativo para várias regiões",
 "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
- "service": "ExpressRoute",
+ "checklist": "Identity Review Checklist",
+ "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
 "severity": "Média",
- "text": "Quando você estiver usando o ExpressRoute Direct, configure o MACsec para criptografar o tráfego no nível da camada dois entre os roteadores da organização e o MSEE. 
O diagrama mostra essa criptografia no fluxo.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
- "waf": "Segurança"
+ "text": "Adicionar carimbos de serviço de Domínio do Azure AD a regiões e locais adicionais",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
- "service": "ExpressRoute",
+ "checklist": "Identity Review Checklist",
+ "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
 "severity": "Média",
- "text": "Para cenários em que o MACsec não é uma opção (por exemplo, não usando o ExpressRoute Direct), use um gateway de VPN para estabelecer túneis IPsec no emparelhamento privado do ExpressRoute.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
- "waf": "Segurança"
+ "text": "Usar conjuntos de réplicas para DR",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
 "severity": "Alto",
- "text": "Verifique se nenhum espaço de endereço IP sobreposto entre regiões do Azure e locais é usado.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": 
"Segurança"
+ "text": "Habilite a redundância de zona para o Cache do Azure para Redis. O Cache do Azure para Redis dá suporte a configurações redundantes de zona nas camadas Premium e Enterprise. Um cache redundante de zona pode colocar seus nós em diferentes zonas de disponibilidade do Azure na mesma região. Ele elimina a interrupção do data center ou AZ como um único ponto de falha e aumenta a disponibilidade geral do cache.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
- "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "VNet",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
+ "service": "Redis",
 "severity": "Média",
- "text": "Use endereços IP dos intervalos de alocação de endereços para Internets privadas (RFC 1918).",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Segurança"
- },
- {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend 
addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
- "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "VNet",
- "severity": "Alto",
- "text": "Certifique-se de que o espaço de endereço IP não seja desperdiçado, não crie redes virtuais desnecessariamente grandes (por exemplo, /16).",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Desempenho"
- },
- {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
- "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
- "service": "VNet",
- "severity": "Alto",
- "text": "Não use intervalos de endereços IP sobrepostos para sites de produção e recuperação de desastres.",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "text": "Configure a persistência de dados para uma instância do Cache do Azure para Redis. Como os dados do cache são armazenados na memória, uma falha rara e não planejada de vários nós pode fazer com que todos os dados sejam descartados. 
Para evitar a perda completa de dados, a persistência do Redis permite que você tire instantâneos periódicos de dados na memória e os armazene em sua conta de armazenamento.",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
- "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone",
- "service": "Public IP Addresses",
- "severity": "Alto",
- "text": "Use SKU Standard e IPs com redundância de zona quando aplicável, os endereços IP públicos no Azure podem ser de SKU padrão, disponíveis como não zonal, zonal ou com redundância de zona. Os IPs com redundância de zona podem ser acessados em todas as zonas, resistindo a qualquer falha de zona única, fornecendo assim maior resiliência. 
",
- "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
+ "service": "Redis",
+ "severity": "Média",
+ "text": "Use a conta de armazenamento com redundância geográfica para persistir o Cache do Azure para dados Redis ou zonalmente redundante onde a redundância geográfica não está disponível",
 "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Network/dnsZones",
- "checklist": "Azure Landing Zone Review",
- "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
- "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal",
- "service": "DNS",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
+ "service": "Redis",
 "severity": "Média",
- "text": "Para ambientes em que a resolução de nomes no Azure é tudo o que é necessário, use o DNS Privado do Azure para resolução com uma zona delegada para resolução de nomes (como 'azure.contoso.com').",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "Operações"
+ "text": "Configure a replicação geográfica passiva para instâncias do Cache Premium do Azure para Redis. A replicação geográfica é um mecanismo para vincular duas ou mais instâncias do Cache do Azure para Redis, normalmente abrangendo duas regiões do Azure. A replicação geográfica foi projetada principalmente para recuperação de desastres entre regiões. 
Duas instâncias de cache de camada Premium são conectadas por meio de replicação geográfica de uma forma que fornece leituras e gravações no cache primário e que os dados são replicados para o cache secundário.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Network/dnsZones",
- "checklist": "Azure Landing Zone Review",
- "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
- "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
- "service": "DNS",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies",
+ "service": "Spring Apps",
 "severity": "Média",
- "text": "Para ambientes em que a resolução de nomes no Azure e no local é necessária e não há nenhum serviço DNS corporativo existente, como o Active Directory, use o Resolvedor Privado de DNS do Azure para rotear solicitações de DNS para o Azure ou para servidores DNS locais.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
- "waf": "Segurança"
- },
- {
- "arm-service": "Microsoft.Network/dnsZones",
- "checklist": "Azure Landing Zone Review",
- "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
- "service": "DNS",
- "severity": "Baixo",
- "text": "Cargas de trabalho especiais que exigem e implantam seu próprio DNS (como o Red Hat OpenShift) devem usar sua solução de DNS preferida.",
- "training": "https://learn.microsoft.com/training/courses/az-700t00",
- "waf": "Operações"
+ "text": "Os Aplicativos Spring do Azure permitem duas implantações para cada aplicativo, apenas um dos quais recebe tráfego de produção. Você pode obter tempo de inatividade zero com estratégias de implantação em verde azul. 
A implantação verde azul só está disponível nas camadas Standard e Enterprise. Você pode automatizar a implantação usando CI/CD com ações do ADO/GitHub",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Network/dnsZones",
- "checklist": "Azure Landing Zone Review",
- "guid": "614658d3-558f-4d77-849b-821112df27ee",
- "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
- "service": "DNS",
- "severity": "Alto",
- "text": "Habilite o registro automático para o DNS do Azure para gerenciar automaticamente o ciclo de vida dos registros DNS para as máquinas virtuais implantadas em uma rede virtual.",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "Operações"
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716",
+ "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
+ "service": "Spring Apps",
+ "severity": "Média",
+ "text": "As instâncias do Azure Spring Apps podem ser criadas em várias regiões para seus aplicativos e o tráfego pode ser roteado pelo Gerenciador de Tráfego/Front Door.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Network/dnsZones",
- "checklist": "Azure Landing Zone Review",
- "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b",
- "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures",
- "service": "DNS",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps",
+ "service": "Spring Apps",
 "severity": "Média",
- "text": "Implementar um plano para gerenciar a resolução de DNS entre várias regiões 
do Azure e quando os serviços fazem failover para outra região",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "text": "Na região com suporte, os Aplicativos Spring do Azure podem ser implantados como zona redundante, o que significa que as instâncias são distribuídas automaticamente entre zonas de disponibilidade. Esse recurso só está disponível nas camadas Standard e Enterprise.",
 "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/bastionHosts",
- "checklist": "Azure Landing Zone Review",
- "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
- "service": "Bastion",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment",
+ "service": "Spring Apps",
 "severity": "Média",
- "text": "Use o Azure Bastion para se conectar com segurança à sua rede.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
- "waf": "Segurança"
+ "text": "Usar mais de 1 instância de aplicativo para seus aplicativos",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/bastionHosts",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
- "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
- "service": "Bastion",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps 
Review",
+ "guid": "7504c230-6035-4183-95a5-85762acc6075",
+ "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services",
+ "service": "Spring Apps",
 "severity": "Média",
- "text": "Use o Azure Bastion em uma sub-rede /26 ou maior.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
- "waf": "Segurança"
+ "text": "Monitore os Aplicativos Spring do Azure com logs, métricas e rastreamento. Integre o ASA com insights de aplicativos e rastreie falhas e crie pastas de trabalho.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
- "service": "WAF",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway",
+ "service": "Spring Apps",
 "severity": "Média",
- "text": "Use as políticas do Azure Front Door e do WAF para fornecer proteção global entre regiões do Azure para conexões HTTP/S de entrada para uma zona de destino.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Segurança"
+ "text": "Configurar o dimensionamento automático no Spring Cloud Gateway",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "97411607-b6fd-4335-99d1-9885faf4e392",
+ "link": 
"https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale",
+ "service": "Spring Apps",
 "severity": "Baixo",
- "text": "Ao usar o Azure Front Door e o Gateway de Aplicativo do Azure para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Azure Front Door. Bloqueie o Gateway de Aplicativo do Azure para receber tráfego somente do Azure Front Door.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Segurança"
+ "text": "Habilite o dimensionamento automático para os aplicativos com o plano de consumo padrão e dedicado.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
- "severity": "Alto",
- "text": "Quando WAFs e outros proxies reversos forem necessários para conexões HTTP/S de entrada, implante-os em uma rede virtual de zona de destino e junto com os aplicativos que eles estão protegendo e expondo à Internet.",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Segurança"
- },
- {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
- "severity": "Alto",
- "text": "Use os planos de Rede ou Proteção de IP do Azure contra DDoS para ajudar a proteger os pontos de extremidade de endereços IP públicos nas redes virtuais.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Segurança"
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3",
+ "link": 
"https://learn.microsoft.com/azure/spring-apps/overview",
+ "service": "Spring Apps",
+ "severity": "Média",
+ "text": "Use o plano Enterprise para suporte comercial de inicialização spring para aplicativos de missão crítica. Com outras camadas, você obtém suporte a OSS.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
- "service": "VNet",
- "severity": "Alto",
- "text": "Planeje como gerenciar a configuração e a estratégia de tráfego de saída da rede antes da próxima alteração significativa. Em 30 de setembro de 2025, o acesso de saída padrão para novas implantações será desativado e somente configurações de acesso explícito serão permitidas.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
+ "service": "Azure Monitor",
+ "text": "Regras de coleta de dados no Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "Custar"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
- "severity": "Alto",
- "text": "Adicione configurações de diagnóstico para salvar logs relacionados a DDoS para todos os endereços IP públicos protegidos (IP DDoS ou Proteção de Rede).",
- "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Segurança"
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "45901365-d38e-443f-abcb-d868266abca2",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Azure Backup",
+ "text": "Verificar instâncias de backup com a fonte de dados subjacente não encontrada",
+ "waf": "Custar"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
- "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
- "service": "Policy",
- "severity": "Alto",
- "text": "Verifique se há uma atribuição de política para negar endereços IP públicos diretamente vinculados a máquinas virtuais. Use exclusões se IPs públicos forem necessários em VMs específicas.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
- "waf": "Segurança"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "VM",
+ "text": "Excluir ou arquivar serviços não associados (discos, nics, endereços IP etc.)",
+ "waf": "Custar"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
- "service": "ExpressRoute",
- "severity": "Média",
- "text": "Use o ExpressRoute como a conexão principal com o Azure. 
Use VPNs como fonte de conectividade de backup.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Desempenho"
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "service": "Azure Backup",
+ "text": "Considere um bom equilíbrio entre recuperação de local, armazenamento e backup para aplicativos não essenciais",
+ "waf": "Custar"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "description": "Você pode usar o prefixo AS-path e pesos de conexão para influenciar o tráfego do Azure para o local e toda a gama de atributos BGP em seus próprios roteadores para influenciar o tráfego do local para o Azure.",
- "guid": "f29812b2-363c-4efe-879b-599de0d5973c",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
- "service": "ExpressRoute",
- "severity": "Média",
- "text": "Ao usar vários circuitos do ExpressRoute ou vários locais locais, use atributos BGP para otimizar o roteamento.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
+ "service": "Azure Monitor",
+ "text": "Verifique os gastos e as oportunidades de economia entre os 40 diferentes espaços de trabalho de análise de log - use retenção e coleta de dados diferentes para espaços de trabalho não prod - crie limite diário para reconhecimento e dimensionamento de 
camadas - Se você definir um limite diário, além de criar um alerta quando o limite for atingido, certifique-se de também criar uma regra de alerta para ser notificado quando alguma porcentagem for atingida (90%, por exemplo). - considerar a transformação do espaço de trabalho, se possível - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
+ "waf": "Custar"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
- "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku",
- "service": "ExpressRoute",
- "severity": "Média",
- "text": "Selecione o SKU correto para os gateways ExpressRoute/VPN com base nos requisitos de largura de banda e desempenho.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Desempenho"
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Azure Monitor",
+ "text": "Impor uma política de log de limpeza e automação (se necessário, os logs podem ser movidos para armazenamento frio)",
+ "training": 
"https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Verifique se você está usando circuitos do ExpressRoute de dados ilimitados somente se atingir a largura de banda que justifica seu custo.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "Verifique se os discos são realmente necessários, se não: excluir. 
Se forem necessários, encontre níveis de armazenamento mais baixos ou use backup -",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
 "waf": "Custar"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
- "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
- "service": "ExpressRoute",
- "severity": "Alto",
- "text": "Aproveite o SKU local do ExpressRoute para reduzir o custo de seus circuitos, se o local de emparelhamento de circuito der suporte às regiões do Azure para o SKU Local.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Storage",
+ "text": "Considere mover o armazenamento não utilizado para o nível inferior, com regra personalizada - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
 "waf": "Custar"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing 
Zone Review",
- "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
- "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways",
- "service": "ExpressRoute",
- "severity": "Média",
- "text": "Implante um gateway do ExpressRoute com redundância de zona nas regiões do Azure com suporte.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "VM",
+ "text": "Verifique se o Advisor está configurado para o dimensionamento correto da VM ",
+ "waf": "Custar"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
- "service": "ExpressRoute",
- "severity": "Média",
- "text": "Para cenários que exigem largura de banda superior a 10 Gbps ou portas dedicadas de 10/100 Gbps, use o ExpressRoute Direct.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Desempenho"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "description": "verifique pesquisando as Licenças de Categoria de Medidor na Análise de Custos",
+ "guid": 
"59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "executar o script em todas as VMs do Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- considere implementar uma diretiva se as VMs do Windows forem criadas com frequência", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", - "severity": "Média", - "text": "Quando a baixa latência for necessária ou a taxa de transferência do local para o Azure precisar ser maior que 10 Gbps, habilite o FastPath para ignorar o gateway do ExpressRoute do caminho de dados.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Desempenho" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": " isso também pode ser colocado no AHUB se você já tiver licenças https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Custar" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": 
"4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", - "severity": "Média", - "text": "Use gateways de VPN com redundância de zona para conectar branches ou locais remotos ao Azure (quando disponível).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "Consolidar famílias de VM reservadas com opção de flexibilidade (não mais do que 4-5 famílias)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Custar" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", - "severity": "Média", - "text": "Use dispositivos VPN redundantes locais (ativo/ativo ou ativo/passivo).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "Utilize instâncias reservadas do Azure: esse recurso permite reservar VMs por um período de 1 ou 3 anos, proporcionando uma economia significativa em comparação com os preços do PAYG.", + "waf": "Custar" }, { - 
"arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Se estiver usando o ExpressRoute Direct, considere usar circuitos locais do ExpressRoute para as regiões locais do Azure para economizar custos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "Somente discos maiores podem ser reservados => 1 TiB -", "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "Após a otimização do dimensionamento correto", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "Verifique se aplicável e aplique a política/alteração 
https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "VM",
+ "text": "O desconto da peça de licença VM + (ahub + 3YRI) é de cerca de 70% de desconto",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "VM",
+ "text": "Considere o uso de um VMSS para corresponder à demanda em vez de dimensionamento simples",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "AKS",
+ "text": "Use o autoscaler AKS para corresponder ao uso de clusters (verifique se os requisitos dos pods correspondem ao dimensionador)",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Azure Backup",
+ "text": "Mover pontos de recuperação para o vault-archive, quando aplicável (Validar)",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "Custar"
+ },
+ { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "Considere o uso de VMs spot com fallback sempre que possível. Considere o autotermination de clusters.", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "Funções - Reutilizar conexões", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "Funções - Armazenar dados em cache localmente", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "Funções - Partidas a frio - Use a funcionalidade 'Executar do pacote'. Dessa forma, o código é baixado como um único arquivo zip. Isso pode, por exemplo, resultar em melhorias significativas com as funções Javascript, que possuem muitos módulos de nó. 
Use ferramentas específicas de linguagem para reduzir o tamanho do pacote, por exemplo, aplicativos Javascript que agitam árvores.",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "Azure Functions",
+ "text": "Funções - Mantenha suas funções aquecidas",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Azure Functions",
+ "text": "Ao usar o dimensionamento automático com funções diferentes, pode haver um que conduza todo o dimensionamento automático para todos os recursos - considere movê-lo para um plano de consumo separado (e considere um plano mais alto para a CPU)",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
+ "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+ "service": "Azure Functions",
+ "text": "Os aplicativos de função em um determinado plano são todos dimensionados juntos, portanto, quaisquer problemas com o dimensionamento podem afetar todos os aplicativos no plano.",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
+ "service": "Azure Functions",
+ "text": "Sou cobrado por 'tempo de 
espera'? Essa pergunta geralmente é feita no contexto de uma função C# que faz uma operação assíncrona e aguarda o resultado, por exemplo, aguardar Task.Delay(1000) ou aguardar cliente. GetAsync('http://google.com'). A resposta é sim - o segundo cálculo de GB é baseado na hora de início e término da função e no uso de memória durante esse período. O que realmente acontece ao longo desse tempo em termos de atividade da CPU não é levado em consideração no cálculo. Uma exceção a essa regra é se você estiver usando funções duráveis. Você não é cobrado pelo tempo gasto em espera em funções de orquestrador.aplique técnicas de modelagem de demanda sempre que possível (ambientes de desenvolvimento?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Front Door",
+ "text": "Frontdoor - Desativar a página inicial padrãoNas configurações do aplicativo do seu aplicativo, defina AzureWebJobsDisableHomepage como true. Isso retornará um 204 (Sem Conteúdo) para o PoP para que apenas os dados de cabeçalho sejam retornados.",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
+ "service": "Front Door",
+ "text": "Frontdoor - Rota para algo que não retorna nada. Configure uma Função, Proxy de Função ou adicione uma rota em seu WebApp que retorne 200 (OK) e envie conteúdo nulo ou mínimo. 
A vantagem disso é que você poderá fazer logout quando for chamado.",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
+ "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
+ "service": "Storage",
+ "text": "Considere níveis de arquivamento para dados menos usados",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
+ "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
+ "service": "VM",
+ "text": "Verifique os tamanhos de disco em que o tamanho não corresponde à camada (ou seja, um disco de 513 GiB pagará um P30 (1TiB) e considere o redimensionamento",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
+ "service": "Storage",
+ "text": "Considere usar SSD padrão em vez de Premium ou Ultra sempre que possível",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
+ "service": "Storage",
+ "text": "Para contas de armazenamento, verifique se a camada escolhida não está somando encargos de transação (pode ser mais barato passar para a próxima camada)",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f",
+ "link": 
"https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "Para ASR, considere o uso de discos SSD padrão se o RPO/RTO e a taxa de transferência de replicação permitirem", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "Contas de armazenamento: verifique o hot tier e/ou o GRS necessário", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "Discos - valide o uso de discos SSD Premium em todos os lugares: por exemplo, não-prod pode trocar para SSD padrão ou SSD Premium sob demanda ", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "Crie orçamentos para gerenciar custos e crie alertas que notifiquem automaticamente as partes interessadas sobre anomalias de gastos e riscos de gastos excessivos.", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "Exporte dados de custo para uma conta de armazenamento para análise de dados adicionais.", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + 
"guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "Controle os custos de um pool SQL dedicado pausando o recurso quando ele não estiver em uso.", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "Habilite o recurso de pausa automática do Apache Spark sem servidor e defina seu valor de tempo limite de acordo.", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "Crie várias definições de pool do Apache Spark de vários tamanhos.", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "Adquira unidades de confirmação (SCU) do Azure Synapse por um ano com um plano de pré-compra para economizar nos custos do Azure Synapse Analytics.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "Usar VMs 
spot para trabalhos interruptíveis: são VMs que podem ser licitadas e compradas a um preço com desconto, fornecendo uma solução econômica para cargas de trabalho não críticas.",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "544451e1-92d3-4442-a3c7-628637a551c5",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
+ "service": "VM",
+ "text": "Dimensionamento correto de todas as VMs",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
+ "service": "VM",
+ "text": "Trocar VM dimensionada com tamanhos normalizados e mais recentes",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "VM",
+ "text": "VMs de dimensionamento correto - comece com o monitoramento do uso abaixo de 5% e, em seguida, trabalhe até 40%",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "VM",
+ "text": "A conteinerização de um aplicativo pode melhorar a densidade da VM e economizar dinheiro no dimensionamento",
+ "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "O Barramento de Serviço Premium do Azure fornece criptografia de dados em repouso. Se você usar sua própria chave, os dados ainda serão criptografados usando a chave gerenciada pela Microsoft, mas, além disso, a chave gerenciada pela Microsoft será criptografada usando a chave gerenciada pelo cliente. ", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", + "severity": "Baixo", + "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Segurança" + }, + { + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "A comunicação entre um aplicativo cliente e um namespace do Barramento de Serviço do Azure é criptografada usando TLS (Transport Layer Security). Os namespaces do Barramento de Serviço do Azure permitem que os clientes enviem e recebam dados com TLS 1.0 e superior. 
Para impor medidas de segurança mais rígidas, você pode configurar o namespace do Barramento de Serviço para exigir que os clientes enviem e recebam dados com uma versão mais recente do TLS.",
+ "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version",
+ "service": "Service Bus",
+ "severity": "Média",
+ "text": "Impor uma versão mínima necessária do TLS (Transport Layer Security) para solicitações ",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Quando você cria um namespace do Barramento de Serviço, uma regra SAS chamada RootManageSharedAccessKey é criada automaticamente para o namespace. Essa política tem permissões de gerenciamento para todo o namespace. É recomendável que você trate essa regra como uma conta raiz administrativa e não a use em seu aplicativo. É recomendável usar o AAD como um provedor de autenticação com RBAC. ",
+ "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
+ "service": "Service Bus",
+ "severity": "Média",
+ "text": "Evite usar a conta root quando não for necessário",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Um aplicativo cliente do Barramento de Serviço em execução dentro de um aplicativo do Serviço de Aplicativo do Azure ou em uma máquina virtual com entidades gerenciadas habilitadas para suporte a recursos do Azure não precisa lidar com regras e chaves SAS ou quaisquer outros tokens de acesso. 
O aplicativo cliente só precisa do endereço do ponto de extremidade do namespace do Sistema de Mensagens do Barramento de Serviço. ",
+ "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity",
+ "service": "Service Bus",
+ "severity": "Média",
+ "text": "Quando possível, seu aplicativo deve usar uma identidade gerenciada para se autenticar no Barramento de Serviço do Azure. Caso contrário, considere ter a credencial de armazenamento (SAS, credencial de entidade de serviço) no Azure Key Vault ou em um serviço equivalente",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Ao criar permissões, forneça controle refinado sobre o acesso de um cliente ao Barramento de Serviço do Azure. As permissões no Barramento de Serviço do Azure podem e devem ter como escopo o nível de recurso individual, por exemplo, fila, tópico ou assinatura. ",
+ "guid": "f615658d-e558-4f93-9249-b831112dbd7e",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
+ "service": "Service Bus",
+ "severity": "Alto",
+ "text": "Usar o RBAC do plano de dados com privilégios mínimos",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Os logs de recursos do Barramento de Serviço do Azure incluem logs operacionais, logs de rede virtual e filtragem de IP. 
Os logs de auditoria de tempo de execução capturam informações de diagnóstico agregadas para várias operações de acesso ao plano de dados (como enviar ou receber mensagens) no Barramento de Serviço.",
+ "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
+ "service": "Service Bus",
+ "severity": "Média",
+ "text": "Habilite o registro em log para investigação de segurança. Usar o Azure Monitor para rastrear logs de recursos e logs de auditoria de runtime (atualmente disponível apenas na camada premium)",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Por padrão, o Barramento de Serviço do Azure tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem que o tráfego entre sua rede virtual e o Barramento de Serviço do Azure atravesse a rede de backbone da Microsoft. Além disso, você deve desabilitar os endpoints públicos se eles não forem usados. ",
+ "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
+ "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
+ "service": "Service Bus",
+ "severity": "Média",
+ "text": "Considere usar pontos de extremidade privados para acessar o Barramento de Serviço do Azure e desabilitar o acesso à rede pública quando aplicável.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.ServiceBus/namespaces",
+ "checklist": "Service Bus Review Checklist",
+ "description": "Com o firewall IP, você pode restringir ainda mais o endpoint público a apenas um conjunto de endereços IPv4 ou intervalos de endereços IPv4 na notação CIDR (Classless Inter-Domain Routing). 
", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", + "severity": "Média", + "text": "Considere permitir apenas o acesso ao namespace do Barramento de Serviço do Azure de endereços IP ou intervalos específicos", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Segurança" + }, + { + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", + "severity": "Média", + "text": "Siga as recomendações de suporte de confiabilidade no Serviço de Bot do Azure", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", + "severity": "Média", + "text": "Implantando bots com residência de dados local e conformidade regional", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "severity": "Média", + "text": "O Serviço de Bot do Azure é executado no modo ativo-ativo para serviços globais e regionais. Quando ocorre uma paralisação, você não precisa detectar erros ou gerenciar o serviço. O Serviço de Bot do Azure executa automaticamente o failover automático e a recuperação automática em uma arquitetura geográfica de várias regiões. 
Para o serviço regional de bot da UE, o Serviço de Bot do Azure fornece duas regiões completas dentro da Europa com replicação ativa/ativa para garantir redundância. Para o serviço de bot global, todas as regiões/geografias disponíveis podem ser servidas como a presença global.", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", + "severity": "Média", + "text": "O ACSS (Centro de Soluções SAP) do Azure é uma oferta do Azure que torna o SAP uma carga de trabalho de nível superior no Azure. O ACSS é uma solução de ponta a ponta que permite criar e executar sistemas SAP como uma carga de trabalho unificada no Azure e fornece uma base mais perfeita para a inovação. Você pode aproveitar os recursos de gerenciamento para sistemas SAP novos e existentes baseados no Azure.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operações" + }, + { + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", + "severity": "Média", + "text": "O Azure dá suporte à automação de implantações do SAP no Linux e no Windows. 
O SAP Deployment Automation Framework é uma ferramenta de orquestração de software livre que pode implementar, instalar e manter ambientes SAP.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operações" + }, + { + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", + "severity": "Média", + "text": "Execute uma recuperação pontual para seus bancos de dados de produção a qualquer momento e em um período de tempo que atenda ao seu RTO; a recuperação point-in-time normalmente inclui erros do operador que excluem dados na camada DBMS ou por meio do SAP, incidentalmente", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", + "severity": "Média", + "text": "Teste os tempos de backup e recuperação para verificar se eles atendem aos requisitos de RTO para restaurar todos os sistemas simultaneamente após um desastre.", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", + "severity": "Alto", + "text": "Você pode replicar o armazenamento padrão entre regiões emparelhadas, mas não pode usar o armazenamento padrão para armazenar seus bancos de dados ou discos rígidos virtuais. Você pode replicar backups somente entre regiões emparelhadas que você usa. Para todos os outros dados, execute a replicação usando recursos nativos do DBMS, como SQL Server Always On ou Replicação do Sistema SAP HANA. 
Use uma combinação de Site Recovery, rsync ou robocopy e outros softwares de terceiros para a camada de aplicativo SAP.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "Média", + "text": "Ao usar as Zonas de Disponibilidade do Azure para obter alta disponibilidade, você deve considerar a latência entre os servidores de aplicativos SAP e os servidores de banco de dados. Para zonas com altas latências, os procedimentos operacionais precisam estar em vigor para garantir que os servidores de aplicativos SAP e os servidores de banco de dados estejam em execução na mesma zona o tempo todo.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", + "severity": "Alto", + "text": "Configure conexões do ExpressRoute do local para as regiões de recuperação de desastre primárias e secundárias do Azure. 
Além disso, como alternativa ao uso do ExpressRoute, considere configurar conexões VPN do local para as regiões primárias e secundárias de recuperação de desastre do Azure.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", + "severity": "Baixo", + "text": "Replique o conteúdo do cofre de chaves, como certificados, segredos ou chaves entre regiões, para que você possa descriptografar dados na região de recuperação de desastre.", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", + "severity": "Média", + "text": "Emparelhe as redes virtuais primárias e de recuperação de desastre. 
Por exemplo, para a Replicação do Sistema HANA, uma rede virtual de banco de dados do SAP HANA precisa ser emparelhada com a rede virtual de banco de dados do SAP HANA do site de recuperação de desastres.", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "Baixo", + "text": "Se você usar o armazenamento do Azure NetApp Files para suas implantações SAP, no mínimo, crie duas contas do Azure NetApp Files na camada Premium, em duas regiões.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "Alto", + "text": "A tecnologia de replicação de banco de dados nativa deve ser usada para sincronizar o banco de dados em um par de HA.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + 
"service": "SAP", + "severity": "Alto", + "text": "O CIDR da VNet (rede virtual) primária não deve entrar em conflito ou se sobrepor ao CIDR da VNet do site de recuperação de desastre", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "Alto", + "text": "Use o Site Recovery para replicar um servidor de aplicativos para um site de recuperação de desastre. O Site Recovery também pode ajudar a replicar VMs de cluster de serviços centrais para o site de recuperação de desastre. Ao invocar a DR, você precisará reconfigurar o cluster do Linux Pacemaker no site de DR (por exemplo, substituir o VIP ou SBD, executar corosync.conf e muito mais).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Alto", + "text": "Considere a disponibilidade do software SAP em relação a pontos únicos de falha. Isso inclui pontos únicos de falha em aplicativos, como SGBDs utilizados nas arquiteturas SAP NetWeaver e SAP S/4HANA, SAP AP e ASCS + SCS. 
Além disso, outras ferramentas, como o SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "Alto", + "text": "Para bancos de dados SAP e SAP, considere implementar clusters de failover automáticos. No Windows, o Clustering de Failover do Windows Server dá suporte ao failover. No Linux, o Linux Pacemaker ou ferramentas de terceiros, como o SIOS Protection Suite e o Veritas InfoScale, oferecem suporte ao failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "Alto", + "text": "O Azure não dá suporte a arquiteturas nas quais as VMs primárias e secundárias compartilham armazenamento para dados do DBMS. 
Para a camada DBMS, o padrão de arquitetura comum é replicar bancos de dados ao mesmo tempo e com pilhas de armazenamento diferentes daquelas que as VMs primárias e secundárias usam.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "Alto", + "text": "Os dados do DBMS e os arquivos de log de transação/redo são armazenados no armazenamento em blocos com suporte do Azure ou no Azure NetApp Files. Não há suporte para Arquivos do Azure ou Arquivos Premium do Azure como armazenamento para dados do DBMS e/ou arquivos de log de restauração com carga de trabalho do SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "Alto", + "text": "Você pode usar discos compartilhados do Azure no Windows para componentes ASCS + SCS e cenários específicos de alta disponibilidade. Configure seus clusters de failover separadamente para os componentes da camada de aplicativo SAP e a camada DBMS. 
Atualmente, o Azure não dá suporte a arquiteturas de alta disponibilidade que combinam componentes da camada de aplicativo SAP e a camada DBMS em um cluster de failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "severity": "Alto", + "text": "A maioria dos clusters de failover para componentes da camada de aplicativo SAP (ASCS) e a camada DBMS exigem um endereço IP virtual para um cluster de failover. O Azure Load Balancer deve lidar com o endereço IP virtual para todos os outros casos. Um princípio de design é usar um balanceador de carga por configuração de cluster. Recomendamos que você use a versão padrão do balanceador de carga (SKU do Balanceador de Carga Padrão).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", + "severity": "Alto", + "text": "Certifique-se de que o IP flutuante esteja habilitado no balanceador de carga", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "Alto", + "text": "Antes de implantar sua infraestrutura de alta disponibilidade e dependendo da região escolhida, determine se deseja implantar com um conjunto de disponibilidade do Azure ou uma zona de disponibilidade.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": 
"https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", + "severity": "Alto", + "text": "Se você quiser atender aos SLAs de infraestrutura para seus aplicativos para componentes SAP (serviços centrais, servidores de aplicativos e bancos de dados), deverá escolher as mesmas opções de alta disponibilidade (VMs, conjuntos de disponibilidade, zonas de disponibilidade) para todos os componentes.", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "Alto", + "text": "Não misture servidores de funções diferentes no mesmo conjunto de disponibilidade. Mantenha VMs de serviços centrais, VMs de banco de dados e VMs de aplicativos em seus próprios conjuntos de disponibilidade", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", + "severity": "Média", + "text": "Você não pode implantar conjuntos de disponibilidade do Azure em uma zona de disponibilidade do Azure, a menos que use grupos de posicionamento por proximidade.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "Alto", + "text": "Ao criar conjuntos de disponibilidade, use o número máximo de domínios de falha e atualize os domínios disponíveis. 
Por exemplo, se você implantar mais de duas VMs em um conjunto de disponibilidade, use o número máximo de domínios de falha (três) e domínios de atualização suficientes para limitar o efeito de possíveis falhas de hardware físico, interrupções de rede ou interrupções de energia, além da manutenção planejada do Azure. O número padrão de domínios de falha é dois e você não pode alterá-lo online posteriormente.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "Alto", + "text": "Quando você usa grupos de posicionamento por proximidade do Azure em uma implantação de conjunto de disponibilidade, todos os três componentes SAP (serviços centrais, servidor de aplicativos e banco de dados) devem estar no mesmo grupo de posicionamento por proximidade.", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "Alto", + "text": "Use um grupo de posicionamento por proximidade por SID SAP. 
Os grupos não se estendem por Zonas de Disponibilidade ou regiões do Azure", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Alto", + "text": "Use um dos serviços a seguir para executar clusters de serviços centrais do SAP, dependendo do sistema operacional.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", + "severity": "Média", + "text": "Atualmente, o Azure não dá suporte à combinação de ASCS e DB HA no mesmo cluster do Linux Pacemaker; separe-os em clusters individuais. No entanto, você pode combinar até cinco vários clusters de serviços centrais em um par de VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Média", + "text": "Implante ambas as VMs no par de alta disponibilidade em um conjunto de disponibilidade ou em zonas de disponibilidade. 
Essas VMs devem ter o mesmo tamanho e a mesma configuração de armazenamento.", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", + "severity": "Média", + "text": "O Azure dá suporte à instalação e configuração de instâncias do SAP HANA e ASCS/SCS e ERS no mesmo cluster de alta disponibilidade em execução no RHEL (Red Hat Enterprise Linux).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "severity": "Alto", + "text": "Execute todos os sistemas de produção em SSDs gerenciados Premium e use o Azure NetApp Files ou o Armazenamento em Disco Ultra. Pelo menos o disco do sistema operacional deve estar na camada Premium para que você possa obter melhor desempenho e o melhor SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", + "severity": "Alto", + "text": "Você deve executar o SAP HANA no Azure somente nos tipos de armazenamento certificados pelo SAP. Observe que determinados volumes devem ser executados em determinadas configurações de disco, quando aplicável. Essas configurações incluem habilitar o Acelerador de Gravação e usar o armazenamento Premium. 
Você também precisa garantir que o sistema de arquivos executado no armazenamento seja compatível com o DBMS executado na máquina.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "severity": "Alto", + "text": "Considere configurar a alta disponibilidade dependendo do tipo de armazenamento que você usa para suas cargas de trabalho SAP. Alguns serviços de armazenamento disponíveis no Azure não têm suporte no Azure Site Recovery, portanto, sua configuração de alta disponibilidade pode ser diferente.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "Alto", + "text": "Diferentes serviços de armazenamento nativos do Azure (como Arquivos do Azure, Azure NetApp Files, Disco Compartilhado do Azure) podem não estar disponíveis em todas as regiões. 
Portanto, para ter uma configuração SAP semelhante na região de recuperação de desastre após o failover, verifique se o respectivo serviço de armazenamento é oferecido no site de recuperação de desastre.", + "waf": "Fiabilidade" + }, + { + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", + "severity": "Média", + "text": "Automatize o sistema SAP Start-Stop para gerenciar custos.", + "waf": "Custar" + }, + { + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "Baixo", + "text": "No caso de usar o Armazenamento Premium do Azure com o SAP HANA, o armazenamento SSD Standard do Azure pode ser usado para selecionar uma solução de armazenamento econômica. No entanto, observe que escolher o armazenamento SSD Standard ou HDD Standard do Azure afetará o SLA das VMs individuais. Além disso, para sistemas com menor taxa de transferência de E/S e baixa latência, como ambientes de não produção, as VMs de série inferior podem ser usadas.", + "waf": "Custar" + }, + { + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "Baixo", + "text": "Como uma configuração alternativa de baixo custo (multiuso), você pode escolher um SKU de baixo desempenho para suas VMs de servidor de banco de dados HANA que não são de produção. 
No entanto, é importante observar que alguns tipos de VM, como a série E, não são certificados pelo HANA (Diretório de Hardware do SAP HANA) ou não podem atingir uma latência de armazenamento inferior a 1 ms.",
+ "waf": "Custar"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)",
+ "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Impor um modelo RBAC para grupos de gerenciamento, assinaturas, grupos de recursos e recursos",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "45911475-e39e-4530-accc-d979366bcda2",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Impor a propagação da entidade de segurança para encaminhar a identidade do aplicativo de nuvem SAP para o SAP local (incluindo IaaS) por meio do conector de nuvem",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
 "severity": "Média",
- "text": "Quando o isolamento de tráfego ou a largura de banda dedicada for necessária, como para separar ambientes de produção e não produção, use circuitos diferentes do ExpressRoute. Ele ajudará você a garantir domínios de roteamento isolados e aliviar os riscos de vizinhos barulhentos.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "Implemente SSO para aplicativos SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics e SAP C4C com Azure AD usando SAML.",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "b30e38c3-f298-412b-8363-cefe179b599d",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
 "severity": "Média",
- "text": "Monitore a disponibilidade e a utilização do ExpressRoute usando o Express Route Insights interno.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operações"
+ "text": "Implemente o SSO para aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
- "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
+ "service": "SAP",
 "severity": "Média",
- "text": "Use o Monitor da Conexão para monitoramento de conectividade em toda a rede, especialmente entre o local e o Azure.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operações"
+ "text": "Implemente o SSO para aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
- "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
 "severity": "Média",
- "text": "Use circuitos do ExpressRoute de diferentes locais de emparelhamento para redundância.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidade"
+ "text": "Você pode implementar o SSO no SAP GUI usando o SAP NetWeaver SSO ou uma solução de parceiro.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
+ "service": "SAP",
 "severity": "Média",
- "text": "Use a VPN site a site como failover do ExpressRoute, se estiver usando apenas um único circuito do ExpressRoute.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidade"
+ "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos/SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido à sua facilidade de configuração e manutenção. Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
- "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
+ "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos/SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido à sua facilidade de configuração e manutenção. Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "16785d6f-a96c-496a-b885-18f482734c88",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Implemente o SSO usando o OAuth para SAP NetWeaver para permitir que aplicativos personalizados ou de terceiros acessem os serviços OData do SAP NetWeaver.",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Implementar SSO no SAP HANA",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Considere o Azure AD um provedor de identidade para sistemas SAP hospedados no RISE. Para obter mais informações, consulte Integrando o serviço ao Azure AD.",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
+ "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Para aplicativos que acessam o SAP, talvez você queira usar a propagação principal para estabelecer o SSO.",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Se você estiver usando serviços SAP BTP ou soluções SaaS que exigem o SAP Identity Authentication Service (IAS), considere implementar o SSO entre o SAP Cloud Identity Authentication Services e o Azure AD para acessar esses serviços SAP. Essa integração permite que o SAP IAS atue como um provedor de identidade proxy e encaminhe solicitações de autenticação para o Azure AD como o repositório central de usuários e o provedor de identidade.",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Implementar SSO para SAP BTP",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Se você estiver usando o SAP SuccessFactors, considere usar o provisionamento automatizado de usuários do Azure AD. Com essa integração, à medida que você adiciona novos funcionários ao SAP SuccessFactors, você pode criar automaticamente suas contas de usuário no Azure AD. Opcionalmente, você pode criar contas de usuário no Microsoft 365 ou em outros aplicativos SaaS compatíveis com o Azure AD. Use o write-back do endereço de email para o SAP SuccessFactors.",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "description": "Mantenha a hierarquia do grupo de gerenciamento razoavelmente plana, não mais do que quatro.",
+ "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)",
+ "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "impor políticas existentes do Grupo de Gerenciamento às Assinaturas SAP",
+ "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
+ "waf": "Operações"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "graph": "Resources | summarize count()",
+ "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Se você estiver usando uma tabela de rotas no GatewaySubnet, certifique-se de que as rotas de gateway sejam propagadas.",
- "waf": "Fiabilidade"
+ "text": "Integre aplicativos fortemente acoplados na mesma assinatura SAP para evitar complexidade adicional de roteamento e gerenciamento",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "d581a947-69a2-4783-942e-9df3664324c8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
+ "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Se estiver usando o ExpressRoute, o roteamento local deverá ser dinâmico: no caso de uma falha de conexão, ele deverá convergir para a conexão restante do circuito. A carga deve ser compartilhada entre ambas as conexões, idealmente como ativa/ativa, embora ativa/passiva também seja suportada.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidade"
+ "text": "Aproveite a assinatura como unidade de escala e dimensione nossos recursos, considere implantar a assinatura por ambiente, por exemplo. Caixa de areia, não-prod, prod ",
+ "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
- "service": "ExpressRoute",
- "severity": "Média",
- "text": "Verifique se os dois links físicos do circuito do ExpressRoute estão conectados a dois dispositivos de borda distintos em sua rede.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidade"
+ "checklist": "SAP Checklist",
+ "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc",
+ "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
+ "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Garantir o aumento da cota como parte do provisionamento da assinatura (por exemplo, total de núcleos de VM disponíveis em uma assinatura)",
+ "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
+ "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
+ "service": "SAP",
+ "severity": "Baixo",
+ "text": "A API de Cota é uma API REST que você pode usar para exibir e gerenciar cotas para serviços do Azure. Considere usá-lo, se necessário.",
+ "waf": "Operações"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
+ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Se estiver implantando em uma zona de disponibilidade, verifique se a implantação da zona da VM está disponível depois que a cota for aprovada. Envie uma solicitação de suporte com a assinatura, a série de VMs, o número de CPUs e a zona de disponibilidade necessárias.",
+ "waf": "Operações"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Certifique-se de que os serviços e recursos necessários estejam disponíveis nas regiões de implantação escolhidas, por exemplo. ANF, Zona etc.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "waf": "Operações"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
 "severity": "Média",
- "text": "Certifique-se de que a Detecção de Encaminhamento Bidirecional (BFD) esteja habilitada e configurada em dispositivos de roteamento de borda do cliente ou provedor.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Fiabilidade"
+ "text": "Aproveite a marca de recurso do Azure para categorização de custos e agrupamento de recursos (: BillTo, Departamento (ou Unidade de Negócios), Ambiente (Produção, Estágio, Desenvolvimento), Camada (Camada da Web, Camada de Aplicativo), Proprietário do Aplicativo, ProjectName)",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Conecte o Gateway do ExpressRoute a dois ou mais circuitos de diferentes locais de emparelhamento para maior resiliência.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "Ajude a proteger seu banco de dados HANA usando o serviço de Backup do Azure.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
 "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
 "severity": "Média",
- "text": "Configure logs de diagnóstico e alertas para o gateway de rede virtual do ExpressRoute.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "Se você implantar o Azure NetApp Files para seu banco de dados HANA, Oracle ou DB2, use a ferramenta AzAcSnap (Instantâneo Consistente com o Aplicativo do Azure) para tirar instantâneos consistentes com o aplicativo. O AzAcSnap também oferece suporte a bancos de dados Oracle. Considere usar o AzAcSnap em uma VM central em vez de em VMs individuais.",
+ "waf": "Fiabilidade"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Garanta correspondências de fuso horário entre o sistema operacional e o sistema SAP.",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
- "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
- "service": "ExpressRoute",
+ "checklist": "SAP Checklist",
+ "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
+ "service": "SAP",
 "severity": "Média",
- "text": "Não use circuitos do ExpressRoute para comunicação VNet para VNet.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Desempenho"
+ "text": "Não agrupe diferentes serviços de aplicativo no mesmo cluster. Por exemplo, não combine clusters DRBD e de serviços centrais no mesmo cluster. No entanto, você pode usar o mesmo cluster do Pacemaker para gerenciar aproximadamente cinco serviços centrais diferentes (cluster de vários SID).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Fiabilidade"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "service": "N/A",
+ "checklist": "SAP Checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
 "severity": "Baixo",
- "text": "Não envie o tráfego do Azure para locais híbridos para inspeção. Em vez disso, siga o princípio \"o tráfego no Azure permanece no Azure\" para que a comunicação entre os recursos no Azure ocorra por meio da rede de backbone da Microsoft.",
- "waf": "Desempenho"
+ "text": "Considere executar sistemas de desenvolvimento/teste em um modelo de adiamento para economizar e otimizar os custos de execução do Azure.",
+ "waf": "Custar"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
- "link": "https://learn.microsoft.com/azure/firewall/overview",
- "service": "Firewall",
- "severity": "Alto",
- "text": "Use o Firewall do Azure para controlar o tráfego de saída do Azure para a Internet, conexões de entrada não HTTP/S e filtragem de tráfego Leste/Oeste (se a organização exigir).",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Segurança"
+ "checklist": "SAP Checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Se você fizer parceria com clientes gerenciando suas propriedades SAP, considere o Azure Lighthouse. O Azure Lighthouse permite que os provedores de serviços gerenciados usem serviços de identidade nativos do Azure para se autenticar no ambiente dos clientes. Ele coloca o controle nas mãos dos clientes, pois eles podem revogar o acesso a qualquer momento e auditar as ações dos prestadores de serviços.",
+ "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
- "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview",
- "service": "Firewall",
+ "checklist": "SAP Checklist",
+ "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
+ "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
+ "service": "SAP",
 "severity": "Média",
- "text": "Crie uma política global de Firewall do Azure para controlar a postura de segurança em todo o ambiente de rede global e atribua-a a todas as instâncias do Firewall do Azure. Permita que políticas granulares atendam aos requisitos de regiões específicas delegando políticas de firewall incrementais às equipes de segurança locais por meio do controle de acesso baseado em função do Azure.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Segurança"
+ "text": "Use o Azure Update Manager para verificar o status das atualizações disponíveis para uma única VM ou várias VMs e considere agendar patches regulares.",
+ "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
- "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
- "service": "Firewall",
+ "checklist": "SAP Checklist",
+ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
+ "service": "SAP",
 "severity": "Baixo",
- "text": "Configure provedores de segurança SaaS de parceiros compatíveis no Firewall Manager se a organização quiser usar essas soluções para ajudar a proteger as conexões de saída.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Segurança"
- },
- {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
- "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
- "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
- "service": "Firewall",
- "severity": "Alto",
- "text": "Use regras de aplicativo para filtrar o tráfego de saída no nome do host de destino para protocolos com suporte. Use regras de rede baseadas em FQDN e Firewall do Azure com proxy DNS para filtrar o tráfego de saída para a Internet em outros protocolos.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Segurança"
- },
- {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
- "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features",
- "service": "Firewall",
- "severity": "Alto",
- "text": "Use o Firewall do Azure Premium para habilitar recursos de segurança adicionais.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
- "waf": "Segurança"
+ "text": "Otimize e gerencie as operações do SAP Basis usando o SAP Landscape Management (LaMa). Use o conector SAP LaMa para Azure para realocar, copiar, clonar e atualizar sistemas SAP.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
+ "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
- "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules",
- "service": "Firewall",
- "severity": "Alto",
- "text": "Configure o modo de Inteligência contra Ameaças do Firewall do Azure como Alerta e Negação para proteção adicional.",
- "waf": "Segurança"
+ "checklist": "SAP Checklist",
+ "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Use o Azure Monitor para soluções SAP para monitorar suas cargas de trabalho SAP (SAP HANA, clusters SUSE de alta disponibilidade e sistemas SQL) no Azure. Considere complementar o Azure Monitor para soluções SAP com o SAP Solution Manager.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
- "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
- "service": "Firewall",
+ "checklist": "SAP Checklist",
+ "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Configure o modo IDPS do Firewall do Azure como Negar para proteção adicional.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
- "waf": "Segurança"
+ "text": "Execute uma extensão de VM para verificação SAP. A Extensão de VM para SAP usa a identidade gerenciada atribuída de uma VM (máquina virtual) para acessar dados de monitoramento e configuração de VM. A verificação garante que todas as métricas de desempenho em seu aplicativo SAP venham da Extensão do Azure para SAP subjacente.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
+ "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
- "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
- "service": "Firewall",
- "severity": "Alto",
- "text": "Para sub-redes em VNets não conectadas à WAN Virtual, anexe uma tabela de rotas para que o tráfego da Internet seja redirecionado para o Firewall do Azure ou uma Solução de Virtualização de Rede.",
- "waf": "Segurança"
+ "checklist": "SAP Checklist",
+ "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Use o Azure Policy para controle de acesso e relatórios de conformidade. O Azure Policy fornece a capacidade de impor configurações em toda a organização para garantir a adesão consistente à política e a detecção rápida de violações. ",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
- "service": "Firewall",
+ "checklist": "SAP Checklist",
+ "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
+ "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
+ "service": "SAP",
 "severity": "Média",
- "text": "Adicione configurações de diagnóstico para salvar logs, usando a tabela de destino Específico do Recurso, para todas as implantações do Firewall do Azure.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Use o Monitor da Conexão no Observador de Rede do Azure para monitorar métricas de latência para bancos de dados SAP e servidores de aplicativos. Ou colete e exiba medidas de latência de rede usando o Azure Monitor.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
 "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
- "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
- "service": "Firewall",
- "severity": "Importante",
- "text": "Migre das regras clássicas do Firewall do Azure (se houver) para a Política de Firewall.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "checklist": "SAP Checklist",
+ "guid": "73686af4-6791-4f89-95ad-a43324e13811",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Execute uma verificação de qualidade para o SAP HANA na infraestrutura provisionada do Azure para verificar se as VMs provisionadas estão em conformidade com as práticas recomendadas do SAP HANA no Azure.",
 "waf": "Operações"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
- "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
- "service": "Firewall",
+ "checklist": "SAP Checklist",
+ "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Use um prefixo /26 para suas sub-redes do Firewall do Azure.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
- "waf": "Segurança"
+ "text": "Para cada assinatura do Azure, execute um teste de latência nas zonas de disponibilidade do Azure antes da implantação zonal para escolher zonas de baixa latência para implantação do SAP no Azure.",
+ "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "waf": "Desempenho"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
- "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
- "service": "Firewall",
+ "checklist": "SAP Checklist",
+ "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
+ "service": "SAP",
 "severity": "Média",
- "text": "Organize as regras dentro da política de firewall em Grupos de Coleção de Regras e Coleções de Regras e com base em sua frequência de uso.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/",
- "waf": "Desempenho"
+ "text": "Execute o Relatório de Resiliência para garantir que a configuração de toda a infraestrutura provisionada do Azure (Computação, Banco de Dados, Rede, Armazenamento, Site Recovery) esteja em conformidade com a configuração definida pelo Cloud Adaption Framework for Azure.",
+ "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
- "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
- 
"service": "Firewall", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "severity": "Média", - "text": "Use grupos de IP ou prefixos de IP para reduzir o número de regras de tabela de IP.", - "waf": "Desempenho" + "text": "Implemente a proteção contra ameaças usando a solução do Microsoft Sentinel para SAP. Use essa solução para monitorar seus sistemas SAP e detectar ameaças sofisticadas em toda a lógica de negócios e nas camadas de aplicativos.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "waf": "Segurança" + }, + { + "checklist": "SAP Checklist", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", + "severity": "Média", + "text": "A marcação do Azure pode ser aproveitada para agrupar e rastrear recursos logicamente, automatizar suas implantações e, o mais importante, fornecer visibilidade sobre os custos incorridos.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operações" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", - "severity": "Média", - "text": "Não use curingas como um IP de origem para DNATS, como * ou any, você deve especificar IPs de origem para DNATs de entrada.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "checklist": "SAP 
Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", + "severity": "Baixo", + "text": "Use o monitoramento de latência entre VMs para aplicativos sensíveis à latência.", "waf": "Desempenho" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Média", - "text": "Evite o esgotamento da porta SNAT monitorando o uso da porta SNAT, avaliando as configurações do NAT Gateway e garantindo um failover contínuo. Se a contagem de portas se aproximar do limite, é um sinal de que o esgotamento do SNAT pode ser iminente.", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "Desempenho" + "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastre para servidores de aplicativos SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "Alto", - "text": "Se você estiver usando o Firewall do Azure Premium, habilite a Inspeção TLS.", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "Média", + "text": "Exclua todos os sistemas de arquivos de banco de dados e programas executáveis das verificações antivírus. Incluí-los pode levar a problemas de desempenho. Verifique com os fornecedores de banco de dados os detalhes prescritivos na lista de exclusão. Por exemplo, a Oracle recomenda excluir /oracle//sapdata das verificações antivírus.", "waf": "Desempenho" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", "severity": "Baixo", - "text": "Use categorias da Web para permitir ou negar o acesso de saída a tópicos específicos.", + "text": "Considere coletar estatísticas completas do banco de dados para bancos de dados não HANA após a migração. 
Por exemplo, implemente a nota 1020260 do SAP - Entrega de estatísticas do Oracle.", "waf": "Desempenho" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "severity": "Média", - "text": "Como parte da inspeção TLS, planeje o recebimento de tráfego dos Gateways de Aplicativo do Azure para inspeção.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", + "text": "Considere usar o ASM (Gerenciamento Automático de Armazenamento) do Oracle para todas as implantações do Oracle que usam o SAP no Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", "waf": "Desempenho" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "Média", - "text": "Habilite a configuração de proxy DNS do Firewall do Azure.", - "training": 
"https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "Segurança" + "text": "Para SAP no Azure executando Oracle, uma coleção de scripts SQL pode ajudá-lo a diagnosticar problemas de desempenho. Os relatórios do Automatic Workload Repository (AWR) contêm informações valiosas para diagnosticar problemas no sistema Oracle. Recomendamos que você execute um relatório AWR durante várias sessões e escolha horários de pico para ele, para garantir uma ampla cobertura para a análise.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Alto", - "text": "Integre o Firewall do Azure ao Azure Monitor e habilite o log de diagnóstico para armazenar e analisar logs e métricas de firewall.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "Operações" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "Baixo", - "text": "Implementar backups para suas regras de firewall", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastre para servidores de aplicativos SAP.", + "training": 
"https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", "waf": "Operações" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", - "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", - "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", - "service": "Firewall", - "severity": "Alto", - "text": "Implante o Firewall do Azure em várias zonas de disponibilidade. O Firewall do Azure oferece SLAs diferentes, dependendo de sua implantação; em uma única zona de disponibilidade ou em várias, melhorando potencialmente a confiabilidade e o desempenho.", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "Fiabilidade" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", - "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", - "link": 
"https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", - "service": "Firewall", - "severity": "Alto", - "text": "Configure a Proteção contra DDoS na VNet do Firewall do Azure, associe um plano de proteção contra DDoS à rede virtual que hospeda o Firewall do Azure para fornecer mitigação aprimorada contra ataques de DDoS. O Gerenciador de Firewall do Azure integra a criação de infraestrutura de firewall e planos de proteção contra DDoS. ", - "waf": "Fiabilidade" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", - "severity": "Alto", - "text": "Não interrompa a comunicação do painel de controle para serviços de PaaS do Azure injetados em redes virtuais, como com uma rota 0.0.0.0/0 ou uma regra NSG que bloqueia o tráfego do painel de controle.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", + "severity": "Média", + "text": "Para entrega segura de aplicativos HTTP/S, use o Gateway de Aplicativo v2 e verifique se a proteção e as políticas do WAF estão habilitadas.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", "waf": "Segurança" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Média", - "text": "Acesse os serviços de PaaS do Azure localmente por meio de pontos de extremidade privados e emparelhamento privado do ExpressRoute. Esse método evita o trânsito pela Internet pública.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Segurança" + "text": "Se o DNS ou o nome virtual da máquina virtual não for alterado durante a migração para o Azure, o DNS em segundo plano e os nomes virtuais conectarão muitas interfaces do sistema no cenário SAP, e os clientes só às vezes estarão cientes das interfaces que os desenvolvedores definem ao longo do tempo. Surgem desafios de conexão entre vários sistemas quando os nomes virtuais ou DNS são alterados após as migrações, e é recomendável manter os aliases DNS para evitar esses tipos de dificuldades.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operações" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", - "severity": "Alto", - "text": "Não habilite pontos de extremidade de serviço de rede virtual por padrão em todas as sub-redes.", - "training": 
"https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", + "severity": "Média", + "text": "Use diferentes zonas DNS para distinguir cada ambiente (sandbox, desenvolvimento, pré-produção e produção) uns dos outros. A exceção é para implantações SAP com sua própria VNet; aqui, as zonas DNS privadas podem não ser necessárias.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operações" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "checklist": "SAP Checklist", + "description": "Ao configurar o emparelhamento VNet, use a configuração Permitir tráfego para redes virtuais remotas.", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", "severity": "Média", - "text": "Filtre o tráfego de saída para os serviços de PaaS do Azure usando FQDNs em vez de endereços IP no Firewall do Azure ou em uma NVA para evitar a exfiltração de dados. 
Se estiver usando o Link Privado, você poderá bloquear todos os FQDNs, caso contrário, permita apenas os serviços de PaaS necessários.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Segurança" + "text": "O emparelhamento VNet local e global fornece conectividade e é a abordagem preferencial para garantir a conectividade entre zonas de destino para implantações SAP em várias regiões do Azure", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "Alto", - "text": "Utilize pelo menos um prefixo /27 para as sub-redes do Gateway.", - "waf": "Segurança" + "text": "Não há suporte para implantar qualquer NVA entre o aplicativo SAP e o servidor de banco de dados SAP", + "training": "https://me.sap.com/notes/2731110", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | 
project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", - "severity": "Alto", - "text": "Não confie nas regras padrão de entrada do NSG usando a marca de serviço VirtualNetwork para limitar a conectividade.", - "waf": "Segurança" + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", + "severity": "Média", + "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais em que você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. 
Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "Operações" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "severity": "Média", - "text": "Use NSGs para ajudar a proteger o tráfego entre sub-redes, bem como o tráfego leste/oeste na plataforma (tráfego entre zonas de destino).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Segurança" + "text": "Considere implantar NVAs (soluções de virtualização de rede) entre regiões somente se NVAs de parceiros forem usadas. NVAs entre regiões ou VNets não serão necessárias se NVAs nativas estiverem presentes. 
Ao implantar tecnologias de rede de parceiros e NVAs, siga as diretrizes do fornecedor para verificar configurações conflitantes com a rede do Azure.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operações" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "severity": "Média", - "text": "Use NSGs e grupos de segurança de aplicativos para microssegmentar o tráfego dentro da zona de destino e evite usar uma NVA central para filtrar fluxos de tráfego.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Segurança" + "text": "A WAN Virtual gerencia a conectividade entre VNets spoke para topologias baseadas em WAN virtual (não é necessário configurar UDR [roteamento definido pelo usuário] ou NVAs) e a taxa de transferência máxima de rede para tráfego de VNet para VNet no mesmo hub virtual é de 50 gigabits por segundo. 
Se necessário, as zonas de destino do SAP podem usar o emparelhamento VNet para se conectar a outras zonas de destino e superar essa limitação de largura de banda.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operações" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", - "severity": "Média", - "text": "Habilite os Logs de Fluxo de VNet e alimente-os na Análise de Tráfego para obter insights sobre fluxos de tráfego internos e externos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = 
strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "Alto", + "text": "A atribuição de IP público à VM que executa a carga de trabalho SAP não é recomendada.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", - "severity": "Média", - "text": "Não implemente mais de 900 regras de NSG por NSG, devido ao limite de 1000 regras.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", + "severity": "Alto", + "text": "Considere reservar o endereço IP no lado da recuperação de desastre ao configurar o ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operações" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": 
"412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", - "severity": "Média", - "text": "Use a WAN Virtual se o cenário estiver explicitamente descrito na lista de designs de roteamento da WAN Virtual.", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "Alto", + "text": "Evite usar intervalos de endereços IP sobrepostos para sites de produção e DR.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "Operações" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "Média", - "text": "Use um hub de WAN Virtual por região do Azure para conectar várias zonas de destino entre regiões do Azure por meio de uma WAN Virtual do Azure global comum.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Desempenho" + "text": "Embora o Azure ajude você a criar várias sub-redes delegadas em uma VNet, apenas uma sub-rede delegada pode existir em uma VNet para Azure NetApp Files. 
As tentativas de criar um novo volume falharão se você usar mais de uma sub-rede delegada para o Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operações" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", + "checklist": "SAP Checklist", + "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "Média", - "text": "Para proteção e filtragem de tráfego de saída da Internet, implante o Firewall do Azure em hubs seguros.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Usar o Firewall do Azure para controlar o tráfego de saída do Azure para a Internet, conexões de entrada não HTTP/S e filtragem de tráfego Leste/Oeste (se a organização exigir)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": "Média", - "text": "Verifique se a arquitetura de rede da WAN virtual está alinhada a um cenário de arquitetura identificado.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Fiabilidade" + "text": "O Gateway de Aplicativo e o Firewall de Aplicativo Web têm limitações quando o Gateway de Aplicativo serve como um proxy reverso para aplicativos Web SAP, conforme mostrado na comparação entre o Gateway de Aplicativo, o SAP Web Dispatcher e outros serviços de terceiros.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Média", - "text": "Use o Azure Monitor Insights para WAN Virtual para monitorar a topologia de ponta a ponta da WAN Virtual, o status e as principais métricas.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Operações" + "text": "Use as políticas do Azure Front Door e do WAF para fornecer proteção global entre regiões do Azure para conexões HTTP/S de entrada para uma zona de destino.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 
'true') | distinct id,compliant", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "Média", - "text": "Não desabilite o tráfego branch a branch na WAN Virtual, a menos que esses fluxos devam ser bloqueados explicitamente.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Fiabilidade" + "text": "Aproveite as políticas de Firewall de Aplicativo Web no Azure Front Door quando estiver usando o Azure Front Door e o Gateway de Aplicativo para proteger aplicativos HTTP/S. Bloqueie o Gateway de Aplicativo para receber tráfego somente do Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Média", - "text": "Use AS-Path como preferência de roteamento de hub, pois é mais flexível que ExpressRoute ou VPN.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Fiabilidade" + "text": "Use 
um firewall de aplicativo Web para verificar seu tráfego quando ele for exposto à Internet. Outra opção é usá-lo com o balanceador de carga ou com recursos que tenham recursos de firewall internos, como Gateway de Aplicativo ou soluções de terceiros.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "Média", - "text": "Configure a propagação baseada em rótulos na WAN Virtual, caso contrário, a conectividade entre hubs virtuais será prejudicada.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Fiabilidade" + "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais em que você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. 
Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Desempenho" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", - "severity": "Alto", - "text": "Atribua pelo menos um prefixo /23 a hubs virtuais para garantir que haja espaço IP suficiente disponível.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", + "severity": "Média", + "text": "Para evitar o vazamento de dados, use o Link Privado do Azure para acessar com segurança os recursos da plataforma como serviço, como Armazenamento de Blobs do Azure, Arquivos do Azure, Azure Data Lake Storage Gen2, Azure Data Factory e muito mais. O Ponto de Extremidade Privado do Azure também pode ajudar a proteger o tráfego entre VNets e serviços como Armazenamento do Azure, Backup do Azure e muito mais. 
O tráfego entre sua VNet e o serviço habilitado para Ponto de Extremidade Privado viaja pela rede global da Microsoft, o que impede sua exposição à Internet pública.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "severity": "Alto", - "text": "Aproveite o Azure Policy estrategicamente, defina controles para seu ambiente, usando Iniciativas de Política para agrupar políticas relacionadas.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Segurança" + "text": "Verifique se a rede acelerada do Azure está habilitada nas VMs usadas no aplicativo SAP e nas camadas do DBMS.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "severity": "Média", - "text": "Mapeie os requisitos regulatórios e de conformidade para definições do Azure Policy e atribuições de função do Azure.", - "training": "https://learn.microsoft.com/training/modules/governance-security/", + "text": "Verifique se as implantações internas do Azure Load Balancer estão configuradas para usar o DSR (Retorno Direto do Servidor). Essa configuração (Habilitando IP Flutuante) reduzirá a latência quando as configurações do balanceador de carga interno forem usadas para configurações de alta disponibilidade na camada DBMS.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "Média", - "text": "Estabeleça definições do Azure Policy no grupo de gerenciamento raiz intermediário para que elas possam ser atribuídas em escopos herdados.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "text": "Você pode usar o ASG (grupo de segurança do aplicativo) e as regras do NSG para definir listas de controle de acesso de segurança de rede entre o aplicativo SAP e as camadas do DBMS. 
Os ASGs agrupam máquinas virtuais para ajudar a gerenciar sua segurança.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "Alto", - "text": "Gerencie atribuições de política no nível apropriado mais alto com exclusões nos níveis inferiores, se necessário.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Segurança" + "text": "Não há suporte para a colocação da camada de aplicativo SAP e do DBMS SAP em diferentes VNets do Azure que não estão emparelhadas.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "severity": "Baixo", - "text": "Use o Azure Policy para controlar quais serviços os usuários podem provisionar no nível da assinatura/grupo de gerenciamento.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "Média", + "text": "Para obter a latência de rede 
ideal com aplicativos SAP, considere usar grupos de posicionamento por proximidade do Azure.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Desempenho" + }, + { + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "Alto", + "text": "NÃO há suporte para executar uma camada do Servidor de Aplicativos SAP e uma camada do DBMS dividida entre o local e o Azure. Ambas as camadas precisam residir completamente no local ou no Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "Alto", - "text": "Use políticas internas sempre que possível para minimizar a sobrecarga operacional.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Segurança" + "text": "Não é recomendável hospedar o DBMS (sistema de gerenciamento de banco de dados) e as camadas de aplicativo de sistemas SAP em VNets diferentes e conectá-los ao emparelhamento VNet devido aos custos substanciais que o tráfego de rede excessivo entre as camadas pode produzir. 
Recomendamos o uso de sub-redes na rede virtual do Azure para separar a camada de aplicativo SAP e a camada de DBMS.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Custar" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "description": "Atribuir a função Colaborador de Política de Recursos a escopos específicos permite delegar o gerenciamento de políticas a equipes relevantes. Por exemplo, uma equipe central de TI pode supervisionar as políticas no nível do grupo de gerenciamento, enquanto as equipes de aplicativos lidam com as políticas de suas assinaturas, permitindo a governança distribuída com adesão aos padrões organizacionais.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", - "severity": "Média", - "text": "Atribua a função interna de Colaborador de Política de Recursos em um escopo específico para habilitar a governança no nível do aplicativo.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", + "severity": "Alto", + "text": "Se estiver usando o Load Balancer com sistemas operacionais convidados Linux, verifique se o parâmetro de rede Linux net.ipv4.tcp_timestamps está definido como 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": 
"https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "Média", - "text": "Limite o número de atribuições do Azure Policy feitas no escopo do grupo de gerenciamento raiz para evitar o gerenciamento por meio de exclusões em escopos herdados.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "text": "Para implantações do SAP RISE/ECS, o emparelhamento virtual é a maneira preferencial de estabelecer conectividade com o ambiente existente do Azure do cliente. Tanto a rede virtual SAP quanto a(s) rede virtual(is) do cliente são protegidas com NSG (grupos de segurança de rede), permitindo a comunicação nas portas SAP e de banco de dados por meio do emparelhamento de rede virtual", "waf": "Segurança" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", - "severity": "Média", - "text": "Se houver requisitos de soberania de dados, as Políticas do Azure deverão ser implantadas para aplicá-los.", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "Alto", + "text": "Examine os backups de banco de dados do SAP HANA para VMs do Azure.", + "waf": "Custar" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Média", - "text": "Para a Zona de Destino Soberana, implante a linha de base da política de soberania e atribua no nível correto do grupo de gerenciamento.", - "waf": "Segurança" + "text": "Examine o monitoramento interno do Site Recovery, quando usado para SAP.", + "waf": "Custar" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", - "severity": "Média", - "text": "Para Zona de Aterrissagem Soberana, documente os objetivos de Controle Soberano para mapeamento de políticas.", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", + "severity": "Alto", + "text": "Revise as diretrizes Monitorando o cenário do sistema SAP HANA.", + "waf": "Operações" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "Média", - "text": "Para a Zona 
de Aterrissagem Soberana, certifique-se de que o processo esteja em vigor para o gerenciamento de 'Objetivos de Controle Soberano para mapeamento de políticas'.", - "waf": "Segurança" + "text": "Examine o Oracle Database nas estratégias de backup de VM Linux do Azure.", + "waf": "Operações" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "severity": "Média", - "text": "Use um workspace de logs de monitor único para gerenciar plataformas centralmente, exceto quando o RBAC (controle de acesso baseado em função) do Azure, os requisitos de soberania de dados ou as políticas de retenção de dados exigirem workspaces separados.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "text": "Examine o uso do Armazenamento de Blobs do Azure com o SQL Server 2016.", "waf": "Operações" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", "severity": "Média", - "text": "Decida se deseja usar um único workspace de Logs do Azure Monitor para todas as regiões ou criar vários workspaces para abranger várias regiões geográficas. 
Cada abordagem tem vantagens e desvantagens, incluindo possíveis cobranças de rede entre regiões", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Fiabilidade" + "text": "Examine o uso do Backup Automatizado v2 para VMs do Azure.", + "waf": "Operações" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "severity": "Alto", - "text": "Exporte logs para o Armazenamento do Azure se os requisitos de retenção de log excederem doze anos. Use o armazenamento imutável com uma política de gravação única e leitura múltipla para tornar os dados não apagáveis e não modificáveis por um intervalo especificado pelo usuário.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "text": "Habilitando o acelerador de gravação para a série M ao usar discos premium (V1)", "waf": "Operações" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "severity": "Média", - "text": "Monitore o descompasso de configuração da VM (máquina virtual) no nível do sistema operacional usando o Azure Policy. 
Habilitar os recursos de auditoria da Configuração de Computador do Gerenciamento Automatizado do Azure por meio da política ajuda as cargas de trabalho da equipe de aplicativos a consumir imediatamente os recursos de recursos com pouco esforço.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operações" + "text": "Teste a latência da zona de disponibilidade.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "severity": "Média", - "text": "Use o Azure Update Manager como um mecanismo de aplicação de patch para VMs Windows e Linux no Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operações" + "text": "Ative o SAP EarlyWatch Alert para todos os componentes SAP.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": 
"Média", - "text": "Use o Gerenciador de Atualizações do Azure como um mecanismo de aplicação de patch para VMs do Windows e do Linux fora do Azure usando o Azure Arc.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operações" + "text": "Revise a latência do servidor de aplicativos SAP para o servidor de banco de dados usando o relatório SAP ABAPMeter /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "Desempenho" }, { - "arm-service": "microsoft.network/networkWatchers", - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "severity": "Média", - "text": "Use o Observador de Rede para monitorar proativamente os fluxos de tráfego.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Operações" + "text": "Revise o monitoramento de desempenho do SQL Server usando o CCMS.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", "severity": "Média", - "text": "Use os Logs do Azure Monitor para obter insights e relatórios.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", - "waf": "Operações" + "text": "Teste a latência de rede entre VMs da camada de aplicativo SAP e VMs do DBMS (NIPING).", + "training": 
"https://me.sap.com/notes/1100926/E", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", "severity": "Média", - "text": "Use alertas do Azure Monitor para a geração de alertas operacionais.", - "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", - "waf": "Operações" + "text": "Revise os alertas do SAP HANA Studio.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", "severity": "Média", - "text": "Ao usar o Acompanhamento de Alterações e Inventário por meio de Contas de Automação do Azure, verifique se você selecionou regiões com suporte para vincular seu workspace do Log Analytics e contas de automação.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", - "waf": "Operações" - }, - { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", - "severity": "Baixo", - "text": "Ao usar o Backup do Azure, use os tipos de backup corretos (GRS, ZRS E LRS) para o backup, pois a configuração padrão é 
GRS.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "Fiabilidade" + "text": "Execute verificações de integridade do SAP HANA usando HANA_Configuration_Minichecks.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "Média", - "text": "Use as políticas de convidado do Azure para implantar automaticamente as configurações de software por meio de extensões de VM e impor uma configuração de VM de linha de base compatível.", + "text": "Se você executar VMs do Windows e do Linux no Azure, localmente ou em outros ambientes de nuvem, poderá usar o Centro de gerenciamento de atualizações na Automação do Azure para gerenciar atualizações do sistema operacional, incluindo patches de segurança.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "description": "Use os recursos de configuração de convidado do Azure Policy para auditar e corrigir as configurações do computador (por exemplo, sistema operacional, aplicativo, ambiente) para garantir que os recursos estejam alinhados com as configurações esperadas e que o Gerenciamento de Atualizações possa impor o gerenciamento de patches para VMs.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "Média", - "text": "Monitore o descompasso de configuração de segurança da VM por meio do Azure Policy.", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "text": "Revise rotineiramente as notas de OSS de segurança do SAP porque o SAP lança patches de segurança altamente críticos, ou hot fixes, que exigem ação imediata para proteger seus sistemas SAP.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "severity": "Média", - "text": "Use o Azure Site Recovery para cenários de recuperação de desastre de Máquinas Virtuais do Azure para o Azure. Isso permite replicar cargas de trabalho entre regiões.", - "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "Baixo", + "text": "Para SAP no SQL Server, você pode desabilitar a conta de administrador do sistema do SQL Server porque os sistemas SAP no SQL Server não usam a conta. 
Certifique-se de que outro usuário com direitos de administrador do sistema possa acessar o servidor antes de desabilitar a conta original de administrador do sistema.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", - "severity": "Média", - "text": "Use recursos de backup nativos do Azure ou uma solução de backup de terceiros compatível com o Azure.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "Operações" + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "Alto", + "text": "Desative xp_cmdshell. O recurso SQL Server xp_cmdshell habilita um shell de comando do sistema operacional interno do SQL Server. É um risco potencial em auditorias de segurança.", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "Alto", - "text": "Adicione configurações de diagnóstico para salvar logs do WAF de serviços de entrega de aplicativos, como o Azure Front Door e o Gateway de Aplicativo do Azure. 
Revise regularmente os logs para verificar se há ataques e detecções de falsos positivos.", - "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", - "waf": "Operações" + "text": "A criptografia de servidores de banco de dados SAP HANA no Azure usa a tecnologia de criptografia nativa do SAP HANA. Além disso, se você estiver usando o SQL Server no Azure, use a TDE (Transparent Data Encryption) para proteger seus dados e arquivos de log e garantir que seus backups também sejam criptografados.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "severity": "Média", - "text": "Envie logs do WAF de seus serviços de entrega de aplicativos, como o Azure Front Door e o Gateway de Aplicativo do Azure, para o Microsoft Sentinel. Detecte ataques e integre a telemetria do WAF ao seu ambiente geral do Azure.", - "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", - "waf": "Operações" + "text": "A criptografia do Armazenamento do Azure está habilitada para todas as contas de armazenamento clássicas e do Azure Resource Manager e não pode ser desabilitada. 
Como seus dados são criptografados por padrão, você não precisa modificar seu código ou aplicativos para usar a criptografia do Armazenamento do Azure.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "service": "SAP", "severity": "Alto", - "text": "Use o Azure Key Vault para armazenar seus segredos e credenciais.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "text": "Usar o Azure Key Vault para armazenar seus segredos e credenciais", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": 
"a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "severity": "Média", - "text": "Use diferentes Azure Key Vaults para diferentes aplicativos e regiões para evitar limites de escala de transação e restringir o acesso a segredos.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "text": "É recomendável BLOQUEAR os Recursos do Azure após a implantação bem-sucedida para proteger contra alterações não autorizadas. Você também pode impor restrições e regras de LOCK por assinatura usando políticas personalizadas do Azure (função personalizada).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "severity": "Média", "text": "Provisione o Azure Key Vault com as políticas de exclusão reversível e limpeza habilitadas para permitir a proteção de retenção para objetos excluídos.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": 
"dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Média", - "text": "Siga um modelo de privilégios mínimos limitando a autorização para excluir permanentemente chaves, segredos e certificados a funções personalizadas especializadas de ID do Microsoft Entra.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", + "severity": "Alto", + "text": "Com base nos requisitos existentes, controles regulatórios e de conformidade (internos/externos) – determine quais políticas do Azure e a função RBAC do Azure são necessárias", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Média", - "text": "Automatize o processo de gerenciamento e renovação de certificados com autoridades de certificação públicas para facilitar a administração.", - "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Alto", + "text": "Ao habilitar o Microsoft Defender para Ponto de Extremidade no ambiente SAP, recomendamos excluir dados e arquivos de log em servidores DBMS em vez de direcionar todos os servidores. 
Siga as recomendações do fornecedor do DBMS ao excluir arquivos de destino.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Média", - "text": "Estabeleça um processo automatizado para rotação de chaves e certificados.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", + "severity": "Alto", + "text": "Delegue uma função personalizada de administrador do SAP com acesso just-in-time do Microsoft Defender para Nuvem.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Média", - "text": "Habilite o firewall e o ponto de extremidade de serviço de rede virtual ou o ponto de extremidade privado no cofre para controlar o acesso ao cofre de chaves.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Baixo", + "text": "criptografar dados em trânsito integrando o produto de segurança de terceiros com comunicações de rede seguras (SNC) para DIAG (SAP GUI), RFC e SPNEGO para HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "severity": "Média", - "text": "Use o workspace do Log Analytics do Azure Monitor central da plataforma para auditar o uso de chave, certificado e segredo em cada instância do Key Vault.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "text": "Padrão para chaves gerenciadas pela Microsoft para funcionalidade de criptografia principal e use chaves gerenciadas pelo cliente quando necessário.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Média", - "text": "Delegue a instanciação e o acesso privilegiado do Key Vault e use o Azure Policy para impor uma configuração consistente e compatível.", - "training": 
"https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", + "severity": "Alto", + "text": "Use um Azure Key Vault por aplicativo por ambiente por região.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Segurança" + }, + { + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", + "severity": "Alto", + "text": "Para controlar e gerenciar chaves e segredos de criptografia de disco para sistemas operacionais Windows e Windows não HANA, use o Azure Key Vault. 
Não há suporte para o SAP HANA com o Azure Key Vault, portanto, você deve usar métodos alternativos, como chaves SAP ABAP ou SSH.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "waf": "Segurança" + }, + { + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", + "severity": "Alto", + "text": "Personalizar funções RBAC (controle de acesso baseado em função) para assinaturas SAP on Azure spoke para evitar alterações acidentais relacionadas à rede", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "waf": "Segurança" + }, + { + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", + "severity": "Alto", + "text": "Isole DMZs e NVAs do restante da propriedade SAP, configure o Link Privado do Azure e gerencie e controle com segurança os recursos do SAP no Azure", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "Segurança" + }, + { + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", + "severity": "Baixo", + "text": "Considere usar o software antimalware da Microsoft no Azure para proteger suas máquinas virtuais contra arquivos mal-intencionados, adware e outras ameaças.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": 
"91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Média", - "text": "Use um Azure Key Vault por aplicativo por ambiente por região.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", + "severity": "Baixo", + "text": "Para obter uma proteção ainda mais poderosa, considere usar Microsoft Defender para Ponto de Extremidade.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Média", - "text": "Se você quiser trazer suas próprias chaves, isso pode não ser compatível com todos os serviços considerados. Implemente mitigação relevante para que as inconsistências não prejudiquem os resultados desejados. Escolha pares de regiões apropriados e regiões de recuperação de desastre que minimizem a latência.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "Alto", + "text": "Isole o aplicativo SAP e os servidores de banco de dados da Internet ou da rede local passando todo o tráfego pela rede virtual do hub, que está conectada à rede spoke por emparelhamento de rede virtual. 
As redes virtuais emparelhadas garantem que a solução SAP no Azure seja isolada da Internet pública.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", - "severity": "Média", - "text": "Para a Zona de Destino Soberana, use o HSM gerenciado do Azure Key Vault para armazenar seus segredos e credenciais.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Baixo", + "text": "Para aplicativos voltados para a Internet, como o SAP Fiori, certifique-se de distribuir a carga por requisitos do aplicativo, mantendo os níveis de segurança. 
Para segurança de Camada 7, você pode usar um WAF (Firewall de Aplicativo Web) de terceiros disponível no Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "severity": "Média", - "text": "Use os recursos de relatório de ID do Microsoft Entra para gerar relatórios de auditoria de controle de acesso.", - "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "text": "Para habilitar a comunicação segura no Azure Monitor para soluções SAP, você pode optar por usar um certificado raiz ou um certificado de servidor. 
É altamente recomendável que você use certificados raiz.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", - "severity": "Alto", - "text": "Habilite o Gerenciamento de Postura de Segurança de Nuvem do Defender para todas as assinaturas.", - "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Aplicar as diretrizes do parâmetro de comparação de segurança de nuvem da Microsoft relacionado ao armazenamento", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", + "severity": "Média", + "text": "Considere a 'linha de base de segurança do Azure para armazenamento'", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Por padrão, o Armazenamento do Azure tem um endereço IP público e pode ser acessado pela Internet. 
Os pontos de extremidade privados permitem expor com segurança o Armazenamento do Azure apenas aos recursos de Computação do Azure que precisam de acesso, eliminando assim a exposição à Internet pública", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "severity": "Alto", - "text": "Habilite um Plano de Proteção de Carga de Trabalho de Nuvem do Defender para Servidores em todas as assinaturas.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "text": "Considere usar pontos de extremidade privados para o Armazenamento do Azure", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "Alto", - "text": "Habilite os Planos de Proteção de Carga de Trabalho de Nuvem do Defender para Recursos do Azure em todas as assinaturas.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "As contas de armazenamento recém-criadas são criadas usando o modelo de implantação do ARM, para que o RBAC, a auditoria etc. estejam habilitados. 
Verifique se não há contas de armazenamento antigas com o modelo de implantação clássico em uma assinatura", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", + "severity": "Média", + "text": "Verifique se as contas de armazenamento mais antigas não estão usando o \"modelo de implantação clássico\"", "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Aproveite o Microsoft Defender para saber mais sobre atividades suspeitas e configurações incorretas.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "Alto", - "text": "Habilite o Endpoint Protection em servidores IaaS.", - "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "text": "Habilitar o Microsoft Defender para todas as suas contas de armazenamento", "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "O mecanismo de exclusão reversível permite recuperar blobs excluídos acidentalmente.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "Média", - "text": "Monitore o descompasso de aplicação de patch do sistema operacional base por meio dos Logs do Azure Monitor e do Defender para Nuvem.", - "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "text": "Habilitar 'exclusão reversível' para blobs", "waf": "Segurança" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Considere desabilitar seletivamente a \"exclusão reversível\" para determinados contêineres de blob, por exemplo, se o aplicativo precisar garantir que as informações excluídas sejam excluídas imediatamente, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "Média", - "text": "Conecte as configurações de recursos padrão a um workspace centralizado do Log Analytics do Azure Monitor.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "text": "Desabilitar a 'exclusão reversível' para blobs", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", - "guid": "a56888b2-7e83-4404-bd31-b886528502d1", - "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A exclusão reversível para contêineres permite que você recupere um contêiner depois que ele foi excluído, por exemplo, recuperar de uma operação de exclusão acidental.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "Alto", - "text": "Detecção centralizada de ameaças com logs correlacionados - consolide os dados de segurança em um local central onde possam ser 
correlacionados em vários serviços via SIEM (gerenciamento de eventos e informações de segurança)", + "text": "Habilitar 'exclusão reversível' para contêineres", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Considere desabilitar seletivamente a \"exclusão reversível\" para determinados contêineres de blob, por exemplo, se o aplicativo precisar garantir que as informações excluídas sejam excluídas imediatamente, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "severity": "Média", - "text": "Para Zona de Destino Soberana, habilite os logs de transparência no locatário da ID do Entra.", + "text": "Desabilitar a 'exclusão reversível' para contêineres", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", - "severity": "Média", - "text": "Para Zona de Destino Soberana, habilite o Sistema de Proteção de Dados do cliente no locatário da ID do Entra.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Impede a exclusão acidental de uma conta de armazenamento, forçando o usuário a remover primeiro o bloqueio de exclusão, antes da exclusão", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", + "severity": "Alto", + "text": 
"Habilitar bloqueios de recursos em contas de armazenamento",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Landing Zone Review",
- "guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
- "service": "Storage",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Considere as políticas de 'retenção legal' ou 'retenção baseada em tempo' para blobs, de modo que seja impossível excluir o blob, o contêiner ou a conta de armazenamento. Observe que 'impossível' na verdade significa 'impossível'; depois que uma conta de armazenamento contém um blob imutável, a única maneira de \"se livrar\" dessa conta de armazenamento é cancelando a assinatura do Azure.",
+ "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
+ "service": "Azure Storage",
 "severity": "Alto",
- "text": "Habilite a transferência segura para contas de armazenamento.",
- "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/",
+ "text": "Considere blobs imutáveis",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Landing Zone Review",
- "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection",
- "service": "Storage",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Considere desabilitar o acesso HTTP/80 desprotegido à conta de armazenamento, para que todas as transferências de dados sejam criptografadas, protegidas por integridade e o servidor seja autenticado. 
",
+ "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
+ "service": "Azure Storage",
 "severity": "Alto",
- "text": "Habilite a exclusão reversível do contêiner para a conta de armazenamento para recuperar um contêiner excluído e seu conteúdo.",
+ "text": "Exigir HTTPS, ou seja, desabilitar a porta 80 na conta de armazenamento",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
- "service": "Key Vault",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Ao configurar um domínio personalizado (nome do host) em uma conta de armazenamento, verifique se você precisa de TLS/HTTPS; nesse caso, talvez seja necessário colocar a CDN do Azure na frente de sua conta de armazenamento.",
+ "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
+ "service": "Azure Storage",
 "severity": "Alto",
- "text": "Use segredos do Key Vault para evitar codificar informações confidenciais, como credenciais (máquinas virtuais, senhas de usuário), certificados ou chaves.",
- "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/",
- "waf": "Operações"
+ "text": "Ao impor HTTPS (desabilitando o HTTP), verifique se você não usa domínios personalizados (CNAME) para a conta de armazenamento.",
+ "waf": "Segurança"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
- "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
- "service": "Entra",
+ "arm-service": 
"Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Exigir HTTPS quando um cliente usa um token SAS para acessar dados de blob ajuda a minimizar o risco de perda de credenciais.",
+ "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
+ "service": "Azure Storage",
 "severity": "Média",
- "text": "Use o token revogável de longa duração, armazene seu token em cache e adquira o token silenciosamente usando a Microsoft Identity Library",
- "waf": "Fiabilidade"
+ "text": "Limitar tokens de assinatura de acesso compartilhado (SAS) apenas a conexões HTTPS",
+ "waf": "Segurança"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
- "severity": "Média",
- "text": "Certifique-se de que os fluxos de usuário de entrada sejam armazenados em backup e resilientes. Certifique-se de que o código que você usa para entrar em seus usuários é de backup e recuperável. Interfaces resilientes com processos externos",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": ". A imposição da versão mais recente do TLS rejeitará a solicitação de clientes que usam a versão mais antiga. 
",
+ "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant",
+ "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55",
+ "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version",
+ "service": "Azure Storage",
+ "severity": "Alto",
+ "text": "Impor a versão mais recente do TLS para uma conta de armazenamento",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Os tokens de ID do Microsoft Entra devem ser favorecidos em relação às assinaturas de acesso compartilhado, sempre que possível",
+ "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
+ "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
+ "service": "Azure Storage",
+ "severity": "Alto",
+ "text": "Usar tokens de ID do Microsoft Entra para acesso a blobs",
+ "waf": "Segurança"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
- "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
- "service": "AAD B2C",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Ao atribuir uma função a um usuário, grupo ou aplicativo, conceda a essa entidade de segurança apenas as permissões necessárias para que ela execute suas tarefas. 
Limitar o acesso aos recursos ajuda a evitar o uso indevido não intencional e mal-intencionado de seus dados.",
+ "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
+ "service": "Azure Storage",
 "severity": "Média",
- "text": "Os ativos de marca personalizados devem ser hospedados em uma CDN",
- "waf": "Desempenho"
+ "text": "Privilégios mínimos em permissões de IaM",
+ "waf": "Segurança"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
- "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
- "service": "AAD B2C",
- "severity": "Baixo",
- "text": "Ter vários provedores de identidade (ou seja, fazer login com suas contas da Microsoft, Google, Facebook)",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Uma SAS de delegação de usuário é protegida com credenciais do Azure Active Directory (Azure AD) e também pelas permissões especificadas para a SAS. Uma SAS de delegação de usuário é análoga a uma SAS de serviço em termos de escopo e função, mas oferece benefícios de segurança em relação à SAS de serviço. 
",
+ "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
+ "service": "Azure Storage",
+ "severity": "Alto",
+ "text": "Ao usar SAS, prefira 'SAS de delegação de usuário' em vez de SAS baseada em chave de conta de armazenamento.",
+ "waf": "Segurança"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
- "severity": "Média",
- "text": "Siga as regras de VM para alta disponibilidade no nível da VM (discos premium, dois ou mais em uma região, em zonas de disponibilidade diferentes)",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "As chaves da conta de armazenamento (\"chaves compartilhadas\") têm muito poucos recursos de auditoria. Embora possa ser monitorado em quem/quando buscou uma cópia das chaves, uma vez que as chaves estão nas mãos de várias pessoas, é impossível atribuir o uso a um usuário específico. Confiar apenas na autenticação do Entra ID facilita o acesso ao armazenamento a um usuário. 
",
+ "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant",
+ "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
+ "service": "Azure Storage",
+ "severity": "Alto",
+ "text": "Considere desabilitar as chaves da conta de armazenamento, para que haja suporte apenas para o acesso à ID do Microsoft Entra (e à SAS de delegação de usuário).",
+ "waf": "Segurança"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
- "severity": "Média",
- "text": "Não replique! A replicação pode criar problemas com a sincronização de diretórios",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Use os dados do Log de Atividades para identificar \"quando\", \"quem\", \"o quê\" e \"como\" a segurança da sua conta de armazenamento está sendo exibida ou alterada (ou seja, chaves da conta de armazenamento, políticas de acesso etc.).",
+ "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
+ "service": "Azure Storage",
+ "severity": "Alto",
+ "text": "Considere usar o Azure Monitor para auditar as operações do painel de controle na conta de armazenamento",
+ "waf": "Segurança"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ 
"arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Uma política de expiração de chave permite que você defina um lembrete para a rotação das chaves de acesso da conta. O lembrete é exibido se o intervalo especificado tiver decorrido e as teclas ainda não tiverem sido giradas.",
+ "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
+ "service": "Azure Storage",
 "severity": "Média",
- "text": "Ter ativo-ativo para várias regiões",
- "waf": "Fiabilidade"
+ "text": "Ao usar chaves de conta de armazenamento, considere habilitar uma 'política de expiração de chave'",
+ "waf": "Segurança"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Uma política de expiração de SAS especifica um intervalo recomendado durante o qual a SAS é válida. As políticas de expiração de SAS se aplicam a uma SAS de serviço ou a uma SAS de conta. 
Quando um usuário gera SAS de serviço ou uma SAS de conta com um intervalo de validade maior que o intervalo recomendado, ele verá um aviso.",
+ "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
+ "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
+ "service": "Azure Storage",
 "severity": "Média",
- "text": "Adicionar carimbos de serviço de Domínio do Azure AD a regiões e locais adicionais",
- "waf": "Fiabilidade"
+ "text": "Considere configurar uma política de expiração de SAS",
+ "waf": "Segurança"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "As políticas de acesso armazenadas oferecem a opção de revogar permissões para uma SAS de serviço sem precisar regenerar as chaves da conta de armazenamento. 
",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
+ "service": "Azure Storage",
 "severity": "Média",
- "text": "Usar conjuntos de réplicas para DR",
- "waf": "Fiabilidade"
+ "text": "Considere vincular SAS a uma política de acesso armazenada",
+ "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Aplicar as orientações do benchmark de segurança na nuvem da Microsoft relacionadas ao armazenamento",
- "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
 "service": "Azure Storage",
 "severity": "Média",
- "text": "Considere a 'linha de base de segurança do Azure para armazenamento'",
+ "text": "Considere configurar o repositório de código-fonte do aplicativo para detectar cadeias de conexão e chaves de conta de armazenamento com check-in.",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "O Armazenamento do Azure, por padrão, tem um endereço IP público e pode ser acessado pela Internet. 
Os pontos de extremidade privados permitem expor com segurança o Armazenamento do Azure apenas aos recursos de Computação do Azure que precisam de acesso, eliminando assim a exposição à Internet pública",
- "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Idealmente, seu aplicativo deve usar uma identidade gerenciada para autenticar no Armazenamento do Azure. Se isso não for possível, considere ter a credencial de armazenamento (cadeia de conexão, chave da conta de armazenamento, SAS, credencial da entidade de serviço) no Azure KeyVault ou em um serviço equivalente.",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
 "service": "Azure Storage",
 "severity": "Alto",
- "text": "Considere o uso de pontos de extremidade privados para o Armazenamento do Azure",
+ "text": "Considere armazenar cadeias de conexão no Azure KeyVault (em cenários em que as identidades gerenciadas não são possíveis)",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "As contas de armazenamento recém-criadas são criadas usando o modelo de implantação ARM, para que o RBAC, a auditoria, etc., estejam todos habilitados. Verifique se não há contas de armazenamento antigas com modelo de implantação clássico em uma assinatura",
- "guid": "30e37c3e-2971-41b2-963c-eee079b598de",
- "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Use tempos de expiração de curto prazo em uma SAS de serviço SAS ad hoc ou SAS de conta. Dessa forma, mesmo que uma SAS seja comprometida, ela é válida apenas por um curto período de tempo. 
Essa prática é especialmente importante se você não puder fazer referência a uma política de acesso armazenada. Os tempos de expiração de curto prazo também limitam a quantidade de dados que podem ser gravados em um blob, limitando o tempo disponível para carregar nele.",
+ "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
 "service": "Azure Storage",
- "severity": "Média",
- "text": "Verifique se as contas de armazenamento mais antigas não estão usando o 'modelo de implantação clássico'",
+ "severity": "Alto",
+ "text": "Esforce-se por períodos de validade curtos para SAS ad-hoc",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Aproveite o Microsoft Defender para saber mais sobre atividades suspeitas e configurações incorretas.",
- "guid": "fc5972cd-4cd2-21b0-a803-7f5e6b4bfd3d",
- "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Ao criar uma SAS, seja o mais específico e restritivo possível. 
Prefira uma SAS para um único recurso e operação em vez de uma SAS que oferece acesso muito mais amplo.",
+ "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
 "service": "Azure Storage",
- "severity": "Alto",
- "text": "Habilitar o Microsoft Defender para todas as suas contas de armazenamento",
+ "severity": "Média",
+ "text": "Aplicar um escopo restrito a uma SAS",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "O mecanismo soft-delete permite recuperar blobs excluídos acidentalmente.",
- "guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Uma SAS pode incluir parâmetros nos quais os endereços IP do cliente ou intervalos de endereços estão autorizados a solicitar um recurso usando a SAS. ",
+ "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
 "service": "Azure Storage",
 "severity": "Média",
- "text": "Ativar 'exclusão suave' para blobs",
+ "text": "Considere definir o escopo da SAS para um endereço IP de cliente específico, sempre que possível",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. 
",
- "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Uma SAS não pode restringir a quantidade de dados que um cliente carrega; Dado o modelo de preços da quantidade de armazenamento ao longo do tempo, pode fazer sentido validar se os clientes carregaram conteúdos maliciosamente grandes.",
+ "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
 "service": "Azure Storage",
- "severity": "Média",
- "text": "Desativar 'exclusão suave' para blobs",
+ "severity": "Baixo",
+ "text": "Considere verificar os dados carregados depois que os clientes usaram uma SAS para carregar um arquivo. ",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "A exclusão suave para contêineres permite que você recupere um contêiner depois que ele tenha sido excluído, por exemplo, recuperar de uma operação de exclusão acidental.",
- "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Ao acessar o armazenamento de blobs por meio do SFTP usando uma \"conta de usuário local\", os controles RBAC \"usuais\" não se aplicam. O acesso a blobs via NFS ou REST pode ser mais restritivo do que o acesso SFTP. 
Infelizmente, a partir do início de 2023, os usuários locais são a única forma de gerenciamento de identidade com suporte atual para o endpoint SFTP",
+ "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
 "service": "Azure Storage",
 "severity": "Alto",
- "text": "Ativar 'exclusão suave' para contêineres",
+ "text": "SFTP: limite a quantidade de \"usuários locais\" para acesso SFTP e audite se o acesso é necessário ao longo do tempo.",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. ",
- "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
 "service": "Azure Storage",
 "severity": "Média",
- "text": "Desativar 'exclusão suave' para contêineres",
+ "text": "SFTP: o endpoint SFTP não oferece suporte a ACLs semelhantes a POSIX.",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Evita a exclusão acidental de uma conta de armazenamento, forçando o usuário a remover primeiro o bloqueio de exclusão, antes da exclusão",
- "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
- "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
+ "checklist": "Azure Storage Review 
Checklist",
+ "description": "O armazenamento oferece suporte ao CORS (Cross-Origin Resource Sharing), ou seja, um recurso HTTP que permite que aplicativos Web de um domínio diferente afrouxem a política de mesma origem. Ao habilitar o CORS, mantenha as CorsRules com o menor privilégio.",
+ "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
 "service": "Azure Storage",
 "severity": "Alto",
- "text": "Habilitar bloqueios de recursos em contas de armazenamento",
+ "text": "Evite políticas de CORS excessivamente amplas",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Considere políticas de \"retenção legal\" ou \"retenção baseada em tempo\" para blobs, de modo que seja impossível excluir o blob, o contêiner ou a conta de armazenamento. Por favor, note que \"impossível\" significa na verdade \"impossível\"; uma vez que uma conta de armazenamento contém um blob imutável, a única maneira de 'se livrar' dessa conta de armazenamento é cancelando a assinatura do Azure.",
- "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
- "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Os dados em repouso são sempre criptografados no lado do servidor e, além disso, também podem ser criptografados no lado do cliente. A criptografia do lado do servidor pode ocorrer usando uma chave gerenciada pela plataforma (padrão) ou uma chave gerenciada pelo cliente. A criptografia do lado do cliente pode acontecer fazendo com que o cliente forneça uma chave de criptografia/descriptografia por blob para o armazenamento do Azure ou manipulando completamente a criptografia no lado do cliente. 
portanto, não dependendo do Armazenamento do Azure para garantias de confidencialidade.",
+ "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
 "service": "Azure Storage",
 "severity": "Alto",
- "text": "Considere blobs imutáveis",
+ "text": "Determine como os dados em repouso devem ser criptografados. Entenda o modelo de thread para dados.",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Considere desabilitar o acesso HTTP/80 desprotegido à conta de armazenamento, para que todas as transferências de dados sejam criptografadas, protegidas por integridade e o servidor seja autenticado. ",
- "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
+ "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
 "service": "Azure Storage",
- "severity": "Alto",
- "text": "Exigir HTTPS, ou seja, desativar a porta 80 na conta de armazenamento",
+ "severity": "Média",
+ "text": "Determine qual/se a criptografia de plataforma deve ser usada.",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Ao configurar um domínio personalizado (nome do host) em uma conta de armazenamento, verifique se você precisa de TLS/HTTPS; em caso afirmativo, talvez seja necessário colocar a CDN do Azure na frente da sua conta de armazenamento.",
- "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
+ "checklist": "Azure Storage Review Checklist",
+ 
"guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
 "service": "Azure Storage",
- "severity": "Alto",
- "text": "Ao impor HTTPS (desabilitando HTTP), verifique se você não usa domínios personalizados (CNAME) para a conta de armazenamento.",
+ "severity": "Média",
+ "text": "Determine qual/se a criptografia do lado do cliente deve ser usada.",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Exigir HTTPS quando um cliente usa um token SAS para acessar dados de blob ajuda a minimizar o risco de perda de credenciais.",
- "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Aproveite o Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para localizar contas de armazenamento que permitem acesso anônimo a blobs.",
+ "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant",
+ "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
 "service": "Azure Storage",
- "severity": "Média",
- "text": "Limitar tokens de assinatura de acesso compartilhado (SAS) somente a conexões HTTPS",
+ "severity": "Alto",
+ "text": "Considere se o acesso anônimo de blob público é necessário ou se ele pode ser desabilitado para determinadas contas de armazenamento. 
",
 "waf": "Segurança"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Os tokens AAD devem ser favorecidos em relação às assinaturas de acesso compartilhado, sempre que possível",
- "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
- "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal",
+ "service": "Azure Storage",
+ "severity": "Alto",
+ "text": "Aproveite um tipo de conta storagev2 para melhor desempenho e confiabilidade",
+ "waf": "Fiabilidade"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
 "service": "Azure Storage",
 "severity": "Alto",
- "text": "Usar tokens do Azure Active Directory (Azure AD) para acesso de blob",
- "waf": "Segurança"
+ "text": "Aproveite o armazenamento GRS, ZRS ou GZRS para obter a mais alta disponibilidade",
+ "waf": "Fiabilidade"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Ao atribuir uma função a um usuário, grupo ou aplicativo, conceda a essa entidade de segurança apenas as permissões necessárias para que eles executem suas tarefas. 
Limitar o acesso aos recursos ajuda a evitar o uso indevido não intencional e mal-intencionado de seus dados.",
- "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "2fa56c56-ad48-4408-be72-734c486ba280",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance",
 "service": "Azure Storage",
 "severity": "Média",
- "text": "Privilégio mínimo nas permissões do IaM",
- "waf": "Segurança"
+ "text": "Para operação de gravação após o failover, use o failover gerenciado pelo cliente ",
+ "waf": "Fiabilidade"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Uma SAS de delegação de usuário é protegida com credenciais do Azure Active Directory (Azure AD) e também pelas permissões especificadas para a SAS. Uma SAS de delegação de usuário é análoga a uma SAS de serviço em termos de escopo e função, mas oferece benefícios de segurança em relação à SAS de serviço. ",
- "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover",
 "service": "Azure Storage",
- "severity": "Alto",
- "text": "Ao usar o SAS, prefira o SAS de delegação de usuário ao SAS baseado em chave de conta de armazenamento.",
- "waf": "Segurança"
+ "severity": "Média",
+ "text": "Entender os detalhes do failover gerenciado pela Microsoft",
+ "waf": "Fiabilidade"
 },
 {
 "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "As chaves de conta de armazenamento ('chaves compartilhadas') têm pouquíssimos recursos de auditoria. 
Embora possa ser monitorado em quem/quando foi obtida uma cópia das chaves, uma vez que as chaves estão nas mãos de várias pessoas, é impossível atribuir o uso a um usuário específico. Depender exclusivamente da autenticação do AAD facilita a vinculação do acesso ao armazenamento a um usuário. ", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", "service": "Azure Storage", - "severity": "Alto", - "text": "Considere desabilitar as chaves de conta de armazenamento, para que somente o acesso ao AAD (e a delegação de usuários SAS) seja suportado.", + "severity": "Média", + "text": "Habilitar exclusão reversível", + "waf": "Fiabilidade" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", + "severity": "Média", + "text": "Verifique se você está usando o SKU do Gateway de Aplicativo v2", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Use os dados do Registro de atividades para identificar \"quando\", \"quem\", \"o que\" e \"como\" a segurança da sua conta de armazenamento está sendo visualizada ou alterada (ou seja, chaves de conta de armazenamento, políticas de acesso, etc.).", - "guid": 
"d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere usar o Azure Monitor para auditar as operações do plano de controle na conta de armazenamento", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", + "severity": "Média", + "text": "Verifique se você está usando o SKU Standard para seus Azure Load Balancers", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Uma política de expiração de chave permite que você defina um lembrete para a rotação das chaves de acesso da conta. 
O lembrete será exibido se o intervalo especificado tiver decorrido e as teclas ainda não tiverem sido giradas.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", "severity": "Média", - "text": "Ao usar chaves de conta de armazenamento, considere habilitar uma 'política de expiração de chave'", + "text": "Verifique se os endereços IP de front-end dos Load Balancers têm redundância de zona (a menos que você precise de front-ends zonais).", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Uma diretiva de expiração SAS especifica um intervalo recomendado sobre o qual a SAS é válida. As políticas de expiração do SAS se aplicam a um SAS de serviço ou a um SAS de conta. 
Quando um usuário gera SAS de serviço ou SAS de conta com um intervalo de validade maior do que o intervalo recomendado, ele verá um aviso.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", "severity": "Média", - "text": "Considere configurar uma política de expiração SAS", + "text": "Seus Gateways de Aplicativo v2 devem ser implantados em sub-redes com prefixos IP iguais ou maiores que /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "As políticas de acesso armazenado oferecem a opção de revogar permissões para uma SAS de serviço sem precisar gerar novamente as chaves da conta de armazenamento. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "A administração de proxies reversos em geral e WAF em particular está mais próxima do aplicativo do que da rede, portanto, eles pertencem à mesma assinatura que o aplicativo. Centralizar o Gateway de Aplicativo e o WAF na assinatura de conectividade pode ser OK se ele for gerenciado por uma única equipe.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "Média", - "text": "Considere vincular o SAS a uma política de acesso armazenado", + "text": "Implante o Gateway de Aplicativo do Azure v2 ou NVAs de parceiros usados para proxy de conexões HTTP(S) de entrada na rede virtual da zona de destino e com os aplicativos que eles estão protegendo.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "Média", - "text": "Considere configurar o repositório de código-fonte do aplicativo para detectar cadeias de conexão com check-in e chaves de conta de armazenamento.", + "text": 
"Use uma rede DDoS ou planos de proteção de IP para todos os endereços IP públicos em zonas de destino do aplicativo.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Idealmente, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Armazenamento do Azure. Se isso não for possível, considere ter a credencial de armazenamento (cadeia de conexão, chave de conta de armazenamento, SAS, credencial da entidade de serviço) no Azure KeyVault ou em um serviço equivalente.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere armazenar cadeias de conexão no Cofre de Chaves do Azure (em cenários em que identidades gerenciadas não são possíveis)", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", + "severity": "Média", + "text": "Configure o dimensionamento automático com uma quantidade mínima de instâncias de duas.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Fiabilidade" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend 
compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", + "severity": "Média", + "text": "Implantar o Gateway de Aplicativo em Zonas de Disponibilidade", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Fiabilidade" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", + "severity": "Média", + "text": "Ao usar o Front Door e o Gateway de Aplicativo para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Front Door. Bloqueie o Gateway de Aplicativo para receber tráfego somente do Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Use tempos de expiração de curto prazo em um SAS de serviço SAS ad hoc ou SAS de conta. Dessa forma, mesmo que um SAS seja comprometido, ele é válido apenas por um curto período de tempo. Essa prática é especialmente importante se você não puder fazer referência a uma política de acesso armazenado. 
Os tempos de expiração de curto prazo também limitam a quantidade de dados que podem ser gravados em um blob, limitando o tempo disponível para carregar nele.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", "severity": "Alto", - "text": "Esforce-se por curtos períodos de validade para SAS ad-hoc", + "text": "Use o Gerenciador de Tráfego para fornecer aplicativos globais que abrangem protocolos diferentes de HTTP/S.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Fiabilidade" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "Baixo", + "text": "Se os usuários precisarem apenas de acesso a aplicativos internos, o Proxy de Aplicativo de ID do Microsoft Entra foi considerado como uma alternativa à AVD (Área de Trabalho Virtual) do Azure?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Ao criar um SAS, seja o mais específico e restritivo possível. 
Prefira um SAS para um único recurso e operação em vez de um SAS que dá acesso muito mais amplo.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "severity": "Média", - "text": "Aplicar um escopo restrito a uma SAS", + "text": "Para reduzir o número de portas de firewall abertas para conexões de entrada em sua rede, considere usar o Proxy de Aplicativo de ID do Microsoft Entra para fornecer aos usuários remotos acesso seguro e autenticado a aplicativos internos.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Uma SAS pode incluir parâmetros nos quais endereços IP de cliente ou intervalos de endereços estão autorizados a solicitar um recurso usando a SAS. 
", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", - "severity": "Média", - "text": "Considere a definição do escopo do SAS para um endereço IP de cliente específico, sempre que possível", + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", + "severity": "Alto", + "text": "Usar o Gateway NAT do Azure em vez das regras de saída do Load Balancer para melhorar a escalabilidade SNAT", + "waf": "Fiabilidade" + }, + { + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", + "severity": "Alto", + "text": "Habilite o conjunto de regras de proteção contra bot do WAF do Gateway de Aplicativo do Azure. 
As regras de bot detectam bots bons e ruins.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Um SAS não pode restringir a quantidade de dados que um cliente carrega; Dado o modelo de precificação da quantidade de armazenamento ao longo do tempo, pode fazer sentido validar se os clientes carregaram conteúdo maliciosamente grande.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "Baixo", - "text": "Considere verificar os dados carregados, depois que os clientes usaram um SAS para carregar um arquivo. ", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", + "severity": "Alto", + "text": "Verifique se o recurso de inspeção do corpo da solicitação está habilitado na política WAF do Gateway de Aplicativo do Azure.", + "waf": "Segurança" + }, + { + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "Alto", + "text": "Ajuste o WAF do Gateway de Aplicativo do Azure no modo de detecção para sua carga de trabalho. Reduza as detecções de falsos positivos.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Ao acessar o armazenamento de blob via SFTP usando uma 'conta de usuário local', os controles RBAC 'normais' não se aplicam. 
O acesso a blobs via NFS ou REST pode ser mais restritivo do que o acesso a SFTP. Infelizmente, no início de 2023, os usuários locais são a única forma de gerenciamento de identidade que atualmente é suportada para o ponto de extremidade SFTP", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", + "service": "App Gateway", "severity": "Alto", - "text": "SFTP: Limite a quantidade de 'usuários locais' para acesso SFTP e audite se o acesso é necessário ao longo do tempo.", + "text": "Implante sua política de WAF para Gateway de Aplicativo no modo 'Prevenção'.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "severity": "Média", - "text": "SFTP: O ponto de extremidade SFTP não oferece suporte a ACLs do tipo POSIX.", + "text": "Adicione a limitação de taxa ao WAF do Gateway de Aplicativo do Azure. 
A limitação de taxa bloqueia os clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "O armazenamento oferece suporte a CORS (Cross-Origin Resource Sharing), ou seja, um recurso HTTP que permite que aplicativos Web de um domínio diferente afrouxem a política de mesma origem. Ao habilitar o CORS, mantenha o CorsRules com o menor privilégio.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "Alto", - "text": "Evite políticas CORS excessivamente amplas", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", + "severity": "Média", + "text": "Use um limite alto para os limites de taxa do WAF do Gateway de Aplicativo do Azure. Os limites de limite de taxa altos evitam o bloqueio do tráfego legítimo, ao mesmo tempo em que fornecem proteção contra números extremamente altos de solicitações que podem sobrecarregar sua infraestrutura. ", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Os dados em repouso são sempre criptografados no lado do servidor e, além disso, também podem ser criptografados no lado do cliente. A criptografia do lado do servidor pode acontecer usando uma chave gerenciada por plataforma (padrão) ou uma chave gerenciada pelo cliente. 
A criptografia do lado do cliente pode acontecer fazendo com que o cliente forneça uma chave de criptografia/descriptografia por blob para o armazenamento do Azure ou manipulando completamente a criptografia no lado do cliente. portanto, não depende do Armazenamento do Azure para garantias de confidencialidade.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", - "severity": "Alto", - "text": "Determine como os dados em repouso devem ser criptografados. Entenda o modelo de thread para dados.", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "Baixo", + "text": "Se você não estiver esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "severity": "Média", - "text": "Determine qual/se a criptografia de plataforma deve ser usada.", + "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Gateway de 
Aplicativo do Azure. Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "severity": "Média", - "text": "Determine qual/se a criptografia do lado do cliente deve ser usada.", + "text": "Use a versão mais recente do conjunto de regras do WAF do Gateway de Aplicativo do Azure. As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário de ameaças atual.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Aproveite o Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para localizar contas de armazenamento que permitem acesso anônimo a blobs.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere se o acesso de blob público é necessário ou se pode ser desabilitado para determinadas contas de armazenamento. 
", - "waf": "Segurança" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", + "severity": "Média", + "text": "Adicione configurações de diagnóstico para salvar os logs do WAF do Gateway de Aplicativo do Azure.", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "severity": "Média", - "text": "O ACSS (Centro de Soluções SAP) do Azure é uma oferta do Azure que torna o SAP uma carga de trabalho de nível superior no Azure. O ACSS é uma solução de ponta a ponta que permite criar e executar sistemas SAP como uma carga de trabalho unificada no Azure e fornece uma base mais perfeita para a inovação. 
Você pode aproveitar os recursos de gerenciamento para sistemas SAP novos e existentes baseados no Azure.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "text": "Envie logs do WAF do Gateway de Aplicativo do Azure para o Microsoft Sentinel.", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "severity": "Média", - "text": "O Azure dá suporte à automação de implantações do SAP no Linux e no Windows. O SAP Deployment Automation Framework é uma ferramenta de orquestração de software livre que pode implementar, instalar e manter ambientes SAP.", - "training": "https://github.com/Azure/sap-automation", + "text": "Defina a configuração do WAF do Gateway de Aplicativo do Azure como código. 
Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", "severity": "Média", - "text": "Execute uma recuperação pontual para seus bancos de dados de produção a qualquer momento e em um período de tempo que atenda ao seu RTO; a recuperação point-in-time normalmente inclui erros do operador que excluem dados na camada DBMS ou por meio do SAP, incidentalmente", - "waf": "Fiabilidade" + "text": "Use as Políticas do WAF em vez da configuração herdada do WAF.", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "severity": "Média", - "text": "Teste os tempos de backup e recuperação para verificar se eles atendem aos requisitos de RTO para restaurar todos os sistemas simultaneamente após um desastre.", - "waf": "Fiabilidade" + "text": "Filtre o tráfego de entrada nos back-ends para que eles aceitem apenas conexões da sub-rede do Gateway de Aplicativo, por exemplo, com NSGs.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": 
"https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "Alto", - "text": "Você pode replicar o armazenamento padrão entre regiões emparelhadas, mas não pode usar o armazenamento padrão para armazenar seus bancos de dados ou discos rígidos virtuais. Você pode replicar backups somente entre regiões emparelhadas que você usa. Para todos os outros dados, execute a replicação usando recursos nativos do DBMS, como SQL Server Always On ou Replicação do Sistema SAP HANA. Use uma combinação de Site Recovery, rsync ou robocopy e outros softwares de terceiros para a camada de aplicativo SAP.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Fiabilidade" - }, - { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "Média", - "text": "Ao usar as Zonas de Disponibilidade do Azure para obter alta disponibilidade, você deve considerar a latência entre os servidores de aplicativos SAP e os servidores de banco de dados. 
Para zonas com altas latências, os procedimentos operacionais precisam estar em vigor para garantir que os servidores de aplicativos SAP e os servidores de banco de dados estejam em execução na mesma zona o tempo todo.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidade" + "text": "Você deve criptografar o tráfego para os servidores de back-end.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", "severity": "Alto", - "text": "Configure conexões do ExpressRoute do local para as regiões de recuperação de desastre primárias e secundárias do Azure. 
Além disso, como alternativa ao uso do ExpressRoute, considere configurar conexões VPN do local para as regiões primárias e secundárias de recuperação de desastre do Azure.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "Fiabilidade" + "text": "Você deve usar um Web Application Firewall.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "Baixo", - "text": "Replique o conteúdo do cofre de chaves, como certificados, segredos ou chaves entre regiões, para que você possa descriptografar dados na região de recuperação de desastre.", - "waf": "Fiabilidade" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Redirecionar HTTP para HTTPS", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", "severity": "Média", - "text": "Emparelhe as redes virtuais primárias e de recuperação de desastre. 
Por exemplo, para a Replicação do Sistema HANA, uma rede virtual de banco de dados do SAP HANA precisa ser emparelhada com a rede virtual de banco de dados do SAP HANA do site de recuperação de desastres.", - "waf": "Fiabilidade" + "text": "Use cookies gerenciados por gateway para direcionar o tráfego de uma sessão de usuário para o mesmo servidor para processamento", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", + "severity": "Alto", + "text": "Habilitar a drenagem de conexão durante atualizações de serviço planejadas para evitar a perda de conexão para membros existentes do pool de back-end", + "waf": "Segurança" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", "severity": "Baixo", - "text": "Se você usar o armazenamento do Azure NetApp Files para suas implantações SAP, no mínimo, crie duas contas do Azure NetApp Files na camada Premium, em duas regiões.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "Fiabilidade" + "text": "Crie páginas de erro personalizadas para exibir uma experiência de usuário personalizada", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "Alto", - "text": "A tecnologia de replicação de banco de dados nativa deve ser usada para sincronizar o banco de dados em um par de HA.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", + "severity": "Média", + "text": "Edite solicitações HTTP e cabeçalhos de resposta para facilitar o roteamento e a troca de informações entre o cliente e o servidor", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "Alto", - "text": "O CIDR da VNet (rede virtual) primária não deve entrar em conflito ou se sobrepor ao CIDR da VNet do site de recuperação de desastre", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery 
Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Configure o Front Door para otimizar o roteamento de tráfego da Web global e o desempenho e a confiabilidade do usuário final de nível superior por meio de failover global rápido", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", - "severity": "Alto", - "text": "Use o Site Recovery para replicar um servidor de aplicativos para um site de recuperação de desastre. O Site Recovery também pode ajudar a replicar VMs de cluster de serviços centrais para o site de recuperação de desastre. Ao invocar a DR, você precisará reconfigurar o cluster do Linux Pacemaker no site de DR (por exemplo, substituir o VIP ou SBD, executar corosync.conf e muito mais).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Fiabilidade" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Usar o balanceamento de carga da camada de transporte", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "Alto", - "text": "Considere a disponibilidade do software SAP em relação a pontos únicos de falha. Isso inclui pontos únicos de falha em aplicativos, como SGBDs utilizados nas arquiteturas SAP NetWeaver e SAP S/4HANA, SAP AP e ASCS + SCS. 
Além disso, outras ferramentas, como o SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Configurar o roteamento com base no host ou no nome de domínio para vários aplicativos Web em um único gateway", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "Alto", - "text": "Para bancos de dados SAP e SAP, considere implementar clusters de failover automáticos. No Windows, o Clustering de Failover do Windows Server dá suporte ao failover. 
No Linux, o Linux Pacemaker ou ferramentas de terceiros, como o SIOS Protection Suite e o Veritas InfoScale, oferecem suporte ao failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", + "severity": "Média", + "text": "Centralize o gerenciamento de certificados SSL para reduzir a sobrecarga de criptografia e descriptografia de um farm de servidores de back-end", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "Alto", - "text": "O Azure não dá suporte a arquiteturas nas quais as VMs primárias e secundárias compartilham armazenamento para dados do DBMS. 
Para a camada DBMS, o padrão de arquitetura comum é replicar bancos de dados ao mesmo tempo e com pilhas de armazenamento diferentes daquelas que as VMs primárias e secundárias usam.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Fiabilidade" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", + "severity": "Baixo", + "text": "Usar o Gateway de Aplicativo para obter suporte nativo para protocolos WebSocket e HTTP/2", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "Alto", - "text": "Os dados do DBMS e os arquivos de log de transação/redo são armazenados no armazenamento em blocos com suporte do Azure ou no Azure NetApp Files. 
Não há suporte para Arquivos do Azure ou Arquivos Premium do Azure como armazenamento para dados do DBMS e/ou arquivos de log de restauração com carga de trabalho do SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", + "severity": "Média", + "text": "Aproveite o servidor flexível", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "Alto", - "text": "Você pode usar discos compartilhados do Azure no Windows para componentes ASCS + SCS e cenários específicos de alta disponibilidade. Configure seus clusters de failover separadamente para os componentes da camada de aplicativo SAP e a camada DBMS. 
Atualmente, o Azure não dá suporte a arquiteturas de alta disponibilidade que combinam componentes da camada de aplicativo SAP e a camada DBMS em um cluster de failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', 
Param2=toint(BackendAddresses))", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "Alto", - "text": "A maioria dos clusters de failover para componentes da camada de aplicativo SAP (ASCS) e a camada DBMS exigem um endereço IP virtual para um cluster de failover. O Azure Load Balancer deve lidar com o endereço IP virtual para todos os outros casos. Um princípio de design é usar um balanceador de carga por configuração de cluster. Recomendamos que você use a versão padrão do balanceador de carga (SKU do Balanceador de Carga Padrão).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", + "severity": "Média", + "text": "Aproveite a replicação de dados para cenários de DR entre regiões", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", "severity": "Alto", - "text": "Certifique-se de que o IP flutuante esteja habilitado no balanceador de carga", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "text": 
"Selecione o plano de hospedagem de aplicativo lógico certo com base em seus requisitos de negócios e SLO", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", "severity": "Alto", - "text": "Antes de implantar sua infraestrutura de alta disponibilidade e dependendo da região escolhida, determine se deseja implantar com um conjunto de disponibilidade do Azure ou uma zona de disponibilidade.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "text": "Proteja aplicativos lógicos contra falhas de região com redundância de zona e zonas de disponibilidade", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", "severity": "Alto", - "text": "Se você quiser atender aos SLAs de infraestrutura para seus aplicativos para componentes SAP (serviços centrais, servidores de aplicativos e bancos de dados), deverá escolher as mesmas opções de alta disponibilidade (VMs, conjuntos de disponibilidade, zonas de disponibilidade) para todos os componentes.", 
+ "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", "severity": "Alto", - "text": "Não misture servidores de funções diferentes no mesmo conjunto de disponibilidade. Mantenha VMs de serviços centrais, VMs de banco de dados e VMs de aplicativos em seus próprios conjuntos de disponibilidade", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "Média", - "text": "Você não pode implantar conjuntos de disponibilidade do Azure em uma zona de disponibilidade do Azure, a menos que use grupos de posicionamento por proximidade.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "Fiabilidade" - }, - { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": 
"Alto", - "text": "Ao criar conjuntos de disponibilidade, use o número máximo de domínios de falha e atualize os domínios disponíveis. Por exemplo, se você implantar mais de duas VMs em um conjunto de disponibilidade, use o número máximo de domínios de falha (três) e domínios de atualização suficientes para limitar o efeito de possíveis falhas de hardware físico, interrupções de rede ou interrupções de energia, além da manutenção planejada do Azure. O número padrão de domínios de falha é dois e você não pode alterá-lo online posteriormente.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Fiabilidade" + "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código de Aplicativo Lógico", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "Alto", - "text": "Quando você usa grupos de posicionamento por proximidade do Azure em uma implantação de conjunto de disponibilidade, todos os três componentes SAP (serviços centrais, servidor de aplicativos e banco de dados) devem estar no mesmo grupo de posicionamento por proximidade.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Aplicar as orientações do benchmark de segurança na nuvem da Microsoft relacionadas ao armazenamento", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", + "severity": "Média", + "text": "Considere a 'linha de base de segurança do Azure para armazenamento'", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "O Armazenamento do Azure, por padrão, tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem expor com segurança o Armazenamento do Azure apenas aos recursos de Computação do Azure que precisam de acesso, eliminando assim a exposição à Internet pública", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "severity": "Alto", - "text": "Use um grupo de posicionamento por proximidade por SID SAP. Os grupos não se estendem por Zonas de Disponibilidade ou regiões do Azure", - "waf": "Fiabilidade" + "text": "Considere o uso de pontos de extremidade privados para o Armazenamento do Azure", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "Alto", - "text": "Use um dos serviços a seguir para executar clusters de serviços centrais do SAP, dependendo do sistema operacional.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "As contas de armazenamento recém-criadas são criadas usando o modelo de implantação ARM, para que o RBAC, a auditoria, etc., estejam todos habilitados. 
Verifique se não há contas de armazenamento antigas com modelo de implantação clássico em uma assinatura", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", + "severity": "Média", + "text": "Verifique se as contas de armazenamento mais antigas não estão usando o 'modelo de implantação clássico'", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", - "severity": "Média", - "text": "Atualmente, o Azure não dá suporte à combinação de ASCS e DB HA no mesmo cluster do Linux Pacemaker; separe-os em clusters individuais. No entanto, você pode combinar até cinco vários clusters de serviços centrais em um par de VMs.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Aproveite o Microsoft Defender para saber mais sobre atividades suspeitas e configurações incorretas.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", + "severity": "Alto", + "text": "Habilitar o Microsoft Defender para todas as suas contas de armazenamento", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "O mecanismo soft-delete permite recuperar blobs excluídos acidentalmente.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "Média", - "text": "Implante ambas as VMs no par de alta disponibilidade em um conjunto de disponibilidade ou em zonas de disponibilidade. Essas VMs devem ter o mesmo tamanho e a mesma configuração de armazenamento.", - "waf": "Fiabilidade" + "text": "Ativar 'exclusão suave' para blobs", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "Média", - "text": "O Azure dá suporte à instalação e configuração de instâncias do SAP HANA e ASCS/SCS e ERS no mesmo cluster de alta disponibilidade em execução no RHEL (Red Hat Enterprise Linux).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidade" + "text": "Desativar 'exclusão suave' para blobs", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "A exclusão suave para contêineres permite que você recupere um contêiner depois que ele tenha sido excluído, por exemplo, recuperar de uma operação de exclusão acidental.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "Alto", - "text": "Execute todos os sistemas de produção em SSDs gerenciados Premium e use o Azure NetApp Files ou o Armazenamento em Disco Ultra. 
Pelo menos o disco do sistema operacional deve estar na camada Premium para que você possa obter melhor desempenho e o melhor SLA.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Fiabilidade" + "text": "Ativar 'exclusão suave' para contêineres", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", - "severity": "Alto", - "text": "Você deve executar o SAP HANA no Azure somente nos tipos de armazenamento certificados pelo SAP. Observe que determinados volumes devem ser executados em determinadas configurações de disco, quando aplicável. Essas configurações incluem habilitar o Acelerador de Gravação e usar o armazenamento Premium. Você também precisa garantir que o sistema de arquivos executado no armazenamento seja compatível com o DBMS executado na máquina.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. 
", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "Média", + "text": "Desativar 'exclusão suave' para contêineres", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Evita a exclusão acidental de uma conta de armazenamento, forçando o usuário a remover primeiro o bloqueio de exclusão, antes da exclusão", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "Alto", - "text": "Considere configurar a alta disponibilidade dependendo do tipo de armazenamento que você usa para suas cargas de trabalho SAP. Alguns serviços de armazenamento disponíveis no Azure não têm suporte no Azure Site Recovery, portanto, sua configuração de alta disponibilidade pode ser diferente.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "Fiabilidade" + "text": "Habilitar bloqueios de recursos em contas de armazenamento", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere políticas de \"retenção legal\" ou \"retenção baseada em tempo\" para blobs, de modo que seja impossível excluir o blob, o contêiner ou a conta de armazenamento. 
Por favor, note que \"impossível\" significa na verdade \"impossível\"; uma vez que uma conta de armazenamento contém um blob imutável, a única maneira de 'se livrar' dessa conta de armazenamento é cancelando a assinatura do Azure.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "severity": "Alto", - "text": "Diferentes serviços de armazenamento nativos do Azure (como Arquivos do Azure, Azure NetApp Files, Disco Compartilhado do Azure) podem não estar disponíveis em todas as regiões. Portanto, para ter uma configuração SAP semelhante na região de recuperação de desastre após o failover, verifique se o respectivo serviço de armazenamento é oferecido no site de recuperação de desastre.", - "waf": "Fiabilidade" + "text": "Considere blobs imutáveis", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", - "severity": "Média", - "text": "Automatize o sistema SAP Start-Stop para gerenciar custos.", - "waf": "Custar" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere desabilitar o acesso HTTP/80 desprotegido à conta de armazenamento, para que todas as transferências de dados sejam criptografadas, protegidas por integridade e o servidor seja autenticado. 
", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "Alto", + "text": "Exigir HTTPS, ou seja, desativar a porta 80 na conta de armazenamento", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "Baixo", - "text": "No caso de usar o Armazenamento Premium do Azure com o SAP HANA, o armazenamento SSD Standard do Azure pode ser usado para selecionar uma solução de armazenamento econômica. No entanto, observe que escolher o armazenamento SSD Standard ou HDD Standard do Azure afetará o SLA das VMs individuais. Além disso, para sistemas com menor taxa de transferência de E/S e baixa latência, como ambientes de não produção, as VMs de série inferior podem ser usadas.", - "waf": "Custar" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Ao configurar um domínio personalizado (nome do host) em uma conta de armazenamento, verifique se você precisa de TLS/HTTPS; em caso afirmativo, talvez seja necessário colocar a CDN do Azure na frente da sua conta de armazenamento.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "Alto", + "text": "Ao impor HTTPS (desabilitando HTTP), verifique se você não usa domínios personalizados (CNAME) para a conta de armazenamento.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "Baixo", - "text": "Como uma configuração alternativa de baixo custo (multiuso), você pode 
escolher um SKU de baixo desempenho para suas VMs de servidor de banco de dados HANA que não são de produção. No entanto, é importante observar que alguns tipos de VM, como a série E, não são certificados pelo HANA (Diretório de Hardware do SAP HANA) ou não podem atingir uma latência de armazenamento inferior a 1 ms.", - "waf": "Custar" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Exigir HTTPS quando um cliente usa um token SAS para acessar dados de blob ajuda a minimizar o risco de perda de credenciais.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", + "severity": "Média", + "text": "Limitar tokens de assinatura de acesso compartilhado (SAS) somente a conexões HTTPS", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Os tokens AAD devem ser favorecidos em relação às assinaturas de acesso compartilhado, sempre que possível", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "severity": "Alto", - "text": "Impor um modelo RBAC para grupos de gerenciamento, assinaturas, grupos de recursos e recursos", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "text": "Usar tokens do Azure Active Directory 
(Azure AD) para acesso de blob", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Ao atribuir uma função a um usuário, grupo ou aplicativo, conceda a essa entidade de segurança apenas as permissões necessárias para que eles executem suas tarefas. Limitar o acesso aos recursos ajuda a evitar o uso indevido não intencional e mal-intencionado de seus dados.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "Média", - "text": "Impor a propagação da entidade de segurança para encaminhar a identidade do aplicativo de nuvem SAP para o SAP local (incluindo IaaS) por meio do conector de nuvem", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "text": "Privilégio mínimo nas permissões do IaM", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "severity": "Média", - "text": "Implemente SSO para aplicativos SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics e SAP C4C com Azure AD usando SAML.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Uma SAS de delegação de usuário é protegida com credenciais do Azure Active Directory (Azure AD) e também pelas permissões especificadas para a SAS. 
Uma SAS de delegação de usuário é análoga a uma SAS de serviço em termos de escopo e função, mas oferece benefícios de segurança em relação à SAS de serviço. ", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "Alto", + "text": "Ao usar o SAS, prefira o SAS de delegação de usuário ao SAS baseado em chave de conta de armazenamento.", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": "Média", - "text": "Implemente o SSO para aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "As chaves de conta de armazenamento ('chaves compartilhadas') têm pouquíssimos recursos de auditoria. Embora possa ser monitorado em quem/quando foi obtida uma cópia das chaves, uma vez que as chaves estão nas mãos de várias pessoas, é impossível atribuir o uso a um usuário específico. Depender exclusivamente da autenticação do AAD facilita a vinculação do acesso ao armazenamento a um usuário. 
", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere desabilitar as chaves de conta de armazenamento, para que somente o acesso ao AAD (e a delegação de usuários SAS) seja suportado.", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Use os dados do Registro de atividades para identificar \"quando\", \"quem\", \"o que\" e \"como\" a segurança da sua conta de armazenamento está sendo visualizada ou alterada (ou seja, chaves de conta de armazenamento, políticas de acesso, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere usar o Azure Monitor para auditar as operações do plano de controle na conta de armazenamento", + "waf": "Segurança" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Uma política de expiração de chave permite que você defina um lembrete para a rotação das chaves de acesso da conta. 
O lembrete será exibido se o intervalo especificado tiver decorrido e as teclas ainda não tiverem sido giradas.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "Média", - "text": "Implemente o SSO para aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "text": "Ao usar chaves de conta de armazenamento, considere habilitar uma 'política de expiração de chave'", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Uma diretiva de expiração SAS especifica um intervalo recomendado sobre o qual a SAS é válida. As políticas de expiração do SAS se aplicam a um SAS de serviço ou a um SAS de conta. 
Quando um usuário gera SAS de serviço ou SAS de conta com um intervalo de validade maior do que o intervalo recomendado, ele verá um aviso.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "Média", - "text": "Você pode implementar o SSO no SAP GUI usando o SAP NetWeaver SSO ou uma solução de parceiro.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "text": "Considere configurar uma política de expiração SAS", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "As políticas de acesso armazenado oferecem a opção de revogar permissões para uma SAS de serviço sem precisar gerar novamente as chaves da conta de armazenamento. ", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "Média", - "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos/SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido à sua facilidade de configuração e manutenção. 
Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "text": "Considere vincular o SAS a uma política de acesso armazenado", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "severity": "Média", - "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos/SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido à sua facilidade de configuração e manutenção. 
Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.", + "text": "Considere configurar o repositório de código-fonte do aplicativo para detectar cadeias de conexão com check-in e chaves de conta de armazenamento.", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", - "severity": "Média", - "text": "Implemente o SSO usando o OAuth para SAP NetWeaver para permitir que aplicativos personalizados ou de terceiros acessem os serviços OData do SAP NetWeaver.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Idealmente, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Armazenamento do Azure. Se isso não for possível, considere ter a credencial de armazenamento (cadeia de conexão, chave de conta de armazenamento, SAS, credencial da entidade de serviço) no Azure KeyVault ou em um serviço equivalente.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere armazenar cadeias de conexão no Cofre de Chaves do Azure (em cenários em que identidades gerenciadas não são possíveis)", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", - "severity": "Média", - "text": "Implementar SSO no SAP HANA", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Use tempos de expiração de curto prazo em um SAS de serviço SAS ad hoc ou SAS de 
conta. Dessa forma, mesmo que um SAS seja comprometido, ele é válido apenas por um curto período de tempo. Essa prática é especialmente importante se você não puder fazer referência a uma política de acesso armazenado. Os tempos de expiração de curto prazo também limitam a quantidade de dados que podem ser gravados em um blob, limitando o tempo disponível para carregar nele.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Alto", + "text": "Esforce-se por curtos períodos de validade para SAS ad-hoc", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Ao criar um SAS, seja o mais específico e restritivo possível. Prefira um SAS para um único recurso e operação em vez de um SAS que dá acesso muito mais amplo.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "Média", - "text": "Considere o Azure AD um provedor de identidade para sistemas SAP hospedados no RISE. 
Para obter mais informações, consulte Integrando o serviço ao Azure AD.", + "text": "Aplicar um escopo restrito a uma SAS", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Uma SAS pode incluir parâmetros nos quais endereços IP de cliente ou intervalos de endereços estão autorizados a solicitar um recurso usando a SAS. ", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "Média", - "text": "Para aplicativos que acessam o SAP, talvez você queira usar a propagação principal para estabelecer o SSO.", + "text": "Considere a definição do escopo do SAS para um endereço IP de cliente específico, sempre que possível", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", - "severity": "Média", - "text": "Se você estiver usando serviços SAP BTP ou soluções SaaS que exigem o SAP Identity Authentication Service (IAS), considere implementar o SSO entre o SAP Cloud Identity Authentication Services e o Azure AD para acessar esses serviços SAP. 
Essa integração permite que o SAP IAS atue como um provedor de identidade proxy e encaminhe solicitações de autenticação para o Azure AD como o repositório central de usuários e o provedor de identidade.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Um SAS não pode restringir a quantidade de dados que um cliente carrega; Dado o modelo de precificação da quantidade de armazenamento ao longo do tempo, pode fazer sentido validar se os clientes carregaram conteúdo maliciosamente grande.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "Baixo", + "text": "Considere verificar os dados carregados, depois que os clientes usaram um SAS para carregar um arquivo. ", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", - "severity": "Média", - "text": "Implementar SSO para SAP BTP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Ao acessar o armazenamento de blob via SFTP usando uma 'conta de usuário local', os controles RBAC 'normais' não se aplicam. O acesso a blobs via NFS ou REST pode ser mais restritivo do que o acesso a SFTP. 
Infelizmente, no início de 2023, os usuários locais são a única forma de gerenciamento de identidade que atualmente é suportada para o ponto de extremidade SFTP", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "Alto", + "text": "SFTP: Limite a quantidade de 'usuários locais' para acesso SFTP e audite se o acesso é necessário ao longo do tempo.", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "Média", - "text": "Se você estiver usando o SAP SuccessFactors, considere usar o provisionamento automatizado de usuários do Azure AD. Com essa integração, à medida que você adiciona novos funcionários ao SAP SuccessFactors, você pode criar automaticamente suas contas de usuário no Azure AD. Opcionalmente, você pode criar contas de usuário no Microsoft 365 ou em outros aplicativos SaaS compatíveis com o Azure AD. 
Use o write-back do endereço de email para o SAP SuccessFactors.", + "text": "SFTP: O ponto de extremidade SFTP não oferece suporte a ACLs do tipo POSIX.", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "description": "Mantenha a hierarquia do grupo de gerenciamento razoavelmente plana, não mais do que quatro.", - "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", - "severity": "Média", - "text": "impor políticas existentes do Grupo de Gerenciamento às Assinaturas SAP", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "Operações" - }, - { - "checklist": "SAP Checklist", - "graph": "Resources | summarize count()", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "O armazenamento oferece suporte a CORS (Cross-Origin Resource Sharing), ou seja, um recurso HTTP que permite que aplicativos Web de um domínio diferente afrouxem a política de mesma origem. 
Ao habilitar o CORS, mantenha o CorsRules com o menor privilégio.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "Alto", - "text": "Integre aplicativos fortemente acoplados na mesma assinatura SAP para evitar complexidade adicional de roteamento e gerenciamento", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "Operações" + "text": "Evite políticas CORS excessivamente amplas", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Os dados em repouso são sempre criptografados no lado do servidor e, além disso, também podem ser criptografados no lado do cliente. A criptografia do lado do servidor pode acontecer usando uma chave gerenciada por plataforma (padrão) ou uma chave gerenciada pelo cliente. A criptografia do lado do cliente pode acontecer fazendo com que o cliente forneça uma chave de criptografia/descriptografia por blob para o armazenamento do Azure ou manipulando completamente a criptografia no lado do cliente. 
portanto, não depende do Armazenamento do Azure para garantias de confidencialidade.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "Alto", - "text": "Aproveite a assinatura como unidade de escala e dimensione nossos recursos, considere implantar a assinatura por ambiente, por exemplo. Caixa de areia, não-prod, prod ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "Operações" + "text": "Determine como os dados em repouso devem ser criptografados. Entenda o modelo de thread para dados.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", - "severity": "Alto", - "text": "Garantir o aumento da cota como parte do provisionamento da assinatura (por exemplo, total de núcleos de VM disponíveis em uma assinatura)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "Operações" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": 
"https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", + "severity": "Média", + "text": "Determine qual/se a criptografia de plataforma deve ser usada.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", - "severity": "Baixo", - "text": "A API de Cota é uma API REST que você pode usar para exibir e gerenciar cotas para serviços do Azure. Considere usá-lo, se necessário.", - "waf": "Operações" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", + "severity": "Média", + "text": "Determine qual/se a criptografia do lado do cliente deve ser usada.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Aproveite o Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para localizar contas de armazenamento que permitem acesso anônimo a blobs.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "severity": "Alto", - "text": "Se estiver implantando em uma zona de disponibilidade, 
verifique se a implantação da zona da VM está disponível depois que a cota for aprovada. Envie uma solicitação de suporte com a assinatura, a série de VMs, o número de CPUs e a zona de disponibilidade necessárias.", - "waf": "Operações" + "text": "Considere se o acesso de blob público é necessário ou se pode ser desabilitado para determinadas contas de armazenamento. ", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", "severity": "Alto", - "text": "Certifique-se de que os serviços e recursos necessários estejam disponíveis nas regiões de implantação escolhidas, por exemplo. ANF, Zona etc.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "Operações" + "text": "Aproveitar zonas de disponibilidade, se aplicável regionalmente (isso é habilitado automaticamente)", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "Média", - "text": "Aproveite a marca de recurso do Azure para categorização de 
custos e agrupamento de recursos (: BillTo, Departamento (ou Unidade de Negócios), Ambiente (Produção, Estágio, Desenvolvimento), Camada (Camada da Web, Camada de Aplicativo), Proprietário do Aplicativo, ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Operações" + "text": "Esteja ciente dos failovers iniciados pela Microsoft. Eles são exercidos pela Microsoft em raras situações para fazer failover de todos os hubs IoT de uma região afetada para a região geo-emparelhada correspondente.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", "severity": "Alto", - "text": "Ajude a proteger seu banco de dados HANA usando o serviço de Backup do Azure.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", - "severity": "Média", - "text": "Se você implantar o Azure NetApp Files para seu banco de dados HANA, Oracle ou DB2, use a ferramenta AzAcSnap (Instantâneo Consistente com o Aplicativo do Azure) para tirar instantâneos consistentes com o aplicativo. O AzAcSnap também oferece suporte a bancos de dados Oracle. 
Considere usar o AzAcSnap em uma VM central em vez de em VMs individuais.", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "severity": "Alto", + "text": "Saiba como acionar um failover manual.", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", "severity": "Alto", - "text": "Garanta correspondências de fuso horário entre o sistema operacional e o sistema SAP.", - "waf": "Operações" - }, - { - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", - "severity": "Média", - "text": "Não agrupe diferentes serviços de aplicativo no mesmo cluster. Por exemplo, não combine clusters DRBD e de serviços centrais no mesmo cluster. 
No entanto, você pode usar o mesmo cluster do Pacemaker para gerenciar aproximadamente cinco serviços centrais diferentes (cluster de vários SID).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "Saiba como fazer failback após um failover.", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", - "severity": "Baixo", - "text": "Considere executar sistemas de desenvolvimento/teste em um modelo de adiamento para economizar e otimizar os custos de execução do Azure.", - "waf": "Custar" - }, - { - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7bc1c396-2461-4698-b57f-30ca69525252", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", + "service": "VNet", "severity": "Média", - "text": "Se você fizer parceria com clientes gerenciando suas propriedades SAP, considere o Azure Lighthouse. O Azure Lighthouse permite que os provedores de serviços gerenciados usem serviços de identidade nativos do Azure para se autenticar no ambiente dos clientes. 
Ele coloca o controle nas mãos dos clientes, pois eles podem revogar o acesso a qualquer momento e auditar as ações dos prestadores de serviços.", - "waf": "Operações" + "text": "Implante seus recursos de conectividade de zona de destino do Azure em várias regiões, para que você possa dar suporte rapidamente a zonas de destino de aplicativos de várias regiões e cenários de recuperação de desastre.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "Média", - "text": "Use o Azure Update Manager para verificar o status das atualizações disponíveis para uma única VM ou várias VMs e considere agendar patches regulares.", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "text": "Use um locatário do Entra para gerenciar seus recursos do Azure, a menos que você tenha um requisito regulatório ou comercial claro para multilocatários.", + "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", "severity": "Baixo", - "text": "Otimize e gerencie as operações do SAP Basis usando o SAP Landscape Management (LaMa). Use o conector SAP LaMa para Azure para realocar, copiar, clonar e atualizar sistemas SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "text": "Use a abordagem de Automação Multilocatário para gerenciar seus locatários de ID do Microsoft Entra.", + "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", - "severity": "Média", - "text": "Use o Azure Monitor para soluções SAP para monitorar suas cargas de trabalho SAP (SAP HANA, clusters SUSE de alta disponibilidade e sistemas SQL) no Azure. 
Considere complementar o Azure Monitor para soluções SAP com o SAP Solution Manager.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", + "severity": "Alto", + "text": "Use o Azure Lighthouse para gerenciamento de vários locatários com as mesmas IDs.", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "severity": "Alto", - "text": "Execute uma extensão de VM para verificação SAP. A Extensão de VM para SAP usa a identidade gerenciada atribuída de uma VM (máquina virtual) para acessar dados de monitoramento e configuração de VM. 
A verificação garante que todas as métricas de desempenho em seu aplicativo SAP venham da Extensão do Azure para SAP subjacente.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "Operações" + "text": "Se você conceder a um parceiro acesso para administrar seu locatário, use o Azure Lighthouse.", + "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", + "waf": "Custar" }, { - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", - "severity": "Média", - "text": "Use o Azure Policy para controle de acesso e relatórios de conformidade. O Azure Policy fornece a capacidade de impor configurações em toda a organização para garantir a adesão consistente à política e a detecção rápida de violações. ", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operações" + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", + "severity": "Alto", + "text": "Aplique um modelo RBAC que se alinhe ao seu modelo operacional de nuvem. 
Escopo e Atribuição entre Grupos de Gerenciamento e Assinaturas.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "severity": "Média", - "text": "Use o Monitor da Conexão no Observador de Rede do Azure para monitorar métricas de latência para bancos de dados SAP e servidores de aplicativos. Ou colete e exiba medidas de latência de rede usando o Azure Monitor.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", - "waf": "Operações" + "text": "Use apenas o tipo de autenticação Conta corporativa ou de estudante para todos os tipos de conta. 
Evite usar a conta da Microsoft", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "severity": "Média", - "text": "Execute uma verificação de qualidade para o SAP HANA na infraestrutura provisionada do Azure para verificar se as VMs provisionadas estão em conformidade com as práticas recomendadas do SAP HANA no Azure.", - "waf": "Operações" + "text": "Use apenas grupos para atribuir permissões. Adicione grupos locais ao grupo Somente ID do Entra se um sistema de gerenciamento de grupo já estiver em vigor.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "severity": "Alto", - "text": "Para cada assinatura do Azure, execute um teste de latência nas zonas de disponibilidade do Azure antes da implantação zonal para escolher zonas de baixa latência para implantação do SAP no Azure.", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "Desempenho" + "text": "Imponha políticas de Acesso Condicional da ID do Microsoft Entra para qualquer usuário com direitos 
a ambientes do Azure.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", - "severity": "Média", - "text": "Execute o Relatório de Resiliência para garantir que a configuração de toda a infraestrutura provisionada do Azure (Computação, Banco de Dados, Rede, Armazenamento, Site Recovery) esteja em conformidade com a configuração definida pelo Cloud Adaption Framework for Azure.", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "Fiabilidade" + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", + "severity": "Alto", + "text": "Imponha a autenticação multifator para qualquer usuário com direitos aos ambientes do Azure.", + "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "severity": "Média", - "text": "Implemente a proteção contra ameaças usando a solução do Microsoft Sentinel para SAP. 
Use essa solução para monitorar seus sistemas SAP e detectar ameaças sofisticadas em toda a lógica de negócios e nas camadas de aplicativos.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "text": "Imponha o Microsoft Entra ID Privileged Identity Management (PIM) para estabelecer acesso permanente zero e privilégios mínimos.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "Média", - "text": "A marcação do Azure pode ser aproveitada para agrupar e rastrear recursos logicamente, automatizar suas implantações e, o mais importante, fornecer visibilidade sobre os custos incorridos.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "Operações" - }, - { - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "severity": "Baixo", - "text": "Use o monitoramento de latência entre VMs para aplicativos sensíveis à latência.", - "waf": "Desempenho" + "text": "Se estiver planejando alternar dos Serviços de Domínio Active Directory para os serviços de domínio Entra, avalie a compatibilidade de todas as cargas de trabalho.", + "training": 
"https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "Média", - "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastre para servidores de aplicativos SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "text": "Ao usar o Microsoft Entra Domain Services, use conjuntos de réplicas. Os conjuntos de réplicas melhorarão a resiliência do domínio gerenciado e permitirão que você implante em regiões adicionais. ", + "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "Média", - "text": "Exclua todos os sistemas de arquivos de banco de dados e programas executáveis das verificações antivírus. 
Incluí-los pode levar a problemas de desempenho. Verifique com os fornecedores de banco de dados os detalhes prescritivos na lista de exclusão. Por exemplo, a Oracle recomenda excluir /oracle//sapdata das verificações antivírus.", - "waf": "Desempenho" + "text": "Integre os logs de ID do Microsoft Entra com o Azure Monitor central da plataforma. O Azure Monitor permite uma única fonte de verdade sobre dados de log e monitoramento no Azure, oferecendo às organizações opções nativas de nuvem para atender aos requisitos de coleta e retenção de logs.", + "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "severity": "Baixo", - "text": "Considere coletar estatísticas completas do banco de dados para bancos de dados não HANA após a migração. Por exemplo, implemente a nota 1020260 do SAP - Entrega de estatísticas do Oracle.", - "waf": "Desempenho" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", + "severity": "Alto", + "text": "Implemente um acesso de emergência ou contas de emergência para evitar o bloqueio de conta em todo o locatário. A MFA será ativada por padrão para todos os usuários em outubro de 2024. Recomendamos atualizar essas contas para usar a chave de acesso (FIDO2) ou configurar a autenticação baseada em certificado para MFA. 
", + "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "Média", - "text": "Considere usar o ASM (Gerenciamento Automático de Armazenamento) do Oracle para todas as implantações do Oracle que usam o SAP no Azure.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "Desempenho" + "text": "Não use contas sincronizadas locais para atribuições de função de ID do Microsoft Entra, a menos que você tenha um cenário que exija isso especificamente.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", + "severity": "Média", + "text": "Ao usar o Proxy de Aplicativo de ID do Microsoft Entra para fornecer acesso de usuários remotos a aplicativos, gerencie-o como um recurso da plataforma, pois você só pode ter uma instância por locatário.", + "training": 
"https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Segurança" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "Média", - "text": "Para SAP no Azure executando Oracle, uma coleção de scripts SQL pode ajudá-lo a diagnosticar problemas de desempenho. Os relatórios do Automatic Workload Repository (AWR) contêm informações valiosas para diagnosticar problemas no sistema Oracle. Recomendamos que você execute um relatório AWR durante várias sessões e escolha horários de pico para ele, para garantir uma ampla cobertura para a análise.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "Desempenho" + "text": "Use uma topologia de rede hub-and-spoke para cenários de rede que exigem flexibilidade máxima.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", "severity": "Alto", - "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastre para servidores de aplicativos SAP.", - "training": 
"https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "Operações" + "text": "Implante serviços de rede compartilhados, incluindo gateways do ExpressRoute, gateways de VPN e Firewall do Azure ou NVAs de parceiros na rede virtual do hub central. Se necessário, implante também serviços DNS.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Custar" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", - "severity": "Média", - "text": "Para entrega segura de aplicativos HTTP/S, use o Gateway de Aplicativo v2 e verifique se a proteção e as políticas do WAF estão habilitadas.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "service": "VNet", + "severity": "Alto", + "text": "Use um plano de proteção de IP ou rede DDoS para todos os endereços IP públicos nas zonas de destino do aplicativo.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "Média", - "text": "Se o DNS ou o nome virtual da máquina virtual não for alterado durante 
a migração para o Azure, o DNS em segundo plano e os nomes virtuais conectarão muitas interfaces do sistema no cenário SAP, e os clientes só às vezes estarão cientes das interfaces que os desenvolvedores definem ao longo do tempo. Surgem desafios de conexão entre vários sistemas quando os nomes virtuais ou DNS são alterados após as migrações, e é recomendável manter os aliases DNS para evitar esses tipos de dificuldades.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operações" + "text": "Ao implantar tecnologias de rede de parceiros ou NVAs, siga as diretrizes do fornecedor do parceiro.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "severity": "Média", - "text": "Use diferentes zonas DNS para distinguir cada ambiente (sandbox, desenvolvimento, pré-produção e produção) uns dos outros. 
A exceção é para implantações SAP com sua própria VNet; aqui, as zonas DNS privadas podem não ser necessárias.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operações" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "severity": "Baixo", + "text": "Se você precisar de trânsito entre o ExpressRoute e os gateways de VPN em cenários hub e spoke, use o Servidor de Rota do Azure.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "description": "Ao configurar o emparelhamento VNet, use a configuração Permitir tráfego para redes virtuais remotas.", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", - "severity": "Média", - "text": "O emparelhamento VNet local e global fornece conectividade e é a abordagem preferencial para garantir a conectividade entre zonas de destino para implantações SAP em várias regiões do Azure", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' 
| project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "Baixo", + "text": "Se estiver usando o Servidor de Roteamento, use um prefixo /27 para a sub-rede do Servidor de Roteamento.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", - "severity": "Alto", - "text": "Não há suporte para implantar qualquer NVA entre o aplicativo SAP e o servidor de banco de dados SAP", - "training": "https://me.sap.com/notes/2731110", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", + "severity": "Média", + "text": "Para arquiteturas de rede com várias topologias hub-and-spoke em regiões do Azure, use emparelhamentos de rede virtual global entre as VNets do hub para conectar as regiões entre si.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct 
id,compliant", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", "severity": "Média", - "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais em que você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "text": "Use o Azure Monitor para Redes para monitorar o estado de ponta a ponta das redes no Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "Média", - "text": 
"Considere implantar NVAs (soluções de virtualização de rede) entre regiões somente se NVAs de parceiros forem usadas. NVAs entre regiões ou VNets não serão necessárias se NVAs nativas estiverem presentes. Ao implantar tecnologias de rede de parceiros e NVAs, siga as diretrizes do fornecedor para verificar configurações conflitantes com a rede do Azure.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "Operações" + "text": "Se você tiver mais de 400 redes spoke em uma região, implante um hub adicional para ignorar os limites de emparelhamento VNet (500) e o número máximo de prefixos que podem ser anunciados por meio do ExpressRoute (1000).", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "Média", - "text": "A WAN Virtual gerencia a conectividade entre VNets spoke para topologias baseadas em WAN virtual (não é necessário configurar UDR [roteamento definido pelo usuário] ou NVAs) e a taxa de transferência máxima de rede para tráfego de VNet para VNet no mesmo hub virtual é de 50 gigabits por segundo. 
Se necessário, as zonas de destino do SAP podem usar o emparelhamento VNet para se conectar a outras zonas de destino e superar essa limitação de largura de banda.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "Operações" + "text": "Limite o número de rotas por tabela de rotas a 400.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", "severity": "Alto", - "text": "A atribuição de IP público à VM que executa a carga de trabalho SAP não é recomendada.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Segurança" + "text": "Use a configuração 'Permitir tráfego para rede virtual remota' ao 
configurar emparelhamentos VNet.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", + "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", + "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", + "service": "Load Balancers", "severity": "Alto", - "text": "Considere reservar o endereço IP no lado da recuperação de desastre ao configurar o ASR", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Operações" + "text": "Use o SKU do Standard Load Balancer com uma implantação com redundância de zona, a seleção do SKU Standard Load Balancer aumenta a confiabilidade por meio de zonas de disponibilidade e resiliência de zona, garantindo que as implantações resistam a falhas de zona e região. Ao contrário do Basic, ele oferece suporte ao balanceamento de carga global e oferece um SLA.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, 
tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "48682fb1-1e86-4458-a686-518ebd47393d", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", + "service": "Load Balancers", "severity": "Alto", - "text": "Evite usar intervalos de endereços IP sobrepostos para sites de produção e DR.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Operações" - }, - { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", - "severity": "Média", - "text": "Embora o Azure ajude você a criar várias sub-redes delegadas em uma VNet, apenas uma sub-rede delegada pode existir em uma VNet para Azure NetApp Files. 
As tentativas de criar um novo volume falharão se você usar mais de uma sub-rede delegada para o Azure NetApp Files.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "Operações" - }, - { - "checklist": "SAP Checklist", - "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", - "severity": "Média", - "text": "Usar o Firewall do Azure para controlar o tráfego de saída do Azure para a Internet, conexões de entrada não HTTP/S e filtragem de tráfego Leste/Oeste (se a organização exigir)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "Segurança" + "text": "Verifique se os pools de back-end do balanceador de carga contêm pelo menos duas instâncias, a implantação de Azure Load Balancers com pelo menos duas instâncias no back-end evita um único ponto de falha e dá suporte à escalabilidade.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "severity": "Média", - "text": "O Gateway de Aplicativo e o Firewall de Aplicativo Web têm limitações quando o Gateway de Aplicativo serve como um proxy reverso para aplicativos Web SAP, conforme mostrado 
na comparação entre o Gateway de Aplicativo, o SAP Web Dispatcher e outros serviços de terceiros.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "text": "Quando você estiver usando o ExpressRoute Direct, configure o MACsec para criptografar o tráfego no nível da camada dois entre os roteadores da organização e o MSEE. O diagrama mostra essa criptografia no fluxo.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", + "service": "ExpressRoute", "severity": "Média", - "text": "Use as políticas do Azure Front Door e do WAF para fornecer proteção global entre regiões do Azure para conexões HTTP/S de entrada para uma zona de destino.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "text": "Para cenários em que o MACsec não é uma opção (por exemplo, não usando o ExpressRoute Direct), use um gateway de VPN para estabelecer túneis IPsec no emparelhamento privado do ExpressRoute.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", - "severity": "Média", - "text": "Aproveite as políticas de Firewall de Aplicativo Web no Azure Front Door quando estiver usando o Azure Front Door e o Gateway de Aplicativo para proteger aplicativos HTTP/S. 
Bloqueie o Gateway de Aplicativo para receber tráfego somente do Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Verifique se nenhum espaço de endereço IP sobreposto entre regiões do Azure e locais é usado.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "severity": "Média", - "text": "Use um firewall de aplicativo Web para verificar seu tráfego quando ele for exposto à Internet. 
Outra opção é usá-lo com o balanceador de carga ou com recursos que tenham recursos de firewall internos, como Gateway de Aplicativo ou soluções de terceiros.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "text": "Use endereços IP dos intervalos de alocação de endereços para Internets privadas (RFC 1918).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", - "severity": "Média", - "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais em que você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "Alto", + "text": "Certifique-se de que o espaço de endereço IP não seja 
desperdiçado, não crie redes virtuais desnecessariamente grandes (por exemplo, /16).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", - "severity": "Média", - "text": "Para evitar o vazamento de dados, use o Link Privado do Azure para acessar com segurança os recursos da plataforma como serviço, como Armazenamento de Blobs do Azure, Arquivos do Azure, Azure Data Lake Storage Gen2, Azure Data Factory e muito mais. O Ponto de Extremidade Privado do Azure também pode ajudar a proteger o tráfego entre VNets e serviços como Armazenamento do Azure, Backup do Azure e muito mais. O tráfego entre sua VNet e o serviço habilitado para Ponto de Extremidade Privado viaja pela rede global da Microsoft, o que impede sua exposição à Internet pública.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "Segurança" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", + "severity": "Alto", + "text": "Não use intervalos de endereços IP sobrepostos para sites de produção e recuperação de desastres.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", - "guid": 
"85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", + "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", + "service": "Public IP Addresses", "severity": "Alto", - "text": "Verifique se a rede acelerada do Azure está habilitada nas VMs usadas no aplicativo SAP e nas camadas do DBMS.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Desempenho" + "text": "Use SKU Standard e IPs com redundância de zona quando aplicável, os endereços IP públicos no Azure podem ser de SKU padrão, disponíveis como não zonal, zonal ou com redundância de zona. Os IPs com redundância de zona podem ser acessados em todas as zonas, resistindo a qualquer falha de zona única, fornecendo assim maior resiliência. 
", + "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", + "service": "DNS", "severity": "Média", - "text": "Verifique se as implantações internas do Azure Load Balancer estão configuradas para usar o DSR (Retorno Direto do Servidor). Essa configuração (Habilitando IP Flutuante) reduzirá a latência quando as configurações do balanceador de carga interno forem usadas para configurações de alta disponibilidade na camada DBMS.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Segurança" + "text": "Para ambientes em que a resolução de nomes no Azure é tudo o que é necessário, use o DNS Privado do Azure para resolução com uma zona delegada para resolução de nomes (como 'azure.contoso.com').", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": 
"https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", "severity": "Média", - "text": "Você pode usar o ASG (grupo de segurança do aplicativo) e as regras do NSG para definir listas de controle de acesso de segurança de rede entre o aplicativo SAP e as camadas do DBMS. Os ASGs agrupam máquinas virtuais para ajudar a gerenciar sua segurança.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "text": "Para ambientes em que a resolução de nomes no Azure e no local é necessária e não há nenhum serviço DNS corporativo existente, como o Active Directory, use o Resolvedor Privado de DNS do Azure para rotear solicitações de DNS para o Azure ou para servidores DNS locais.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "Alto", - "text": "Não há suporte para a colocação da camada de aplicativo SAP e do DBMS SAP em diferentes VNets do Azure que não estão emparelhadas.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Desempenho" - }, - { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "Média", - "text": "Para obter a latência de rede ideal com aplicativos SAP, considere usar grupos de posicionamento por proximidade do Azure.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Desempenho" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": 
"1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "Baixo", + "text": "Cargas de trabalho especiais que exigem e implantam seu próprio DNS (como o Red Hat OpenShift) devem usar sua solução de DNS preferida.", + "training": "https://learn.microsoft.com/training/courses/az-700t00", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", "severity": "Alto", - "text": "NÃO há suporte para executar uma camada do Servidor de Aplicativos SAP e uma camada do DBMS dividida entre o local e o Azure. Ambas as camadas precisam residir completamente no local ou no Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Desempenho" + "text": "Habilite o registro automático para o DNS do Azure para gerenciar automaticamente o ciclo de vida dos registros DNS para as máquinas virtuais implantadas em uma rede virtual.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "Alto", - "text": "Não é recomendável hospedar o DBMS (sistema de gerenciamento de banco de dados) e as camadas de aplicativo de sistemas SAP em VNets diferentes e conectá-los ao emparelhamento VNet devido aos custos substanciais que o tráfego de rede excessivo entre as camadas pode produzir. 
Recomendamos o uso de sub-redes na rede virtual do Azure para separar a camada de aplicativo SAP e a camada de DBMS.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Custar" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", + "service": "DNS", + "severity": "Média", + "text": "Implementar um plano para gerenciar a resolução de DNS entre várias regiões do Azure e quando os serviços fazem failover para outra região", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", - "severity": "Alto", - "text": "Se estiver usando o Load Balancer com sistemas operacionais convidados Linux, verifique se o parâmetro de rede Linux net.ipv4.tcp_timestamps está definido como 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Desempenho" + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", + "severity": "Média", + "text": "Use o Azure Bastion para se conectar com segurança à sua rede.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": 
"87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "severity": "Média", - "text": "Para implantações do SAP RISE/ECS, o emparelhamento virtual é a maneira preferencial de estabelecer conectividade com o ambiente existente do Azure do cliente. Tanto a rede virtual SAP quanto a(s) rede virtual(is) do cliente são protegidas com NSG (grupos de segurança de rede), permitindo a comunicação nas portas SAP e de banco de dados por meio do emparelhamento de rede virtual", + "text": "Use o Azure Bastion em uma sub-rede /26 ou maior.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "Alto", - "text": "Examine os backups de banco de dados do SAP HANA para VMs do Azure.", - "waf": "Custar" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", + "severity": "Média", + "text": "Use as políticas do 
Azure Front Door e do WAF para fornecer proteção global entre regiões do Azure para conexões HTTP/S de entrada para uma zona de destino.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "severity": "Média", - "text": "Examine o monitoramento interno do Site Recovery, quando usado para SAP.", - "waf": "Custar" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "Baixo", + "text": "Ao usar o Azure Front Door e o Gateway de Aplicativo do Azure para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Azure Front Door. 
Bloqueie o Gateway de Aplicativo do Azure para receber tráfego somente do Azure Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", "severity": "Alto", - "text": "Revise as diretrizes Monitorando o cenário do sistema SAP HANA.", - "waf": "Operações" + "text": "Quando WAFs e outros proxies reversos forem necessários para conexões HTTP/S de entrada, implante-os em uma rede virtual de zona de destino e junto com os aplicativos que eles estão protegendo e expondo à Internet.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", - "severity": "Média", - "text": "Examine o Oracle Database nas estratégias de backup de VM Linux do Azure.", - "waf": "Operações" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "Alto", + "text": "Use os planos de Rede ou Proteção de IP do Azure contra DDoS para ajudar a proteger os pontos de extremidade de endereços IP públicos nas redes virtuais.", + 
"training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "severity": "Média", - "text": "Examine o uso do Armazenamento de Blobs do Azure com o SQL Server 2016.", - "waf": "Operações" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "Alto", + "text": "Planeje como gerenciar a configuração e a estratégia de tráfego de saída da rede antes da próxima alteração significativa. Em 30 de setembro de 2025, o acesso de saída padrão para novas implantações será desativado e somente configurações de acesso explícito serão permitidas.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", - "severity": "Média", - "text": "Examine o uso do Backup Automatizado v2 para VMs do Azure.", - "waf": "Operações" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "Alto", + "text": "Adicione configurações de diagnóstico para salvar logs relacionados a DDoS para todos os endereços IP públicos protegidos (IP DDoS ou Proteção de Rede).", + "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", "severity": "Alto", - "text": "Habilitando o acelerador de gravação para a série M ao usar discos premium (V1)", - "waf": "Operações" + "text": "Verifique se há uma atribuição de política para negar endereços IP públicos diretamente vinculados a máquinas virtuais. Use exclusões se IPs públicos forem necessários em VMs específicas.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "Média", - "text": "Teste a latência da zona de disponibilidade.", + "text": "Use o ExpressRoute como a conexão principal com o Azure. 
Use VPNs como fonte de conectividade de backup.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "Você pode usar o prefixo AS-path e pesos de conexão para influenciar o tráfego do Azure para o local e toda a gama de atributos BGP em seus próprios roteadores para influenciar o tráfego do local para o Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "severity": "Média", - "text": "Ative o SAP EarlyWatch Alert para todos os componentes SAP.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Desempenho" + "text": "Ao usar vários circuitos do ExpressRoute ou vários locais locais, use atributos BGP para otimizar o roteamento.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, 
subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", "severity": "Média", - "text": "Revise a latência do servidor de aplicativos SAP para o servidor de banco de dados usando o relatório SAP ABAPMeter /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", + "text": "Selecione o SKU correto para os gateways ExpressRoute/VPN com base nos requisitos de largura de banda e desempenho.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", - "severity": "Média", - "text": "Revise o monitoramento de desempenho do SQL Server usando o CCMS.", - "waf": "Desempenho" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Verifique se você está usando circuitos do ExpressRoute de dados ilimitados somente se atingir a largura de banda que justifica seu custo.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Custar" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", - "severity": "Média", - "text": "Teste a latência de rede entre VMs da camada de aplicativo SAP e VMs do DBMS (NIPING).", - "training": 
"https://me.sap.com/notes/1100926/E", - "waf": "Desempenho" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Aproveite o SKU local do ExpressRoute para reduzir o custo de seus circuitos, se o local de emparelhamento de circuito der suporte às regiões do Azure para o SKU Local.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Custar" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", 
"severity": "Média", - "text": "Revise os alertas do SAP HANA Studio.", - "waf": "Desempenho" + "text": "Implante um gateway do ExpressRoute com redundância de zona nas regiões do Azure com suporte.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "Média", - "text": "Execute verificações de integridade do SAP HANA usando HANA_Configuration_Minichecks.", + "text": "Para cenários que exigem largura de banda superior a 10 Gbps ou portas dedicadas de 10/100 Gbps, use o ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", "severity": "Média", - "text": "Se você executar VMs do Windows e do Linux no Azure, localmente ou em outros ambientes de nuvem, poderá usar o Centro de gerenciamento de atualizações na Automação do Azure para gerenciar atualizações do sistema operacional, incluindo patches de segurança.", - "training": 
"https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "Segurança" + "text": "Quando a baixa latência for necessária ou a taxa de transferência do local para o Azure precisar ser maior que 10 Gbps, habilite o FastPath para ignorar o gateway do ExpressRoute do caminho de dados.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", "severity": "Média", - "text": "Revise rotineiramente as notas de OSS de segurança do SAP porque o SAP lança patches de segurança altamente críticos, ou hot fixes, que exigem ação imediata para proteger seus sistemas SAP.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "Segurança" + "text": "Use gateways de VPN com redundância de zona para conectar branches ou locais remotos ao Azure (quando disponível).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Baixo", - "text": "Para SAP no SQL Server, você pode 
desabilitar a conta de administrador do sistema do SQL Server porque os sistemas SAP no SQL Server não usam a conta. Certifique-se de que outro usuário com direitos de administrador do sistema possa acessar o servidor antes de desabilitar a conta original de administrador do sistema.", - "waf": "Segurança" + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", + "severity": "Média", + "text": "Use dispositivos VPN redundantes locais (ativo/ativo ou ativo/passivo).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "severity": "Alto", - "text": "Desative xp_cmdshell. O recurso SQL Server xp_cmdshell habilita um shell de comando do sistema operacional interno do SQL Server. 
É um risco potencial em auditorias de segurança.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "Segurança" + "text": "Se estiver usando o ExpressRoute Direct, considere usar circuitos locais do ExpressRoute para as regiões locais do Azure para economizar custos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Custar" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Alto", - "text": "A criptografia de servidores de banco de dados SAP HANA no Azure usa a tecnologia de criptografia nativa do SAP HANA. Além disso, se você estiver usando o SQL Server no Azure, use a TDE (Transparent Data Encryption) para proteger seus dados e arquivos de log e garantir que seus backups também sejam criptografados.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", + "severity": "Média", + "text": "Quando o isolamento de tráfego ou a largura de banda dedicada for necessária, como para separar ambientes de produção e não produção, use circuitos diferentes do ExpressRoute. 
Ele ajudará você a garantir domínios de roteamento isolados e aliviar os riscos de vizinhos barulhentos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", "severity": "Média", - "text": "A criptografia do Armazenamento do Azure está habilitada para todas as contas de armazenamento clássicas e do Azure Resource Manager e não pode ser desabilitada. Como seus dados são criptografados por padrão, você não precisa modificar seu código ou aplicativos para usar a criptografia do Armazenamento do Azure.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "Segurança" + "text": "Monitore a disponibilidade e a utilização do ExpressRoute usando o Express Route Insights interno.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", - "severity": "Alto", - "text": "Usar o Azure Key Vault para armazenar seus segredos e credenciais", - "training": 
"https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Segurança" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", + "severity": "Média", + "text": "Use o Monitor da Conexão para monitoramento de conectividade em toda a rede, especialmente entre o local e o Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", "severity": "Média", - "text": "É recomendável BLOQUEAR os Recursos do Azure após a implantação bem-sucedida para proteger contra alterações não autorizadas. 
Você também pode impor restrições e regras de LOCK por assinatura usando políticas personalizadas do Azure (função personalizada).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "Segurança" + "text": "Use circuitos do ExpressRoute de diferentes locais de emparelhamento para redundância.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "Média", - "text": "Provisione o Azure Key Vault com as políticas de exclusão reversível e limpeza habilitadas para permitir a proteção de retenção para objetos excluídos.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Segurança" - }, - { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", - "severity": "Alto", - "text": "Com base nos requisitos existentes, controles regulatórios e de conformidade (internos/externos) – determine quais políticas do Azure e a função RBAC do Azure são necessárias", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "Segurança" + "text": "Use a VPN site a site como failover do ExpressRoute, se estiver usando apenas um único circuito do ExpressRoute.", + "training": 
"https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "severity": "Alto", - "text": "Ao habilitar o Microsoft Defender para Ponto de Extremidade no ambiente SAP, recomendamos excluir dados e arquivos de log em servidores DBMS em vez de direcionar todos os servidores. 
Siga as recomendações do fornecedor do DBMS ao excluir arquivos de destino.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "Segurança" + "text": "Se você estiver usando uma tabela de rotas no GatewaySubnet, certifique-se de que as rotas de gateway sejam propagadas.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "severity": "Alto", - "text": "Delegue uma função personalizada de administrador do SAP com acesso just-in-time do Microsoft Defender para Nuvem.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "Segurança" - }, - { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Baixo", - "text": "criptografar dados em trânsito integrando o produto de segurança de terceiros com comunicações de rede seguras (SNC) para DIAG (SAP GUI), RFC e SPNEGO para HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "Segurança" + "text": "Se estiver usando o ExpressRoute, o roteamento local deverá ser dinâmico: no caso de uma falha de conexão, ele deverá convergir para a 
conexão restante do circuito. A carga deve ser compartilhada entre ambas as conexões, idealmente como ativa/ativa, embora ativa/passiva também seja suportada.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", "severity": "Média", - "text": "Padrão para chaves gerenciadas pela Microsoft para funcionalidade de criptografia principal e use chaves gerenciadas pelo cliente quando necessário.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Segurança" - }, - { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "severity": "Alto", - "text": "Use um Azure Key Vault por aplicativo por ambiente por região.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Segurança" + "text": "Verifique se os dois links físicos do circuito do ExpressRoute estão conectados a dois dispositivos de borda distintos em sua rede.", + "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "Alto", - "text": "Para controlar e gerenciar chaves e segredos de criptografia de disco para sistemas operacionais Windows e Windows não HANA, use o Azure Key Vault. Não há suporte para o SAP HANA com o Azure Key Vault, portanto, você deve usar métodos alternativos, como chaves SAP ABAP ou SSH.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Segurança" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", + "severity": "Média", + "text": "Certifique-se de que a Detecção de Encaminhamento Bidirecional (BFD) esteja habilitada e configurada em dispositivos de roteamento de borda do cliente ou provedor.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", "severity": "Alto", - "text": "Personalizar funções RBAC (controle de acesso baseado em função) para assinaturas SAP on Azure spoke para evitar alterações 
acidentais relacionadas à rede", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "Segurança" + "text": "Conecte o Gateway do ExpressRoute a dois ou mais circuitos de diferentes locais de emparelhamento para maior resiliência.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", - "severity": "Alto", - "text": "Isole DMZs e NVAs do restante da propriedade SAP, configure o Link Privado do Azure e gerencie e controle com segurança os recursos do SAP no Azure", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Segurança" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", + "severity": "Média", + "text": "Configure logs de diagnóstico e alertas para o gateway de rede virtual do ExpressRoute.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "Baixo", - "text": "Considere usar o software antimalware da Microsoft no Azure para proteger suas máquinas virtuais contra arquivos mal-intencionados, adware e outras ameaças.", - "training": 
"https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Segurança" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", + "severity": "Média", + "text": "Não use circuitos do ExpressRoute para comunicação VNet para VNet.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", "severity": "Baixo", - "text": "Para obter uma proteção ainda mais poderosa, considere usar Microsoft Defender para Ponto de Extremidade.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "Segurança" + "text": "Não envie o tráfego do Azure para locais híbridos para inspeção. 
Em vez disso, siga o princípio \"o tráfego no Azure permanece no Azure\" para que a comunicação entre os recursos no Azure ocorra por meio da rede de backbone da Microsoft.", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", "severity": "Alto", - "text": "Isole o aplicativo SAP e os servidores de banco de dados da Internet ou da rede local passando todo o tráfego pela rede virtual do hub, que está conectada à rede spoke por emparelhamento de rede virtual. As redes virtuais emparelhadas garantem que a solução SAP no Azure seja isolada da Internet pública.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "Segurança" - }, - { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Baixo", - "text": "Para aplicativos voltados para a Internet, como o SAP Fiori, certifique-se de distribuir a carga por requisitos do aplicativo, mantendo os níveis de segurança. 
Para segurança de Camada 7, você pode usar um WAF (Firewall de Aplicativo Web) de terceiros disponível no Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "text": "Use o Firewall do Azure para controlar o tráfego de saída do Azure para a Internet, conexões de entrada não HTTP/S e filtragem de tráfego Leste/Oeste (se a organização exigir).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", "severity": "Média", - "text": "Para habilitar a comunicação segura no Azure Monitor para soluções SAP, você pode optar por usar um certificado raiz ou um certificado de servidor. É altamente recomendável que você use certificados raiz.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "Crie uma política global de Firewall do Azure para controlar a postura de segurança em todo o ambiente de rede global e atribua-a a todas as instâncias do Firewall do Azure. 
Permita que políticas granulares atendam aos requisitos de regiões específicas delegando políticas de firewall incrementais às equipes de segurança locais por meio do controle de acesso baseado em função do Azure.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "O Barramento de Serviço Premium do Azure fornece criptografia de dados em repouso. Se você usar sua própria chave, os dados ainda serão criptografados usando a chave gerenciada pela Microsoft, mas, além disso, a chave gerenciada pela Microsoft será criptografada usando a chave gerenciada pelo cliente. ", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", "severity": "Baixo", - "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "A comunicação entre um aplicativo cliente e um namespace do Barramento de Serviço do Azure é criptografada usando TLS (Transport Layer Security). Os namespaces do Barramento de Serviço do Azure permitem que os clientes enviem e recebam dados com TLS 1.0 e superior. 
Para impor medidas de segurança mais rígidas, você pode configurar o namespace do Barramento de Serviço para exigir que os clientes enviem e recebam dados com uma versão mais recente do TLS.", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", - "severity": "Média", - "text": "Impor uma versão mínima necessária do TLS (Transport Layer Security) para solicitações ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "Configure provedores de segurança SaaS de parceiros compatíveis no Firewall Manager se a organização quiser usar essas soluções para ajudar a proteger as conexões de saída.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Quando você cria um namespace do Barramento de Serviço, uma regra SAS chamada RootManageSharedAccessKey é criada automaticamente para o namespace. Essa política tem permissões de gerenciamento para todo o namespace. É recomendável que você trate essa regra como uma conta raiz administrativa e não a use em seu aplicativo. É recomendável usar o AAD como um provedor de autenticação com RBAC. 
", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", - "severity": "Média", - "text": "Evite usar a conta root quando não for necessário", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", + "severity": "Alto", + "text": "Use regras de aplicativo para filtrar o tráfego de saída no nome do host de destino para protocolos com suporte. Use regras de rede baseadas em FQDN e Firewall do Azure com proxy DNS para filtrar o tráfego de saída para a Internet em outros protocolos.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Um aplicativo cliente do Barramento de Serviço em execução dentro de um aplicativo do Serviço de Aplicativo do Azure ou em uma máquina virtual com entidades gerenciadas habilitadas para suporte a recursos do Azure não precisa lidar com regras e chaves SAS ou quaisquer outros tokens de acesso. O aplicativo cliente só precisa do endereço do ponto de extremidade do namespace do Sistema de Mensagens do Barramento de Serviço. 
", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", - "service": "Service Bus", - "severity": "Média", - "text": "Quando possível, seu aplicativo deve usar uma identidade gerenciada para se autenticar no Barramento de Serviço do Azure. Caso contrário, considere ter a credencial de armazenamento (SAS, credencial de entidade de serviço) no Azure Key Vault ou em um serviço equivalente", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "Alto", + "text": "Use o Firewall do Azure Premium para habilitar recursos de segurança adicionais.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", "waf": "Segurança" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Ao criar permissões, forneça controle refinado sobre o acesso de um cliente ao Barramento de Serviço do Azure. As permissões no Barramento de Serviço do Azure podem e devem ter como escopo o nível de recurso individual, por exemplo, fila, tópico ou assinatura. 
", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", "severity": "Alto", - "text": "Usar o RBAC do plano de dados com privilégios mínimos", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Configure o modo de Inteligência contra Ameaças do Firewall do Azure como Alerta e Negação para proteção adicional.", "waf": "Segurança" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Os logs de recursos do Barramento de Serviço do Azure incluem logs operacionais, logs de rede virtual e filtragem de IP. Os logs de auditoria de tempo de execução capturam informações de diagnóstico agregadas para várias operações de acesso ao plano de dados (como enviar ou receber mensagens) no Barramento de Serviço.", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", - "severity": "Média", - "text": "Habilite o registro em log para investigação de segurança. 
Usar o Azure Monitor para rastrear logs de recursos e logs de auditoria de runtime (atualmente disponível apenas na camada premium)", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", + "severity": "Alto", + "text": "Configure o modo IDPS do Firewall do Azure como Negar para proteção adicional.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", "waf": "Segurança" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Por padrão, o Barramento de Serviço do Azure tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem que o tráfego entre sua rede virtual e o Barramento de Serviço do Azure atravesse a rede de backbone da Microsoft. Além disso, você deve desabilitar os endpoints públicos se eles não forem usados. 
", - "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", - "service": "Service Bus", - "severity": "Média", - "text": "Considere usar pontos de extremidade privados para acessar o Barramento de Serviço do Azure e desabilitar o acesso à rede pública quando aplicável.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", + "severity": "Alto", + "text": "Para sub-redes em VNets não conectadas à WAN Virtual, anexe uma 
tabela de rotas para que o tráfego da Internet seja redirecionado para o Firewall do Azure ou uma Solução de Virtualização de Rede.", "waf": "Segurança" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Com o firewall IP, você pode restringir ainda mais o endpoint público a apenas um conjunto de endereços IPv4 ou intervalos de endereços IPv4 na notação CIDR (Classless Inter-Domain Routing). ", - "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", - "service": "Service Bus", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", "severity": "Média", - "text": "Considere permitir apenas o acesso ao namespace do Barramento de Serviço do Azure de endereços IP ou intervalos específicos", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Segurança" + "text": "Adicione configurações de diagnóstico para salvar logs, usando a tabela de destino Específico do Recurso, para todas as implantações do Firewall do Azure.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operações" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Aplicar as diretrizes do parâmetro de comparação de segurança de nuvem da Microsoft relacionado ao armazenamento", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", - "severity": "Média", - "text": "Considere a 'linha de base de segurança do Azure para armazenamento'", - "waf": "Segurança" + 
"arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + "severity": "Alto", + "text": "Migre das regras clássicas do Firewall do Azure (se houver) para a Política de Firewall.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operações" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Por padrão, o Armazenamento do Azure tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem expor com segurança o Armazenamento do Azure apenas aos recursos de Computação do Azure que precisam de acesso, eliminando assim a exposição à Internet pública", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", "severity": "Alto", - "text": "Considere usar pontos de extremidade privados para o Armazenamento do Azure", + "text": "Use um prefixo /26 para suas sub-redes do Firewall do Azure.", + "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-firewall/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "As contas de armazenamento recém-criadas são criadas usando o modelo de implantação do ARM, para que o RBAC, a auditoria etc. estejam habilitados. Verifique se não há contas de armazenamento antigas com o modelo de implantação clássico em uma assinatura", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "severity": "Média", - "text": "Verifique se as contas de armazenamento mais antigas não estão usando o \"modelo de implantação clássico\"", - "waf": "Segurança" + "text": "Organize as regras dentro da política de firewall em Grupos de Coleção de Regras e Coleções de Regras e com base em sua frequência de uso.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Aproveite o Microsoft Defender para saber mais sobre atividades suspeitas e configurações incorretas.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "Alto", - "text": "Habilitar o Microsoft Defender para todas as suas contas de armazenamento", - "waf": "Segurança" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing 
Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", + "severity": "Média", + "text": "Use grupos de IP ou prefixos de IP para reduzir o número de regras de tabela de IP.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "O mecanismo de exclusão reversível permite recuperar blobs excluídos acidentalmente.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", "severity": "Média", - "text": "Habilitar 'exclusão reversível' para blobs", - "waf": "Segurança" + "text": "Não use curingas como um IP de origem para DNATS, como * ou any, você deve especificar IPs de origem para DNATs de entrada.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Considere desabilitar seletivamente a \"exclusão reversível\" para determinados contêineres de blob, por exemplo, se o aplicativo precisar garantir que as informações excluídas sejam excluídas imediatamente, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. 
", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", "severity": "Média", - "text": "Desabilitar a 'exclusão reversível' para blobs", - "waf": "Segurança" + "text": "Evite o esgotamento da porta SNAT monitorando o uso da porta SNAT, avaliando as configurações do NAT Gateway e garantindo um failover contínuo. Se a contagem de portas se aproximar do limite, é um sinal de que o esgotamento do SNAT pode ser iminente.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A exclusão reversível para contêineres permite que você recupere um contêiner depois que ele foi excluído, por exemplo, recuperar de uma operação de exclusão acidental.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "severity": "Alto", - "text": "Habilitar 'exclusão reversível' para contêineres", - "waf": "Segurança" + "text": "Se você estiver usando o Firewall do Azure Premium, habilite a Inspeção TLS.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Considere 
desabilitar seletivamente a \"exclusão reversível\" para determinados contêineres de blob, por exemplo, se o aplicativo precisar garantir que as informações excluídas sejam excluídas imediatamente, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", + "severity": "Baixo", + "text": "Use categorias da Web para permitir ou negar o acesso de saída a tópicos específicos.", + "waf": "Desempenho" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", "severity": "Média", - "text": "Desabilitar a 'exclusão reversível' para contêineres", + "text": "Como parte da inspeção TLS, planeje o recebimento de tráfego dos Gateways de Aplicativo do Azure para inspeção.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", + "waf": "Desempenho" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", + "severity": "Média", + "text": 
"Habilite a configuração de proxy DNS do Firewall do Azure.", + "training": "https://learn.microsoft.com/training/courses/az-700t00/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Impede a exclusão acidental de uma conta de armazenamento, forçando o usuário a remover primeiro o bloqueio de exclusão, antes da exclusão", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", "severity": "Alto", - "text": "Habilitar bloqueios de recursos em contas de armazenamento", - "waf": "Segurança" + "text": "Integre o Firewall do Azure ao Azure Monitor e habilite o log de diagnóstico para armazenar e analisar logs e métricas de firewall.", + "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "waf": "Operações" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "Baixo", + "text": "Implementar backups para suas regras de firewall", + "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "waf": "Operações" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Considere as políticas de 'retenção legal' ou 'retenção baseada em tempo' para blobs, de modo que seja impossível excluir o blob, o contêiner ou a conta de armazenamento. 
Observe que 'impossível' na verdade significa 'impossível'; depois que uma conta de armazenamento contém um blob imutável, a única maneira de \"se livrar\" dessa conta de armazenamento é cancelando a assinatura do Azure.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", + "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", + "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", + "service": "Firewall", "severity": "Alto", - "text": "Considere blobs imutáveis", - "waf": "Segurança" + "text": "Implante o Firewall do Azure em várias zonas de disponibilidade. O Firewall do Azure oferece SLAs diferentes, dependendo de sua implantação; em uma única zona de disponibilidade ou em várias, melhorando potencialmente a confiabilidade e o desempenho.", + "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Considere desabilitar o acesso HTTP/80 desprotegido à conta de armazenamento, para que todas as transferências de dados sejam criptografadas, protegidas por integridade e o servidor seja autenticado. 
", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", + "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", + "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", + "service": "Firewall", "severity": "Alto", - "text": "Exigir HTTPS, ou seja, desabilitar a porta 80 na conta de armazenamento", - "waf": "Segurança" + "text": "Configure a Proteção contra DDoS na VNet do Firewall do Azure, associe um plano de proteção contra DDoS à rede virtual que hospeda o Firewall do Azure para fornecer mitigação aprimorada contra ataques de DDoS. O Gerenciador de Firewall do Azure integra a criação de infraestrutura de firewall e planos de proteção contra DDoS. 
", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Ao configurar um domínio personalizado (nome do host) em uma conta de armazenamento, verifique se você precisa de TLS/HTTPS; nesse caso, talvez seja necessário colocar a CDN do Azure na frente de sua conta de armazenamento.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", "severity": "Alto", - "text": "Ao impor HTTPS (desabilitando o HTTP), verifique se você não usa domínios personalizados (CNAME) para a conta de armazenamento.", + "text": "Não interrompa a comunicação do painel de controle para serviços de PaaS do Azure injetados em redes virtuais, como com uma rota 0.0.0.0/0 ou uma regra NSG que bloqueia o tráfego do painel de controle.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Exigir HTTPS quando um cliente usa um token SAS para acessar dados de blob ajuda a minimizar o risco de perda de credenciais.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "service": 
"ExpressRoute", "severity": "Média", - "text": "Limitar tokens de assinatura de acesso compartilhado (SAS) apenas a conexões HTTPS", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": ". A imposição da versão mais recente do TLS rejeitará a solicitação de clientes que usam a versão mais antiga. ", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", - "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", - "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", - "service": "Azure Storage", - "severity": "Alto", - "text": "Impor a versão mais recente do TLS para uma conta de armazenamento", + "text": "Acesse os serviços de PaaS do Azure localmente por meio de pontos de extremidade privados e emparelhamento privado do ExpressRoute. 
Esse método evita o trânsito pela Internet pública.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Os tokens de ID do Microsoft Entra devem ser favorecidos em relação às assinaturas de acesso compartilhado, sempre que possível", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", "severity": "Alto", - "text": "Usar tokens de ID do Microsoft Entra para acesso a blobs", + "text": "Não habilite pontos de extremidade de serviço de rede virtual por padrão em todas as sub-redes.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Ao atribuir uma função a um usuário, grupo ou aplicativo, conceda a essa entidade de segurança apenas as permissões necessárias para que ela execute suas tarefas. 
Limitar o acesso aos recursos ajuda a evitar o uso indevido não intencional e mal-intencionado de seus dados.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", "severity": "Média", - "text": "Privilégios mínimos em permissões de IaM", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Uma SAS de delegação de usuário é protegida com credenciais do Azure Active Directory (Azure AD) e também pelas permissões especificadas para a SAS. Uma SAS de delegação de usuário é análoga a uma SAS de serviço em termos de escopo e função, mas oferece benefícios de segurança em relação à SAS de serviço. ", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "Alto", - "text": "Ao usar SAS, prefira 'SAS de delegação de usuário' em vez de SAS baseada em chave de conta de armazenamento.", + "text": "Filtre o tráfego de saída para os serviços de PaaS do Azure usando FQDNs em vez de endereços IP no Firewall do Azure ou em uma NVA para evitar a exfiltração de dados. 
Se estiver usando o Link Privado, você poderá bloquear todos os FQDNs, caso contrário, permita apenas os serviços de PaaS necessários.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "As chaves da conta de armazenamento (\"chaves compartilhadas\") têm muito poucos recursos de auditoria. Embora possa ser monitorado em quem/quando buscou uma cópia das chaves, uma vez que as chaves estão nas mãos de várias pessoas, é impossível atribuir o uso a um usuário específico. Confiar apenas na autenticação do Entra ID facilita o acesso ao armazenamento a um usuário. ", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", "severity": "Alto", - "text": "Considere desabilitar as chaves da conta de armazenamento, para que haja 
suporte apenas para o acesso à ID do Microsoft Entra (e à SAS de delegação de usuário).", + "text": "Utilize pelo menos um prefixo /27 para as sub-redes do Gateway.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Use os dados do Log de Atividades para identificar \"quando\", \"quem\", \"o quê\" e \"como\" a segurança da sua conta de armazenamento está sendo exibida ou alterada (ou seja, chaves da conta de armazenamento, políticas de acesso etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", 
"severity": "Alto", - "text": "Considere usar o Azure Monitor para auditar as operações do painel de controle na conta de armazenamento", + "text": "Não confie nas regras padrão de entrada do NSG usando a marca de serviço VirtualNetwork para limitar a conectividade.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Uma política de expiração de chave permite que você defina um lembrete para a rotação das chaves de acesso da conta. O lembrete é exibido se o intervalo especificado tiver decorrido e as teclas ainda não tiverem sido giradas.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", "severity": "Média", - "text": "Ao usar chaves de conta de armazenamento, considere habilitar uma 'política de expiração de chave'", + "text": "Use NSGs para ajudar a proteger o tráfego entre sub-redes, bem como o tráfego leste/oeste na plataforma (tráfego entre zonas de destino).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": 
"Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Uma política de expiração de SAS especifica um intervalo recomendado durante o qual a SAS é válida. As políticas de expiração de SAS se aplicam a uma SAS de serviço ou a uma SAS de conta. Quando um usuário gera SAS de serviço ou uma SAS de conta com um intervalo de validade maior que o intervalo recomendado, ele verá um aviso.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "severity": "Média", - "text": "Considere configurar uma política de expiração de SAS", + "text": "Use NSGs e grupos de segurança de aplicativos para microssegmentar o tráfego dentro da zona de destino e evite usar uma NVA central para filtrar fluxos de tráfego.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "As políticas de acesso armazenadas oferecem a opção de revogar permissões para uma SAS de serviço sem precisar regenerar as chaves da conta de armazenamento. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", "severity": "Média", - "text": "Considere vincular SAS a uma política de acesso armazenada", + "text": "Habilite os Logs de Fluxo de VNet e alimente-os na Análise de Tráfego para obter insights sobre fluxos de tráfego internos e externos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "Microsoft.Network/networkSecurityGroups", + 
"checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "severity": "Média", - "text": "Considere configurar o repositório de código-fonte do aplicativo para detectar cadeias de conexão e chaves de conta de armazenamento com check-in.", - "waf": "Segurança" + "text": "Não implemente mais de 900 regras de NSG por NSG, devido ao limite de 1000 regras.", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Idealmente, seu aplicativo deve usar uma identidade gerenciada para autenticar no Armazenamento do Azure. 
Se isso não for possível, considere ter a credencial de armazenamento (cadeia de conexão, chave da conta de armazenamento, SAS, credencial da entidade de serviço) no Azure KeyVault ou em um serviço equivalente.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere armazenar cadeias de conexão no Azure KeyVault (em cenários em que as identidades gerenciadas não são possíveis)", - "waf": "Segurança" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", + "severity": "Média", + "text": "Use a WAN Virtual se o cenário estiver explicitamente descrito na lista de designs de roteamento da WAN Virtual.", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "Operações" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Use tempos de expiração de curto prazo em uma SAS de serviço SAS ad hoc ou SAS de conta. Dessa forma, mesmo que uma SAS seja comprometida, ela é válida apenas por um curto período de tempo. Essa prática é especialmente importante se você não puder fazer referência a uma política de acesso armazenada. 
Os tempos de expiração de curto prazo também limitam a quantidade de dados que podem ser gravados em um blob, limitando o tempo disponível para carregar nele.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "Alto", - "text": "Esforce-se por períodos de validade curtos para SAS ad-hoc", - "waf": "Segurança" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", + "severity": "Média", + "text": "Use um hub de WAN Virtual por região do Azure para conectar várias zonas de destino entre regiões do Azure por meio de uma WAN Virtual do Azure global comum.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Ao criar uma SAS, seja o mais específico e restritivo possível. 
Prefira uma SAS para um único recurso e operação em vez de uma SAS que oferece acesso muito mais amplo.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", "severity": "Média", - "text": "Aplicar um escopo restrito a uma SAS", + "text": "Para proteção e filtragem de tráfego de saída da Internet, implante o Firewall do Azure em hubs seguros.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Uma SAS pode incluir parâmetros nos quais os endereços IP do cliente ou intervalos de endereços estão autorizados a solicitar um recurso usando a SAS. 
", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", "severity": "Média", - "text": "Considere definir o escopo da SAS para um endereço IP de cliente específico, sempre que possível", - "waf": "Segurança" + "text": "Verifique se a arquitetura de rede da WAN virtual está alinhada a um cenário de arquitetura identificado.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Uma SAS não pode restringir a quantidade de dados que um cliente carrega; Dado o modelo de preços da quantidade de armazenamento ao longo do tempo, pode fazer sentido validar se os clientes carregaram conteúdos maliciosamente grandes.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "Baixo", - "text": "Considere verificar os dados carregados depois que os clientes usaram uma SAS para carregar um arquivo. 
", - "waf": "Segurança" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", + "severity": "Média", + "text": "Use o Azure Monitor Insights para WAN Virtual para monitorar a topologia de ponta a ponta da WAN Virtual, o status e as principais métricas.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Operações" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Ao acessar o armazenamento de blobs por meio do SFTP usando uma \"conta de usuário local\", os controles RBAC \"usuais\" não se aplicam. O acesso a blobs via NFS ou REST pode ser mais restritivo do que o acesso SFTP. Infelizmente, a partir do início de 2023, os usuários locais são a única forma de gerenciamento de identidade com suporte atual para o endpoint SFTP", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", - "severity": "Alto", - "text": "SFTP: limite a quantidade de \"usuários locais\" para acesso SFTP e audite se o acesso é necessário ao longo do tempo.", - "waf": "Segurança" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", + "severity": "Média", + "text": "Não desabilite o tráfego branch a branch na WAN Virtual, a menos que 
esses fluxos devam ser bloqueados explicitamente.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", "severity": "Média", - "text": "SFTP: o endpoint SFTP não oferece suporte a ACLs semelhantes a POSIX.", - "waf": "Segurança" + "text": "Use AS-Path como preferência de roteamento de hub, pois é mais flexível que ExpressRoute ou VPN.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "O armazenamento oferece suporte ao CORS (Cross-Origin Resource Sharing), ou seja, um recurso HTTP que permite que aplicativos Web de um domínio diferente afrouxem a política de mesma origem. 
Ao habilitar o CORS, mantenha as CorsRules com o menor privilégio.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", + "severity": "Média", + "text": "Configure a propagação baseada em rótulos na WAN Virtual, caso contrário, a conectividade entre hubs virtuais será prejudicada.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Fiabilidade" + }, + { + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "severity": "Alto", - "text": "Evite políticas de CORS excessivamente amplas", - "waf": "Segurança" + "text": "Atribua pelo menos um prefixo /23 a hubs virtuais para garantir que haja espaço IP suficiente disponível.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Os dados em repouso são sempre criptografados no lado do servidor e, além disso, também podem ser criptografados no lado do cliente. 
A criptografia do lado do servidor pode ocorrer usando uma chave gerenciada pela plataforma (padrão) ou uma chave gerenciada pelo cliente. A criptografia do lado do cliente pode acontecer fazendo com que o cliente forneça uma chave de criptografia/descriptografia por blob para o armazenamento do Azure ou manipulando completamente a criptografia no lado do cliente. portanto, não dependendo do Armazenamento do Azure para garantias de confidencialidade.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Alto", - "text": "Determine como os dados em repouso devem ser criptografados. Entenda o modelo de thread para dados.", + "text": "Aproveite o Azure Policy estrategicamente, defina controles para seu ambiente, usando Iniciativas de Política para agrupar políticas relacionadas.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Média", - "text": "Determine qual/se a criptografia de plataforma deve ser 
usada.", + "text": "Mapeie os requisitos regulatórios e de conformidade para definições do Azure Policy e atribuições de função do Azure.", + "training": "https://learn.microsoft.com/training/modules/governance-security/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Média", - "text": "Determine qual/se a criptografia do lado do cliente deve ser usada.", + "text": "Estabeleça definições do Azure Policy no grupo de gerenciamento raiz intermediário para que elas possam ser atribuídas em escopos herdados.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Aproveite o Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para localizar contas de armazenamento que permitem acesso anônimo a blobs.", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing 
Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Alto", - "text": "Considere se o acesso anônimo de blob público é necessário ou se ele pode ser desabilitado para determinadas contas de armazenamento. ", + "text": "Gerencie atribuições de política no nível apropriado mais alto com exclusões nos níveis inferiores, se necessário.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", - "severity": "Alto", - "text": "Aproveite um tipo de conta storagev2 para melhor desempenho e confiabilidade", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "Baixo", + "text": "Use o Azure Policy para controlar quais serviços os usuários podem provisionar no nível da assinatura/grupo de gerenciamento.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": 
"https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Alto", - "text": "Aproveite o armazenamento GRS, ZRS ou GZRS para obter a mais alta disponibilidade", - "waf": "Fiabilidade" + "text": "Use políticas internas sempre que possível para minimizar a sobrecarga operacional.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "description": "Atribuir a função Colaborador de Política de Recursos a escopos específicos permite delegar o gerenciamento de políticas a equipes relevantes. Por exemplo, uma equipe central de TI pode supervisionar as políticas no nível do grupo de gerenciamento, enquanto as equipes de aplicativos lidam com as políticas de suas assinaturas, permitindo a governança distribuída com adesão aos padrões organizacionais.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "severity": "Média", - "text": "Para operação de gravação após o failover, use o failover gerenciado pelo cliente ", - "waf": "Fiabilidade" + "text": "Atribua a função interna de Colaborador de Política de Recursos em um escopo específico para habilitar a governança no nível do aplicativo.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": 
"https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Média", - "text": "Entender os detalhes do failover gerenciado pela Microsoft", - "waf": "Fiabilidade" + "text": "Limite o número de atribuições do Azure Policy feitas no escopo do grupo de gerenciamento raiz para evitar o gerenciamento por meio de exclusões em escopos herdados.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "severity": "Média", - "text": "Habilitar exclusão reversível", - "waf": "Fiabilidade" + "text": "Se houver requisitos de soberania de dados, as Políticas do Azure deverão ser implantadas para aplicá-los.", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - 
"service": "App Services", - "severity": "Baixo", - "text": "Consulte a arquitetura de aplicativo Web com redundância de zona altamente disponível da linha de base para obter as práticas recomendadas", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", + "severity": "Média", + "text": "Para a Zona de Destino Soberana, implante a linha de base da política de soberania e atribua no nível correto do grupo de gerenciamento.", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "severity": "Média", - "text": "Use as camadas Premium e Standard. 
Esses níveis oferecem suporte a slots de preparo e backups automatizados.", - "waf": "Fiabilidade" + "text": "Para Zona de Aterrissagem Soberana, documente os objetivos de Controle Soberano para mapeamento de políticas.", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", - "severity": "Alto", - "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente (requer a camada Premium v2 ou v3)", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", + "severity": "Média", + "text": "Para a Zona de Aterrissagem Soberana, certifique-se de que o processo esteja em vigor para o gerenciamento de 'Objetivos de Controle Soberano para mapeamento de políticas'.", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", + "service": "Monitor", "severity": "Média", - "text": "Implementar verificações de integridade", - "waf": "Fiabilidade" + "text": "Use um workspace de logs de monitor único para gerenciar plataformas centralmente, exceto quando o RBAC (controle de acesso baseado em função) do Azure, os 
requisitos de soberania de dados ou as políticas de retenção de dados exigirem workspaces separados.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", - "severity": "Alto", - "text": "Consulte as práticas recomendadas de backup e restauração para o Serviço de Aplicativo do Azure", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", + "severity": "Média", + "text": "Decida se deseja usar um único workspace de Logs do Azure Monitor para todas as regiões ou criar vários workspaces para abranger várias regiões geográficas. 
Cada abordagem tem vantagens e desvantagens, incluindo possíveis cobranças de rede entre regiões", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "severity": "Alto", - "text": "Implementar práticas recomendadas de confiabilidade do Serviço de Aplicativo do Azure", - "waf": "Fiabilidade" + "text": "Exporte logs para o Armazenamento do Azure se os requisitos de retenção de log excederem doze anos. 
Use o armazenamento imutável com uma política de gravação única e leitura múltipla para tornar os dados não apagáveis e não modificáveis por um intervalo especificado pelo usuário.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "Baixo", - "text": "Familiarizar-se com como mover um aplicativo do Serviço de Aplicativo para outra região durante um desastre", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", + "severity": "Média", + "text": "Monitore o descompasso de configuração da VM (máquina virtual) no nível do sistema operacional usando o Azure Policy. 
Habilitar os recursos de auditoria da Configuração de Computador do Gerenciamento Automatizado do Azure por meio da política ajuda as cargas de trabalho da equipe de aplicativos a consumir imediatamente os recursos de recursos com pouco esforço.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", - "severity": "Alto", - "text": "Familiarizar-se com o suporte de confiabilidade no Serviço de Aplicativo do Azure", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", + "service": "VM", + "severity": "Média", + "text": "Use o Azure Update Manager como um mecanismo de aplicação de patch para VMs Windows e Linux no Azure.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "Média", - "text": "Verifique se \"Sempre 
Ativo\" está habilitado para Aplicativos de Função em execução em um plano de serviço de aplicativo", - "waf": "Fiabilidade" + "text": "Use o Gerenciador de Atualizações do Azure como um mecanismo de aplicação de patch para VMs do Windows e do Linux fora do Azure usando o Azure Arc.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "microsoft.network/networkWatchers", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "severity": "Média", - "text": "Monitorar instâncias do Serviço de Aplicativo usando verificações de integridade", - "waf": "Fiabilidade" + "text": "Use o Observador de Rede para monitorar proativamente os fluxos de tráfego.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", "severity": "Média", - "text": "Monitorar a disponibilidade e a capacidade de resposta do aplicativo Web ou site usando testes de disponibilidade do Application 
Insights", - "waf": "Fiabilidade" + "text": "Use os Logs do Azure Monitor para obter insights e relatórios.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", - "severity": "Baixo", - "text": "Usar o teste Application Insights Standard para monitorar a disponibilidade e a capacidade de resposta do aplicativo Web ou site", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "Média", + "text": "Use alertas do Azure Monitor para a geração de alertas operacionais.", + "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use o Cofre de Chaves do Azure para armazenar quaisquer segredos de que o aplicativo precisa. 
O Cofre de Chaves fornece um ambiente seguro e auditado para armazenar segredos e está bem integrado ao Serviço de Aplicativo por meio do SDK do Cofre de Chaves ou das Referências do Cofre de Chaves do Serviço de Aplicativo.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "Alto", - "text": "Usar o Cofre de Chaves para armazenar segredos", - "waf": "Segurança" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", + "severity": "Média", + "text": "Ao usar o Acompanhamento de Alterações e Inventário por meio de Contas de Automação do Azure, verifique se você selecionou regiões com suporte para vincular seu workspace do Log Analytics e contas de automação.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use uma Identidade Gerenciada para se conectar ao Cofre de Chaves usando o SDK do Cofre de Chaves ou por meio das Referências do Cofre de Chaves do Serviço de Aplicativo.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "Alto", - "text": "Usar a Identidade Gerenciada para se conectar ao Cofre de Chaves", - "waf": "Segurança" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", + "severity": "Baixo", + "text": "Ao usar o Backup do Azure, 
use os tipos de backup corretos (GRS, ZRS E LRS) para o backup, pois a configuração padrão é GRS.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Armazene o certificado TLS do Serviço de Aplicativo no Cofre de Chaves.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", - "severity": "Alto", - "text": "Use o Cofre de Chaves para armazenar o certificado TLS.", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", + "severity": "Média", + "text": "Use as políticas de convidado do Azure para implantar automaticamente as configurações de software por meio de extensões de VM e impor uma configuração de VM de linha de base compatível.", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Os sistemas que processam informações confidenciais devem ser isolados. 
Para fazer isso, use Planos do Serviço de Aplicativo ou Ambientes do Serviço de Aplicativo separados e considere o uso de assinaturas ou grupos de gerenciamento diferentes.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "description": "Use os recursos de configuração de convidado do Azure Policy para auditar e corrigir as configurações do computador (por exemplo, sistema operacional, aplicativo, ambiente) para garantir que os recursos estejam alinhados com as configurações esperadas e que o Gerenciamento de Atualizações possa impor o gerenciamento de patches para VMs.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", "severity": "Média", - "text": "Isolar sistemas que processam informações confidenciais", + "text": "Monitore o descompasso de configuração de segurança da VM por meio do Azure Policy.", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Os discos locais no Serviço de Aplicativo não são criptografados e os dados confidenciais não devem ser armazenados neles. 
(Por exemplo: D:\\\\Local e %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "severity": "Média", - "text": "Não armazene dados confidenciais no disco local", - "waf": "Segurança" + "text": "Use o Azure Site Recovery para cenários de recuperação de desastre de Máquinas Virtuais do Azure para o Azure. Isso permite replicar cargas de trabalho entre regiões.", + "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Para aplicativos Web autenticados, use um Provedor de Identidade bem estabelecido, como o Azure AD ou o Azure AD B2C. 
Aproveite a estrutura de aplicativo de sua escolha para se integrar a esse provedor ou use o recurso de Autenticação/Autorização do Serviço de Aplicativo.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", "severity": "Média", - "text": "Usar um provedor de identidade estabelecido para autenticação", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Implante código no Serviço de Aplicativo a partir de um ambiente controlado e confiável, como um pipeline de implantação de DevOps bem gerenciado e seguro. Isso evita que o código que não foi controlado por versão e verificado para ser implantado a partir de um host mal-intencionado.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", - "severity": "Alto", - "text": "Implantar a partir de um ambiente confiável", - "waf": "Segurança" + "text": "Use recursos de backup nativos do Azure ou uma solução de backup de terceiros compatível com o Azure.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Desative a autenticação básica para FTP/FTPS e WebDeploy/SCM. Isso desabilita o acesso a esses serviços e impõe o uso de pontos de extremidade protegidos do Azure AD para implantação. 
Observe que o site do SCM também pode ser aberto usando credenciais do Azure AD.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "severity": "Alto", - "text": "Desabilitar a autenticação básica", - "waf": "Segurança" + "text": "Adicione configurações de diagnóstico para salvar logs do WAF de serviços de entrega de aplicativos, como o Azure Front Door e o Gateway de Aplicativo do Azure. Revise regularmente os logs para verificar se há ataques e detecções de falsos positivos.", + "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Sempre que possível, use a Identidade Gerenciada para se conectar aos recursos protegidos do Azure AD. 
Se isso não for possível, armazene segredos no Cofre de Chaves e conecte-se ao Cofre de Chaves usando uma Identidade Gerenciada.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "severity": "Alto", - "text": "Usar a Identidade Gerenciada para se conectar a recursos", - "waf": "Segurança" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", + "severity": "Média", + "text": "Envie logs do WAF de seus serviços de entrega de aplicativos, como o Azure Front Door e o Gateway de Aplicativo do Azure, para o Microsoft Sentinel. Detecte ataques e integre a telemetria do WAF ao seu ambiente geral do Azure.", + "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", + "waf": "Operações" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Onde estiver usando imagens armazenadas no Registro de Contêiner do Azure, extraia-as usando uma Identidade Gerenciada.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "Alto", - "text": "Extrair contêineres usando uma identidade gerenciada", + "text": "Use o Azure Key Vault para armazenar seus segredos e credenciais.", + 
"training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Ao definir as configurações de diagnóstico do Serviço de Aplicativo, você pode enviar toda a telemetria para o Log Analytics como o destino central para registro em log e monitoramento. Isso permite que você monitore a atividade de tempo de execução do Serviço de Aplicativo, como logs HTTP, logs de aplicativos, logs de plataforma, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "severity": "Média", - "text": "Enviar logs de tempo de execução do Serviço de Aplicativo para o Log Analytics", + "text": "Use diferentes Azure Key Vaults para diferentes aplicativos e regiões para evitar limites de escala de transação e restringir o acesso a segredos.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - 
"checklist": "Azure App Service Review", - "description": "Configure uma configuração de diagnóstico para enviar o log de atividades para o Log Analytics como o destino central para registro e monitoramento. Isso permite que você monitore a atividade do plano de controle no próprio recurso do Serviço de Aplicativo.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Média", - "text": "Enviar logs de atividade do Serviço de Aplicativo para o Log Analytics", + "text": "Provisione o Azure Key Vault com as políticas de exclusão reversível e limpeza habilitadas para permitir a proteção de retenção para objetos excluídos.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Controle o acesso à rede de saída usando uma combinação de integração regional de VNet, grupos de segurança de rede e UDR's. O tráfego deve ser roteado para um NVA, como o Firewall do Azure. 
Certifique-se de monitorar os logs do Firewall.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Média", - "text": "O acesso à rede de saída deve ser controlado", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Você pode fornecer um IP de saída estável usando a integração de rede virtual e um gateway NAT de rede virtual ou um NVA como o Firewall do Azure. Isso permite que a parte receptora permita uma lista com base no IP, caso seja necessário. Observe que, para comunicações com os Serviços do Azure, geralmente não há necessidade de depender do endereço IP e mecânicas como Pontos de Extremidade de Serviço devem ser usadas. 
(Além disso, o uso de pontos de extremidade privados na extremidade de recebimento evita que o SNAT aconteça e fornece um intervalo de IP de saída estável.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "Baixo", - "text": "Garantir um IP estável para comunicações de saída para endereços de Internet", + "text": "Siga um modelo de privilégios mínimos limitando a autorização para excluir permanentemente chaves, segredos e certificados a funções personalizadas especializadas de ID do Microsoft Entra.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Controle o acesso à rede de entrada usando uma combinação de Restrições de Acesso do Serviço de Aplicativo, Pontos de Extremidade de Serviço ou Pontos de Extremidade Privados. 
Diferentes restrições de acesso podem ser necessárias e configuradas para o próprio aplicativo Web e o site do SCM.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "Alto", - "text": "O acesso à rede de entrada deve ser controlado", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Média", + "text": "Automatize o processo de gerenciamento e renovação de certificados com autoridades de certificação públicas para facilitar a administração.", + "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Proteja-se contra tráfego de entrada mal-intencionado usando um Firewall de Aplicativo Web, como o Gateway de Aplicativo ou o Azure Front Door. 
Certifique-se de monitorar os logs do WAF.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "severity": "Alto", - "text": "Usar um WAF na frente do Serviço de Aplicativo", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Média", + "text": "Estabeleça um processo automatizado para rotação de chaves e certificados.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Certifique-se de que o WAF não pode ser ignorado bloqueando o acesso apenas ao WAF. Use uma combinação de Restrições de Acesso, Pontos de Extremidade de Serviço e Pontos de Extremidade Privados.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "Alto", - "text": "Evite que o WAF seja ignorado", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Média", + "text": "Habilite o firewall e o ponto de extremidade de serviço de rede virtual ou o ponto de extremidade privado no cofre para controlar o acesso ao cofre de chaves.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - 
"description": "Defina a política TLS mínima como 1.2 na configuração do Serviço de Aplicativo.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "Média", - "text": "Definir a política TLS mínima como 1.2", + "text": "Use o workspace do Log Analytics do Azure Monitor central da plataforma para auditar o uso de chave, certificado e segredo em cada instância do Key Vault.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure o Serviço de Aplicativo para usar somente HTTPS. Isso faz com que o Serviço de Aplicativo redirecione de HTTP para HTTPS. 
Considere fortemente o uso de HTTP Strict Transport Security (HSTS) em seu código ou a partir de seu WAF, que informa aos navegadores que o site só deve ser acessado usando HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "severity": "Alto", - "text": "Usar somente HTTPS", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Média", + "text": "Delegue a instanciação e o acesso privilegiado do Key Vault e use o Azure Policy para impor uma configuração consistente e compatível.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Não use curingas em sua configuração do CORS, pois isso permite que todas as origens acessem o serviço (derrotando assim o propósito do CORS). 
Especificamente, permita apenas as origens que você espera poder acessar o serviço.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", - "severity": "Alto", - "text": "Curingas não devem ser usados para CORS", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Média", + "text": "Use um Azure Key Vault por aplicativo por ambiente por região.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "A depuração remota não deve ser ativada na produção, pois isso abre portas adicionais no serviço, o que aumenta a superfície de ataque. Observe que o serviço ativa a depuração remota automaticamente após 48 horas.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "severity": "Alto", - "text": "Desativar a depuração remota", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Média", + "text": "Se você quiser trazer suas próprias chaves, isso pode não ser compatível com todos os serviços considerados. 
Implemente mitigação relevante para que as inconsistências não prejudiquem os resultados desejados. Escolha pares de regiões apropriados e regiões de recuperação de desastre que minimizem a latência.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Habilite o Defender para o Serviço de Aplicativo. Isso (entre outras ameaças) detecta comunicações com endereços IP mal-intencionados conhecidos. Analise as recomendações do Defender for App Service como parte de suas operações.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "severity": "Média", - "text": "Habilitar o Defender for Cloud - Defender for App Service", + "text": "Para a Zona de Destino Soberana, use o HSM gerenciado do Azure Key Vault para armazenar seus segredos e credenciais.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "O Azure fornece proteção contra DDoS Basic em sua rede, que pode ser aprimorada com recursos inteligentes de DDoS Standard que aprendem sobre padrões normais de tráfego e podem detectar comportamentos incomuns. 
O DDoS Standard se aplica a uma Rede Virtual, portanto, ele deve ser configurado para o recurso de rede na frente do aplicativo, como o Application Gateway ou um NVA.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "severity": "Média", - "text": "Habilitar o padrão de proteção DDOS na rede virtual WAF", + "text": "Use os recursos de relatório de ID do Microsoft Entra para gerar relatórios de auditoria de controle de acesso.", + "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Ao usar imagens armazenadas no Registro de Contêiner do Azure, extraia-as por uma rede virtual do Registro de Contêiner do Azure usando seu ponto de extremidade privado e a configuração do aplicativo 'WEBSITE_PULL_IMAGE_OVER_VNET'.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", - "severity": "Média", - "text": "Extrair contêineres por uma rede virtual", + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", + "severity": "Alto", + "text": "Habilite o Gerenciamento de Postura de Segurança de Nuvem do Defender para todas as assinaturas.", + "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", "waf": "Segurança" }, 
{ - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Realizar um teste de penetração na aplicação web seguindo as regras de teste de penetração de engajamento.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "severity": "Média", - "text": "Realizar um teste de penetração", + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", + "severity": "Alto", + "text": "Habilite um Plano de Proteção de Carga de Trabalho de Nuvem do Defender para Servidores em todas as assinaturas.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Implante código confiável que foi validado e verificado em busca de vulnerabilidades de acordo com as práticas de DevSecOps.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", - "severity": "Média", - "text": "Implantar código validado", + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "Alto", + "text": "Habilite os Planos de Proteção de Carga de Trabalho de Nuvem do Defender para Recursos do Azure em todas as assinaturas.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App 
Service Review", - "description": "Use as versões mais recentes de plataformas, linguagens de programação, protocolos e estruturas suportadas.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "Alto", - "text": "Use plataformas, linguagens, protocolos e frameworks atualizados", + "text": "Habilite o Endpoint Protection em servidores IaaS.", + "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "Média", - "text": "Implementar uma política de tratamento de erros em nível global", - "waf": "Operações" + "text": "Monitore o descompasso de aplicação de patch do sistema operacional base por meio dos Logs do Azure Monitor e do Defender para Nuvem.", + "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": 
"https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "Média", - "text": "Certifique-se de que todas as políticas de APIs incluam um elemento .", - "waf": "Operações" + "text": "Conecte as configurações de recursos padrão a um workspace centralizado do Log Analytics do Azure Monitor.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", + "guid": "a56888b2-7e83-4404-bd31-b886528502d1", + "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", + "service": "Entra", + "severity": "Alto", + "text": "Detecção centralizada de ameaças com logs correlacionados - consolide 
os dados de segurança em um local central onde possam ser correlacionados em vários serviços via SIEM (gerenciamento de eventos e informações de segurança)", + "waf": "Segurança" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "severity": "Média", - "text": "Usar fragmentos de política para evitar a repetição das mesmas definições de políticas em várias APIs", - "waf": "Operações" + "text": "Para Zona de Destino Soberana, habilite os logs de transparência no locatário da ID do Entra.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "Média", - "text": "Se você estiver planejando monetizar suas APIs, consulte o artigo 'suporte à monetização' para obter as práticas recomendadas", - "waf": "Operações" + "text": "Para Zona de Destino Soberana, habilite o Sistema de Proteção de Dados do cliente no locatário da ID do Entra.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + 
"service": "Storage", "severity": "Alto", - "text": "Habilitar Configurações de Diagnóstico para exportar logs para o Azure Monitor", - "waf": "Operações" + "text": "Habilite a transferência segura para contas de armazenamento.", + "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", - "severity": "Média", - "text": "Habilite o Application Insights para telemetria mais detalhada", - "waf": "Operações" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "severity": "Alto", + "text": "Habilite a exclusão reversível do contêiner para a conta de armazenamento para recuperar um contêiner excluído e seu conteúdo.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", "severity": "Alto", - "text": "Configurar alertas sobre as métricas mais críticas", + "text": "Use segredos do Key Vault para evitar codificar informações confidenciais, como credenciais 
(máquinas virtuais, senhas de usuário), certificados ou chaves.", + "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", "waf": "Operações" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Certifique-se de que os certificados SSL personalizados sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", - "waf": "Segurança" + "text": "Siga as proteções do Metaprompting para uma IA razoável", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Proteger solicitações de entrada para APIs (plano de dados) com o Azure AD", - "waf": 
"Segurança" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", - "severity": "Média", - "text": "Usar o Microsoft Entra ID para autenticar usuários no Portal do Desenvolvedor", - "waf": "Segurança" + "text": "Considere padrões de gateway com APIM ou soluções como AI central para melhor limitação de taxa, balanceamento de carga, autenticação e registro", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", - "severity": "Média", - "text": "Criar grupos apropriados para controlar a visibilidade dos produtos", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Habilitar o monitoramento para suas instâncias AOAI", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", - "severity": "Média", - "text": "Use o recurso Back-ends para eliminar configurações redundantes de back-end de API", - "waf": "Operações" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Crie alertas para notificar as equipes sobre eventos, como uma entrada no log de atividades criada por uma ação executada no recurso, como regenerar suas chaves de assinatura ou um limite de métrica, como o número de erros que excedem 10 em uma hora", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", - "severity": "Média", - "text": "Usar Valores Nomeados para armazenar valores comuns que podem ser usados em políticas", - "waf": "Operações" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Monitore o uso do token para evitar interrupções de serviço devido à capacidade", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "severity": "Média", - "text": "Para DR, aproveite o nível premium com implantações dimensionadas em duas ou mais regiões para um SLA de 99,99%", - "waf": "Fiabilidade" + "text": "Observe 
métricas como tokens de inferência processados, monitoramento de tokens de conclusão gerados para limite de taxa", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", - "severity": "Média", - "text": "Implante pelo menos uma unidade em duas ou mais zonas de disponibilidade para um SLA aumentado de 99,99%", - "waf": "Fiabilidade" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", + "severity": "Baixo", + "text": "Se o diagnóstico não for suficiente para você, considere usar um gateway como o Gerenciamento de API do Azure na frente do Azure OpenAI para registrar prompts de entrada e respostas de saída, quando permitido", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Verifique se há uma rotina de backup automatizada", - "waf": "Fiabilidade" + "text": "Usar a infraestrutura como código para implantar o serviço OpenAI do 
Azure, implantações de modelo e todos os recursos relacionados", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", - "severity": "Média", - "text": "Use Políticas para adicionar uma URL de back-end de failover e cache para reduzir chamadas com falha.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Usar a autenticação do Microsoft Entra com identidade gerenciada em vez de chave de API", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "Baixo", - "text": "Se você precisar registrar em níveis de alto desempenho, considere a política de Hubs de Eventos", - "waf": "Operações" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Avalie o desempenho/precisão do sistema com um conjunto de dados dourado conhecido que tenha as entradas e as respostas corretas. 
Aproveite os recursos do PromptFlow para avaliação.", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", - "severity": "Média", - "text": "Aplicar políticas de limitação para controlar o número de solicitações por segundo", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Avaliar o uso do modelo de taxa de transferência provisionada ", "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", - "severity": "Média", - "text": "Configurar o dimensionamento automático para dimensionar o número de instâncias quando a carga aumenta", - "waf": "Desempenho" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Examinar e implementar a segurança de conteúdo do Azure AI", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", - "severity": "Média", - "text": "Implante gateways auto-hospedados onde o Azure não tem uma região próxima às APIs de back-end.", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Defina e avalie a taxa de transferência do sistema com base em tokens e resposta por minuto e alinhe-se aos requisitos", "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "Azure OpenAI", "severity": "Média", - "text": "Use a camada premium para cargas de trabalho de produção.", - "waf": "Fiabilidade" + "text": "Melhore a latência do sistema limitando os tamanhos dos tokens, as opções de streaming", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "severity": "Média", - "text": "No modelo de várias regiões, use Políticas para rotear as solicitações para back-ends regionais com base na disponibilidade ou latência.", - "waf": "Fiabilidade" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", - "severity": "Alto", - "text": "Esteja atento aos limites da APIM", - "waf": "Fiabilidade" + "text": "Estime as demandas de elasticidade para determinar a segregação de solicitações síncronas e em lote com base na prioridade. Para alta prioridade, use a abordagem síncrona e, para baixa prioridade, o processamento em lote assíncrono com fila é preferível", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Certifique-se de que as implantações de gateway auto-hospedado sejam resilientes.", - "waf": "Fiabilidade" + "text": "Compare os requisitos de consumo de token com base nas demandas estimadas dos consumidores. 
Considere usar a ferramenta de benchmarking OpenAI do Azure para ajudá-lo a validar a taxa de transferência se você estiver usando implantações de Unidade de Produtividade Provisionada", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "Média", - "text": "Usar o Azure Front Door na frente do APIM para implantação em várias regiões", + "text": "Se você estiver usando PTUs (Unidades de Produtividade Provisionadas), considere implantar uma implantação de token por minuto (TPM) para solicitações de estouro. 
Use um gateway para rotear solicitações para a implantação do TPM quando os limites de PTU forem atingidos.", "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", - "severity": "Média", - "text": "Implantar o serviço em uma rede virtual (VNet)", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Escolha o modelo certo para a tarefa certa. Escolha modelos com a compensação certa entre velocidade, qualidade de resposta e complexidade de saída", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "severity": "Média", - "text": "Implante NSG (grupos de segurança de rede) em suas sub-redes para restringir ou monitorar o tráfego de/para APIM.", - "waf": "Segurança" + "text": "Tenha uma linha de base para o desempenho sem ajuste fino para saber se o ajuste fino 
melhorou ou não o desempenho do modelo", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", - "severity": "Média", - "text": "Implante pontos de extremidade privados para filtrar o tráfego de entrada quando o APIM não for implantado em uma rede virtual.", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", + "severity": "Baixo", + "text": "Implantar várias instâncias de OAI em regiões", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Desabilitar o acesso à rede pública", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - 
"link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", - "severity": "Média", - "text": "Simplifique o gerenciamento com scripts de automação do PowerShell", - "waf": "Operações" + "text": "Implemente novas tentativas e verificações de integridade com o padrão de Gateway como APIM", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", + "service": "Azure OpenAI", "severity": "Média", - "text": "Configure APIM via Infrastructure-as-code. 
Analise as práticas recomendadas de DevOps do Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operações" + "text": "Garantir que tenha cotas adequadas de TPM e RPM para a carga de trabalho", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": "Azure OpenAI", "severity": "Média", - "text": "Promover o uso da extensão API do Visual Studio Code para um desenvolvimento de API mais rápido", - "waf": "Operações" + "text": "Revise as considerações nas diretrizes do kit de ferramentas HAI e aplique essas práticas de interação para a análise", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Azure OpenAI", "severity": "Média", - "text": "Implemente DevOps e CI/CD em seu fluxo de trabalho", - "waf": "Operações" + "text": "Implantar modelos ajustados separados entre regiões se o ajuste fino for empregado", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": 
"b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77a1f893-5bda-4433-84f2-4811633182ba", + "link": "https://learn.microsoft.com/azure/backup/backup-overview", + "service": "Azure OpenAI", "severity": "Média", - "text": "APIs seguras usando autenticação de certificado de cliente", - "waf": "Segurança" + "text": "Faça backup e replique regularmente dados críticos para garantir a disponibilidade e a capacidade de recuperação dos dados em caso de perda de dados ou falhas do sistema. Aproveite os serviços de backup e recuperação de desastre do Azure para proteger seus dados.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", - "severity": "Média", - "text": "Serviços de back-end seguros usando autenticação de certificado de cliente", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "As camadas de serviço de pesquisa de IA do Azure devem ser escolhidas para ter um SLA ", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", - "severity": "Média", - "text": "Consulte o artigo 
\"Recomendações para mitigar as 10 principais ameaças da segurança da API OWASP\" e verifique o que é aplicável às suas APIs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", + "link": "https://learn.microsoft.com/purview/purview", + "service": "Azure OpenAI", + "severity": "Baixo", + "text": "Classifique os dados e a confidencialidade, rotulando com o Microsoft Purview antes de gerar as inserções e certifique-se de tratar as inserções geradas com a mesma confidencialidade e classificação", "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", - "severity": "Média", - "text": "Usar o recurso Autorizações para simplificar o gerenciamento do token OAuth 2.0 para suas APIs de back-end", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Criptografar dados usados para RAG com criptografia SSE/Disco com BYOK opcional", "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", + "link": "https://learn.microsoft.com/azure/search/search-security-overview", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Use a versão 
mais recente do TLS ao criptografar informações em trânsito. Desative protocolos e cifras desatualizados e desnecessários quando possível.", + "text": "Certifique-se de que o TLS seja aplicado para dados em trânsito entre fontes de dados, pesquisa de IA usada para RG (Geração Aumentada por Recuperação) e comunicação LLM", "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Certifique-se de que os segredos (valores nomeados) sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", + "text": "Use o RBAC para gerenciar o acesso aos serviços do OpenAI do Azure. 
Atribua permissões apropriadas aos usuários e restrinja o acesso com base em suas funções e responsabilidades", "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", + "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", + "service": "Azure OpenAI", "severity": "Média", - "text": "Use identidades gerenciadas para autenticar em outros recursos do Azure sempre que possível", + "text": "Implemente técnicas de criptografia, mascaramento ou redação de dados para ocultar dados confidenciais ou substituí-los por valores ofuscados em ambientes de não produção ou ao compartilhar dados para fins de teste ou solução de problemas", "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Usar o WAF (Web Application Firewall) implantando o Application Gateway na frente do APIM", + 
"text": "Utilize o Azure Defender para detectar e responder a ameaças de segurança e configurar mecanismos de monitoramento e alerta para identificar atividades suspeitas ou violações. Aproveite o Azure Sentinel para detecção e resposta avançadas a ameaças", "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "Alto", - "text": "Selecione o plano de hospedagem de função certo com base em seus requisitos de negócios e SLO", - "waf": "Fiabilidade" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", + "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Estabeleça políticas de retenção e descarte de dados para cumprir os regulamentos de conformidade. 
Implemente métodos de exclusão segura para dados que não são mais necessários e mantenha uma trilha de auditoria das atividades de retenção e descarte de dados", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Aproveitar zonas de disponibilidade quando aplicável regionalmente (não disponível para a camada de consumo)", - "waf": "Fiabilidade" + "text": "Implementar proteções imediatas e detecção de aterramento usando a Segurança de conteúdo ", + "waf": "Excelência Operacional" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", - "severity": "Média", - "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", - "waf": "Fiabilidade" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", + "link": "https://learn.microsoft.com/azure/compliance/", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Garanta a conformidade com os regulamentos de proteção de dados relevantes, como GDPR ou HIPAA, implementando controles de privacidade e obtendo os consentimentos ou permissões necessários para atividades de processamento de dados.", + 
"waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "Alto", - "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", - "waf": "Fiabilidade" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Eduque seus funcionários sobre as melhores práticas de segurança de dados, a importância de lidar com dados com segurança e os possíveis riscos associados a violações de dados. Incentive-os a seguir os protocolos de segurança de dados diligentemente.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Verifique se 'Sempre Ativado' está habilitado para todos os Aplicativos de Função em execução no Plano do Serviço de Aplicativo", - "waf": "Fiabilidade" + "text": "Mantenha os dados de produção separados dos dados de desenvolvimento e teste. 
Use apenas dados confidenciais reais na produção e utilize dados anônimos ou sintéticos em ambientes de desenvolvimento e teste.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", + "service": "Azure OpenAI", "severity": "Média", - "text": "Emparelhe um aplicativo de função com sua própria conta de armazenamento. Tente não reutilizar contas de armazenamento para aplicativos de função, a menos que eles estejam firmemente acoplados", - "waf": "Fiabilidade" + "text": "Se você tiver níveis variados de confidencialidade de dados, considere criar índices separados para cada nível. Por exemplo, você pode ter um índice para dados gerais e outro para dados confidenciais, cada um regido por diferentes protocolos de acesso", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", + "service": "Azure OpenAI", "severity": "Média", - "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código do Aplicativo de Função", - "waf": "Operações" + "text": "Leve a segregação um passo adiante, colocando conjuntos de dados confidenciais em diferentes instâncias do serviço. 
Cada instância pode ser controlada com seu próprio conjunto específico de políticas RBAC", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Aproveitar zonas de disponibilidade, se aplicável regionalmente (isso é habilitado automaticamente)", - "waf": "Fiabilidade" + "text": "Reconheça que incorporações e vetores gerados a partir de informações confidenciais são eles próprios sensíveis. Esses dados devem receber as mesmas medidas de proteção que o material de origem", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "Média", - "text": "Esteja ciente dos failovers iniciados pela Microsoft. 
Eles são exercidos pela Microsoft em raras situações para fazer failover de todos os hubs IoT de uma região afetada para a região geo-emparelhada correspondente.",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Aplique o RBAC aos armazenamentos de dados com incorporações e vetores e acesso ao escopo com base nos requisitos de acesso da função",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr",
- "service": "IoT",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas",
- "waf": "Fiabilidade"
+ "text": "Configurar o ponto de extremidade privado para serviços de IA para restringir o acesso ao serviço em sua rede",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
- "service": "IoT",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Saiba como acionar um failover manual.",
- "waf": "Fiabilidade"
+ "text": "Imponha um controle estrito de tráfego de entrada e saída com o Firewall do Azure e UDRs e limite os pontos de integração externos",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
- "service": "IoT",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Saiba como fazer failback após um failover.",
- "waf": "Fiabilidade"
+ "text": "Implemente segmentação de rede e controles de acesso para restringir o acesso ao aplicativo LLM apenas a usuários e sistemas autorizados e evitar movimentos laterais",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot",
- "service": "Bot service",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
 "severity": "Média",
- "text": "Siga as recomendações de suporte de confiabilidade no Serviço de Bot do Azure",
- "waf": "Fiabilidade"
+ "text": "Use ferramentas de compactação imediatas como LLMLingua ou gprtrim",
+ "waf": "Otimização de custos"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a",
- "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization",
- "service": "Bot service",
- "severity": "Média",
- "text": "Implantando bots com residência de dados local e conformidade regional",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Certifique-se de que as APIs e os endpoints usados pelo aplicativo LLM estejam devidamente protegidos com mecanismos de autenticação e autorização, como identidades gerenciadas, chaves de API ou OAuth, para impedir o acesso não autorizado.",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography",
- "service": "Bot service",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
 "severity": "Média",
- "text": "O Serviço de Bot do Azure é executado no modo ativo-ativo para serviços globais e regionais. Quando ocorre uma paralisação, você não precisa detectar erros ou gerenciar o serviço. O Serviço de Bot do Azure executa automaticamente o failover automático e a recuperação automática em uma arquitetura geográfica de várias regiões. Para o serviço regional de bot da UE, o Serviço de Bot do Azure fornece duas regiões completas dentro da Europa com replicação ativa/ativa para garantir redundância. Para o serviço de bot global, todas as regiões/geografias disponíveis podem ser servidas como a presença global.",
- "waf": "Fiabilidade"
+ "text": "Aplique mecanismos fortes de autenticação do usuário final, como autenticação multifator, para impedir o acesso não autorizado ao aplicativo LLM e aos recursos de rede associados",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Cost Optimization Checklist",
- "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
- "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
- "service": "Azure Monitor",
- "text": "Regras de coleta de dados no Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Implemente ferramentas de monitoramento de rede para detectar e analisar o tráfego de rede em busca de atividades suspeitas ou maliciosas. Habilite o registro para capturar eventos de rede e facilitar a análise forense em caso de incidentes de segurança",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "45901365-d38e-443f-abcb-d868266abca2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
- "service": "Azure Backup",
- "text": "Verificar instâncias de backup com a fonte de dados subjacente não encontrada",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Realize auditorias de segurança e testes de penetração para identificar e resolver quaisquer pontos fracos ou vulnerabilidades de segurança de rede na infraestrutura de rede do aplicativo LLM",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
- "service": "VM",
- "text": "Excluir ou arquivar serviços não associados (discos, nics, endereços IP etc.)",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "text": "Os Serviços de IA do Azure são marcados corretamente para melhor gerenciamento",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "service": "Azure Backup",
- "text": "Considere um bom equilíbrio entre recuperação de local, armazenamento e backup para aplicativos não essenciais",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "text": "As contas do Serviço de IA do Azure seguem as convenções de nomenclatura organizacional",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Cost Optimization Checklist",
- "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
- "service": "Azure Monitor",
- "text": "Verifique os gastos e as oportunidades de economia entre os 40 diferentes espaços de trabalho de análise de log - use retenção e coleta de dados diferentes para espaços de trabalho não prod - crie limite diário para reconhecimento e dimensionamento de camadas - Se você definir um limite diário, além de criar um alerta quando o limite for atingido, certifique-se de também criar uma regra de alerta para ser notificado quando alguma porcentagem for atingida (90%, por exemplo). - considerar a transformação do espaço de trabalho, se possível - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Os logs de diagnóstico nos recursos de serviços de IA do Azure devem ser habilitados",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Cost Optimization Checklist",
- "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "Azure Monitor",
- "text": "Impor uma política de log de limpeza e automação (se necessário, os logs podem ser movidos para armazenamento frio)",
- "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Recomenda-se que o acesso à chave (autenticação local) seja desabilitado por segurança. Depois de desabilitar o acesso baseado em chave, o Microsoft Entra ID se torna o único método de acesso, o que permite manter o princípio de privilégio mínimo e o controle granular. ",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "VM",
- "text": "Verifique se os discos são realmente necessários, se não: excluir. Se forem necessários, encontre níveis de armazenamento mais baixos ou use backup -",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Armazene e gerencie chaves com segurança usando o Azure Key Vault. Evite codificar ou inserir chaves confidenciais no código do aplicativo LLM e recuperá-las com segurança do Azure Key Vault usando identidades gerenciadas",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "Storage",
- "text": "Considere mover o armazenamento não utilizado para o nível inferior, com regra personalizada - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Gire e expire regularmente as chaves armazenadas no Azure Key Vault para minimizar o risco de acesso não autorizado.",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "VM",
- "text": "Verifique se o Advisor está configurado para o dimensionamento correto da VM ",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Use tiktoken para entender os tamanhos de token para otimizações de token no modo de conversação",
+ "waf": "Otimização de custos"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "description": "verifique pesquisando as Licenças de Categoria de Medidor na Análise de Custos",
- "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
- "service": "VM",
- "text": "executar o script em todas as VMs do Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- considere implementar uma diretiva se as VMs do Windows forem criadas com frequência",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Siga práticas de codificação segura para evitar vulnerabilidades comuns, como ataques de injeção, cross-site scripting (XSS) ou configurações incorretas de segurança",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
- "service": "VM",
- "text": " isso também pode ser colocado no AHUB se você já tiver licenças https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Configure um processo para atualizar e corrigir regularmente as bibliotecas LLM e outros componentes do sistema",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
- "service": "VM",
- "text": "Consolidar famílias de VM reservadas com opção de flexibilidade (não mais do que 4-5 famílias)",
- "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Aderir aos termos de uso, políticas e diretrizes do Azure OpenAI ou de outros LLMs e casos de uso permitidos",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
- "service": "VM",
- "text": "Utilize instâncias reservadas do Azure: esse recurso permite reservar VMs por um período de 1 ou 3 anos, proporcionando uma economia significativa em comparação com os preços do PAYG.",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Entender a diferença no custo de modelos básicos e modelos ajustados e tamanhos de etapa de token",
+ "waf": "Otimização de custos"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
- "service": "VM",
- "text": "Somente discos maiores podem ser reservados => 1 TiB -",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Solicitações em lote, sempre que possível, para minimizar a sobrecarga por chamada, o que pode reduzir os custos gerais. Certifique-se de otimizar o tamanho do lote",
+ "waf": "Otimização de custos"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
- "service": "VM",
- "text": "Após a otimização do dimensionamento correto",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Configure um sistema de rastreamento de custos que monitore o uso do modelo e use essas informações para ajudar a informar as escolhas do modelo e solicitar tamanhos",
+ "waf": "Otimização de custos"
 },
 {
- "arm-service": "Microsoft.Sql/servers",
- "checklist": "Cost Optimization Checklist",
- "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Azure SQL",
- "text": "Verifique se aplicável e aplique a política/alteração https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Defina um limite máximo para o número de tokens por resposta do modelo. Otimize o tamanho para garantir que seja grande o suficiente para uma resposta válida",
+ "waf": "Otimização de custos"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "VM",
- "text": "O desconto da peça de licença VM + (ahub + 3YRI) é de cerca de 70% de desconto",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Examine as diretrizes fornecidas sobre como configurar a pesquisa de IA para confiabilidade",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "VM",
- "text": "Considere o uso de um VMSS para corresponder à demanda em vez de dimensionamento simples",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Planejar e gerenciar o armazenamento de vetores do AI Search",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Cost Optimization Checklist",
- "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
- "service": "AKS",
- "text": "Use o autoscaler AKS para corresponder ao uso de clusters (verifique se os requisitos dos pods correspondem ao dimensionador)",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Aplique as práticas do LLMOps para automatizar o gerenciamento do ciclo de vida de seus aplicativos GenAI",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- "service": "Azure Backup",
- "text": "Mover pontos de recuperação para o vault-archive, quando aplicável (Validar)",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Avalie o uso de modelos de faturamento - PAYG vs PTU",
+ "waf": "Otimização de custos"
 },
 {
- "arm-service": "Microsoft.Databricks/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
- "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
- "service": "Databricks",
- "text": "Considere o uso de VMs spot com fallback sempre que possível. Considere o autotermination de clusters.",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Avaliar a qualidade de prompts e aplicativos ao alternar entre versões de modelo",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
- "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
- "service": "Azure Functions",
- "text": "Funções - Reutilizar conexões",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Avalie, monitore e refine seus aplicativos GenAI para recursos como fundamentação, relevância, precisão, coerência, fluência,",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
- "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
- "service": "Azure Functions",
- "text": "Funções - Armazenar dados em cache localmente",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Avaliar os resultados do Azure AI Search com base em diferentes parâmetros de pesquisa",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Azure Functions",
- "text": "Funções - Partidas a frio - Use a funcionalidade 'Executar do pacote'. Dessa forma, o código é baixado como um único arquivo zip. Isso pode, por exemplo, resultar em melhorias significativas com as funções Javascript, que possuem muitos módulos de nó. Use ferramentas específicas de linguagem para reduzir o tamanho do pacote, por exemplo, aplicativos Javascript que agitam árvores.",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Olhe para os modelos de ajuste fino como forma de aumentar a precisão somente quando você tiver tentado outras abordagens básicas, como engenharia rápida e RAG com seus dados",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
- "service": "Azure Functions",
- "text": "Funções - Mantenha suas funções aquecidas",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Use técnicas de engenharia rápida para melhorar a precisão das respostas do LLM",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Azure Functions",
- "text": "Ao usar o dimensionamento automático com funções diferentes, pode haver um que conduza todo o dimensionamento automático para todos os recursos - considere movê-lo para um plano de consumo separado (e considere um plano mais alto para a CPU)",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Equipe vermelha de seus aplicativos GenAI",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Forneça aos usuários finais opções de pontuação para respostas LLM e acompanhe essas pontuações. ",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
- "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
- "service": "Azure Functions",
- "text": "Os aplicativos de função em um determinado plano são todos dimensionados juntos, portanto, quaisquer problemas com o dimensionamento podem afetar todos os aplicativos no plano.",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Considere as práticas de gerenciamento de cotas",
+ "waf": "Otimização de custos"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
- "service": "Azure Functions",
- "text": "Sou cobrado por 'tempo de espera'? Essa pergunta geralmente é feita no contexto de uma função C# que faz uma operação assíncrona e aguarda o resultado, por exemplo, aguardar Task.Delay(1000) ou aguardar cliente. GetAsync('http://google.com'). A resposta é sim - o segundo cálculo de GB é baseado na hora de início e término da função e no uso de memória durante esse período. O que realmente acontece ao longo desse tempo em termos de atividade da CPU não é levado em consideração no cálculo. Uma exceção a essa regra é se você estiver usando funções duráveis. Você não é cobrado pelo tempo gasto em espera em funções de orquestrador.aplique técnicas de modelagem de demanda sempre que possível (ambientes de desenvolvimento?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
- "waf": "Custar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Use soluções de balanceador de carga, como gateway baseado em APIM, para balancear carga e capacidade entre serviços e regiões",
+ "waf": "Excelência Operacional"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Front Door",
- "text": "Frontdoor - Desativar a página inicial padrãoNas configurações do aplicativo do seu aplicativo, defina AzureWebJobsDisableHomepage como true. Isso retornará um 204 (Sem Conteúdo) para o PoP para que apenas os dados de cabeçalho sejam retornados.",
- "waf": "Custar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
+ "service": "App Services",
+ "severity": "Baixo",
+ "text": "Consulte a arquitetura de aplicativo Web com redundância de zona altamente disponível da linha de base para obter as práticas recomendadas",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Front Door",
- "text": "Frontdoor - Rota para algo que não retorna nada. Configure uma Função, Proxy de Função ou adicione uma rota em seu WebApp que retorne 200 (OK) e envie conteúdo nulo ou mínimo. A vantagem disso é que você poderá fazer logout quando for chamado.",
- "waf": "Custar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
+ "severity": "Média",
+ "text": "Use as camadas Premium e Standard. Esses níveis oferecem suporte a slots de preparo e backups automatizados.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
- "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
- "service": "Storage",
- "text": "Considere níveis de arquivamento para dados menos usados",
- "waf": "Custar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
+ "service": "App Services",
+ "severity": "Alto",
+ "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente (requer a camada Premium v2 ou v3)",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "VM",
- "text": "Verifique os tamanhos de disco em que o tamanho não corresponde à camada (ou seja, um disco de 513 GiB pagará um P30 (1TiB) e considere o redimensionamento",
- "waf": "Custar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
+ "severity": "Média",
+ "text": "Implementar verificações de integridade",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "Storage",
- "text": "Considere usar SSD padrão em vez de Premium ou Ultra sempre que possível",
- "waf": "Custar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
+ "service": "App Services",
+ "severity": "Alto",
+ "text": "Consulte as práticas recomendadas de backup e restauração para o Serviço de Aplicativo do Azure",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
- "service": "Storage",
- "text": "Para contas de armazenamento, verifique se a camada escolhida não está somando encargos de transação (pode ser mais barato passar para a próxima camada)",
- "waf": "Custar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability",
+ "service": "App Services",
+ "severity": "Alto",
+ "text": "Implementar práticas recomendadas de confiabilidade do Serviço de Aplicativo do Azure",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "Site Recovery",
- "text": "Para ASR, considere o uso de discos SSD padrão se o RPO/RTO e a taxa de transferência de replicação permitirem",
- "waf": "Custar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only",
+ "service": "App Services",
+ "severity": "Baixo",
+ "text": "Familiarizar-se com como mover um aplicativo do Serviço de Aplicativo para outra região durante um desastre",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1",
- "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
- "service": "Storage",
- "text": "Contas de armazenamento: verifique o hot tier e/ou o GRS necessário",
- "waf": "Custar"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
+ "service": "App Services",
+ "severity": "Alto",
+ "text": "Familiarizar-se com o suporte de confiabilidade no Serviço de Aplicativo do Azure",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18",
- "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
- "service": "VM",
- "text": "Discos - valide o uso de discos SSD Premium em todos os lugares: por exemplo, não-prod pode trocar para SSD padrão ou SSD Premium sob 
demanda ", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", + "severity": "Média", + "text": "Verifique se \"Sempre Ativo\" está habilitado para Aplicativos de Função em execução em um plano de serviço de aplicativo", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "Crie orçamentos para gerenciar custos e crie alertas que notifiquem automaticamente as partes interessadas sobre anomalias de gastos e riscos de gastos excessivos.", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "Média", + "text": "Monitorar instâncias do Serviço de Aplicativo usando verificações de integridade", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "Exporte dados de custo para uma conta de armazenamento para análise de dados adicionais.", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", + "severity": "Média", + "text": "Monitorar a 
disponibilidade e a capacidade de resposta do aplicativo Web ou site usando testes de disponibilidade do Application Insights", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "Controle os custos de um pool SQL dedicado pausando o recurso quando ele não estiver em uso.", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", + "severity": "Baixo", + "text": "Usar o teste Application Insights Standard para monitorar a disponibilidade e a capacidade de resposta do aplicativo Web ou site", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "Habilite o recurso de pausa automática do Apache Spark sem servidor e defina seu valor de tempo limite de acordo.", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use o Cofre de Chaves do Azure para armazenar quaisquer segredos de que o aplicativo precisa. 
O Cofre de Chaves fornece um ambiente seguro e auditado para armazenar segredos e está bem integrado ao Serviço de Aplicativo por meio do SDK do Cofre de Chaves ou das Referências do Cofre de Chaves do Serviço de Aplicativo.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "Alto", + "text": "Usar o Cofre de Chaves para armazenar segredos", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "Crie várias definições de pool do Apache Spark de vários tamanhos.", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use uma Identidade Gerenciada para se conectar ao Cofre de Chaves usando o SDK do Cofre de Chaves ou por meio das Referências do Cofre de Chaves do Serviço de Aplicativo.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "Alto", + "text": "Usar a Identidade Gerenciada para se conectar ao Cofre de Chaves", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "Adquira unidades de confirmação (SCU) do Azure Synapse por um ano com um plano de pré-compra para economizar nos custos do Azure Synapse Analytics.", - 
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Armazene o certificado TLS do Serviço de Aplicativo no Cofre de Chaves.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", + "severity": "Alto", + "text": "Use o Cofre de Chaves para armazenar o certificado TLS.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "Usar VMs spot para trabalhos interruptíveis: são VMs que podem ser licitadas e compradas a um preço com desconto, fornecendo uma solução econômica para cargas de trabalho não críticas.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Os sistemas que processam informações confidenciais devem ser isolados. 
Para fazer isso, use Planos do Serviço de Aplicativo ou Ambientes do Serviço de Aplicativo separados e considere o uso de assinaturas ou grupos de gerenciamento diferentes.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "Média", + "text": "Isolar sistemas que processam informações confidenciais", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "Dimensionamento correto de todas as VMs", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Os discos locais no Serviço de Aplicativo não são criptografados e os dados confidenciais não devem ser armazenados neles. 
(Por exemplo: D:\\\\Local e %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", + "severity": "Média", + "text": "Não armazene dados confidenciais no disco local", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "Trocar VM dimensionada com tamanhos normalizados e mais recentes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Para aplicativos Web autenticados, use um Provedor de Identidade bem estabelecido, como o Azure AD ou o Azure AD B2C. 
Aproveite a estrutura de aplicativo de sua escolha para se integrar a esse provedor ou use o recurso de Autenticação/Autorização do Serviço de Aplicativo.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", + "severity": "Média", + "text": "Usar um provedor de identidade estabelecido para autenticação", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "VMs de dimensionamento correto - comece com o monitoramento do uso abaixo de 5% e, em seguida, trabalhe até 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Implante código no Serviço de Aplicativo a partir de um ambiente controlado e confiável, como um pipeline de implantação de DevOps bem gerenciado e seguro. 
Isso evita que o código que não foi controlado por versão e verificado para ser implantado a partir de um host mal-intencionado.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", + "severity": "Alto", + "text": "Implantar a partir de um ambiente confiável", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "A conteinerização de um aplicativo pode melhorar a densidade da VM e economizar dinheiro no dimensionamento", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Custar" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Desative a autenticação básica para FTP/FTPS e WebDeploy/SCM. Isso desabilita o acesso a esses serviços e impõe o uso de pontos de extremidade protegidos do Azure AD para implantação. Observe que o site do SCM também pode ser aberto usando credenciais do Azure AD.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", + "severity": "Alto", + "text": "Desabilitar a autenticação básica", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Sempre que possível, use a Identidade Gerenciada para se conectar aos recursos protegidos do Azure AD. 
Se isso não for possível, armazene segredos no Cofre de Chaves e conecte-se ao Cofre de Chaves usando uma Identidade Gerenciada.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "severity": "Alto", - "text": "Familiarize-se com as práticas recomendadas do Key Vault, como recomendações de isolamento, controle de acesso, proteção de dados, backup e registro em log.", - "waf": "Fiabilidade" + "text": "Usar a Identidade Gerenciada para se conectar a recursos", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", - "severity": "Média", - "text": "O Key Vault é um serviço gerenciado e a Microsoft lidará com o failover dentro e entre regiões. Familiarize-se com a disponibilidade e a redundância do Key Vault.", - "waf": "Fiabilidade" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Onde estiver usando imagens armazenadas no Registro de Contêiner do Azure, extraia-as usando uma Identidade Gerenciada.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", + "severity": "Alto", + "text": "Extrair contêineres usando uma identidade gerenciada", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service 
Review", + "description": "Ao definir as configurações de diagnóstico do Serviço de Aplicativo, você pode enviar toda a telemetria para o Log Analytics como o destino central para registro em log e monitoramento. Isso permite que você monitore a atividade de tempo de execução do Serviço de Aplicativo, como logs HTTP, logs de aplicativos, logs de plataforma, ...", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "severity": "Média", - "text": "O conteúdo do cofre de chaves é replicado dentro da região e para uma região secundária a pelo menos 150 milhas de distância, mas dentro da mesma geografia para manter a alta durabilidade de suas chaves e segredos. Familiarize-se com a replicação de dados do Key Vault.", - "waf": "Fiabilidade" + "text": "Enviar logs de tempo de execução do Serviço de Aplicativo para o Log Analytics", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure uma configuração de diagnóstico para enviar o log de atividades para o Log Analytics como o destino central para registro e monitoramento. Isso permite que você monitore a atividade do plano de controle no próprio recurso do Serviço de Aplicativo.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "severity": "Média", - "text": "Durante o failover, as configurações e configurações de política de acesso ou firewall não podem ser alteradas. O cofre de chaves estará no modo somente leitura durante o failover. 
Familiarize-se com as diretrizes de failover do Key Vault.", - "waf": "Fiabilidade" + "text": "Enviar logs de atividade do Serviço de Aplicativo para o Log Analytics", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Controle o acesso à rede de saída usando uma combinação de integração regional de VNet, grupos de segurança de rede e UDR's. O tráfego deve ser roteado para um NVA, como o Firewall do Azure. Certifique-se de monitorar os logs do Firewall.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "severity": "Média", - "text": "Quando você faz backup de um objeto do cofre de chaves, como um segredo, uma chave ou um certificado, a operação de backup baixa o objeto como um blob criptografado. Esse blob não pode ser descriptografado fora do Azure. Para obter dados utilizáveis desse blob, você deve restaurar o blob em um cofre de chaves dentro da mesma assinatura do Azure e da mesma geografia do Azure. 
Familiarize-se com as diretrizes de backup e restauração do Key Vault.", - "waf": "Fiabilidade" + "text": "O acesso à rede de saída deve ser controlado", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Você pode fornecer um IP de saída estável usando a integração de rede virtual e um gateway NAT de rede virtual ou um NVA como o Firewall do Azure. Isso permite que a parte receptora permita uma lista com base no IP, caso seja necessário. Observe que, para comunicações com os Serviços do Azure, geralmente não há necessidade de depender do endereço IP e mecânicas como Pontos de Extremidade de Serviço devem ser usadas. (Além disso, o uso de pontos de extremidade privados na extremidade de recebimento evita que o SNAT aconteça e fornece um intervalo de IP de saída estável.)", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "Baixo", + "text": "Garantir um IP estável para comunicações de saída para endereços de Internet", + "waf": "Segurança" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Controle o acesso à rede de entrada usando uma combinação de Restrições de Acesso do Serviço de Aplicativo, Pontos de Extremidade de Serviço ou Pontos de Extremidade Privados. 
Diferentes restrições de acesso podem ser necessárias e configuradas para o próprio aplicativo Web e o site do SCM.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "Alto", - "text": "Se você quiser proteção contra exclusão acidental ou mal-intencionada de seus segredos, configure recursos de proteção de exclusão reversível e limpeza em seu cofre de chaves.", - "waf": "Fiabilidade" + "text": "O acesso à rede de entrada deve ser controlado", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "severity": "Baixo", - "text": "Os recursos excluídos temporariamente do Key Vault são retidos por um período definido de 90 dias corridos. Familiarize-se com as diretrizes de exclusão reversível do Key Vault.", - "waf": "Fiabilidade" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Proteja-se contra tráfego de entrada mal-intencionado usando um Firewall de Aplicativo Web, como o Gateway de Aplicativo ou o Azure Front Door. 
Certifique-se de monitorar os logs do WAF.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", + "severity": "Alto", + "text": "Usar um WAF na frente do Serviço de Aplicativo", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Baixo", - "text": "Entenda as limitações de backup do Key Vault. O Key Vault não dá suporte à capacidade de fazer backup de mais de 500 versões anteriores de um objeto de chave, segredo ou certificado. A tentativa de fazer backup de uma chave, segredo ou objeto de certificado pode resultar em um erro. Não é possível excluir versões anteriores de uma chave, segredo ou certificado.", - "waf": "Fiabilidade" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Certifique-se de que o WAF não pode ser ignorado bloqueando o acesso apenas ao WAF. 
Use uma combinação de Restrições de Acesso, Pontos de Extremidade de Serviço e Pontos de Extremidade Privados.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "Alto", + "text": "Evite que o WAF seja ignorado", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Baixo", - "text": "Atualmente, o Key Vault não fornece uma maneira de fazer backup de um cofre de chaves inteiro em uma única operação e chaves, segredos e certificados devem ser copiados individualmente. Familiarize-se com as diretrizes de backup e restauração do Key Vault.", - "waf": "Fiabilidade" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Defina a política TLS mínima como 1.2 na configuração do Serviço de Aplicativo.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", + "severity": "Média", + "text": "Definir a política TLS mínima como 1.2", + "waf": "Segurança" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure o Serviço de Aplicativo para usar somente HTTPS. Isso faz com que o Serviço de Aplicativo redirecione de HTTP para HTTPS. 
Considere fortemente o uso de HTTP Strict Transport Security (HSTS) em seu código ou a partir de seu WAF, que informa aos navegadores que o site só deve ser acessado usando HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", + "severity": "Alto", + "text": "Usar somente HTTPS", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", - "severity": "Média", - "text": "A proteção contra limpeza é recomendada ao usar chaves para criptografia para evitar a perda de dados. A proteção contra limpeza é um comportamento opcional do Key Vault e não está habilitada por padrão. A proteção contra limpeza só pode ser habilitada depois que a exclusão reversível estiver habilitada. Ele pode ser ativado via CLI, PowerShell ou Portal.", - "waf": "Fiabilidade" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Não use curingas em sua configuração do CORS, pois isso permite que todas as origens acessem o serviço (derrotando assim o propósito do CORS). 
Especificamente, permita apenas as origens que você espera poder acessar o serviço.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", + "severity": "Alto", + "text": "Curingas não devem ser usados para CORS", + "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", - "guid": "d0642c1c-312b-4116-94ab-439e1c836819", - "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", - "service": "Key Vault", - "severity": "Média", - "text": "O RBAC é recomendado para controlar o acesso ao cofre de chaves. Familiarize-se com as diretrizes de controle de acesso do Key Vault.", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "A depuração remota não deve ser ativada na produção, pois isso abre portas adicionais no serviço, o que aumenta a superfície de ataque. 
Observe que o serviço ativa a depuração remota automaticamente após 48 horas.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "Alto", + "text": "Desativar a depuração remota", "waf": "Segurança" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Habilite o Defender para o Serviço de Aplicativo. Isso (entre outras ameaças) detecta comunicações com endereços IP mal-intencionados conhecidos. 
Analise as recomendações do Defender for App Service como parte de suas operações.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "Média", - "text": "Aproveite o Manual de Resiliência de FTA para o Azure Data Factory", - "waf": "Fiabilidade" + "text": "Habilitar o Defender for Cloud - Defender for App Service", + "waf": "Segurança" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "Alto", - "text": "Usar pipelines redundantes de zona em regiões que oferecem suporte a zonas de disponibilidade", - "waf": "Fiabilidade" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "O Azure fornece proteção contra DDoS Basic em sua rede, que pode ser aprimorada com recursos inteligentes de DDoS Standard que aprendem sobre padrões normais de tráfego e podem detectar comportamentos incomuns. 
O DDoS Standard se aplica a uma Rede Virtual, portanto, ele deve ser configurado para o recurso de rede na frente do aplicativo, como o Application Gateway ou um NVA.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", + "severity": "Média", + "text": "Habilitar o padrão de proteção DDOS na rede virtual WAF", + "waf": "Segurança" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Ao usar imagens armazenadas no Registro de Contêiner do Azure, extraia-as por uma rede virtual do Registro de Contêiner do Azure usando seu ponto de extremidade privado e a configuração do aplicativo 'WEBSITE_PULL_IMAGE_OVER_VNET'.", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "severity": "Média", - "text": "Usar DevOps para fazer backup dos modelos ARM com a integração Github/Azure DevOps ", - "waf": "Fiabilidade" + "text": "Extrair contêineres por uma rede virtual", + "waf": "Segurança" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Realizar um teste de penetração na aplicação web seguindo as regras de teste de penetração de 
engajamento.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "severity": "Média", - "text": "Certifique-se de replicar as VMs do Self-Hosted Integration Runtime em outra região ", - "waf": "Fiabilidade" + "text": "Realizar um teste de penetração", + "waf": "Segurança" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Implante código confiável que foi validado e verificado em busca de vulnerabilidades de acordo com as práticas de DevSecOps.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "Média", - "text": "Certifique-se de replicar ou duplicar sua rede na região irmã. Você tem que fazer uma cópia do seu Vnet em outra região", - "waf": "Fiabilidade" + "text": "Implantar código validado", + "waf": "Segurança" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "Se seus pipelines do ADF usarem o Cofre de Chaves, você não precisará fazer nada para replicar o Cofre de Chaves. 
O Cofre de Chaves é um serviço gerenciado e a Microsoft cuida dele para você", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", - "severity": "Baixo", - "text": "Se estiver usando a integração do Keyvault, use o SLA do Keyvault para entender sua disponibilidade", - "waf": "Fiabilidade" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use as versões mais recentes de plataformas, linguagens de programação, protocolos e estruturas suportadas.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "Alto", + "text": "Use plataformas, linguagens, protocolos e frameworks atualizados", + "waf": "Segurança" }, { "arm-service": "Microsoft.Devices/provisioningServices", 
@@ -9225,193 +10092,73 @@
 {
 "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "Azure AKS Review",
- "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
- "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Se necessário, considere usar hosts dedicados do Azure para nós AKS",
- "waf": "Desempenho"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
- "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
- "severity": "Alto",
- "text": "Usar discos efêmeros do sistema operacional",
- "waf": "Desempenho"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
- "service": "AKS",
- "severity": "Alto",
- "text": "Para discos não efêmeros, use IOPS altos e discos maiores do sistema operacional para os nós ao executar muitos pods/nó, pois requer alto desempenho para executar vários pods e gerará logs enormes com limites de rotação de log AKS padrão",
- "waf": "Desempenho"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db",
- "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Para a opção de armazenamento de hiperdesempenho, use Ultra Disks no AKS",
- "waf": "Desempenho"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
- "service": "AKS",
- "severity": "Média",
- "text": "Evite manter o estado no cluster e armazene dados fora (AzStorage, AzSQL, Cosmos, etc)",
- "waf": "Desempenho"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
- "service": "AKS",
- "severity": "Média",
- "text": "Se estiver usando o AzFiles Standard, considere o AzFiles Premium e/ou ANF por motivos de desempenho",
- "waf": "Desempenho"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
- "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
- "service": "AKS",
- "severity": "Média",
- "text": "Se estiver usando Discos e AZs do Azure, considere ter nodepools dentro de uma zona para disco LRS com VolumeBindingMode:WaitForFirstConsumer para provisionar armazenamento na zona direita ou use o disco ZRS para nodepools abrangendo várias zonas",
- "waf": "Desempenho"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
- "service": "Cognitive Search",
- "severity": "Alto",
- "text": "Permitir que 2 réplicas tenham 99,9% de disponibilidade para operações de leitura",
- "waf": "Fiabilidade"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "7d956fd9-788a-4845-9b9f-c0340972d810",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
- "service": "Cognitive Search",
- "severity": "Média",
- "text": "Permitir que 3 réplicas tenham 99,9% de disponibilidade para operações de leitura/gravação",
- "waf": "Fiabilidade"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support",
- "service": "Cognitive Search",
- "severity": "Alto",
- "text": "Aproveite as zonas de disponibilidade habilitando réplicas de leitura e/ou gravação",
- "waf": "Fiabilidade"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions",
- "service": "Cognitive Search",
- "severity": "Média",
- "text": "Para redução regional, crie manualmente serviços em 2 ou mais regiões para a Pesquisa, pois não fornece um método automatizado de replicação de índices de pesquisa entre regiões geográficas",
- "waf": "Fiabilidade"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services",
- "service": "Cognitive Search",
- "severity": "Média",
- "text": "Para sincronizar dados em vários serviços: Use indexadores para atualizar conteúdo em vários serviços ou Use APIs REST para enviar atualizações de conteúdo em vários serviços",
- "waf": "Fiabilidade"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests",
- "service": "Cognitive Search",
- "severity": "Média",
- "text": "Usar o Gerenciador de Tráfego do Azure para coordenar solicitações",
- "waf": "Fiabilidade"
+ "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
+ "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Se necessário, considere usar hosts dedicados do Azure para nós AKS",
+ "waf": "Desempenho"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives",
- "service": "Cognitive Search",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
+ "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Backup e restauração de um índice de pesquisa cognitiva do Azure. Use este código de exemplo para fazer backup da definição de índice e instantâneo em uma série de arquivos Json",
- "waf": "Fiabilidade"
+ "text": "Usar discos efêmeros do sistema operacional",
+ "waf": "Desempenho"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
- "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
- "service": "Logic Apps",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Selecione o plano de hospedagem de aplicativo lógico certo com base em seus requisitos de negócios e SLO",
- "waf": "Fiabilidade"
+ "text": "Para discos não efêmeros, use IOPS altos e discos maiores do sistema operacional para os nós ao executar muitos pods/nó, pois requer alto desempenho para executar vários pods e gerará logs enormes com limites de rotação de log AKS padrão",
+ "waf": "Desempenho"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
- "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "Logic Apps",
- "severity": "Alto",
- "text": "Proteja aplicativos lógicos contra falhas de região com redundância de zona e zonas de disponibilidade",
- "waf": "Fiabilidade"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db",
+ "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Para a opção de armazenamento de hiperdesempenho, use Ultra Disks no AKS",
+ "waf": "Desempenho"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
- "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "Logic Apps",
- "severity": "Alto",
- "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas",
- "waf": "Fiabilidade"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
+ "service": "AKS",
+ "severity": "Média",
+ "text": "Evite manter o estado no cluster e armazene dados fora (AzStorage, AzSQL, Cosmos, etc)",
+ "waf": "Desempenho"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
- "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
- "service": "Logic Apps",
- "severity": "Alto",
- "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3",
- "waf": "Fiabilidade"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
+ "service": "AKS",
+ "severity": "Média",
+ "text": "Se estiver usando o AzFiles Standard, considere o AzFiles Premium e/ou ANF por motivos de desempenho",
+ "waf": "Desempenho"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
- "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
- "service": "Logic Apps",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
+ "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
+ "service": "AKS",
 "severity": "Média",
- "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código de Aplicativo Lógico",
- "waf": "Operações"
+ "text": "Se estiver usando Discos e AZs do Azure, considere ter nodepools dentro de uma zona para disco LRS com VolumeBindingMode:WaitForFirstConsumer para provisionar armazenamento na zona direita ou use o disco ZRS para nodepools abrangendo várias zonas",
+ "waf": "Desempenho"
 },
 {
 "arm-service": "microsoft.network/frontdoors",
@@ -9817,170 +10564,11 @@ "severity": "Alto", "text": "Ao usar o Front Door com origem como serviços de aplicativos, considere bloquear o tráfego para serviços de aplicativos somente por meio do Azure Front Door usando restrições de acesso. ", "waf": "Segurança" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "O Hub de Eventos do Azure fornece criptografia de dados em repouso. Se você usar sua própria chave, os dados ainda serão criptografados usando a chave gerenciada pela Microsoft, mas, além disso, a chave gerenciada pela Microsoft será criptografada usando a chave gerenciada pelo cliente. ", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "Baixo", - "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Os namespaces dos Hubs de Eventos do Azure permitem que os clientes enviem e recebam dados com TLS 1.0 e superior. Para impor medidas de segurança mais rígidas, você pode configurar o namespace dos Hubs de Eventos para exigir que os clientes enviem e recebam dados com uma versão mais recente do TLS. Se um namespace de Hubs de Eventos exigir uma versão mínima do TLS, todas as solicitações feitas com uma versão mais antiga falharão. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", - "severity": "Média", - "text": "Impor uma versão mínima necessária do TLS (Transport Layer Security) para solicitações ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Quando você cria um namespace de Hubs de Eventos, uma regra de política chamada RootManageSharedAccessKey é criada automaticamente para o namespace. Essa política tem permissões de gerenciamento para todo o namespace. É recomendável que você trate essa regra como uma conta raiz administrativa e não a use em seu aplicativo. Recomenda-se o uso do AAD como um provedor de autenticação com RBAC. ", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "Média", - "text": "Evite usar conta root quando não for necessário", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "As identidades gerenciadas para recursos do Azure podem autorizar o acesso a recursos dos Hubs de Eventos usando credenciais do Azure AD de aplicativos em execução em VMs (Máquinas Virtuais) do Azure, aplicativos de Função, Conjuntos de Dimensionamento de Máquina Virtual e outros serviços. Usando identidades gerenciadas para recursos do Azure junto com a autenticação do Azure AD, você pode evitar o armazenamento de credenciais com seus aplicativos executados na nuvem. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", - "severity": "Média", - "text": "Quando possível, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Hub de Eventos do Azure. Caso contrário, considere ter a credencial de armazenamento (SAS, credencial da entidade de serviço) no Cofre de Chaves do Azure ou em um serviço equivalente", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Ao criar permissões, forneça controle refinado sobre o acesso de um cliente ao Hub de Eventos do Azure. As permissões no Hub de Eventos do Azure podem e devem ter o escopo definido para o nível de recurso individual, por exemplo, grupo de consumidores, entidade de hub de eventos, namespaces de hub de eventos, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", - "severity": "Alto", - "text": "Usar RBAC do plano de dados de privilégios mínimos", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Os logs de recursos do Hub de Eventos do Azure incluem logs operacionais, logs de rede virtual e logs de Kafka. 
Os logs de auditoria de tempo de execução capturam informações de diagnóstico agregadas para todas as operações de acesso ao plano de dados (como eventos de envio ou recebimento) nos Hubs de Eventos.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", - "severity": "Média", - "text": "Habilite o registro em log para investigação de segurança. Use o Azure Monitor para capturar métricas e logs como logs de recursos, logs de auditoria de tempo de execução e logs Kafka", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Por padrão, o Hub de Eventos do Azure tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem que o tráfego entre sua rede virtual e o Hub de Eventos do Azure percorra a rede de backbone da Microsoft. Além disso, você deve desabilitar os pontos de extremidade públicos se eles não forem usados. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "severity": "Média", - "text": "Considere o uso de pontos de extremidade privados para acessar o Hub de Eventos do Azure e desabilitar o acesso à rede pública quando aplicável.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Com o firewall IP, você pode restringir ainda mais o ponto de extremidade público a apenas um conjunto de endereços IPv4 ou intervalos de endereços IPv4 na notação CIDR (Roteamento entre Domínios Sem Classe). 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", - "severity": "Média", - "text": "Considere permitir apenas o acesso ao namespace do Hub de Eventos do Azure a partir de endereços IP ou intervalos específicos", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "severity": "Média", - "text": "Aproveite o Manual de Resilência do FTA", - "waf": "Fiabilidade" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": " Isso será ativado automaticamente para um novo namespace de EH criado a partir do portal com SKUs Premium, Dedicado ou Standard em uma região habilitada para região. 
Os metadados do EH e os próprios dados do evento são replicados entre zonas", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "Alto", - "text": "Aproveite as zonas de disponibilidade, se aplicável regionalmente", - "waf": "Fiabilidade" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", - "severity": "Média", - "text": "Use os SKUs Premium ou Dedicado para desempenho previsível", - "waf": "Fiabilidade" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "O recurso interno de recuperação de desastres geográficos, quando habilitado, garante que toda a configuração de um namespace (Hubs de Eventos, Grupos de Consumidores e configurações) seja replicada continuamente de um namespace primário para um namespace secundário e permite uma movimentação de failover única do primário para o secundário a qualquer momento. O recurso Ativo/Passivo foi projetado para facilitar a recuperação e o abandono de uma região do Azure com falha sem precisar alterar as configurações do aplicativo", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "Alto", - "text": "Planejar a recuperação de desastres geográficos usando a configuração passiva ativa", - "waf": "Fiabilidade" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Deve ser usado para configurações de DR em que uma interrupção ou perda de dados de eventos na região derrubada não pode ser tolerada. 
Para esses casos, siga as diretrizes de replicação e não use o recurso interno de recuperação de desastres geográficos (ativo/passivo). Com Ativo/Ativo, mantenha vários Hubs de Eventos em diferentes regiões e namespaces, e os eventos serão replicados entre os hubs",
- "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
- "service": "Event Hubs",
- "severity": "Média",
- "text": "Para aplicativos críticos para os negócios, use a configuração ativa",
- "waf": "Fiabilidade"
- },
- {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c",
- "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
- "service": "Event Hubs",
- "severity": "Média",
- "text": "Projetar Hubs de Eventos Resilientes",
- "waf": "Fiabilidade"
 }
 ],
 "metadata": {
 "name": "WAF checklist",
- "timestamp": "October 02, 2024"
+ "timestamp": "October 21, 2024"
 },
 "severities": [
 {
@@ -10003,15 +10591,15 @@
 "name": "Abrir"
 },
 {
- "description": "Essa verificação foi verificada e não há outros itens de ação associados a ela",
+ "description": "Essa verificação foi verificada e não há mais itens de ação associados a ela",
 "name": "Cumprido"
 },
 {
 "description": "Recomendação compreendida, mas não necessária pelos requisitos atuais",
- "name": "Risco aceito"
+ "name": "Não é necessário"
 },
 {
- "description": "Não aplicável ao projeto atual",
+ "description": "Não aplicável para o projeto atual",
 "name": "N/A"
 }
 ]
diff --git a/checklists/waf_checklist.zh-Hant.json b/checklists/waf_checklist.zh-Hant.json
index 8447891cf..d0abd21be 100644
--- a/checklists/waf_checklist.zh-Hant.json
+++ b/checklists/waf_checklist.zh-Hant.json
@@ -1,54 +1,54 @@
 {
 "items": [
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
- "service": "IoT Hub DPS",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
+ "service": "IoT",
 "severity": "高",
- "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃",
+ "text": "利用可用區(如果區域適用)(這是自動啟用的)",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "IoT Hub DPS",
- "severity": "高",
- "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
+ "severity": "中等",
+ "text": "請注意 Microsoft 發起的故障轉移。Microsoft 在極少數情況下會執行這些操作,以將所有IoT中心從受影響的區域故障轉移到相應的異地配對區域。",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "8aed4fbf-0830-4883-899d-222a154af478",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "IoT Hub DPS",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr",
+ "service": "IoT",
 "severity": "高",
 "text": "考慮為關鍵工作負載制定跨區域災難恢復策略",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "IoT Hub DPS",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
 "severity": "高",
- "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3",
+ "text": "瞭解如何觸發手動故障轉移。",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "IoT Hub DPS",
- "severity": "中等",
- "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼",
- "waf": "操作"
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "IoT Hub Review",
+ "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback",
+ "service": "IoT",
+ "severity": "高",
+ "text": "瞭解如何在故障轉移後進行故障回復。",
+ "waf": "可靠性"
 },
 {
 "arm-service": "Microsoft.AppPlatform/Spring",
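Review bot: The fourth added item (guid a11ecab0-db47-46f7-9aa7-17764e7e45a1) is worded as learning how to trigger a manual failover, yet its `link` reuses the `#microsoft-initiated-failover` anchor that the second added item (guid 35f651e8-0124-4ef7-8c57-658e38609e6e) already uses for Microsoft-initiated failover, so the reader lands on the wrong section of the HA/DR article. Presumably the link should target the article's manual-failover section instead; I have not confirmed that anchor, so please check it before changing. If this locale file is generated from the English checklist, the correction belongs in the source item so every locale picks it up.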
@@ -131,3079 +131,3812 @@ "waf": "可靠性" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Azure Monitor 中的數據收集規則 -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "成本" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "高", + "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", + "waf": "可靠性" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": "檢查未找到底層數據源的備份實例", - "waf": "成本" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "severity": "高", + "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "刪除或存檔未關聯的服務(磁碟、網卡、IP 位址等)", - "waf": "成本" + 
"arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "高", + "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", + "waf": "可靠性" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": "考慮在網站恢復存儲和非任務關鍵型應用程式的備份之間取得良好的平衡", - "waf": "成本" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", + "severity": "高", + "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "檢查 40 個不同 Log Analytics 工作區之間的支出和節省機會 - 對非生產工作區使用不同的保留和數據收集 - 創建每日上限以實現意識和層大小調整 - 如果確實設置了每日上限,除了在達到上限時創建警報外,請確保還創建警報規則,以便在達到某個百分比(例如 90%)時收到通知。- 如果可能,考慮工作空間改造 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "成本" + "arm-service": 
"Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", + "severity": "中等", + "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼", + "waf": "操作" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "強制執行清除日誌策略和自動化(如果需要,可以將記錄移至冷存儲)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "高", + "text": "熟悉 Key Vault 的最佳實踐,例如隔離建議、訪問控制、數據保護、備份和日誌記錄。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "檢查磁碟是否確實需要,如果不是:刪除。如果需要,請尋找較低的儲存層或使用備份 -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", + "severity": "中等", + "text": "Key Vault 是一項託管服務,Microsoft 將處理區域內和區域之間的故障轉移。熟悉 Key Vault 的可用性和冗餘。", + "waf": 
"可靠性" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "text": "考慮使用自定義規則將未使用的存儲移動到較低層 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", + "severity": "中等", + "text": "密鑰保管庫的內容將在區域內複製到至少 150 英里外的次要區域,但要在同一地理位置內,以保持金鑰和機密的高持久性。熟悉 Key Vault 的數據複製。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "text": "確保 advisor 配置為適合 VM 大小調整", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", + "severity": "中等", + "text": "在故障轉移期間,無法訪問策略或防火牆配置和設置。在故障轉移期間,金鑰保管庫將處於只讀模式。熟悉 Key Vault 的故障轉移指南。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "通過在成本分析系統中搜索計量類別許可證進行檢查", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "在所有 
Windows VM 上運行腳本 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server - 如果頻繁創建 Windows VM,請考慮實施策略", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", + "severity": "中等", + "text": "備份金鑰保管庫物件(例如機密、金鑰或證書)時,備份操作會將該物件下載為加密的 blob。無法在 Azure 外部解密此 blob。若要從此 blob 獲取可用數據,必須將 blob 還原到同一 Azure 訂閱和 Azure 地理位置中的金鑰保管庫中。熟悉 Key Vault 的備份和還原指南。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": "如果您已經擁有許可證,也可以將其置於 AHUB https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "高", + "text": "如果要防止意外或惡意刪除機密,請在密鑰保管庫上配置軟刪除和清除保護功能。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "使用靈活性選項(不超過 4-5 個系列)整合保留的 VM 系列", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "成本" + "arm-service": 
"Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "低", + "text": "Key Vault 的軟刪除資源將保留 90 個日曆日的固定期限。熟悉 Key Vault 的軟刪除指南。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", - "text": "利用 Azure 預留實例:此功能允許將 VM 預留 1 年或 3 年,與 PAYG 價格相比,可顯著節省成本。", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "低", + "text": "瞭解 Key Vault 的備份限制。Key Vault 不支援備份超過 500 個金鑰、機密或證書對象的過去版本。嘗試備份金鑰、金鑰或證書物件可能會導致錯誤。無法刪除金鑰、金鑰或證書的早期版本。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "text": "只能保留較大的磁碟 => 1 TiB -", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "低", + "text": "Key Vault 目前不提供在單個操作中備份整個 Key Vault 的方法,並且必須單獨備份密鑰、機密和證書。熟悉 Key Vault 的備份和還原指南。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": 
"cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "text": "調整大小優化后", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", + "severity": "中等", + "text": "使用金鑰進行加密時,建議使用清除保護,以防止數據丟失。清除保護是一種可選的 Key Vault 行為,預設情況下未啟用。只有在啟用軟刪除後,才能啟用清除保護。可以通過 CLI、PowerShell 或 Portal 打開它。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "檢查是否適用並強制執行策略/更改 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", + "guid": "d0642c1c-312b-4116-94ab-439e1c836819", + "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", + "service": "Key Vault", + "severity": "中等", + "text": "建議使用 RBAC 來控制對 Key Vault 的訪問。熟悉 Key Vault 的訪問控制指南。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "虛擬機 + 許可證部分折扣 (ahub + 3YRI) 約為 70% 的折扣", - "waf": "成本" + "arm-service": 
"Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure 服務總線高級版提供靜態數據加密。如果您使用自己的金鑰,則數據仍使用 Microsoft 管理的金鑰進行加密,但此外,Microsoft 管理的金鑰將使用客戶管理的密鑰進行加密。", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", + "severity": "低", + "text": "需要時,在靜態數據加密中使用客戶管理的金鑰選項", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "考慮使用 VMSS 來滿足需求,而不是按比例調整", - "waf": "成本" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "用戶端應用程式與 Azure 服務總線命名空間之間的通信使用傳輸層安全性 (TLS) 進行加密。Azure 服務總線命名空間允許用戶端使用 TLS 1.0 及更高版本發送和接收數據。若要強制實施更嚴格的安全措施,可以將服務總線命名空間配置為要求用戶端使用較新版本的 TLS 發送和接收數據。", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", + "severity": "中等", + "text": "對請求強制實施最低要求的傳輸層安全性 (TLS) 版本", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "text": "使用 AKS 自動縮放程式符合群集使用方式(確保 Pod 要求與縮放程式符合)", - "waf": "成本" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": 
"創建服務總線命名空間時,會自動為命名空間創建名為 RootManageSharedAccessKey 的 SAS 規則。此策略具有整個命名空間的 Manage 許可權。建議您將此規則視為管理根帳戶,不要在應用程式中使用它。 建議使用 AAD 作為 RBAC 的身份驗證提供程式。", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", + "severity": "中等", + "text": "避免在不需要時使用 root 帳戶", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "安全" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "將恢復點移至保管庫存檔(如果適用)(驗證)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "成本" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "在 Azure 應用服務應用程式內或在啟用了 Azure 資源支援的託管實體的虛擬機中運行的服務總線用戶端應用不需要處理 SAS 規則和密鑰或任何其他存取權杖。用戶端應用程式只需要 Service Bus Messaging 命名空間的終結點位址。", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", + "service": "Service Bus", + "severity": "中等", + "text": "如果可能,應用程式應使用託管標識向 Azure 服務總線進行身份驗證。如果沒有,請考慮在 Azure Key Vault 或等效服務中使用存儲憑據(SAS、服務主體憑據)", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "請考慮盡可能使用帶回退功能的現成 VM。考慮群集的自動終止。", - "waf": "成本" + "arm-service": 
"Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "創建許可權時,請對用戶端對 Azure 服務總線的訪問提供精細控制。Azure 服務總線中的許可權可以而且應該限定為單個資源級別,例如佇列、主題或訂閱。", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", + "severity": "高", + "text": "使用最低許可權數據平面 RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "功能 - 重用連接", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "成本" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure 服務總線資源日誌包括操作日誌、虛擬網路和IP篩選日誌。運行時審核日誌捕獲服務總線中各種數據平面訪問操作(例如發送或接收消息)的聚合診斷資訊。", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", + "severity": "中等", + "text": "啟用記錄以進行安全調查。使用 Azure Monitor 追蹤資源紀錄和執行時審核紀錄(目前僅在進階層中可用 )", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "函數 - 本地快取資料", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "成本" + "arm-service": 
"Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "默認情況下,Azure 服務總線具有公共IP位址,並且可通過Internet訪問。專用終結點允許虛擬網路與 Azure 服務總線之間的流量遍歷 Microsoft 主幹網路。除此之外,如果未使用公有終端節點,則應禁用這些終端節點。", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", + "severity": "中等", + "text": "請考慮使用專用終結點訪問 Azure 服務總線,並在適用時禁用公用網路訪問。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "使用IP防火牆,您可以將公有終端節點進一步限製為僅一組 IPv4 位址或 CIDR(無類域間路由)表示法的 IPv4 位址範圍。", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", + "severity": "中等", + "text": "請考慮僅允許從特定IP位址或範圍訪問 Azure 服務總線命名空間", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "安全" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + "severity": "低", + "text": "有關最佳實踐,請參閱基線高可用性區域冗餘 Web 應用程式體系結構", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "中等", + "text": "使用高級層和標準層。這些層支援暫存槽和自動備份。", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": 
"https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", + "severity": "高", + "text": "利用區域適用的可用性區域(需要高級 v2 或 v3 層)", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "中等", + "text": "實施健康檢查", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", + "severity": "高", + "text": "請參閱 Azure 應用服務的備份和還原最佳做法", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", + "severity": "高", + "text": "實現 Azure 應用服務可靠性最佳做法", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "低", + "text": "熟悉如何在災難期間將應用服務應用移動到另一個區域", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", + "severity": "高", + "text": "熟悉 Azure 應用服務中的可靠性支援", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": 
"c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", + "severity": "中等", + "text": "確保為在應用服務計劃上運行的函數應用啟用“Always On”", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "中等", + "text": "使用運行狀況檢查監視應用服務實例", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", + "severity": "中等", + "text": "使用 Application Insights 可用性測試監視 Web 應用或網站的可用性和回應能力", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", + "severity": "低", + "text": "使用 Application Insights 標準測試監視 Web 應用或網站的可用性和回應能力", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用 Azure Key Vault 儲存應用程式所需的任何機密。 Key Vault 為儲存機密提供安全且經過審核的環境,並通過 Key Vault SDK 或應用服務 Key Vault 引用與應用服務很好地集成。", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "高", + "text": "使用 Key Vault 儲存機密", + "waf": "安全" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用託管標識通過 Key Vault SDK 或透過應用服務 Key Vault 引用連接到 Key Vault。", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": 
"https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "高", + "text": "使用託管標識連接到 Key VaultUse Managed Identity to connect to Key Vault", + "waf": "安全" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "將應用服務 TLS 證書存儲在 Key Vault 中。", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", + "severity": "高", + "text": "使用 Key Vault 儲存 TLS 證書。", + "waf": "安全" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "處理敏感信息的系統應隔離。 為此,請使用單獨的應用服務計劃或應用服務環境,並考慮使用不同的訂閱或管理組。", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "中等", + "text": "隔離處理敏感信息的系統", + "waf": "安全" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "應用服務上的本地磁碟未加密,敏感數據不應存儲在這些磁碟上。 (例如:D:\\\\Local 和 %TMP%)。", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", + "severity": "中等", + "text": "不要將敏感數據存儲在本地磁碟上", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "函數 - 冷啟動 - 使用“從包運行”功能。這樣,代碼將下載為單個 zip 檔。例如,這可以顯著改進具有大量節點模組的 Javascript 函數。使用特定於語言的工具來減小包大小,例如,搖樹 Javascript 應用程式。", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": 
"對於經過身份驗證的 Web 應用程式,請使用成熟的標識提供者,例如 Azure AD 或 Azure AD B2C。 利用所選的應用程式框架與此提供程式整合,或使用應用服務身份驗證/授權功能。", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", + "severity": "中等", + "text": "使用已建立的身份提供程式進行身份驗證", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "text": "功能 - 保持功能溫暖", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "將代碼從受控且受信任的環境(例如管理良好且安全的 DevOps 部署管道)部署到應用服務。這樣可以避免未經版本控制和驗證從惡意主機部署的代碼。", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", + "severity": "高", + "text": "從受信任的環境部署", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "使用具有不同功能的自動縮放時,可能會有一個資源驅動所有資源的所有自動縮放 - 請考慮將其移動到單獨的消耗計劃(並考慮更高的 CPU 計劃)", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "禁用 FTP/FTPS 和 WebDeploy/SCM 的基本身份驗證。 這將禁止訪問這些服務,並強制使用 Azure AD 安全終結點進行部署。 請注意,還可以使用 Azure AD 憑據打開 SCM 網站。", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", + "severity": "高", + "text": "禁用基本身份驗證", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - 
"checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "給定計劃中的函數應用都縮放在一起,因此縮放的任何問題都可能影響計劃中的所有應用。", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "如果可能,請使用託管標識連接到 Azure AD 受保護的資源。 如果無法做到這一點,請將機密存儲在 Key Vault 中,並改用託管標識連接到 Key Vault。", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", + "severity": "高", + "text": "使用託管標識連接到資源", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "我需要為「等待時間」付費嗎?這個問題通常是在執行異步操作並等待結果的 C# 函數的上下文中提出的,例如 await Task.Delay(1000) 或 await client。GetAsync('http://google.com')。答案是肯定的 - GB 秒計算基於函數的開始和結束時間以及該時間段內的記憶體使用方式。在這段時間內實際發生的CPU活動未計入計算。此規則的一個例外是,如果使用的是持久函數。您無需為在業務流程協調程式函數中等待所花費的時間付費。在可能的情況下應用需求塑造技術(開發環境?)https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用託管標識拉取這些映像。", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", + "severity": "高", + "text": "使用託管標識拉取容器", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": 
"https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "text": "Frontdoor - 關閉預設主頁在應用的應用程式設置中,將 AzureWebJobsDisableHomepage 設置為 true。這將向PoP返回204(無內容),因此僅返回標頭數據。", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "通過配置應用服務的診斷設置,可以將所有遙測數據發送到Log Analytics,作為日誌記錄和監視的中心目標。這允許你監視應用服務的運行時活動,例如 HTTP 日誌、應用程式日誌、平臺日誌等。", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", + "severity": "中等", + "text": "將應用服務運行時日誌發送到Log Analytics", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "text": "Frontdoor - 路由到不返回任何內容的內容。設置函數、函數代理,或在 WebApp 中添加返回 200 (OK) 且不發送內容或發送最少內容的路由。這樣做的好處是您可以在調用時註銷。", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "設置診斷設置,將活動日誌發送到Log Analytics,作為日誌記錄和監視的中心目標。這樣,你就可以監視應用服務資源本身上的控制平面活動。", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", + "severity": "中等", + "text": "將應用服務活動日誌發送到Log Analytics", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "考慮為使用較少的數據存檔層", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用區域 VNet 集成、網路安全組和 UDR 的組合來控制出站網路訪問。 流量應路由到 NVA,例如 Azure 防火牆。 
確保監控防火牆的日誌。", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", + "severity": "中等", + "text": "應控制出站網路訪問", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "檢查大小與層不匹配的磁碟大小(即 513 GiB 磁碟將支付 P30 (1TiB) 並考慮調整大小", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "可以使用 VNet 集成並使用 VNet NAT 閘道或 NVA(如 Azure 防火牆)來提供穩定的出站 IP。 這允許接收方根據需要根據IP列出允許清單。 請注意,對於與 Azure 服務的通信,通常不需要依賴於 IP 位址,應改用服務終結點等機制。 (此外,在接收端使用專用終結點可避免發生 SNAT,並提供穩定的出站 IP 範圍。", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "低", + "text": "確保與互聯網位址的出站通信具有穩定的IP", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "盡可能考慮使用標準 SSD,而不是 Premium 或 Ultra", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用應用服務訪問限制、服務終結點或專用終結點的組合來控制入站網路訪問。對於 Web 應用本身和 SCM 網站,可能需要和配置不同的訪問限制。", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "高", + "text": "應控制入站網路訪問", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "對於存儲帳戶,請確保所選層不會增加事務費用(移動到下一層可能會更便宜)", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用 Web 應用程式防火牆(如應用程式閘道或 Azure Front Door)防範惡意入站流量。 請務必監控 WAF 的日誌。", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", + "severity": "高", + "text": "在應用服務前面使用 WAF", + "waf": "安全" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "對於 ASR,如果 RPO/RTO 和複製輸送量允許,請考慮使用標準 SSD 磁碟", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "確保僅鎖定對 WAF 的訪問,從而無法繞過 WAF。 結合使用訪問限制、服務終結點和專用終結點。", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "高", + "text": "避免繞過 WAF", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "存儲帳戶:檢查熱層和/或 GRS 必填", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "在應用服務配置中將最低 TLS 策略設置為 1.2。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + 
"guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", + "severity": "中等", + "text": "將最低 TLS 策略設置為 1.2", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "磁碟 - 驗證高級 SSD 磁碟在任何地方的使用方式:例如,非生產磁碟可以交換到標準 SSD 或按需高級 SSD", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "將應用服務配置為僅使用 HTTPS。 這會導致應用服務從 HTTP 重定向到 HTTPS。 強烈建議在代碼或 WAF 中使用 HTTP 嚴格傳輸安全性 (HSTS),這會通知瀏覽器只能使用 HTTPS 訪問網站。", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", + "severity": "高", + "text": "僅使用 HTTPS", + "waf": "安全" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "創建預算以管理成本並創建警報,自動通知利益相關者支出異常和超支風險。", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "不要在 CORS 配置中使用通配符,因為這允許所有源訪問服務(從而破壞 CORS 的目的)。具體而言,僅允許您希望能夠訪問服務的源。", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", + "severity": "高", + "text": "不得將通配符用於 CORS", + "waf": "安全" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost 
Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "將成本數據匯出到存儲帳戶以進行其他數據分析。", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "不得在生產環境中啟用遠端調試,因為這會在服務上打開其他埠,從而增加攻擊面。請注意,該服務會在 48 小時後自動轉為遠端調試。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "高", + "text": "關閉遠端調試", + "waf": "安全" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "通過在不使用資源時暫停資源來控制專用 SQL 池的成本。", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "啟用 Defender for App Service。 這(除其他威脅外)檢測與已知惡意IP位址的通信。 在操作過程中查看 Defender for App Service 中的建議。", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", + "severity": "中等", + "text": "啟用 Defender for Cloud - Defender for App Service", + "waf": "安全" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "啟用無伺服器 Apache Spark 自動暫停功能,並相應地設置超時值。", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + 
"description": "Azure 在其網路上提供 DDoS 基本保護,可以通過智慧 DDoS 標準功能進行改進,該功能可以瞭解正常的流量模式並檢測異常行為。DDoS 標準適用於虛擬網路,因此必須為應用前面的網路資源(例如應用程式閘道或 NVA)配置它。", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", + "severity": "中等", + "text": "在 WAF VNet 上啟用 DDOS 保護標準", + "waf": "安全" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "創建多個不同大小的 Apache Spark 池定義。", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用其專用終結點和應用設置“WEBSITE_PULL_IMAGE_OVER_VNET”通過虛擬網络從 Azure 容器註冊表拉取這些映射。", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", + "severity": "中等", + "text": "通過虛擬網路拉取容器", + "waf": "安全" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "使用預購計劃購買為期一年的 Azure Synapse 提交單元 (SCU),以節省 Azure Synapse Analytics 成本。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "按照參與的滲透測試規則對 Web 應用程式進行滲透測試。", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": 
"https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", + "severity": "中等", + "text": "進行滲透測試", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "將現成 VM 用於可中斷作業:這些 VM 可以以折扣價競標和購買,為非關鍵工作負載提供經濟高效的解決方案。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "部署根據 DevSecOps 實踐驗證和掃描漏洞的受信任代碼。", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", + "severity": "中等", + "text": "部署經過驗證的代碼", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "合理調整所有 VM 的大小", - "waf": "成本" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用最新版本的受支援平臺、程式設計語言、協定和框架。", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "高", + "text": "使用最新的平臺、語言、協定和框架", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "將 VM 大小與規範化大小和最新大小交換", - "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "成本" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7bc1c396-2461-4698-b57f-30ca69525252", + "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", + "service": "VNet", + "severity": "中等", + "text": "在多個區域中部署 Azure 登陸區域連接資源,以便可以快速支援多區域應用程式登陸區域和災難恢復方案。", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "調整 VM 大小 - 從低於 5% 的監視使用率開始,然後工作到 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "成本" + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", + "severity": "中等", + "text": "使用一個 Entra 租戶來管理 Azure 資源,除非對多租戶有明確的法規或業務要求。", + "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "waf": "操作" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "容器化應用程式可以提高 VM 密度並節省擴展成本", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "成本" + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "低", + "text": "使用多租戶自動化方法管理您的 Microsoft Entra ID 租戶。", + "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", + "waf": "操作" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", "severity": "高", - "text": "熟悉 Key Vault 的最佳實踐,例如隔離建議、訪問控制、數據保護、備份和日誌記錄。", - "waf": "可靠性" + "text": "使用具有相同 ID 的 Azure Lighthouse 進行多租戶管理。", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "waf": "操作" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", - "severity": "中等", - "text": "Key Vault 是一項託管服務,Microsoft 將處理區域內和區域之間的故障轉移。熟悉 Key Vault 的可用性和冗餘。", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", + "severity": "高", + "text": "如果向合作夥伴授予管理租戶的許可權,請使用 Azure Lighthouse。", + "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", + "waf": "成本" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": 
"17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", - "severity": "中等", - "text": "密鑰保管庫的內容將在區域內複製到至少 150 英里外的次要區域,但要在同一地理位置內,以保持金鑰和機密的高持久性。熟悉 Key Vault 的數據複製。", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", + "severity": "高", + "text": "實施與您的雲操作模型相一致的 RBAC 模型。跨管理組和訂閱確定範圍和分配。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "severity": "中等", - "text": "在故障轉移期間,無法訪問策略或防火牆配置和設置。在故障轉移期間,金鑰保管庫將處於只讀模式。熟悉 Key Vault 的故障轉移指南。", - "waf": "可靠性" + "text": "僅對所有帳戶類型使用身份驗證類型 Work or school account。避免使用 Microsoft 帳戶", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": 
"https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "severity": "中等", - "text": "備份金鑰保管庫物件(例如機密、金鑰或證書)時,備份操作會將該物件下載為加密的 blob。無法在 Azure 外部解密此 blob。若要從此 blob 獲取可用數據,必須將 blob 還原到同一 Azure 訂閱和 Azure 地理位置中的金鑰保管庫中。熟悉 Key Vault 的備份和還原指南。", - "waf": "可靠性" + "text": "僅使用組來分配許可權。如果組管理系統已就位,請將本地組添加到僅 Entra ID 組。", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "severity": "高", - "text": "如果要防止意外或惡意刪除機密,請在密鑰保管庫上配置軟刪除和清除保護功能。", - "waf": "可靠性" + "text": "對 Azure 環境具有許可權的任何使用者強制實施 Microsoft Entra ID 條件訪問策略。", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "severity": "低", - "text": "Key Vault 的軟刪除資源將保留 90 個日曆日的固定期限。熟悉 Key Vault 的軟刪除指南。", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", + "severity": "高", + "text": "對有權訪問 Azure 環境的任何使用者強制實施多重身份驗證。", + "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "waf": "安全" }, { - "arm-service": 
"Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "低", - "text": "瞭解 Key Vault 的備份限制。Key Vault 不支援備份超過 500 個金鑰、機密或證書對象的過去版本。嘗試備份金鑰、金鑰或證書物件可能會導致錯誤。無法刪除金鑰、金鑰或證書的早期版本。", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", + "severity": "中等", + "text": "強制實施 Microsoft Entra ID Privileged Identity Management (PIM) 以建立零長期訪問和最低許可權。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "低", - "text": "Key Vault 目前不提供在單個操作中備份整個 Key Vault 的方法,並且必須單獨備份密鑰、機密和證書。熟悉 Key Vault 的備份和還原指南。", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", + "severity": "中等", + "text": "如果計劃從 Active Directory 域服務切換到 Entra 域服務,請評估所有工作負載的相容性。", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.aad/domainservices' | 
extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "中等", - "text": "使用金鑰進行加密時,建議使用清除保護,以防止數據丟失。清除保護是一種可選的 Key Vault 行為,預設情況下未啟用。只有在啟用軟刪除後,才能啟用清除保護。可以通過 CLI、PowerShell 或 Portal 打開它。", + "text": "使用 Microsoft Entra 域服務時,請使用副本集。副本集將提高託管域的復原能力,並允許您部署到其他區域。", + "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", "waf": "可靠性" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "graph": "resources| where type =~ 'microsoft.keyvault/vaults' | extend compliant = (properties.enableRbacAuthorization == true) | distinct id, compliant", - "guid": "d0642c1c-312b-4116-94ab-439e1c836819", - "link": "https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli", - "service": "Key Vault", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "中等", - "text": "建議使用 RBAC 來控制對 Key Vault 的訪問。熟悉 Key Vault 的訪問控制指南。", + "text": "將 Microsoft Entra ID 紀錄與平臺中心的 Azure Monitor 集成。Azure Monitor 允許 Azure 中日誌和監視數據的單一事實來源,為組織提供雲原生選項來滿足日誌收集和保留的要求。", + "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": 
"553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", - "severity": "中等", - "text": "確保使用的是應用程式閘道 v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", + "severity": "高", + "text": "實施緊急訪問或不受限帳戶,以防止租戶範圍的帳戶鎖定。默認情況下,MFA 將於 2024 年 10 月為所有用戶開啟。我們建議更新這些帳戶以使用密鑰 (FIDO2) 或為 MFA 配置基於證書的身份驗證。", + "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", "waf": "安全" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "中等", - "text": "確保將標準 SKU 用於 Azure 負載均衡器", + "text": "請勿將本地同步帳戶用於 Microsoft Entra ID 角色分配,除非你的方案特別需要它。", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", "waf": "安全" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "checklist": "Azure Landing Zone 
Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "severity": "中等", - "text": "確保您的負載均衡器前端IP位址是區域冗餘的(除非您需要可用區前端)。", + "text": "使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對應用程式的訪問許可權時,請將其作為平臺資源進行管理,因為每個租戶只能有一個實例。", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "中等", - "text": "應用程式閘道 v2 應部署在IP前綴等於或大於 /24 的子網中", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "對於需要最大靈活性的網路方案,請使用中心輻射型網路拓撲。", + 
"training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "一般來說,反向代理(尤其是 WAF)的管理更接近應用程式而不是網路,因此它們與應用程式屬於同一訂閱。如果應用程式閘道和 WAF 由一個團隊管理,則將其集中在連接訂閱中可能是可以的。", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "中等", - "text": "部署 Azure 應用程式閘道 v2 或合作夥伴 NVA,用於在登陸區虛擬網路中代理入站 HTTP(S) 連接,以及它們所保護的應用。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", + "severity": "高", + "text": "在中心虛擬網路中部署共用網路服務,包括 ExpressRoute 閘道、VPN 閘道和 Azure 防火牆或合作夥伴 NVA。如有必要,還要部署 DNS 服務。", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "waf": "成本" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "中等", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", + "severity": "高", "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP保護計畫。", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": 
"microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "中等", - "text": "配置自動縮放,最小實例數為 2。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "部署合作夥伴網路技術或 NVA 時,請遵循合作夥伴供應商的指導。", "waf": "可靠性" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "severity": "低", + "text": "如果需要在中心輻射型方案中在 ExpressRoute 和 VPN 閘道之間傳輸,請使用 Azure 路由伺服器。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "安全" + }, + { + "arm-service": 
"Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "低", + "text": "如果使用路由伺服器,請對路由伺服器子網使用 /27 前置綴。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "severity": "中等", - "text": "跨可用區部署應用程式閘道", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "對於跨 Azure 區域具有多個中心輻射型拓撲的網路體系結構,請在中心 VNet 之間使用全域虛擬網路對等互連將區域相互連接。", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "性能" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", + "severity": "中等", + "text": "使用適用於網路的 Azure Monitor 監視 Azure 上網路的端到端狀態。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "操作" + }, + { + "arm-service": 
"Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
+ "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "service": "VNet",
+ "severity": "中等",
+ "text": "如果一個區域中的分支網路超過 400 個,請部署一個額外的中心以繞過 VNet 對等互連限制 (500) 和可通過 ExpressRoute 播發的最大前綴數 (1000)。",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
 "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "Front Door",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
+ "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "service": "VNet",
 "severity": "中等",
- "text": "使用 Front Door 和應用程式閘道幫助保護 HTTP/S 應用時,請在 Front Door 中使用 WAF 策略。鎖定應用程式閘道以僅接收來自 Front Door 的流量。",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "安全"
+ "text": "將每個路由表的路由數限制為 400。",
+ "training": 
"https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
+ "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
+ "service": "VNet",
+ "severity": "高",
+ "text": "配置 VNet 對等互連時,請使用「允許流量流向遠端虛擬網路」設置。",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "waf": "可靠性"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, 
'/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
+ "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancers",
+ "severity": "高",
+ "text": "將標準負載均衡器 SKU 與區域冗餘部署配合使用,選擇標準 SKU 負載均衡器可通過可用性區域和區域復原能力增強可靠性,確保部署能夠承受區域和區域故障。與 Basic 不同,它支援全域負載平衡並提供 SLA。",
+ "waf": "可靠性"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/trafficManagerProfiles",
- "checklist": "Azure Application Delivery Networking",
- "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Traffic Manager",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand 
properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
+ "guid": "48682fb1-1e86-4458-a686-518ebd47393d",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancers",
 "severity": "高",
- "text": "使用流量管理器交付跨 HTTP/S 以外的協定的全域應用。",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "確保負載均衡器後端池至少包含兩個實例,在後端部署至少包含兩個實例的 Azure 負載均衡器可以防止單點故障並支援可伸縮性。",
 "waf": "可靠性"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
- "severity": "低",
- "text": "如果使用者只需要存取內部應用程式,是否考慮將 Microsoft Entra ID 應用程式代理作為 Azure 虛擬桌面 (AVD) 的替代方案?",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
+ "service": "ExpressRoute",
+ "severity": "中等",
+ "text": "使用 ExpressRoute Direct 時,請配置 MACsec,以便在組織路由器和 MSEE 之間的第二層加密流量。該圖顯示了這種加密流程。",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
 "waf": "安全"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
- "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "要減少網路中為傳入連接打開的防火牆埠數,請考慮使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對內部應用程式的安全且經過身份驗證的訪問。",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "text": "對於無法使用MACsec的情況(例如,不使用ExpressRoute Direct),請使用 VPN 閘道通過 ExpressRoute 專用對等互連建立 IPsec 隧道。",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "waf": "安全"
 },
 {
- "ammp": true,
- "arm-service": "Microsoft.Network/loadBalancers",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
- "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
- "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
- "service": "Load Balancer",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "ExpressRoute",
 "severity": "高",
- "text": "使用 Azure NAT 閘道而不是負載均衡器出站規則來提高 SNAT 可伸縮性",
- "waf": "可靠性"
+ "text": "確保 Azure 區域和本地位置之間沒有使用重疊的 IP 位址空間。",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "安全"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery 
Networking",
- "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
- "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
- "service": "App Gateway",
- "severity": "高",
- "text": "啟用 Azure 應用程式閘道 WAF 機器人保護規則集。機器人規則檢測好的機器人和壞的機器人。",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
+ "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
+ "severity": "中等",
+ "text": "使用私有互聯網的位址分配範圍 (RFC 1918) 中的IP位址。",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "waf": "安全"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ 
"checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
+ "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
 "severity": "高",
- "text": "確保 Azure 應用程式閘道 WAF 策略中是否啟用了請求正文檢查功能。",
- "waf": "安全"
+ "text": "確保IP位址空間不會浪費,不要創建不必要的大型虛擬網路(例如/16)。",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "性能"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
+ "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
+ "service": "VNet",
 "severity": "高",
- "text": "在檢測模式下優化工作負載的 Azure 應用程式閘道 WAF。減少誤報檢測。",
- "waf": "安全"
+ "text": "不要對生產和災難恢復網站使用重疊的IP位址範圍。",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "可靠性"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
- "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations",
- "service": "App Gateway",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone",
+ "service": "Public IP Addresses",
 "severity": "高",
- "text": "在「防護」模式下部署應用程式閘道的 WAF 策略。",
- "waf": "安全"
+ "text": "使用標準 SKU 和區域冗餘 IP(如果適用),Azure 中的公共 IP 位址可以是標準 SKU,以非區域、區域或區域冗餘的形式提供。區域冗餘IP可跨所有區域訪問,可抵禦任何單個區域故障,從而提供更高的彈性。",
+ "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal",
+ "service": "DNS",
 "severity": "中等",
- "text": "向 Azure 應用程式閘道 WAF 添加速率限制。Rate limit 會阻止客戶端在短時間內意外或故意發送大量流量。",
- "waf": "安全"
+ "text": "對於只需要在 Azure 中進行名稱解析的環境,請使用 Azure 專用 DNS 進行解析,並使用委託區域進行名稱解析(例如“azure.contoso.com”)。",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "操作"
 },
 {
- "arm-service": 
"microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
+ "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
+ "service": "DNS",
 "severity": "中等",
- "text": "對 Azure 應用程式閘道 WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎設施不堪重負的極大量請求提供保護。",
+ "text": "對於需要跨 Azure 和本地進行名稱解析且沒有 Active Directory 等現有企業 DNS 服務的環境,請使用 Azure DNS 專用解析程式將 DNS 請求路由到 Azure 或本地 DNS 伺服器。",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "99937189-ff78-492a-b9ca-18d828d82b37",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
 "severity": "低",
- "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選條件來阻止來自非預期國家/地區的流量。",
- "waf": "安全"
+ "text": "需要並部署自己的 DNS 的特殊工作負載(例如 Red Hat OpenShift)應使用其首選的 DNS 解決方案。",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00",
+ "waf": "操作"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "349a15c1-52f4-4319-9078-3895d95ecafd",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
- 
"service": "App Gateway",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "614658d3-558f-4d77-849b-821112df27ee",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
+ "service": "DNS",
+ "severity": "高",
+ "text": "為 Azure DNS 啟用自動註冊,以自動管理虛擬網路中部署的虛擬機的 DNS 記錄的生命週期。",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "操作"
+ },
+ {
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b",
+ "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures",
+ "service": "DNS",
 "severity": "中等",
- "text": "在使用 Azure 應用程式閘道 WAF 對流量進行異地篩選時,指定未知 (ZZ) 位置。避免在IP位址無法進行異地匹配時意外阻止合法請求。",
- "waf": "安全"
+ "text": "實施一個計劃,用於管理多個 Azure 區域之間的 DNS 解析以及服務故障轉移到另一個區域時",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
- "service": "App Gateway",
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "service": "Bastion",
 "severity": "中等",
- "text": "使用最新的 Azure 應用程式閘道 WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。",
+ "text": "使用 Azure Bastion 安全地連接到您的網路。",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure 
Application Delivery Networking",
- "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "App Gateway",
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
+ "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
+ "service": "Bastion",
 "severity": "中等",
- "text": "添加診斷設置以保存 Azure 應用程式閘道 WAF 紀錄。",
- "waf": "操作"
+ "text": "在子網 /26 或更大的子網中使用 Azure Bastion。",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "92664c60-47e3-4591-8b1b-8d557656e686",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
- "service": "App Gateway",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
+ "service": "WAF",
 "severity": "中等",
- "text": "將 Azure 應用程式閘道 WAF 紀錄發送到 Microsoft Sentinel。",
- "waf": "操作"
+ "text": "使用 Azure Front Door 和 WAF 策略跨 Azure 區域為到登陸區域的入站 HTTP/S 連接提供全域保護。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "安全"
 },
 {
- "arm-service": 
"microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
- "service": "App Gateway",
- "severity": "中等",
- "text": "將 Azure 應用程式閘道 WAF 設定定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。",
- "waf": "操作"
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
+ "severity": "低",
+ "text": "使用 Azure Front Door 和 Azure 應用程式閘道幫助保護 HTTP/S 應用時,請使用 Azure Front Door 中的 WAF 策略。鎖定 Azure 應用程式閘道以僅接收來自 Azure Front Door 的流量。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
- "service": "App Gateway",
- "severity": "中等",
- "text": "使用 WAF 策略而不是舊版 WAF 配置。",
- "waf": "操作"
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "WAF",
+ "severity": "高",
+ "text": "當入站 HTTP/S 連接需要 WAF 和其他反向代理時,請將它們部署在登陸區虛擬網路中,並與它們保護並公開給 Internet 的應用程式一起部署。",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
- "link": 
"https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
- "service": "App Gateway",
- "severity": "中等",
- "text": "篩選後端中的入站流量,使其僅接受來自應用程式閘道子網的連接,例如使用NSG的連接。",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
+ "severity": "高",
+ "text": "使用 Azure DDoS 網路或 IP 保護計劃來幫助保護虛擬網路中的公共 IP 位址終結點。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
- "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
+ "service": "VNet",
 "severity": "高",
- "text": "您應該對到後端伺服器的流量進行加密。",
+ "text": "規劃如何在即將到來的重大更改之前管理您的網路出站流量配置和策略。2025 年 9 月 30 日,新部署的預設出站訪問將停用,僅允許顯式訪問配置。",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
+ "service": "VNet",
+ "severity": "高",
+ "text": "添加診斷設置以保存所有受保護的公有IP位址(DDoS IP或網路保護)的 DDoS 相關日誌。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery 
Networking",
- "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
+ "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
+ "service": "Policy",
 "severity": "高",
- "text": "您應該使用 Web 應用程式防火牆。",
+ "text": "確保有一個策略分配來拒絕直接連接到虛擬機的公有IP位址。 如果特定 VM 上需要公共 IP,請使用排除項。",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
- "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
- "service": "App Gateway",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "將 HTTP 重定向到 HTTPS",
- "waf": "安全"
+ "text": "使用 ExpressRoute 作為與 Azure 的主要連接。 使用 VPN 作為備份連接的源。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
- "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
- "service": "App Gateway",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "description": "您可以使用 AS 路徑預置和連接權重來影響從 Azure 到本地的流量,並使用您自己的路由器中的所有 BGP 屬性來影響從本地到 Azure 的流量。",
+ "guid": 
"f29812b2-363c-4efe-879b-599de0d5973c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "使用閘道託管的 Cookie 將流量從使用者工作階段定向到同一伺服器進行處理",
- "waf": "操作"
+ "text": "使用多個 ExpressRoute 線路或多個本地位置時,請使用 BGP 屬性來優化路由。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
- "service": "App Gateway",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
+ "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku",
+ "service": "ExpressRoute",
+ "severity": "中等",
+ "text": "根據頻寬和性能要求為 ExpressRoute/VPN 閘道選擇正確的 SKU。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "性能"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
+ "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
+ "link": 
"https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
+ "service": "ExpressRoute",
 "severity": "高",
- "text": "在計劃內服務更新期間啟用連接耗盡,以防止後端池的現有成員失去連接",
- "waf": "安全"
+ "text": "確保僅在達到與成本相稱的頻寬時才使用無限數據 ExpressRoute 線路。",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "成本"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
- "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
- "service": "App Gateway",
- "severity": "低",
- "text": "創建自訂錯誤頁面以顯示個人化的用戶體驗",
- "waf": "操作"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
+ "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
+ "service": "ExpressRoute",
+ "severity": "高",
+ "text": "如果你的線路對等互連位置支援本地 SKU 的 Azure 區域,請利用 ExpressRoute 的本地 SKU 來降低線路的成本。",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "waf": "成本"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
- "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
- "service": "App Gateway",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ 
"checklist": "Azure Landing Zone Review",
+ "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
+ "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "編輯 HTTP 請求和回應標頭,以便更輕鬆地在用戶端和伺服器之間進行路由和資訊交換",
- "waf": "安全"
+ "text": "在支援的 Azure 區域中部署區域冗餘 ExpressRoute 閘道。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "App Gateway",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "配置 Front Door 以優化全域 Web 流量路由和頂級最終使用者性能,並通過快速全域故障轉移實現可靠性",
+ "text": "對於需要高於 10 Gbps 的頻寬或專用 10/100 Gbps 埠的方案,請使用 ExpressRoute Direct。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "性能"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "App Gateway",
+ "arm-service": 
"microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a",
+ "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "使用傳輸層負載均衡",
+ "text": "當需要低延遲,或者從本地到 Azure 的輸送量必須大於 10 Gbps 時,請啟用 FastPath 以從數據路徑繞過 ExpressRoute 閘道。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "性能"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
- "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
- "service": "App Gateway",
+ "arm-service": "microsoft.network/virtualNetworkGateways",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant",
+ "guid": "4d873974-8b66-42d6-b15f-512a65498f6d",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway",
+ "service": "VPN",
 "severity": "中等",
- "text": "為單個閘道上的多個 Web 應用程式配置基於主機名稱或功能變數名稱的路由",
- "waf": "安全"
+ "text": "使用區域冗餘 VPN 閘道將分支或遠端位置連接到 Azure(如果可用)。",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
- "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
- "service": "App Gateway",
+ "arm-service": "microsoft.network/virtualNetworkGateways",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e",
+ "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable",
+ "service": "VPN",
 "severity": "中等",
- "text": "集中 SSL 證書管理以減少後端伺服器場的加密和解密開銷",
- "waf": "安全"
+ "text": "在本地使用冗餘 VPN 設備(主動/主動或主動/被動)。",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
- "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
- "service": "App Gateway",
- "severity": "低",
- "text": "使用應用程式閘道實現對 WebSocket 和 HTTP/2 協定的本機支援",
- "waf": "安全"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "718cb437-b060-2589-8856-2e93a5c6633b",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
+ "service": "ExpressRoute",
+ "severity": "高",
+ "text": "如果使用 ExpressRoute Direct,請考慮使用連接到本地 Azure 區域的 ExpressRoute 本地線路以節省成本。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "成本"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
- "service": "Redis",
- "severity": "高",
- "text": "為 Azure Cache for Redis 啟用區域冗餘。Azure Cache for Redis 支持高級層和企業層中的區域冗餘配置。區域冗餘緩存可以將其節點放置在同一區域的不同 Azure 可用性區域中。它消除了作為單點故障的數據中心或可用區中斷,並提高了緩存的整體可用性。",
- "waf": "可靠性"
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability",
+ "service": "ExpressRoute",
+ "severity": "中等",
+ "text": "當需要流量隔離或專用頻寬時(例如用於分離生產和非生產環境),請使用不同的 
ExpressRoute 線路。它將幫助您確保隔離的路由域並減輕嘈雜的鄰居風險。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
- "service": "Redis",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b30e38c3-f298-412b-8363-cefe179b599d",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "為 Azure Cache for Redis 實例配置數據持久性。由於緩存數據存儲在記憶體中,因此多個節點的罕見和計劃外故障可能會導致所有數據被丟棄。為了避免完全丟失數據,Redis 持久性允許您定期拍攝記憶體中數據的快照,並將其存儲到存儲帳戶中。",
- "waf": "可靠性"
+ "text": "使用內置的 Express Route Insights 監控 ExpressRoute 的可用性和利用率。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "操作"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
- "service": "Redis",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2",
+ "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "使用異地冗餘存儲帳戶保留 Azure Cache for Redis 數據,或在異地冗餘不可用的情況下使用區域冗餘",
+ "text": "使用連接監視器進行跨網路的連接監控,尤其是本地和 Azure 之間的連接。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "操作"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ 
"graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
+ "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution",
+ "service": "ExpressRoute",
+ "severity": "中等",
+ "text": "使用來自不同對等互連位置的 ExpressRoute 線路以實現冗餘。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
- "service": "Redis",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "為高級 Azure Cache for Redis 實例配置被動異地複製。異地複製是一種用於連結兩個或多個 Azure Cache for Redis 實例的機制,通常跨越兩個 Azure 區域。異地複製主要用於跨區域災難恢復。兩個高級層緩存實例通過異地複製進行連接,從而提供對主緩存的讀取和寫入,並將數據複製到輔助緩存。",
+ "text": "如果僅使用單個 ExpressRoute 線路,請使用網站到網站 VPN 作為 ExpressRoute 的故障轉移。",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- 
"guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "service": "Azure Functions",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
+ "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
+ "service": "ExpressRoute",
 "severity": "高",
- "text": "根據您的業務和 SLO 要求選擇正確的功能託管計劃",
+ "text": "如果您在 GatewaySubnet 中使用路由表,請確保傳播閘道路由。",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "service": "Azure Functions",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d581a947-69a2-4783-942e-9df3664324c8",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
+ "service": "ExpressRoute",
 "severity": "高",
- "text": "利用區域適用的可用區(不適用於消耗層)",
+ "text": "如果使用 ExpressRoute,則本地路由應該是動態的:如果連接失敗,它應收斂到線路的剩餘連接。理想情況下,負載應在兩個連接之間共用,即主動/主動,但也支持主動/被動。",
+ "training": 
"https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity",
- "service": "Azure Functions",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "考慮為關鍵工作負載制定跨區域災難恢復策略",
+ "text": "確保 ExpressRoute 線路的兩個物理連結連接到網路中的兩個不同的邊緣設備。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "Azure Functions",
- "severity": "高",
- "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd",
+ "service": "ExpressRoute",
+ "severity": "中等",
+ "text": "確保在客戶或供應商邊緣路由設備上啟用和配置雙向轉發檢測 (BFD)。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
- "service": "Azure Functions",
+ "arm-service": 
"microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "service": "ExpressRoute",
 "severity": "高",
- "text": "確保為應用服務計劃上運行的所有函數應用啟用“始終開啟”",
+ "text": "將 ExpressRoute 閘道連接到來自不同對等互連位置的兩條或多條線路,以獲得更高的復原能力。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
- "service": "Azure Functions",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "將函數應用與其自己的存儲帳戶配對。盡量不要重用函數應用的存儲帳戶,除非它們緊密耦合",
- "waf": "可靠性"
+ "text": "為 ExpressRoute 虛擬網路閘道配置診斷日誌和警報。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "Azure Functions",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
+ "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
+ "service": "ExpressRoute",
 "severity": "中等",
- "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護函數應用代碼",
- "waf": "操作"
+ "text": 
"不要使用 ExpressRoute 線路進行 VNet 到 VNet 通信。",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
- "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
- "service": "AKS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "service": "N/A",
 "severity": "低",
- "text": "如果 AKS Windows 工作負載需要,可以使用 HostProcess 容器",
- "waf": "可靠性"
+ "text": "不要將 Azure 流量發送到混合位置進行檢查。 相反,請遵循“Azure 中的流量保留在 Azure 中”的原則,以便通過 Microsoft 主幹網络進行 Azure 中資源的通信。",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
- "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
- "service": "AKS",
- "severity": "低",
- "text": "如果運行事件驅動的工作負載,請使用KEDA",
- "waf": "性能"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
+ "link": "https://learn.microsoft.com/azure/firewall/overview",
+ "service": "Firewall",
+ "severity": "高",
+ "text": "使用 Azure 防火牆來管理到 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東西向流量篩選(如果組織需要)。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
- "link": "https://dapr.io/",
- "service": "AKS",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview",
+ 
"service": "Firewall",
+ "severity": "中等",
+ "text": "創建全域 Azure 防火牆策略以管理全球網路環境中的安全狀況,並將其分配給所有 Azure 防火牆實例。通過 Azure 基於角色的訪問控制將增量防火牆策略委派給本地安全團隊,從而允許精細策略以滿足特定區域的要求。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
+ "service": "Firewall",
 "severity": "低",
- "text": "使用 Dapr 簡化微服務開發",
- "waf": "操作"
+ "text": "如果組織希望使用此類解決方案來幫助保護出站連接,請在 Firewall Manager 中配置受支援的合作夥伴 SaaS 安全提供者。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
+ "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
+ "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
+ "service": "Firewall",
+ "severity": "高",
+ "text": "使用應用程式規則篩選目標主機名上的出站流量,以瞭解支持的協定。 使用基於 FQDN 的網路規則和帶有 DNS 代理的 Azure 防火牆,通過其他協議篩選到 Internet 的出口流量。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
+ "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "service": "Firewall",
+ "severity": "高",
+ "text": "使用 Azure 防火牆高級版啟用其他安全功能。",
+ "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
+ "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules",
+ "service": "Firewall",
+ "severity": "高",
+ "text": "將 Azure 防火牆威脅情報模式配置為 Alert 和 Deny 以獲得額外的保護。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
+ "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
+ "service": "Firewall",
+ "severity": "高",
+ "text": "將 Azure 防火牆 IDPS 模式配置為 Deny 以獲得額外保護。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
- "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
- "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
- "service": "AKS",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in 
('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
+ "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
+ "service": "Firewall",
 "severity": "高",
- "text": "使用 SLA 支援的 AKS 產品/服務",
- "waf": "可靠性"
+ "text": "對於 VNet 中未連接到虛擬 WAN 的子網,請附加路由表,以便將 Internet 流量重定向到 Azure 防火牆或網路虛擬設備。",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
- "severity": "低",
- "text": "在容器和部署定義中使用中斷預算",
- "waf": "可靠性"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
+ "service": "Firewall",
+ "severity": "中等",
+ "text": "添加診斷設置,以使用特定於資源的目標表保存所有 Azure 防火牆部署的日誌。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "操作"
 },
 {
- "arm-service": 
"microsoft.containerregistry/registries",
- "checklist": "Azure AKS Review",
- "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
- "service": "ACR",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
+ "service": "Firewall",
 "severity": "高",
- "text": "如果使用專用註冊表,請配置區域複製以將映像存儲在多個區域中",
- "waf": "可靠性"
+ "text": "從 Azure 防火牆經典規則(如果存在)遷移到防火牆策略。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "操作"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
- "service": "AKS",
- "severity": "低",
- "text": "使用外部應用(如 kubecost)將成本分配給不同的使用者",
- "waf": "成本"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
+ "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
+ "service": "Firewall",
+ "severity": "高",
+ "text": "對 Azure 防火牆子網使用 /26 前置綴。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
+ "waf": "安全"
 },
 {
- "arm-service": 
"microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
- "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
- "service": "AKS",
- "severity": "低",
- "text": "使用縮減模式刪除/取消分配節點",
- "waf": "成本"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
+ "service": "Firewall",
+ "severity": "中等",
+ "text": "根據規則的使用頻率,將防火牆策略中的規則排列到規則集合組和規則集合中。",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
- "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
- "service": "AKS",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
+ "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
+ "service": "Firewall",
 "severity": "中等",
- "text": "需要時,請在 AKS 群集上使用多實例分組 GPU",
- "waf": "成本"
+ "text": "使用IP組或IP前置綴來減少IP表規則的數量。",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
- "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
- "service": "AKS",
- "severity": "低",
- "text": "如果運行開發/測試群集,請使用 NodePool Start/Stop",
- "waf": "成本"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
+ "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
+ "service": "Firewall",
+ "severity": "中等",
+ "text": "請勿使用通配符作為DNAT的源IP,例如*或任何,您應該為傳入的DNAT指定源IP。",
+ "training": 
"https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
- "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
- "service": "AKS",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
+ "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway",
+ "service": "Firewall",
 "severity": "中等",
- "text": "使用適用於 Kubernetes 的 Azure Policy 確保群集符合性",
- "waf": "安全"
+ "text": "通過監控 SNAT 埠使用方式、評估 NAT 閘道設置並確保無縫故障轉移,防止 SNAT 埠耗盡。如果埠計數接近限制,則表明 SNAT 耗儘可能即將耗盡。",
+ "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
- "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
- "severity": "中等",
- "text": "使用使用者/系統節點池將應用程式與控制平面分開",
- "waf": "安全"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "346840b8-1064-496e-8396-4b1340172d52",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection",
+ "service": "Firewall",
+ "severity": "高",
+ "text": "如果使用的是 Azure 
防火牆高級版,請啟用 TLS 檢查。",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories",
+ "service": "Firewall",
 "severity": "低",
- "text": "向系統節點池添加污點以使其專用",
- "waf": "安全"
+ "text": "使用 Web 類別允許或拒絕對特定主題的出站訪問。",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
- "link": "https://learn.microsoft.com/azure/container-registry/",
- "service": "AKS",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall",
+ "service": "Firewall",
 "severity": "中等",
- "text": "對映像使用專用註冊表,例如 ACR",
- "waf": "安全"
+ "text": "作為 TLS 檢查的一部分,請規劃從 Azure 應用程式閘道接收流量進行檢查。",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure AKS Review",
- "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
- "link": "https://learn.microsoft.com/azure/security-center/container-security",
- "service": "ACR",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant",
+ "guid": 
"94f3eede-9aa3-4088-92a3-bb9a56509fad",
+ "link": "https://learn.microsoft.com/azure/firewall/dns-details",
+ "service": "Firewall",
 "severity": "中等",
- "text": "掃描映像以查找漏洞",
+ "text": "啟用 Azure 防火牆 DNS 代理配置。",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
- "service": "AKS",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da",
+ "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
+ "service": "Firewall",
 "severity": "高",
- "text": "定義應用分離要求(命名空間/節點池/集群)",
- "waf": "安全"
+ "text": "將 Azure 防火牆與 Azure Monitor 集成,並啟用診斷日誌記錄來存儲和分析防火牆日誌和指標。",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00/",
+ "waf": "操作"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
- "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
- "service": "AKS",
- "severity": "中等",
- "text": "使用 CSI 機密存儲驅動程式將機密存儲在 Azure Key Vault 中",
- "waf": "安全"
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "64e7000e-3c06-485e-b455-ced7f454cba3",
+ "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "service": "Firewall",
+ "severity": "低",
+ "text": "為防火牆規則實施備份",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/",
+ "waf": "操作"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
- "link": "https://learn.microsoft.com/azure/aks/update-credentials",
- 
"service": "AKS",
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'",
+ "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707",
+ "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell",
+ "service": "Firewall",
 "severity": "高",
- "text": "如果將服務主體用於群集,請定期刷新憑據(如每季度)",
+ "text": "跨多個可用性區域部署 Azure 防火牆。Azure 防火牆根據其部署提供不同的 SLA;在單個可用區或跨多個可用區,從而可能提高可靠性和性能。",
+ "training": "https://learn.microsoft.com/training/courses/az-104t00/",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.Network/azureFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'",
+ "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc",
+ "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview",
+ "service": "Firewall",
+ "severity": "高",
+ "text": "在 Azure 防火牆 VNet 上配置 DDoS 防護,將 DDoS 防護計劃與託管 Azure 防火牆的虛擬網路相關聯,以提供針對 DDoS 攻擊的增強緩解。Azure 防火牆管理器集成了防火牆基礎結構和 DDoS 防護計劃的創建。",
+ "waf": "可靠性"
+ },
+ {
+ 
"arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", + "severity": "高", + "text": "不要中斷注入虛擬網路的 Azure PaaS 服務的控制平面通信,例如使用 0.0.0.0/0 路由或阻止控制平面流量的 NSG 規則。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "service": "ExpressRoute", "severity": "中等", - "text": "如果需要,請添加金鑰管理服務 etcd 加密", + "text": "通過專用終結點和 ExpressRoute 專用對等互連從本地訪問 Azure PaaS 服務。此方法可避免通過公共 Internet 傳輸。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "低", - "text": "如果需要,請考慮使用適用於 AKS 的機密計算", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = 
(isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", + "severity": "高", + "text": "默認情況下,不要在所有子網上啟用虛擬網路服務終端節點。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", "severity": "中等", - "text": "考慮使用 Defender for Containers", + "text": "使用 FQDN 而不是 Azure 防火牆或 NVA 中的 IP 位址篩選到 Azure PaaS 服務的出口流量,以防止數據外洩。如果使用專用連結,則可以阻止所有 FQDN,否則僅允許所需的 PaaS 服務。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = 
subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", "severity": "高", - "text": "使用託管標識而不是服務主體", + "text": "至少為您的閘道子網使用 /27 前置綴。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", - "severity": "中等", - "text": "將身份驗證與 AAD(使用託管集成)集成", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + 
"guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", + "severity": "高", + "text": "不要依賴使用 VirtualNetwork 服務標記的 NSG 入站預設規則來限制連接。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", "severity": "中等", - "text": "限制對管理員 kubeconfig (get-credentials --admin) 的訪問", + "text": "使用 NSG 説明保護跨子網的流量,以及跨平台的東西向流量(登陸區域之間的流量)。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": 
"https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "severity": "中等", - "text": "將授權與 AAD RBAC 集成", + "text": "使用 NSG 和應用程式安全組對登陸區域內的流量進行微分段,並避免使用中央 NVA 來篩選流量。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "高", - "text": "在 Kubernetes 中使用命名空間限制 RBAC 許可權", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", + "severity": "中等", + "text": "啟用 VNet 流日誌並將其饋送到流量分析中,以深入了解內部和外部流量流。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "severity": "中等", - "text": "對於 Pod Identity Access Management,請使用 Azure AD 工作負載標識(預覽版)", - "waf": "安全" + "text": "由於規則數限制為 1000 個,因此每個 NSG 實施的 NSG 規則不要超過 900 個。", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", "severity": "中等", - "text": "對於 AKS 非互動式登錄名,請使用 kubelogin(預覽版)", - "waf": "安全" + "text": "如果您的方案在虛擬 WAN 路由設計清單中明確描述,請使用虛擬 WAN。", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": 
"https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", "severity": "中等", - "text": "禁用 AKS 本地帳戶", - "waf": "安全" + "text": "使用每個 Azure 區域的虛擬 WAN 中心,透過通用的全球 Azure 虛擬 WAN 跨 Azure 區域將多個登陸區域連接在一起。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "低", - "text": "如果需要,請配置 Just-in-time 群集訪問", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", + "severity": "中等", + "text": "對於出站 Internet 流量保護和篩選,請在安全中心部署 Azure 防火牆。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "低", - "text": "如果需要,為 AKS 配置 AAD 條件訪問", - "waf": "安全" + "arm-service": 
"microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", + "severity": "中等", + "text": "確保您的虛擬 WAN 網路架構與已確定的架構方案保持一致。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "低", - "text": "如果 Windows AKS 工作負載需要,請配置 gMSA", - "waf": "安全" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", + "severity": "中等", + "text": "使用適用於虛擬 WAN 的 Azure Monitor Insights 來監視虛擬 WAN 的端到端拓撲、狀態和關鍵指標。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", "severity": "中等", - "text": "為了獲得更精細的控制,請考慮使用託管的 
Kubelet 身份", - "waf": "安全" + "text": "不要在虛擬 WAN 中禁用分支到分支流量,除非應明確阻止這些流。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", "severity": "中等", - "text": "如果使用 AGIC,請勿跨集群共用 AppGW", + "text": "使用 AS-Path 作為中心路由首選項,因為它比 ExpressRoute 或 VPN 更靈活。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", - "severity": "高", - "text": "不要使用 AKS HTTP 路由載入項,而是將託管 NGINX 入口與應用程式路由載入項一起使用。", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", + "severity": "中等", + "text": "在虛擬 WAN 中配置基於標籤的傳播,否則虛擬中心之間的連接將受到影響。", 
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", - "severity": "中等", - "text": "對於 Windows 工作負載,請使用加速網路", - "waf": "性能" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", + "severity": "高", + "text": "為虛擬中心分配至少 /23 前置綴,以確保有足夠的IP空間可用。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "高", - "text": "使用標準 ALB(而不是基本 ALB)", - "waf": "可靠性" + "text": "戰略性地利用 Azure Policy,使用策略計劃對相關策略進行分組,為您的環境定義控制措施。", + "training": 
"https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "中等", - "text": "如果使用 Azure CNI,請考慮對 NodePool 使用不同的子網", + "text": "將法規和合規性要求映射到 Azure Policy 定義和 Azure 角色分配。", + "training": "https://learn.microsoft.com/training/modules/governance-security/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "中等", - "text": "使用專用終結點(首選)或虛擬網路服務終結點從群集訪問 PaaS 服務", + "text": "在中間根管理組建立 Azure Policy 定義,以便可以在繼承的範圍內分配這些定義。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + 
"arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "高", - "text": "選擇最適合你要求的 CNI 網路外掛程式(建議使用 Azure CNI)", - "waf": "可靠性" + "text": "如果需要,在最高適當的級別管理策略分配,並在最低級別管理排除項。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "高", - "text": "如果使用 Azure CNI,請根據每個節點的最大 Pod 數相應地調整子網的大小", - "waf": "性能" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "低", + "text": "使用 Azure Policy 控制使用者可以在訂閱/管理組級別預配哪些服務。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "高", - "text": "如果使用 Azure CNI,請檢查每個節點的最大 Pod 數(預設為 30)", - "waf": "性能" + "text": "盡可能使用內置策略,以最大程度地減少運營開銷。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "安全" 
}, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "對於內部應用,組織通常會在其防火牆中打開整個AKS子網。這也會打開對節點的網路訪問,並可能打開對 Pod 的訪問(如果使用 Azure CNI)。如果 LoadBalancer IP 位於不同的子網中,則只有此子網可供應用用戶端使用。另一個原因是,如果 AKS 子網中的 IP 位址是稀缺資源,則將其 IP 位址用於服務會降低群集的最大可伸縮性。", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "低", - "text": "如果使用專用IP LoadBalancer服務,請使用專用子網(而不是 AKS 子網)", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "description": "通過將 Resource Policy Contributor 角色分配給特定範圍,您可以將策略管理委派給相關團隊。例如,中央IT團隊可以監督管理組級別的策略,而應用程式團隊則處理其訂閱的策略,從而在遵守組織標準的情況下實現分散式治理。", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", + "severity": "中等", + "text": "在特定範圍內分配內置的 Resource Policy Contributor 角色,以啟用應用程式級監管。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "高", - "text": "相應調整服務 IP 位址範圍的大小(這將限制群集的可伸縮性)", - "waf": "可靠性" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中等", + "text": "限制在根管理組範圍內進行的 Azure Policy 分配的數量,以避免通過繼承範圍內的排除項進行管理。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "低", - "text": "如果需要,請添加您自己的 CNI 外掛程式", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", + "severity": "中等", + "text": "如果存在任何數據主權要求,則應部署 Azure 策略來強制實施這些要求。", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "低", - "text": "如果需要,請在 AKS 中配置每個節點的公共 IP", - "waf": "性能" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", + "severity": "中等", + "text": "對於 Sovereign Landing Zone,請部署主權策略基線並在正確的管理組級別進行分配。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "severity": "中等", - "text": "使用入口控制器公開基於 Web 的應用,而不是使用 LoadBalancer 類型的服務公開它們", - 
"waf": "可靠性" + "text": "對於 Sovereign Landing Zone,將 Sovereign Control 目標記錄到策略映射。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "低", - "text": "使用 Azure NAT 閘道作為 outboundType 來縮放出口流量", - "waf": "可靠性" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", + "severity": "中等", + "text": "對於 Sovereign Landing Zone,請確保已制定管理“主權控制目標到策略映射”的流程。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", + "service": "Monitor", "severity": "中等", - "text": "使用IP的動態分配來避免 Azure CNI IP 耗盡", + "text": "使用單個監視器日誌工作區集中管理平臺,除非 Azure 基於角色的訪問控制 (Azure RBAC)、數據主權要求或數據保留策略要求單獨的工作區。", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "操作" + }, + { + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", + "severity": "中等", + "text": "決定是對所有區域使用單個 Azure Monitor 
日誌工作區,還是創建多個工作區以涵蓋不同的地理區域。每種方法都有優點和缺點,包括潛在的跨區域網路費用", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "severity": "高", - "text": "如果安全要求要求,請使用 AzFW/NVA 篩選出口流量", - "waf": "安全" + "text": "如果您的日誌保留要求超過 12 年,請將日誌匯出到 Azure 存儲。將不可變存儲與一次寫入、多次讀取策略結合使用,使數據在使用者指定的時間間隔內不可擦除且不可修改。", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": 
"VM", "severity": "中等", - "text": "如果使用公共 API 終端節點,請限制可以存取它的 IP 位址", - "waf": "安全" + "text": "使用 Azure Policy 監視 OS 等級的虛擬機 (VM) 配置偏移。通過策略啟用 Azure Automanage 計算機配置審核功能可幫助應用程式團隊工作負載輕鬆立即使用功能。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", - "severity": "高", - "text": "如果要求要求,請使用私有集群", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", + "service": "VM", + "severity": "中等", + "text": "使用 Azure 更新管理員作為 Azure 中 Windows 和 Linux VM 的修補機制。", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": 
"c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "中等", - "text": "對於 Windows 2019 和 2022 AKS 節點,可以使用 Calico 網路策略", - "waf": "安全" + "text": "使用 Azure Update Manager 作為使用 Azure Arc 的 Azure 外部 Windows 和 Linux VM 的修補機制。", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "高", - "text": "啟用 Kubernetes 網路策略選項 (Calico/Azure)", - "waf": "安全" + "arm-service": "microsoft.network/networkWatchers", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", + "severity": "中等", + "text": "使用網路觀察程序主動監控流量。", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "高", - "text": "使用 Kubernetes 網路策略提高集群內安全性", - "waf": "安全" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", + "severity": "中等", + "text": "使用 Azure Monitor 紀錄獲取見解和報告。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "高", - "text": "將 WAF 用於 Web 工作負載(UI 或 API)", - "waf": "安全" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "中等", + "text": "使用 Azure Monitor 警報生成操作警報。", + "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + 
"arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "severity": "中等", - "text": "在 AKS 虛擬網路中使用 DDoS 標準", - "waf": "安全" + "text": "通過 Azure 自動化帳戶使用更改和清單跟蹤時,請確保已選擇受支持的區域,以便將 Log Analytics 工作區和自動化帳戶連結在一起。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", "severity": "低", - "text": "如果需要,請添加公司 HTTP 代理", - "waf": "安全" + "text": "使用Azure備份時,請使用正確的備份類型(GRS,ZRS和LRS)進行備份,因為預設設置是GRS。", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS 
Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "severity": "中等", - "text": "考慮使用服務網格進行高級微服務通信管理", + "text": "使用 Azure 來賓策略通過 VM 擴展自動部署軟體配置,並強制實施合規的基線 VM 配置。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", - "severity": "高", - "text": "設定有關最關鍵指標的警報(請參閱容器見解以獲取建議)", - "waf": "操作" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "description": "使用 Azure Policy 的來賓配置功能來審核和修正電腦設置(例如,操作系統、應用程式、環境),以確保資源與預期配置保持一致,並且更新管理可以對 VM 強制實施修補程式管理。", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", + "severity": "中等", + "text": "通過 Azure Policy 監視 VM 安全配置偏移。", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "低", - "text": "定期查看 Azure 顧問,瞭解有關群集的建議", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": 
"https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", + "severity": "中等", + "text": "將 Azure Site Recovery 用於 Azure 到 Azure 虛擬機的災難恢復方案。這使您能夠跨區域複製工作負載。", + "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "低", - "text": "啟用 AKS 自動證書輪換", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", + "severity": "中等", + "text": "使用 Azure 原生備份功能或與 Azure 相容的第三方備份解決方案。", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "severity": "高", - "text": "定期(例如,每季度)升級 kubernetes 版本,或使用 AKS 自動升級功能", + "text": "添加診斷設置以保存來自應用程式交付服務(如 Azure Front Door 和 Azure 應用程式閘道)的 WAF 日誌。定期查看日誌以檢查是否存在攻擊和誤報檢測。", + "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": 
"Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", - "severity": "高", - "text": "如果您不使用 node-image 升級,請使用 kured 進行 Linux 節點升級", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", + "severity": "中等", + "text": "將 WAF 日誌從應用程式交付服務(如 Azure Front Door 和 Azure 應用程式閘道)發送到 Microsoft Sentinel。檢測攻擊並將 WAF 遙測集成到整個 Azure 環境中。", + "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "高", - "text": "定期(例如,每周)升級群集節點映像的常規過程", - "waf": "操作" + "text": "使用 Azure Key Vault 儲存機密和憑據。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "低", - "text": "考慮使用 gitops 將應用程式或集群配置部署到多個集群", - "waf": "操作" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where 
type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", + "severity": "中等", + "text": "對不同的應用程式和區域使用不同的 Azure Key Vault,以避免事務規模限制並限制對機密的訪問。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "低", - "text": "請考慮在專用群集上使用 AKS 命令調用", - "waf": "操作" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "預配 Azure Key Vault 並啟用軟刪除和清除策略,以允許對已刪除的物件進行保留保護。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", - "severity": "低", - "text": "對於計劃的事件,請考慮使用 Node Auto Drain", - "waf": "操作" + "arm-service": 
"Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "通過將永久刪除密鑰、機密和證書的授權限制為專門的自定義 Microsoft Entra ID 角色,遵循最低許可權模型。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "高", - "text": "開發自己的治理實踐,以確保節點 RG(又名“基礎設施 RG”)中的操作員不會執行任何更改", - "waf": "操作" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "與公共證書頒發機構一起自動執行證書管理和續訂流程,以簡化管理。", + "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "低", - "text": "使用自定義節點 RG(又名“Infra RG”)名稱", - "waf": "操作" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "建立金鑰和證書輪換的自動化流程。", + "training": 
"https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中等", - "text": "請勿在 YAML 清單中使用已棄用的 Kubernetes API", - "waf": "操作" + "text": "在保管庫上啟用防火牆和虛擬網路服務終結點或專用終結點,以控制對密鑰保管庫的訪問。", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "低", - "text": "污染 Windows 節點", - "waf": "操作" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", + "severity": "中等", + "text": "使用平臺中心的 Azure Monitor Log Analytics 工作區來審核 Key Vault 的每個實例中的密鑰、證書和機密使用方式。", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "低", - 
"text": "使 Windows 容器修補程式級別與主機修補程式級別保持同步", - "waf": "操作" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "委託 Key Vault 實例化和特權訪問,並使用 Azure Policy 強制實施一致的合規配置。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "通過群集級別的診斷設置", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "低", - "text": "將主日誌(又名 API 紀錄)發送到 Azure Monitor 或首選日誌管理解決方案", - "waf": "操作" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "每個區域每個環境的每個應用程式使用 Azure Key Vault。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "低", - "text": "如果需要,請使用 nodePool 快照", - "waf": "成本" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中等", + "text": "如果您想使用自己的金鑰,則可能並非所有考慮的服務都支援此功能。實施相關的緩解措施,以便不一致不會妨礙預期的結果。選擇適當的區域對和災難恢復區域,以最大限度地減少延遲。", + "training": 
"https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", - "severity": "低", - "text": "考慮將現成節點池用於對時間敏感的工作負載", - "waf": "操作" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", + "severity": "中等", + "text": "對於主權登陸區域,請使用 Azure Key Vault 託管 HSM 來儲存機密和憑據。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "低", - "text": "考慮用於快速突發的 AKS 虛擬節點", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", + "severity": "中等", + "text": "使用 Microsoft Entra ID 報告功能生成訪問控制審核報告。", + "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": 
"https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "severity": "高", - "text": "使用 Container Insights(或 Prometheus 等其他工具)監控集群指標", - "waf": "操作" + "text": "為所有訂閱啟用Defender Cloud安全態勢管理。", + "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "高", - "text": "使用 Container Insights(或 Telegraf/ElasticSearch 等其他工具)存儲和分析集群日誌", - "waf": "操作" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", - "severity": "中等", - "text": "監控節點的 CPU 和記憶體利用率", - "waf": "操作" + "text": "為所有訂閱上的伺服器啟用Defender雲工作負載保護計劃。", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - 
"checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "中等", - "text": "如果使用 Azure CNI,請監視每個節點消耗的 Pod IP 的百分比", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "高", + "text": "在所有訂閱上為 Azure 資源啟用 Defender Cloud 工作負載保護計劃。", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "OS 磁碟上的 I/O 是關鍵資源。如果節點中的操作系統在 I/O 上受到限制,這可能會導致不可預知的行為,通常最終導致節點被聲明為 NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", - "severity": "中等", - "text": "監視節點中的OS磁碟佇列深度", - "waf": "操作" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", + "severity": "高", + "text": "在 IaaS 伺服器上啟用 Endpoint Protection。", + "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "waf": "安全" }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": 
"https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "中等", - "text": "如果不對 AzFW/NVA 使用出口篩選,請監視標準 ALB 分配的 SNAT 連接埠", - "waf": "操作" + "text": "通過 Azure Monitor 紀錄和 Defender for Cloud 監視基本作業系統修補偏差。", + "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "中等", - "text": "訂閱 AKS 群集的資源運行狀況通知", - "waf": "操作" + "text": "將預設資源配置連接到集中式 Azure Monitor Log Analytics 工作區。", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = 
(RCount <> 0)", + "guid": "a56888b2-7e83-4404-bd31-b886528502d1", + "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", + "service": "Entra", "severity": "高", - "text": "在 Pod 規範中配置請求和限制", - "waf": "操作" + "text": "使用關聯日誌進行集中威脅檢測 - 將安全數據整合到一個中心位置,以便通過SIEM(安全資訊和事件管理)在各種服務之間關聯數據", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "severity": "中等", - "text": "強制實施命名空間的資源配額", - "waf": "操作" + "text": "對於 Sovereign Landing Zone,請在 Entra ID 租戶上啟用透明度日誌。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", - "severity": "高", - "text": "確保訂閱具有足夠的配額來橫向擴展節點池", - "waf": "操作" + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", + "severity": "中等", + "text": "對於 Sovereign Landing Zone,請在 Entra ID 租戶上啟用客戶密碼箱。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": 
"https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "中等", - "text": "使用群集自動縮放程式", - "waf": "性能" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "高", + "text": "啟用到存儲帳戶的安全傳輸。", + "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", - "severity": "低", - "text": "自定義 AKS 節點池的節點配置", - "waf": "性能" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "severity": "高", + "text": "為存儲帳戶啟用容器軟刪除,以恢復已刪除的容器及其內容。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "中等", - "text": "需要時使用 Horizontal Pod Autoscaler", - "waf": "性能" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "高", + "text": "使用 Key Vault 機密來避免對敏感資訊進行硬編碼,例如憑據(虛擬機用戶密碼)、證書或密鑰。", + "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", + "waf": "操作" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "description": "更大的節點將帶來更高的性能和功能,例如臨時磁碟和加速網路,但它們會增加爆炸半徑並降低擴展粒度", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", "service": "AKS", - "severity": "高", - "text": "考慮適當的節點大小,不要太大或太小", - "waf": "性能" + "severity": "低", + "text": "如果 AKS Windows 工作負載需要,可以使用 HostProcess 容器", + "waf": "可靠性" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", "service": "AKS", "severity": "低", - "text": "如果可伸縮性需要超過 5000 個節點,請考慮使用其他 AKS 群集", + "text": "如果運行事件驅動的工作負載,請使用KEDA", "waf": "性能" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", "service": "AKS", "severity": "低", - "text": "考慮訂閱 EventGrid Events for AKS 自動化", - "waf": "性能" + "text": "使用 Dapr 簡化微服務開發", + "waf": "操作" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": 
"Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", "service": "AKS", - "severity": "低", - "text": "若要在 AKS 群集上長時間運行操作,請考慮事件終止", - "waf": "性能" + "severity": "高", + "text": "使用 SLA 支援的 AKS 產品/服務", + "waf": "可靠性" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", "service": "AKS", "severity": "低", - "text": "如果需要,請考慮將 Azure 專用主機用於 AKS 節點", - "waf": "性能" + "text": "在容器和部署定義中使用中斷預算", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", + "arm-service": "microsoft.containerregistry/registries", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "高", - "text": "使用臨時OS磁碟", - "waf": "性能" + "text": "如果使用專用註冊表,請配置區域複製以將映像存儲在多個區域中", + "waf": "可靠性" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure 
AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", "service": "AKS", - "severity": "高", - "text": "對於非臨時磁碟,在運行多個 Pod/節點時,請為節點使用高 IOPS 和更大的 OS 磁碟,因為它需要高性能才能運行多個 Pod,並且會生成具有預設 AKS 日誌輪換閾值的大量日誌", - "waf": "性能" + "severity": "低", + "text": "使用外部應用(如 kubecost)將成本分配給不同的使用者", + "waf": "成本" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", "service": "AKS", "severity": "低", - "text": "對於超高性能存儲選項,請在 AKS 上使用超級磁碟For hyper performance storage option use Ultra Disks on AKS", - "waf": "性能" + "text": "使用縮減模式刪除/取消分配節點", + "waf": "成本" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", "service": "AKS", "severity": "中等", - "text": "避免將狀態保留在群集中,並將數據存儲在外部(AzStorage、AzSQL、Cosmos 等)", - "waf": "性能" + "text": "需要時,請在 AKS 群集上使用多實例分組 GPU", + "waf": "成本" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", "service": "AKS", - "severity": "中等", - "text": "如果使用 
AzFiles Standard,出於性能原因,請考慮使用 AzFiles Premium 和/或 ANF", - "waf": "性能" + "severity": "低", + "text": "如果運行開發/測試群集,請使用 NodePool Start/Stop", + "waf": "成本" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", "service": "AKS", "severity": "中等", - "text": "如果使用 Azure 磁碟和可用區,請考慮在區域內為 LRS 磁碟設置節點池,並使用 VolumeBindingMode:WaitForFirstConsumer 在正確的區域中預配存儲,或將 ZRS 磁碟用於跨多個區域的節點池", - "waf": "性能" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "severity": "高", - "text": "確保在本機 Azure 的標識訂閱中部署了 ADDS 域控制器", - "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", - "severity": "中等", - "text": "確保將 ADDS 網站和服務配置為將來自基於 Azure 的資源(包括 Azure VMware 解決方案)的身份驗證請求保留到 Azure 本地", - "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "severity": "高", - "text": "確保 vCenter 已連接到 ADDS,以啟用基於「指定用戶帳戶」的身份驗證", - "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", - "severity": "中等", - "text": "確保從 
vCenter 到 ADDS 的連接使用安全協定 (LDAPS)", + "text": "使用適用於 Kubernetes 的 Azure Policy 確保群集符合性", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "中等", - "text": "vCenter IdP 中的 CloudAdmin 帳戶僅用作緊急帳戶 (break-glass)", + "text": "使用使用者/系統節點池將應用程式與控制平面分開", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", - "severity": "高", - "text": "確保 NSX-Manager 與外部身份提供程式 (LDAPS) 集成", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "低", + "text": "向系統節點池添加污點以使其專用", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "中等", - "text": "是否已創建 RBAC 模型以在 VMware vSphere 中使用", + "text": "對映像使用專用註冊表,例如 ACR", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - 
"checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "中等", - "text": "RBAC 許可權應授予 ADDS 組,而不是特定使用者", + "text": "掃描映像以查找漏洞", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "severity": "高", - "text": "Azure 中 Azure VMware 解決方案資源的 RBAC 許可權僅「鎖定」為一組有限的擁有者", + "text": "定義應用分離要求(命名空間/節點池/集群)", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", - "severity": "高", - "text": "確保所有自定義角色的範圍都具有 CloudAdmin 允許的授權", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", + "severity": "中等", + "text": "使用 CSI 機密存儲驅動程式將機密存儲在 Azure Key Vault 中", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - "severity": "高", - "text": "是否為手頭的客戶用例選擇了正確的 Azure VMware 解決方案連接模型", - "waf": "性能" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - 
"checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "高", - "text": "確保使用「連接監視器」監視從本地到 Azure 的 ExpressRoute 或 VPN 連接", - "waf": "操作" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", - "severity": "中等", - "text": "確保創建從 Azure 本機資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視 Azure VMware 解決方案後端 ExpressRoute 連接", - "waf": "操作" + "text": "如果將服務主體用於群集,請定期刷新憑據(如每季度)", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": "中等", - "text": "確保創建從本地資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視端到端連接", - "waf": "操作" + "text": "如果需要,請添加金鑰管理服務 etcd 加密", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "高", - "text": "使用路由伺服器時,請確保從路由伺服器到 ExR 閘道再到本地的路由不超過 1000 個(ARS 限制)。", - "waf": "操作" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "低", + "text": "如果需要,請考慮使用適用於 AKS 的機密計算", + "waf": "安全" }, 
{ - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - "severity": "高", - "text": "是否為在 Azure 門戶中管理 Azure VMware 解決方案資源的角色實現了 Privileged Identity Management(不允許長期許可權)", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", + "severity": "中等", + "text": "考慮使用 Defender for Containers", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "高", - "text": "應為 Azure VMware 解決方案 PIM 角色實現 Privileged Identity Management 審核報告", + "text": "使用託管標識而不是服務主體", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "severity": "中等", - "text": "如果使用 Privileged Identity Management,請確保使用有效的 SMTP 記錄創建啟用了 Entra 
ID 的有效帳戶,以便 Azure VMware 解決方案自動主機更換通知。(需要長期許可)", + "text": "將身份驗證與 AAD(使用託管集成)集成", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", - "severity": "高", - "text": "將 CloudAdmin 帳戶的使用限制為僅緊急訪問", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", + "severity": "中等", + "text": "限制對管理員 kubeconfig (get-credentials --admin) 的訪問", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "severity": "中等", - "text": "在 vCenter 中創建自定義 RBAC 角色,以在 vCenter 中實施最小特權模型", + "text": "將授權與 AAD RBAC 集成", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", - "severity": "中等", - "text": "是定義為定期輪換 cloudadmin (vCenter) 和管理員 (NSX) 憑據的過程", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", + "severity": "高", + "text": "在 Kubernetes 中使用命名空間限制 RBAC 許可權", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", - "severity": "高", - "text": 
"使用集中式識別提供者用於在 Azure VMware 解決方案上運行的工作負載 (VM)", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", + "severity": "中等", + "text": "對於 Pod Identity Access Management,請使用 Azure AD 工作負載標識(預覽版)", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "severity": "中等", - "text": "是否在 NSX-T 中實施了東西向流量篩選", + "text": "對於 AKS 非互動式登錄名,請使用 kubelogin(預覽版)", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", - "severity": "高", - "text": "Azure VMware 解決方案上的工作負載不會直接向 Internet 公開。流量由 Azure 應用程式閘道、Azure 防火牆或第三方解決方案進行篩選和檢查", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", + "severity": "中等", + "text": "禁用 AKS 本地帳戶", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", - "severity": "高", - "text": "對 Azure VMware 解決方案和基於 Azure VMware 解決方案的工作負載的入站 Internet 
請求實施審核和日誌記錄", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "低", + "text": "如果需要,請配置 Just-in-time 群集訪問", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "severity": "中等", - "text": "對來自 Azure VMware 解決方案或基於 Azure VMware 解決方案的工作負載的出站 Internet 連接實施會話監視,以識別可疑/惡意活動", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "低", + "text": "如果需要,為 AKS 配置 AAD 條件訪問", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", - "severity": "中等", - "text": "是否在 Azure 的 ExR/VPN 閘道子網上啟用了 DDoS 標準防護", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "低", + "text": "如果 Windows AKS 工作負載需要,請配置 gMSA", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": 
"https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "severity": "中等", - "text": "使用專用特權訪問工作站 (PAW) 管理 Azure VMware 解決方案、vCenter、NSX Manager 和 HCX Manager", + "text": "為了獲得更精細的控制,請考慮使用託管的 Kubelet 身份", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "severity": "中等", - "text": "為 Azure VMware 解決方案上運行的工作負載啟用高級威脅檢測(Microsoft Defender for Cloud,又名 ASC)", - "waf": "安全" + "text": "如果使用 AGIC,請勿跨集群共用 AppGW", + "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", + "severity": "高", + "text": "不要使用 AKS HTTP 路由載入項,而是將託管 NGINX 入口與應用程式路由載入項一起使用。", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "中等", - "text": "使用適用於伺服器的 Azure ARC 使用 Azure 本機技術正確管理在 
Azure VMware 解決方案上運行的工作負載(適用於 Azure VMware 解決方案的 Azure ARC 尚不可用)", - "waf": "安全" + "text": "對於 Windows 工作負載,請使用加速網路", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "低", - "text": "確保 Azure VMware 解決方案上的工作負載在運行時使用足夠的數據加密(如來賓內磁碟加密和 SQL TDE)。(vSAN 靜態加密為預設加密)", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "severity": "高", + "text": "使用標準 ALB(而不是基本 ALB)", + "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "低", - "text": "使用來賓內加密時,請盡可能將加密密鑰存儲在 Azure Key Vault 中", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", + "severity": "中等", + "text": "如果使用 Azure CNI,請考慮對 NodePool 使用不同的子網", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", "severity": "中等", - "text": "請考慮對 Azure 
VMware 解決方案上運行的工作負載使用擴展的安全更新支援(Azure VMware 解決方案符合 ESU 條件)", + "text": "使用專用終結點(首選)或虛擬網路服務終結點從群集訪問 PaaS 服務", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "高", - "text": "確保使用適當的 vSAN 資料冗餘方法(RAID 規範)", + "text": "選擇最適合你要求的 CNI 網路外掛程式(建議使用 Azure CNI)", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "高", - "text": "確保允許失敗策略已到位,以滿足您的 vSAN 儲存需求", - "waf": "可靠性" + "text": "如果使用 Azure CNI,請根據每個節點的最大 Pod 數相應地調整子網的大小", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "高", - "text": "確保已請求足夠的配額,確保已考慮增長和災難恢復要求", + "text": "如果使用 Azure CNI,請檢查每個節點的最大 Pod 數(預設為 30)", + "waf": "性能" + }, + { + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "對於內部應用,組織通常會在其防火牆中打開整個AKS子網。這也會打開對節點的網路訪問,並可能打開對 Pod 的訪問(如果使用 Azure CNI)。如果 LoadBalancer IP 位於不同的子網中,則只有此子網可供應用用戶端使用。另一個原因是,如果 AKS 子網中的 IP 位址是稀缺資源,則將其 IP 位址用於服務會降低群集的最大可伸縮性。", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "低", + "text": "如果使用專用IP LoadBalancer服務,請使用專用子網(而不是 AKS 子網)", + "waf": "安全" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高", + "text": "相應調整服務 IP 位址範圍的大小(這將限制群集的可伸縮性)", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", - "severity": "中等", - "text": "確保瞭解對 ESXi 的訪問限制,其中存在可能影響第三方解決方案的訪問限制。", - "waf": "操作" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "低", + "text": "如果需要,請添加您自己的 CNI 外掛程式", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", - "severity": "中等", - "text": "確保您制定了有關ESXi主機密度和效率的策略,並牢記請求新節點的提前期", - "waf": "操作" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "低", + "text": "如果需要,請在 AKS 中配置每個節點的公共 IP", + 
"waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "中等", - "text": "確保 Azure VMware 解決方案的良好成本管理流程已到位 - 可以使用 Azure 成本管理", - "waf": "成本" + "text": "使用入口控制器公開基於 Web 的應用,而不是使用 LoadBalancer 類型的服務公開它們", + "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", "severity": "低", - "text": "Azure 預留實例是否用於優化使用 Azure VMware 解決方案的成本", - "waf": "成本" + "text": "使用 Azure NAT 閘道作為 outboundType 來縮放出口流量", + "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", + "severity": "中等", + "text": "使用IP的動態分配來避免 Azure CNI IP 耗盡", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": 
"3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
+ "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
+ "service": "AKS",
+ "severity": "高",
+ "text": "如果安全要求要求,請使用 AzFW/NVA 篩選出口流量",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
+ "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
+ "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
+ "service": "AKS",
 "severity": "中等",
- "text": "使用其他 Azure 本機服務時,請考慮使用 Azure 專用連結",
+ "text": "如果使用公共 API 終端節點,請限制可以存取它的 IP 位址",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
+ "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
+ "link": "https://learn.microsoft.com/azure/aks/private-clusters",
+ "service": "AKS",
 "severity": "高",
- "text": "確保所有必需的資源都駐留在同一個 Azure 可用性區域中",
- "waf": "性能"
+ "text": "如果要求要求,請使用私有集群",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
+ "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
 "severity": "中等",
- "text": "為 Azure VMware 解決方案來賓 VM 工作負載啟用 Microsoft Defender for Cloud",
+ "text": "對於 Windows 2019 和 2022 AKS 節點,可以使用 Calico 網路策略",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
- "service": "AVS",
- "severity": "中等",
- "text": "使用已啟用 Azure Arc 的伺服器管理 Azure VMware 解決方案來賓 VM 工作負載",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
+ "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
+ "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
+ "service": "AKS",
+ "severity": "高",
+ "text": "啟用 Kubernetes 網路策略選項 (Calico/Azure)",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
 "severity": "高",
- "text": "在 Azure VMware 解決方案上啟用診斷和指標日誌記錄",
- "waf": "操作"
+ "text": "使用 Kubernetes 網路策略提高集群內安全性",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
- "service": "AVS",
- "severity": "中等",
- "text": "將Log Analytics代理部署到 Azure VMware 解決方案來賓 VM 工作負載",
- "waf": "操作"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
+ "severity": "高",
+ "text": "將 WAF 用於 Web 工作負載(UI 或 API)",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
+ "service": "AKS",
 "severity": "中等",
- "text": "確保已針對 Azure VMware 解決方案 VM 工作負載記錄並實施了備份策略和解決方案",
- "waf": "操作"
+ "text": "在 AKS 虛擬網路中使用 DDoS 標準",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
- "service": "AVS",
- "severity": "中等",
- "text": "使用 Microsoft Defender for Cloud 對 Azure VMware 解決方案上運行的工作負載進行合規性監視",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
+ "severity": "低",
+ "text": "如果需要,請添加公司 HTTP 代理",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
 "severity": "中等",
- "text": "是否將適用的合規性基線添加到 Microsoft Defender for Cloud",
+ "text": "考慮使用服務網格進行高級微服務通信管理",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
 "severity": "高",
- "text": "在選擇要用於 Azure VMware 解決方案部署的 Azure 區域時是否評估了數據駐留",
- "waf": "安全"
+ "text": "設定有關最關鍵指標的警報(請參閱容器見解以獲取建議)",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
- "service": "AVS",
- "severity": "高",
- "text": "數據處理影響(服務提供者/服務消費者模型)是否清晰且有據可查",
- "waf": "安全"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
+ "service": "AKS",
+ "severity": "低",
+ "text": "定期查看 Azure 顧問,瞭解有關群集的建議",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "547c1747-dc56-4068-a714-435cd19dd244",
- "service": "AVS",
- "severity": "中等",
- "text": "僅當出於合規性原因需要時,才考慮將CMK(客戶管理的密鑰)用於 vSAN。",
- "waf": "安全"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
+ "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
+ "service": "AKS",
+ "severity": "低",
+ "text": "啟用 AKS 自動證書輪換",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
+ "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
+ "service": "AKS",
 "severity": "高",
- "text": "創建儀錶板以啟用核心 Azure VMware 解決方案監視見解",
+ "text": "定期(例如,每季度)升級 kubernetes 版本,或使用 AKS 自動升級功能",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
+ "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
+ "service": "AKS",
 "severity": "高",
- "text": "針對 Azure VMware 解決方案性能(CPU >80%、平均記憶體 >80%、vSAN >70%)自動警報的關鍵閾值創建警告警報",
+ "text": "如果您不使用 node-image 升級,請使用 kured 進行 Linux 節點升級",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
+ "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
+ "service": "AKS",
 "severity": "高",
- "text": "確保創建嚴重警示以監控 vSAN 消耗量是否低於 75%,因為這是 VMware 的支援閾值",
+ "text": "定期(例如,每周)升級群集節點映像的常規過程",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
+ "service": "AKS",
+ "severity": "低",
+ "text": "考慮使用 gitops 將應用程式或集群配置部署到多個集群",
+ "waf": "操作"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
+ "link": "https://learn.microsoft.com/azure/aks/command-invoke",
+ "service": "AKS",
+ "severity": "低",
+ "text": "請考慮在專用群集上使用 AKS 命令調用",
+ "waf": "操作"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
+ "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
+ "service": "AKS",
+ "severity": "低",
+ "text": "對於計劃的事件,請考慮使用 Node Auto Drain",
+ "waf": "操作"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
+ "link": "https://learn.microsoft.com/azure/aks/faq",
+ "service": "AKS",
 "severity": "高",
- "text": "確保為 Azure 服務運行狀況警報和通知配置警報",
+ "text": "開發自己的治理實踐,以確保節點 RG(又名“基礎設施 RG”)中的操作員不會執行任何更改",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
+ "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
+ "severity": "低",
+ "text": "使用自定義節點 RG(又名“Infra RG”)名稱",
+ "waf": "操作"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
+ "link": "https://kubernetes.io/docs/setup/release/notes/",
+ "service": "AKS",
 "severity": "中等",
- "text": "將 Azure VMware 解決方案記錄設定為發送到 Azure 儲存帳戶或 Azure EventHub 進行處理",
+ "text": "請勿在 YAML 清單中使用已棄用的 Kubernetes API",
+ "waf": "操作"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
+ "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
+ "service": "AKS",
+ "severity": "低",
+ "text": "污染 Windows 節點",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
+ "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
+ "service": "AKS",
 "severity": "低",
- "text": "如果需要深入瞭解 VMware vSphere:解決方案中是否使用了 vRealize Operations 和/或 vRealize Network Insights?",
+ "text": "使 Windows 容器修補程式級別與主機修補程式級別保持同步",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
- "service": "AVS",
- "severity": "高",
- "text": "確保虛擬機的 vSAN 儲存策略不是預設存儲策略,因為此策略應用厚置備",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "通過群集級別的診斷設置",
+ "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
+ "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
+ "service": "AKS",
+ "severity": "低",
+ "text": "將主日誌(又名 API 紀錄)發送到 Azure Monitor 或首選日誌管理解決方案",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
- "service": "AVS",
- "severity": "中等",
- "text": "確保未將 vSphere 內容庫放置在 vSAN 上,因為 vSAN 是有限的資源",
- "waf": "操作"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
+ "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
+ "service": "AKS",
+ "severity": "低",
+ "text": "如果需要,請使用 nodePool 快照",
+ "waf": "成本"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
- "service": "AVS",
- "severity": "中等",
- "text": "確保備份解決方案的數據存儲庫存儲在 vSAN 儲存之外。在 Azure 本機或磁碟池支持的數據存儲中",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
+ "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
+ "service": "AKS",
+ "severity": "低",
+ "text": "考慮將現成節點池用於對時間敏感的工作負載",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
- "service": "AVS",
- "severity": "中等",
- "text": "確保使用 Azure Arc for Servers 進行混合管理,確保在 Azure VMware 解決方案上運行的工作負載(Arc for Azure VMware 解決方案處於預覽狀態)",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
+ "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
+ "severity": "低",
+ "text": "考慮用於快速突發的 AKS 虛擬節點",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
- "service": "AVS",
- "severity": "中等",
- "text": "確保使用 Azure Log Analytics 和 Azure Monitor 監視在 Azure VMware 解決方案上運行的工作負載",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
+ "severity": "高",
+ "text": "使用 Container Insights(或 Prometheus 等其他工具)監控集群指標",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
- "service": "AVS",
- "severity": "中等",
- "text": "在現有更新管理工具或 Azure 更新管理中包括在 Azure VMware 解決方案上運行的工作負載",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
+ "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
+ "severity": "高",
+ "text": "使用 Container Insights(或 Telegraf/ElasticSearch 等其他工具)存儲和分析集群日誌",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
+ "service": "AKS",
 "severity": "中等",
- "text": "使用 Azure Policy 在 Azure 管理、監視和安全解決方案中加入 Azure VMware 解決方案工作負載",
+ "text": "監控節點的 CPU 和記憶體利用率",
 "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "severity": "中等",
- "text": "確保在 Azure VMware 解決方案上運行的工作負載已載入 Microsoft Defender for Cloud",
- "waf": "安全"
+ "text": "如果使用 Azure CNI,請監視每個節點消耗的 Pod IP 的百分比",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "OS 磁碟上的 I/O 是關鍵資源。如果節點中的操作系統在 I/O 上受到限制,這可能會導致不可預知的行為,通常最終導致節點被聲明為 NotReady",
+ "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
+ "service": "AKS",
 "severity": "中等",
- "text": "確保備份不存儲在 vSAN 上,因為 vSAN 是有限的資源",
- "waf": "可靠性"
+ "text": "監視節點中的OS磁碟佇列深度",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
 "severity": "中等",
- "text": "是否考慮了所有災難恢復解決方案,並決定了最適合您業務的解決方案?[SRM/JetStream/Zerto/Veeam/...]",
- "waf": "可靠性"
+ "text": "如果不對 AzFW/NVA 使用出口篩選,請監視標準 ALB 分配的 SNAT 連接埠",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
+ "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
+ "service": "AKS",
 "severity": "中等",
- "text": "當災難恢復技術是本機 Azure IaaS 時,請使用 Azure Site Recovery",
- "waf": "可靠性"
+ "text": "訂閱 AKS 群集的資源運行狀況通知",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "severity": "高",
- "text": "將自動恢復計劃與任一災難解決方案結合使用,盡可能避免手動任務",
- "waf": "可靠性"
+ "text": "在 Pod 規範中配置請求和限制",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "8255461e-2aee-4345-9aec-8339248b262d",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "769ef669-1a48-435a-a942-223ece80b123",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "severity": "中等",
- "text": "使用地緣政治區域對作為輔助災難恢復環境",
- "waf": "可靠性"
+ "text": "強制實施命名空間的資源配額",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "AKS",
 "severity": "高",
- "text": "在區域之間使用 2 個不同的地址空間,例如:10.0.0.0/16 和 192.168.0.0/16 用於不同的區域",
- "waf": "可靠性"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
- "service": "AVS",
- "severity": "中等",
- "text": "ExpressRoute Global Reach 是用於主 Azure VMware 解決方案私有雲和輔助 Azure VMware 解決方案私有雲之間的連接,還是通過網路虛擬設備完成路由?",
- "waf": "可靠性"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
- "service": "AVS",
- "severity": "中等",
- "text": "是否考慮了所有備份解決方案,並決定了最適合您業務的解決方案?[ MABS/CommVault/Metallic.io/Veeam/ .",
- "waf": "可靠性"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
- "service": "AVS",
- "severity": "中等",
- "text": "將備份解決方案部署在與 Azure VMware 解決方案私有雲相同的區域中",
- "waf": "可靠性"
+ "text": "確保訂閱具有足夠的配額來橫向擴展節點池",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
+ "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
 "severity": "中等",
- "text": "在 vSan 外部的 Azure 本機組件上部署備份解決方案",
- "waf": "可靠性"
+ "text": "使用群集自動縮放程式",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
+ "guid": "831c2872-c693-4b39-a887-a561bada49bc",
+ "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
+ "service": "AKS",
 "severity": "低",
- "text": "是否已制定請求還原由 Azure 平臺管理的 VMware 元件的流程?",
- "waf": "可靠性"
+ "text": "自定義 AKS 節點池的節點配置",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
- "service": "AVS",
- "severity": "低",
- "text": "對於手動部署,必須記錄所有配置和部署",
- "waf": "操作"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "需要時使用 Horizontal Pod Autoscaler",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
- "service": "AVS",
- "severity": "低",
- "text": "對於手動部署,請考慮實施資源鎖,以防止對 Azure VMware 解決方案私有雲執行意外操作",
- "waf": "操作"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "更大的節點將帶來更高的性能和功能,例如臨時磁碟和加速網路,但它們會增加爆炸半徑並降低擴展粒度",
+ "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
+ "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
+ "service": "AKS",
+ "severity": "高",
+ "text": "考慮適當的節點大小,不要太大或太小",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
+ "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
+ "service": "AKS",
 "severity": "低",
- "text": "對於自動化部署,請部署最小的私有雲並根據需要進行擴展",
- "waf": "操作"
+ "text": "如果可伸縮性需要超過 5000 個節點,請考慮使用其他 AKS 群集",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb",
+ "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
+ "service": "AKS",
 "severity": "低",
- "text": "對於自動部署,請在開始部署之前請求或預留配額",
- "waf": "操作"
+ "text": "考慮訂閱 EventGrid Events for AKS 自動化",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d",
+ "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations",
+ "service": "AKS",
 "severity": "低",
- "text": "對於自動部署,請確保通過自動化或 Azure Policy 創建相關資源鎖,以便進行適當的治理",
- "waf": "操作"
+ "text": "若要在 AKS 群集上長時間運行操作,請考慮事件終止",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
+ "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
+ "service": "AKS",
 "severity": "低",
- "text": "為 ExR 授權金鑰實現人類可理解的名稱,以便輕鬆識別密鑰的目的/用途",
- "waf": "操作"
+ "text": "如果需要,請考慮將 Azure 專用主機用於 AKS 節點",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "255461e2-aee3-4553-afc8-339248b262d6",
- "service": "AVS",
- "severity": "低",
- "text": "當使用單獨的服務原則部署 Azure VMware 解決方案和 ExpressRoute 時,請使用 Key Vault 儲存機密和授權密鑰",
- "waf": "操作"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
+ "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
+ "severity": "高",
+ "text": "使用臨時OS磁碟",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
- "service": "AVS",
- "severity": "低",
- "text": "當需要在 Azure VMware 解決方案中/上部署許多資源時,定義用於在 IaC 中序列化操作的資源依賴項,因為 Azure VMware 解決方案僅支援有限數量的並行操作。",
- "waf": "操作"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
+ "service": "AKS",
+ "severity": "高",
+ "text": "對於非臨時磁碟,在運行多個 Pod/節點時,請為節點使用高 IOPS 和更大的 OS 磁碟,因為它需要高性能才能運行多個 Pod,並且會生成具有預設 AKS 日誌輪換閾值的大量日誌",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db",
+ "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
+ "service": "AKS",
 "severity": "低",
- "text": "使用單個 Tier-1 閘道執行 NSX-T 分段的自動配置時,請使用 Azure 門戶 API 而不是 NSX-Manager API",
- "waf": "操作"
+ "text": "對於超高性能存儲選項,請在 AKS 上使用超級磁碟For hyper performance storage option use Ultra Disks on AKS",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
+ "service": "AKS",
 "severity": "中等",
- "text": "打算使用自動橫向擴展時,請務必為運行 Azure VMware 解決方案的訂閱申請足夠的 Azure VMware 解決方案配額",
+ "text": "避免將狀態保留在群集中,並將數據存儲在外部(AzStorage、AzSQL、Cosmos 等)",
 "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
+ "service": "AKS",
 "severity": "中等",
- "text": "打算使用自動縮減時,請務必在執行此操作之前考慮存儲策略要求",
+ "text": "如果使用 AzFiles Standard,出於性能原因,請考慮使用 AzFiles Premium 和/或 ANF",
 "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
- "service": "AVS",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
+ "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
+ "service": "AKS",
 "severity": "中等",
- "text": "擴展操作始終需要在單個 SDDC 中序列化,因為一次只能執行一個擴展操作(即使使用多個集群也是如此)",
+ "text": "如果使用 Azure 磁碟和可用區,請考慮在區域內為 LRS 磁碟設置節點池,並使用 VolumeBindingMode:WaitForFirstConsumer 在正確的區域中預配存儲,或將 ZRS 磁碟用於跨多個區域的節點池",
 "waf": "性能"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
- "service": "AVS",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx",
+ "service": "Azure Data Factory",
 "severity": "中等",
- "text": "考慮並驗證體系結構中使用的第三方解決方案的縮放操作(支援與否)",
- "waf": "性能"
+ "text": "利用 Azure 數據工廠的 FTA 復原能力手冊",
+ "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
- "service": "AVS",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "e503547c-d447-4e82-9138-a7200f1cac6d",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
+ "severity": "高",
+ "text": "在支援可用區的區域中使用區域冗餘管道",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511",
+ "link": "https://learn.microsoft.com/azure/data-factory/source-control",
+ "service": "Azure Data Factory",
 "severity": "中等",
- "text": "在自動化中為環境定義和強制實施橫向擴展/橫向擴展最大限制",
- "waf": "性能"
+ "text": "使用 DevOps 透過 Github/Azure DevOps 集成備份 ARM 範本",
+ "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
- "service": "AVS",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
 "severity": "中等",
- "text": "實施監控規則以監控自動擴展操作,並監控成功和失敗,以啟用適當的(自動化)回應",
- "waf": "操作"
+ "text": "請確保在另一個區域中複製自承載集成運行時 VM",
+ "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "AVS",
- "severity": "高",
- "text": "使用 MON 時,請注意同時配置的 VM 的限制(HCX 的 MON 限制 [400 - 標準,1000 - 大型設備])",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
+ "service": "Azure Data Factory",
+ "severity": "中等",
+ "text": "請確保在姊妹區域中複製或複製您的網路。必須在另一個區域創建 Vnet 的副本",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "AVS",
- "severity": "高",
- "text": "使用 MON 時,不能在超過 100 個網路分機上啟用 MON",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "arm-service": "Microsoft.DataFactory/datafactories",
+ "checklist": "Azure Data Factory Review Checklist",
+ "description": "如果ADF管道使用Key Vault,則無需執行任何操作即可複製Key Vault。Key Vault 是一項託管服務,Microsoft 會為你處理它",
+ "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "Azure Data Factory",
+ "severity": "低",
+ "text": "如果使用 Keyvault 集成,請使用 Keyvault 的 SLA 來瞭解可用性",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf",
- "service": "AVS",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure 事件中心提供靜態數據加密。如果使用自己的金鑰,則仍使用 Microsoft 管理的金鑰對數據進行加密,但此外,Microsoft 管理的金鑰將使用客戶管理的密鑰進行加密。",
+ "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6",
+ "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key",
+ "service": "Event Hubs",
+ "severity": "低",
+ "text": "需要時,在靜態數據加密中使用客戶管理的金鑰選項",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure 事件中心命名空間允許用戶端使用 TLS 1.0 及更高版本發送和接收數據。若要強制實施更嚴格的安全措施,可以將事件中心命名空間配置為要求用戶端使用較新版本的 TLS 發送和接收數據。如果事件中心命名空間需要最低版本的 TLS,則使用舊版本發出的任何請求都將失敗。",
+ "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e",
+ "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version",
+ "service": "Event Hubs",
+ "severity": "中等",
+ "text": "對請求強制實施傳輸層安全性 (TLS) 的最低要求版本",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "創建事件中心命名空間時,會自動為命名空間創建名為 RootManageSharedAccessKey 的策略規則。此策略具有整個命名空間的管理許可權。建議您將此規則視為管理根帳戶,不要在應用程式中使用它。建議將 AAD 用作 RBAC 的身份驗證提供程式。",
+ "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies",
+ "service": "Event Hubs",
 "severity": "中等",
- "text": "如果使用 VPN 連接進行遷移,請相應地調整 MTU 大小。",
- "waf": "性能"
+ "text": "避免在不必要的情況下使用root帳戶",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e614658d-d457-4e92-9139-b821102cad6e",
- "service": "AVS",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "Azure Event Hub Review",
+ "description": "Azure 資源的託管標識可以使用 Azure AD 憑據從 Azure 虛擬機 (VM)、函數應用、虛擬機規模集和其他服務中運行的應用程式授權訪問事件中心資源。通過將 Azure 資源的託管標識與 Azure AD 身份驗證結合使用,可以避免將憑據存儲在雲中運行的應用程式中。",
+ "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776",
+ "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest",
+ "service": "Event Hubs",
 "severity": "中等",
- "text": "對於連接到 Azure(500Mbps 或更低)的低連接區域,請考慮部署 HCX WAN 優化設備",
- "waf": "性能"
+ "text": "如果可能,應用程式應使用託管標識向 
Azure 事件中心進行身份驗證。如果沒有,請考慮在 Azure Key Vault 或等效服務中擁有存儲憑據(SAS、服務主體憑據)", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "創建許可權時,請對用戶端對 Azure 事件中心的訪問提供精細控制。Azure 事件中心中的許可權可以而且應該限定為單個資源級別,例如消費者組、事件中心實體、事件中心命名空間等。", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", + "severity": "高", + "text": "使用最低特權數據平面 RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "安全" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure 事件中心資源日誌包括操作日誌、虛擬網路和 Kafka 日誌。運行時審核日誌捕獲事件中心中所有數據平面訪問操作(例如發送或接收事件)的聚合診斷資訊。", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "severity": "中等", - "text": "確保從本地裝置啟動遷移,而不是從雲端裝置啟動遷移(不要執行反向遷移)", - "waf": "可靠性" + "text": "啟用記錄以進行安全調查。使用 Azure Monitor 捕獲指標和日誌,例如資源日誌、運行時審核日誌和 Kafka 紀錄", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "默認情況下,Azure 
事件中心具有公共IP位址,並且可通過Internet訪問。專用終結點允許虛擬網路和 Azure 事件中心之間的流量遍歷 Microsoft 主幹網路。除此之外,如果未使用公共終結點,則應禁用這些終結點。", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "severity": "中等", - "text": "使用 Azure Netapp Files 擴展 Azure VMware 解決方案的儲存時,請考慮將其用作 VMware 資料儲存庫,而不是直接附加到 VM 。", - "waf": "可靠性" + "text": "請考慮使用專用終結點訪問 Azure 事件中心,並在適用時禁用公用網路訪問。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "使用IP防火牆,可以將公共終結點進一步限製為僅一組IPv4位址或 CIDR(無類別域間路由)表示法的IPv4位址範圍。", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "severity": "中等", - "text": "確保將專用 ExpressRoute 閘道用於外部資料儲存解決方案", - "waf": "可靠性" + "text": "請考慮僅允許從特定IP位址或範圍訪問 Azure 事件中心命名空間", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", 
"severity": "中等", - "text": "確保在用於外部數據存儲解決方案的 ExpressRoute 閘道上啟用了 FastPath", + "text": "利用 FTA 彈性手冊", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "對於從門戶創建的新 EH 命名空間,在啟用區域的區域中具有高級、專用或標準 SKU,將自動啟用此功能。EH 元數據和事件數據本身都是跨區域複製的", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "severity": "高", - "text": "如果使用延伸群集,請確保供應商支援所選的災難恢復解決方案", + "text": "利用可用區(如果區域適用)", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", - "severity": "高", - "text": "如果使用延伸群集,請確保提供的 SLA 符合您的要求", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", + "severity": "中等", + "text": "使用高級或專用 SKU 實現可預測的性能", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": 
"啟用內置異地災難恢復功能后,可確保命名空間的整個配置(事件中心、消費者組和設置)從主命名空間持續複製到輔助命名空間,並允許隨時從主命名空間向輔助命名空間進行一次故障轉移。主動/被動功能旨在更輕鬆地從失敗的 Azure 區域中恢復和放棄,而無需更改應用程式配置", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "severity": "高", - "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都連接到連接中心。", + "text": "使用主動被動配置規劃異地災難恢復", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", - "severity": "高", - "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都啟用了 GlobalReach。", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "應用於無法容忍關閉區域中事件數據中斷或丟失的DR配置。對於這些情況,請遵循複製指南,不要使用內置的異地災難恢復功能(主動/被動)。使用「主動/主動」時,在不同區域和命名空間中維護多個事件中心,事件將在中心之間複製", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", + "severity": "中等", + "text": "對於業務關鍵型應用程式,請使用 Active Active 配置", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "高", - "text": "是否正確考慮了網站容災設置,並在需要時為您的業務進行了更改。", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", + "severity": "中等", + "text": "設計可復原的事件中心", "waf": "可靠性" }, { 
@@ -3237,6750 +3970,6605 @@ "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", - "severity": "高", - "text": "遵循 Metaprompting 護欄,實現 realible AI", - "waf": "卓越運營" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", + "severity": "中等", + "text": "如果將客戶管理的 TLS 證書與 Azure Front Door 一起使用,請使用“最新”證書版本。降低手動證書續訂導致中斷的風險。", + "waf": "操作" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend 
cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", + "severity": "中等", + "text": "將 Azure Front Door 與 WAF 策略結合使用,以交付和幫助保護跨多個 Azure 區域的全球 HTTP/S 應用程式。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", + "service": "Front Door", + "severity": "中等", + "text": "使用 Front Door 和應用程式閘道幫助保護 HTTP/S 應用時,請在 Front Door 中使用 WAF 策略。鎖定應用程式閘道以僅接收來自 Front Door 的流量。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 
'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", "severity": "高", - "text": "考慮使用APIM或 AI central 等解決方案的閘道模式,以實現更好的速率限制、負載均衡、身份驗證和日誌記錄", - "waf": "卓越運營" + "text": "在「防護」模式下部署 Front Door 的 WAF 策略,以便 Web 應用程式防火牆採取適當的措施來允許或拒絕流量。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", "severity": "高", - "text": "為您的 AOAI 實例啟用監控", - "waf": "卓越運營" + "text": "避免將 Traffic Manager 放在 Front Door 後面。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - 
"checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", "severity": "高", - "text": "建立警報以通知團隊有關事件的通知,例如由對資源執行的操作(例如重新生成其訂閱金閜)創建的活動日誌中的條目或指標閾值(例如一小時內超過 10 的錯誤數)", - "waf": "卓越運營" + "text": "在 Azure Front Door 和源上使用相同的功能變數名稱。不匹配的主機名可能會導致細微的錯誤。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "severity": "高", - "text": "監控令牌使用方式,防止由於容量導致服務中斷", - "waf": "卓越運營" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by 
originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "低", + "text": "當 Azure Front Door 源組中只有一個源時,禁用運行狀況探測。", + "waf": "性能" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", "severity": "中等", - "text": "觀察已處理的推理令牌、生成的完成令牌等指標,監視速率限制", - "waf": "卓越運營" + "text": "為 Azure Front Door 選擇良好的運行狀況探測終結點。考慮構建運行狀況終端節點來檢查應用程式的所有依賴項。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": 
"a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", "severity": "低", - "text": "如果診斷對你來說還不夠,請考慮在 Azure OpenAI 前面使用閘道(例如 Azure API 管理)來記錄傳入提示和傳出回應(如果允許)", - "waf": "卓越運營" + "text": "將 HEAD 運行狀況探測與 Azure Front Door 配合使用,以減少 Front Door 發送到應用程式的流量。", + "waf": "性能" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", "severity": "高", - "text": "使用基礎結構即代碼部署 Azure OpenAI 服務、模型部署和所有相關資源", - "waf": "卓越運營" + "text": "將託管 TLS 證書與 Azure Front Door 配合使用。降低運營成本和因證書續訂而導致的中斷風險。", + "waf": "操作" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "高", - "text": "將 Microsoft Entra 身份驗證與託管標識(而不是 API 金鑰)配合使用", - "waf": "安全" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "中等", + "text": "將 Azure Front Door WAF 配置定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。", + "waf": "操作" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", "severity": "高", - "text": "使用已知的黃金數據集評估系統的性能/準確性,該數據集具有輸入和正確答案。利用 PromptFlow 中的功能進行評估。", - "waf": "卓越運營" + "text": "將端到端 TLS 與 Azure Front Door 配合使用。將 TLS 用於從用戶端到 Front Door 以及從 Front Door 到源的連接。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", - "severity": "高", - "text": "評估預配輸送量模型的使用方式", - "waf": "性能" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure 
Application Delivery Networking", + "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", + "severity": "中等", + "text": "將 HTTP 到 HTTPS 重定向與 Azure Front Door 配合使用。通過自動將較舊的用戶端重定向到 HTTPS 請求來支援這些用戶端。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", "severity": "高", - "text": "查看和實施 Azure AI 內容安全性", - "waf": "卓越運營" + "text": "啟用 Azure Front Door WAF。保護您的應用程式免受各種攻擊。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", "severity": 
"高", - "text": "根據令牌數和每分鐘的回應來定義和評估系統的輸送量,並符合要求", - "waf": "性能" + "text": "通過在檢測模式下配置 WAF 來減少和修復誤報檢測,從而針對工作負載優化 Azure Front Door WAF。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", - "severity": "中等", - "text": "通過限制令牌大小、流式處理選項來改善系統的延遲", - "waf": "性能" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "高", + "text": "在 Azure Front Door WAF 策略中啟用請求正文檢查功能。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", - "severity": "中等", - "text": "估計彈性需求,以根據優先順序確定同步和批量請求分離。對於高優先順序,使用同步方法,對於低優先順序,首選使用佇列的異步批處理", - "waf": "性能" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", + "severity": "高", + "text": "啟用 Azure Front Door WAF 預設規則集。默認規則集檢測和阻止常見攻擊。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": 
"Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", "severity": "高", - "text": "根據消費者的估計需求對代幣消費要求進行基準測試。如果使用的是預設輸送量單元部署,請考慮使用 Azure OpenAI 基準測試工具來幫助驗證輸送量", - "waf": "性能" + "text": "啟用 Azure Front Door WAF 機器人保護規則集。機器人規則檢測好的機器人和壞的機器人。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "severity": "中等", - "text": "如果您使用的是預設輸送量單位 (PTU),請考慮為溢出請求部署每分鐘令牌 (TPM) 部署。當達到 PTU 限制時,使用閘道將請求路由到 TPM 部署。", - "waf": "性能" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", - "severity": "高", - "text": "為正確的任務選擇正確的模型。選擇在速度、回應質量和輸出複雜性之間做出正確權衡的模型", - "waf": "性能" + "text": "使用最新的 Azure Front Door WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + 
"guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "severity": "中等", - "text": "有一個性能基線,而不進行微調,以瞭解微調是否提高了模型性能", - "waf": "性能" + "text": "向 Azure Front Door WAF 添加速率限制。Rate limit 會阻止客戶端在短時間內意外或故意發送大量流量。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "低", - "text": "跨區域部署多個 OAI 實例", - "waf": "可靠性" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", + "severity": "中等", + "text": "對 Azure Front Door WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎設施不堪重負的極大量請求提供保護。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "高", - "text": "使用閘道模式(如 APIM)實現重試和運行狀況檢查", - "waf": "可靠性" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", + "severity": "低", + "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選條件來阻止來自非預期國家/地區的流量。", + "waf": "安全" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "severity": "中等", - "text": "確保為工作負載提供足夠的 TPM 和 RPM 配額", - "waf": "可靠性" + "text": "在使用 Azure Front Door WAF 對流量進行異地篩選時,指定未知 (ZZ) 位置。避免在IP位址無法進行異地匹配時意外阻止合法請求。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "severity": "中等", - "text": "查看 HAI 工具包指南中的注意事項,並將這些交互實踐應用於 slution", - "waf": "卓越運營" + "text": "通過打開 Diagnostic Settings (診斷設置) 來捕獲日誌和指標。包括資源活動日誌、訪問日誌、運行狀況探測日誌和 WAF 日誌。設置警報。", + "waf": "操作" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": 
"845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", "severity": "中等", - "text": "如果採用微調,則跨區域部署單獨的微調模型", - "waf": "可靠性" + "text": "將 Azure Front Door WAF 日誌發送到 Microsoft Sentinel。", + "waf": "操作" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", + "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", + "service": "Front Door", "severity": "中等", - "text": "定期備份和複製關鍵數據,以確保數據丟失或系統故障時的數據可用性和可恢復性。利用 Azure 的備份和災難恢復服務來保護數據。", + "text": "選擇支援您的部署策略的路由方法。加權方法根據配置的權重係數分配流量,支持主動-主動模型。一個基於優先順序的值,將主區域配置為接收所有流量並將流量作為備份發送到輔助區域,支援主動-被動模型。將上述方法與延遲相結合,以便延遲最低的源接收流量。", "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize 
origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant",
+ "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door",
+ "service": "Front Door",
 "severity": "高",
- "text": "應選擇 Azure AI 搜索服務層級以具有 SLA",
+ "text": "通過在一個或多個後端池中擁有多個源來支援冗餘。始終具有應用程式的冗餘實例,並確保每個實例都公開一個終端節點或源。可以將這些源放置在一個或多個後端池中。",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
- "link": "https://learn.microsoft.com/purview/purview",
- "service": "Azure OpenAI",
- "severity": "低",
- "text": "對數據和敏感度進行分類,在生成嵌入之前使用 Microsoft Purview 進行標記,並確保以相同的敏感度和分類處理生成的嵌入",
- "waf": "安全"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "999852be-2137-4179-8fc3-30d1df6fed1d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps",
+ "service": "Front Door",
+ "severity": "中等",
+ "text": "設置將請求轉發到後端的超時。根據終端節點的需要調整超時設置。否則,Azure Front Door 可能會在源發送回應之前關閉連接。如果所有源的超時時間較短,還可以降低 Azure Front Door 的預設超時。",
+ "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
- "service": "Azure OpenAI",
- "severity": "高",
- "text": "使用 SSE/磁碟加密和可選的 BYOK 加密來加密用於 RAG 的數據",
- "waf": "安全"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6",
+ "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity",
+ "service": "Front Door",
+ "severity": "中等",
+ 
"text": "確定您的應用程式是否需要會話關聯。如果您對可靠性要求較高,建議您關閉會話關聯。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", - "severity": "高", - "text": "確保對跨數據源傳輸的數據實施 TLS,用於檢索增強生成 (RAG) 和 LLM 通信的 AI 搜索", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7", + "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header", + "service": "Front Door", + "severity": "中等", + "text": "將主機標頭髮送到後端。後端服務應該知道主機名,以便它們可以創建規則以僅接受來自該主機的流量。", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "高", - "text": "使用 RBAC 管理對 Azure OpenAI 服務的訪問。為使用者分配適當的許可權,並根據其角色和職責限制訪問許可權", - "waf": "安全" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", + "service": "Front Door", + "severity": "中等", + "text": "對支援快取的終端節點使用緩存。", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = 
substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant",
+ "guid": "34069d73-e4de-46c5-a36f-625f87575a56",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "Front Door",
+ "severity": "低",
+ "text": "在單個後端池中禁用運行狀況檢查。如果在 Azure Front Door 源組中只配置了一個源,則這些調用是不必要的。僅當終端節點中不能有多個源時,才建議這樣做。",
+ "waf": "成本"
+ },
+ {
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "c92d6786-cdd1-444d-9cad-934a192a276a",
+ "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports",
+ "service": "Front Door",
 "severity": "中等",
- "text": "實施數據加密、遮罩或編輯技術,以在非生產環境中或出於測試或故障排除目的共用數據時隱藏敏感數據或將其替換為混淆值",
- "waf": "安全"
+ "text": "我們建議使用高級層來利用安全報告,而標準 Azure Front Door 配置檔僅在內置分析/報告下提供流量報告。",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
- "service": "Azure OpenAI",
- "severity": "高",
- "text": "利用 Azure Defender 來檢測和回應安全威脅,並設置監視和警報機制來識別可疑活動或違規行為。利用 Azure Sentinel 進行高級威脅檢測和回應",
- "waf": "安全"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ 
"guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain", + "service": "Front Door", + "severity": "中等", + "text": "盡可能使用通配符 TLS 證書。", + "waf": "操作" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", + "service": "Front Door", "severity": "中等", - "text": "制定數據保留和處置策略,以遵守合規性法規。對不再需要的數據實施安全刪除方法,並維護數據保留和處置活動的審計跟蹤", - "waf": "安全" + "text": "優化應用程式查詢字串以進行緩存。對於純靜態內容,請忽略查詢字串以最大限度地利用緩存。如果您的應用程式使用查詢字串,請考慮將它們包含在緩存鍵中。在緩存鍵中包含查詢字串可讓 Azure Front Door 根據您的配置提供緩存的回應或其他回應。", + "waf": "性能" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", - "severity": "高", - "text": "使用 Content Safety 實施 Prompt shields 和接地檢測", - "waf": "卓越運營" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece", + "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression", + "service": "Front Door", + "severity": "中等", + "text": "在訪問可下載內容時使用檔壓縮。", + "waf": "性能" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", + 
"arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", + "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", + "link": "https://learn.microsoft.com/azure/cdn/tier-migration", + "service": "Front Door", "severity": "高", - "text": "通過實施隱私控制並獲得數據處理活動所需的同意或許可,確保遵守相關的數據保護法規,例如GDPR或HIPAA。", - "waf": "安全" + "text": "如果目前使用的是經典 Azure Front Door,請考慮遷移到標準或高級 SKU,因為經典 Azure Front Door 將於 2027 年 3 月棄用。", + "waf": "操作" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", + "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", + "service": "Front Door", "severity": "中等", - "text": "對員工進行有關數據安全最佳實踐、安全處理數據的重要性以及與數據洩露相關的潛在風險的教育。鼓勵他們勤奮地遵循數據安全協定。", - "waf": "安全" + "text": "考慮將流量管理器負載均衡 Azure Front Door 和第三方 CDN 供應商 CDN 配置檔用於任務關鍵型高可用性方案。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", + "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", + "service": "Front Door", "severity": "高", - "text": "將生產數據與開發和測試數據分開。僅在生產中使用真實的敏感數據,並在開發和測試環境中使用匿名或合成數據。", + "text": "將源作為應用服務的 Front Door 一起使用時,請考慮使用訪問限制僅通過 Azure Front Door 鎖定到應用服務的流量。", 
"waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "中等", - "text": "如果您具有不同級別的數據敏感度,請考慮為每個級別創建單獨的索引。例如,您可以有一個用於常規數據的索引,另一個用於敏感數據的索引,每個索引都由不同的訪問協定管理", - "waf": "安全" + "text": "遵循 Azure 機器人服務中的可靠性支持建議", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "中等", - "text": "通過將敏感數據集放置在服務的不同實例中,進一步實現隔離。每個實例都可以使用其自己的特定 RBAC 策略集進行控制", - "waf": "安全" + "text": "部署具有本地數據駐留和區域合規性的機器人", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", - "severity": "高", - "text": "認識到從敏感資訊生成的嵌入和向量本身就是敏感的。這些數據應得到與源材料相同的保護措施", - "waf": "安全" + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "severity": "中等", + "text": "Azure 機器人服務在全域和區域服務的主動-主動模式下運行。發生中斷時,無需檢測錯誤或管理服務。Azure 機器人服務在多區域地理體系結構中自動執行自動故障轉移和自動恢復。對於歐盟機器人區域服務,Azure 機器人服務在歐洲境內提供兩個完整區域,並提供主動/主動複製,以確保冗餘。對於全球機器人服務,所有可用的區域/地理位置都可以作為全球足跡。", + 
"waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", "severity": "高", - "text": "將 RBAC 應用於具有嵌入和向量的數據存儲,並根據角色的訪問要求確定存取範圍", - "waf": "安全" + "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", "severity": "高", - "text": "為 AI 服務配置專用終結點,以限制網路內的服務訪問", - "waf": "安全" + "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", "severity": "高", - "text": "使用 Azure 防火牆和 UDR 
強制實施嚴格的入站和出站流量控制,並限制外部集成點",
- "waf": "安全"
+ "text": "考慮為關鍵工作負載制定跨區域災難恢復策略",
+ "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
- "service": "Azure OpenAI",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
+ "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
+ "service": "Logic Apps",
 "severity": "高",
- "text": "實施網路分段和訪問控制,將 LLM 應用程式的存取限製為僅授權使用者和系統,並防止橫向行動",
- "waf": "安全"
+ "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3",
+ "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
- "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
- "service": "Azure OpenAI",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
+ "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
+ "service": "Logic Apps",
 "severity": "中等",
- "text": "使用提示壓縮工具,如 LLMLingua 或 gprtrim",
- "waf": "成本優化"
+ "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
- "service": "Azure OpenAI",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
 "severity": "高",
- "text": "確保 LLM 應用程式使用的 API 和端點使用身份驗證和授權機制(例如託管標識、API 金鑰或 OAuth)得到適當保護,以防止未經授權的訪問。",
- "waf": "安全"
- },
- {
- 
"arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", - "severity": "中等", - "text": "實施強大的最終使用者身份驗證機制,例如多因素身份驗證,以防止對 LLM 應用程式和相關網路資源的未經授權的訪問", - "waf": "安全" + "text": "根據您的業務和 SLO 要求選擇正確的功能託管計劃", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", - "severity": "中等", - "text": "實施網路監控工具,以檢測和分析網路流量中的任何可疑或惡意活動。啟用日誌記錄以捕獲網路事件,並在發生安全事件時促進取證分析", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "高", + "text": "利用區域適用的可用區(不適用於消耗層)", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "severity": "中等", - "text": "進行安全審計和滲透測試,以識別和解決LLM應用程式的網路基礎設施中的任何網路安全弱點或漏洞", - "waf": "安全" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", - "severity": "低", 
- "text": "Azure AI 服務已正確標記,以便更好地管理", - "waf": "卓越運營" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", - "severity": "低", - "text": "Azure AI 服務帳戶遵循組織命名約定", - "waf": "卓越運營" + "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "severity": "高", - "text": "應啟用 Azure AI 服務資源中的診斷日誌", - "waf": "卓越運營" + "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", "severity": "高", - "text": "為了安全起見,建議禁用密鑰訪問(本地身份驗證)。 禁用基於密鑰的訪問后,Microsoft Entra ID 將成為唯一的訪問方法,該方法允許保持最小許可權原則和精細控制。", - "waf": "安全" + "text": "確保為應用服務計劃上運行的所有函數應用啟用“始終開啟”", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "高", - "text": "使用 Azure Key Vault 安全地存儲和管理密鑰。避免在 LLM 應用程式的代碼中硬編碼或嵌入敏感密鑰,並使用託管標識從 Azure Key Vault 中安全地檢索它們", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", + "severity": "中等", + "text": "將函數應用與其自己的存儲帳戶配對。盡量不要重用函數應用的存儲帳戶,除非它們緊密耦合", + "waf": "可靠性" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "高", - "text": "定期輪換和過期存儲在 Azure Key Vault 中的密鑰,以最大程度地降低未經授權訪問的風險。", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", + "severity": "中等", + "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護函數應用代碼", + "waf": "操作" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", - "severity": "高", - "text": "使用 tiktoken 了解對話模式下令牌優化的令牌大小", - "waf": "成本優化" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Azure Monitor 中的數據收集規則 
-https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "成本"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
- "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
- "service": "Azure OpenAI",
- "severity": "高",
- "text": "遵循安全編碼做法,以防止常見漏洞,例如注入攻擊、跨網站腳本 (XSS) 或安全配置錯誤",
- "waf": "安全"
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "45901365-d38e-443f-abcb-d868266abca2",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Azure Backup",
+ "text": "檢查未找到底層數據源的備份實例",
+ "waf": "成本"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
- "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
- "service": "Azure OpenAI",
- "severity": "高",
- "text": "設置一個流程來定期更新和修補 LLM 庫和其他系統元件",
- "waf": "安全"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "VM",
+ "text": "刪除或存檔未關聯的服務(磁碟、網卡、IP 位址等)",
+ "waf": "成本"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "e29711b1-352b-4eee-879b-588defc4972c",
- "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
- "service": "Azure OpenAI",
- "severity": "高",
- "text": "遵守 Azure OpenAI 或其他 LLM 的使用條款、策略和指南以及允許的用例",
- "waf": "卓越運營"
+ "arm-service": 
"Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "考慮在網站恢復存儲和非任務關鍵型應用程式的備份之間取得良好的平衡", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", - "severity": "中等", - "text": "了解基礎模型和微調模型的成本差異以及令牌步長", - "waf": "成本優化" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "檢查 40 個不同 Log Analytics 工作區之間的支出和節省機會 - 對非生產工作區使用不同的保留和數據收集 - 創建每日上限以實現意識和層大小調整 - 如果確實設置了每日上限,除了在達到上限時創建警報外,請確保還創建警報規則,以便在達到某個百分比(例如 90%)時收到通知。- 如果可能,考慮工作空間改造 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", - "severity": "高", - "text": "在可能的情況下,批量請求,以最大程度地減少每次調用的開銷,從而降低總體成本。確保優化批量大小", - "waf": "成本優化" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": 
"91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "強制執行清除日誌策略和自動化(如果需要,可以將記錄移至冷存儲)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", - "severity": "中等", - "text": "設置成本跟蹤系統,用於監視模型使用方式,並使用該資訊來説明通知模型選擇和提示大小", - "waf": "成本優化" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "檢查磁碟是否確實需要,如果不是:刪除。如果需要,請尋找較低的儲存層或使用備份 -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", - "severity": "中等", - "text": "為每個模型回應的令牌數設置最大限制。優化大小以確保其足夠大以實現有效的回應", - "waf": "成本優化" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "考慮使用自定義規則將未使用的存儲移動到較低層 - 
https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "waf": "成本"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
- "link": "https://learn.microsoft.com/azure/search/search-reliability",
- "service": "Azure OpenAI",
- "severity": "中等",
- "text": "查看提供的有關設置 AI 搜索以實現可靠性的指南",
- "waf": "卓越運營"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "VM",
+ "text": "確保 advisor 配置為適合 VM 大小調整",
+ "waf": "成本"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
- "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
- "service": "Azure OpenAI",
- "severity": "中等",
- "text": "規劃和管理 AI 搜索向量存儲",
- "waf": "卓越運營"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "description": "通過在成本分析系統中搜索計量類別許可證進行檢查",
+ "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
+ "service": "VM",
+ "text": "在所有 Windows VM 上運行腳本 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server - 如果頻繁創建 Windows VM,請考慮實施策略",
+ "waf": "成本"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "Azure OpenAI Review",
- "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
- "link": 
"https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "中等", - "text": "應用 LLMOps 實踐來自動化 GenAI 應用程式的生命週期管理", - "waf": "卓越運營" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": "如果您已經擁有許可證,也可以將其置於 AHUB https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", - "severity": "高", - "text": "評估計費模型的使用方式 - PAYG 與 PTU", - "waf": "成本優化" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "使用靈活性選項(不超過 4-5 個系列)整合保留的 VM 系列", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", - "severity": "中等", - "text": "在模型版本之間切換時評估提示和應用程式的品質", - "waf": "卓越運營" + "arm-service": 
"Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "利用 Azure 預留實例:此功能允許將 VM 預留 1 年或 3 年,與 PAYG 價格相比,可顯著節省成本。", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "中等", - "text": "評估、監控和優化您的 GenAI 應用程式的特性,如接地氣、相關性、準確性、連貫性、流暢性、", - "waf": "卓越運營" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "只能保留較大的磁碟 => 1 TiB -", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", - "severity": "中等", - "text": "根據不同的搜索參數評估 Azure AI 搜尋結果", - "waf": "卓越運營" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "調整大小優化后", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", - 
"severity": "中等", - "text": "只有在嘗試了其他基本方法(如提示工程和RAG處理數據)時,才將微調模型視為提高準確性的方法", - "waf": "卓越運營" + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "檢查是否適用並強制執行策略/更改 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", - "severity": "中等", - "text": "使用提示工程技術來提高 LLM 回應的準確性", - "waf": "卓越運營" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "虛擬機 + 許可證部分折扣 (ahub + 3YRI) 約為 70% 的折扣", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", - "severity": "中等", - "text": "紅隊您的 GenAI 應用程式", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "考慮使用 VMSS 
來滿足需求,而不是按比例調整", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", - "severity": "中等", - "text": "為最終使用者提供 LLM 回應的評分選項並跟蹤這些分數。", - "waf": "卓越運營" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", + "text": "使用 AKS 自動縮放程式符合群集使用方式(確保 Pod 要求與縮放程式符合)", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "severity": "高", - "text": "考慮配額管理做法", - "waf": "成本優化" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "將恢復點移至保管庫存檔(如果適用)(驗證)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "成本" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", - "severity": "中等", - "text": "使用負載均衡器解決方案(如基於APIM的閘道)在服務和區域之間平衡負載和容量", - "waf": "卓越運營" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": 
"cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "請考慮盡可能使用帶回退功能的現成 VM。考慮群集的自動終止。", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "中等", - "text": "如果將客戶管理的 TLS 證書與 Azure Front Door 一起使用,請使用“最新”證書版本。降低手動證書續訂導致中斷的風險。", - "waf": "操作" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "功能 - 重用連接", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend 
splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", - "severity": "中等", - "text": "將 Azure Front Door 與 WAF 策略結合使用,以交付和幫助保護跨多個 Azure 區域的全球 HTTP/S 應用程式。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "函數 - 本地快取資料", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", - 
"service": "Front Door", - "severity": "中等", - "text": "使用 Front Door 和應用程式閘道幫助保護 HTTP/S 應用時,請在 Front Door 中使用 WAF 策略。鎖定應用程式閘道以僅接收來自 Front Door 的流量。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "函數 - 冷啟動 - 使用“從包運行”功能。這樣,代碼將下載為單個 zip 檔。例如,這可以顯著改進具有大量節點模組的 Javascript 函數。使用特定於語言的工具來減小包大小,例如,搖樹 Javascript 應用程式。", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", - "severity": "高", - "text": "在「防護」模式下部署 Front Door 的 WAF 策略,以便 Web 應用程式防火牆採取適當的措施來允許或拒絕流量。", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure 
Functions", + "text": "功能 - 保持功能溫暖", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", - "severity": "高", - "text": "避免將 Traffic Manager 放在 Front Door 後面。", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "使用具有不同功能的自動縮放時,可能會有一個資源驅動所有資源的所有自動縮放 - 請考慮將其移動到單獨的消耗計劃(並考慮更高的 CPU 計劃)", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", - "severity": "高", - "text": "在 Azure Front Door 和源上使用相同的功能變數名稱。不匹配的主機名可能會導致細微的錯誤。", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": 
"ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "給定計劃中的函數應用都縮放在一起,因此縮放的任何問題都可能影響計劃中的所有應用。", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "低", - "text": "當 Azure Front Door 源組中只有一個源時,禁用運行狀況探測。", - "waf": "性能" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "我需要為「等待時間」付費嗎?這個問題通常是在執行異步操作並等待結果的 C# 函數的上下文中提出的,例如 await Task.Delay(1000) 或 await client。GetAsync('http://google.com')。答案是肯定的 - GB 秒計算基於函數的開始和結束時間以及該時間段內的記憶體使用方式。在這段時間內實際發生的CPU活動未計入計算。此規則的一個例外是,如果使用的是持久函數。您無需為在業務流程協調程式函數中等待所花費的時間付費。在可能的情況下應用需求塑造技術(開發環境?)https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "成本" }, { "arm-service": "microsoft.network/frontdoors", - "checklist": 
"Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "service": "Front Door", - "severity": "中等", - "text": "為 Azure Front Door 選擇良好的運行狀況探測終結點。考慮構建運行狀況終端節點來檢查應用程式的所有依賴項。", - "waf": "可靠性" + "text": "Frontdoor - 關閉預設主頁在應用的應用程式設置中,將 AzureWebJobsDisableHomepage 設置為 true。這將向PoP返回204(無內容),因此僅返回標頭數據。", + "waf": "成本" }, { "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", "service": "Front Door", - "severity": "低", - "text": "將 HEAD 運行狀況探測與 Azure Front Door 配合使用,以減少 Front Door 發送到應用程式的流量。", - "waf": "性能" + "text": "Frontdoor - 路由到不返回任何內容的內容。設置函數、函數代理,或在 WebApp 中添加返回 200 (OK) 且不發送內容或發送最少內容的路由。這樣做的好處是您可以在調用時註銷。", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | 
extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", - "severity": "高", - "text": "將託管 TLS 證書與 Azure Front Door 配合使用。降低運營成本和因證書續訂而導致的中斷風險。", - "waf": "操作" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "考慮為使用較少的數據存檔層", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", - "severity": "中等", - "text": "將 Azure Front Door WAF 配置定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。", - "waf": "操作" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "檢查大小與層不匹配的磁碟大小(即 513 GiB 磁碟將支付 P30 (1TiB) 並考慮調整大小", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = 
forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", - "severity": "高", - "text": "將端到端 TLS 與 Azure Front Door 配合使用。將 TLS 用於從用戶端到 Front Door 以及從 Front Door 到源的連接。", - "waf": "安全" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "盡可能考慮使用標準 SSD,而不是 Premium 或 Ultra", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", - "severity": "中等", - "text": "將 HTTP 到 HTTPS 重定向與 Azure Front Door 配合使用。通過自動將較舊的用戶端重定向到 HTTPS 請求來支援這些用戶端。", - "waf": "安全" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "對於存儲帳戶,請確保所選層不會增加事務費用(移動到下一層可能會更便宜)", + "waf": "成本" }, { - 
"arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", - "severity": "高", - "text": "啟用 Azure Front Door WAF。保護您的應用程式免受各種攻擊。", - "waf": "安全" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "對於 ASR,如果 RPO/RTO 和複製輸送量允許,請考慮使用標準 SSD 磁碟", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", - "severity": "高", - "text": "通過在檢測模式下配置 WAF 來減少和修復誤報檢測,從而針對工作負載優化 Azure Front Door WAF。", - "waf": "安全" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "存儲帳戶:檢查熱層和/或 GRS 必填", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "severity": "高", - "text": "在 Azure Front Door WAF 策略中啟用請求正文檢查功能。", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": 
"https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "磁碟 - 驗證高級 SSD 磁碟在任何地方的使用方式:例如,非生產磁碟可以交換到標準 SSD 或按需高級 SSD", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", - "severity": "高", - "text": "啟用 Azure Front Door WAF 預設規則集。默認規則集檢測和阻止常見攻擊。", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "創建預算以管理成本並創建警報,自動通知利益相關者支出異常和超支風險。", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", - "severity": "高", - "text": "啟用 Azure Front Door WAF 機器人保護規則集。機器人規則檢測好的機器人和壞的機器人。", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "將成本數據匯出到存儲帳戶以進行其他數據分析。", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", - "severity": "中等", - "text": "使用最新的 Azure Front Door WAF 
規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "通過在不使用資源時暫停資源來控制專用 SQL 池的成本。", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", - "severity": "中等", - "text": "向 Azure Front Door WAF 添加速率限制。Rate limit 會阻止客戶端在短時間內意外或故意發送大量流量。", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "啟用無伺服器 Apache Spark 自動暫停功能,並相應地設置超時值。", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", - "severity": "中等", - "text": "對 Azure Front Door WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎設施不堪重負的極大量請求提供保護。", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "創建多個不同大小的 Apache Spark 池定義。", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery 
Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "severity": "低", - "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選條件來阻止來自非預期國家/地區的流量。", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "使用預購計劃購買為期一年的 Azure Synapse 提交單元 (SCU),以節省 Azure Synapse Analytics 成本。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", - "severity": "中等", - "text": "在使用 Azure Front Door WAF 對流量進行異地篩選時,指定未知 (ZZ) 位置。避免在IP位址無法進行異地匹配時意外阻止合法請求。", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "將現成 VM 用於可中斷作業:這些 VM 可以以折扣價競標和購買,為非關鍵工作負載提供經濟高效的解決方案。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", - "severity": "中等", - "text": "通過打開 Diagnostic Settings (診斷設置) 來捕獲日誌和指標。包括資源活動日誌、訪問日誌、運行狀況探測日誌和 WAF 日誌。設置警報。", - "waf": "操作" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "合理調整所有 VM 的大小", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", - "severity": "中等", - "text": "將 Azure Front Door WAF 日誌發送到 Microsoft Sentinel。", - "waf": "操作" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "將 VM 大小與規範化大小和最新大小交換", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", - "service": "Front Door", - "severity": "中等", - "text": "選擇支援您的部署策略的路由方法。加權方法根據配置的權重係數分配流量,支持主動-主動模型。一個基於優先順序的值,將主區域配置為接收所有流量並將流量作為備份發送到輔助區域,支援主動-被動模型。將上述方法與延遲相結合,以便延遲最低的源接收流量。", - "waf": "可靠性" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": 
"fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "調整 VM 大小 - 從低於 5% 的監視使用率開始,然後工作到 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", - "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", - "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", - "service": "Front Door", - "severity": "高", - "text": "通過在一個或多個後端池中擁有多個源來支援冗餘。始終具有應用程式的冗餘實例,並確保每個實例都公開一個終端節點或源。可以將這些源放置在一個或多個後端池中。", - "waf": "可靠性" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "容器化應用程式可以提高 VM 密度並節省擴展成本", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "成本" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "999852be-2137-4179-8fc3-30d1df6fed1d", - "link": 
"https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps", - "service": "Front Door", - "severity": "中等", - "text": "設置將請求轉發到後端的超時。根據終端節點的需要調整超時設置。否則,Azure Front Door 可能會在源發送回應之前關閉連接。如果所有源的超時時間較短,還可以降低 Azure Front Door 的預設超時。", - "waf": "可靠性" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "限制使用本地身份驗證方法進行數據平面訪問。相反,請使用 Microsoft Entra ID 作為預設身份驗證方法來控制數據平面訪問。", + "guid": "32d41e36-11c8-417b-8afb-c410d4391898", + "service": "Azure Synapse Analytics", + "severity": "高", + "text": "限制本地使用者對 Synapse 上的 sql 工作負載使用", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity", - "service": "Front Door", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "使用 Microsoft Entra ID 作為預設身份驗證方法來控制數據平面訪問。", + "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", "severity": "中等", - "text": "確定您的應用程式是否需要會話關聯。如果您對可靠性要求較高,建議您關閉會話關聯。", - "waf": "可靠性" + "text": "使用託管標識對服務進行身份驗證", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7", - "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header", - "service": "Front Door", - "severity": "中等", - "text": "將主機標頭髮送到後端。後端服務應該知道主機名,以便它們可以創建規則以僅接受來自該主機的流量。", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": 
"Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "如果日常管理操作不需要,請禁用或限制任何本地管理員帳戶,以供緊急使用。", + "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", + "service": "Azure Synapse Analytics", + "severity": "高", + "text": "分離和限制高許可權/管理使用者,並啟用 MFA 和條件策略", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse 還包括 Synapse 基於角色的訪問控制 (RBAC) 角色,用於管理 Synapse Studio 的不同方面。利用這些內置角色為使用者、組或其他安全主體分配許可權,以管理誰可以發佈代碼構件並列出或訪問已發佈的代碼構件、在 Apache Spark 池和集成運行時上執行代碼、訪問受憑據保護的連結(數據)服務、監控或取消作業執行、查看作業輸出和執行日誌。", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need", + "service": "Azure Synapse Analytics", "severity": "中等", - "text": "對支援快取的終端節點使用緩存。", - "waf": "成本" + "text": "使用 Azure RBAC 控制對存儲的訪問,使用 Synapse RBAC 控制工作區級別的訪問,具體取決於團隊的角色,以精細化對數據和計算的訪問", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by 
origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant", - "guid": "34069d73-e4de-46c5-a36f-625f87575a56", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "低", - "text": "在單個後端池中禁用運行狀況檢查。如果在 Azure Front Door 源組中只配置了一個源,則這些調用是不必要的。僅當終端節點中不能有多個源時,才建議這樣做。", - "waf": "成本" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext", + "service": "Azure Synapse Analytics", + "severity": "中等", + "text": "在專用 SQL 池中的 SQL 工作負載上實施 RLS、CLS 和數據掩碼,以增加額外的安全層", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "c92d6786-cdd1-444d-9cad-934a192a276a", - "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports", - "service": "Front Door", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "創建 Azure Synapse 工作區時,可以選擇將其關聯到 Microsoft Azure 虛擬網路。與工作區關聯的虛擬網路由 Azure Synapse 管理。此虛擬網路稱為託管工作區虛擬網路。可以在部署工作區時選擇此項", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "severity": "中等", - "text": "我們建議使用高級層來利用安全報告,而標準 Azure Front Door 配置檔僅在內置分析/報告下提供流量報告。", - "waf": "操作" + "text": "使用託管 vnet 工作區限制通過公共 Internet 
的訪問", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain", - "service": "Front Door", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "為了保護任何敏感數據,建議完全禁用對 Workspace 終端節點的公共訪問。通過這樣做,它可以確保所有工作區端點只能使用私有端點訪問。", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16", + "service": "Azure Synapse Analytics", "severity": "中等", - "text": "盡可能使用通配符 TLS 證書。", - "waf": "操作" + "text": "配置專用終結點以連接到外部服務並禁用公有訪問", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "如果需要啟用公有訪問,強烈建議將IP防火牆規則配置為僅允許來自指定公有IP位址清單的入站連接。", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall", + "service": "Azure Synapse Analytics", + "text": "如果啟用公網訪問,強烈建議配置 IP 防火牆規則", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "link": "https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory", + "service": "Azure Synapse Analytics", "severity": 
"中等", - "text": "優化應用程式查詢字串以進行緩存。對於純靜態內容,請忽略查詢字串以最大限度地利用緩存。如果您的應用程式使用查詢字串,請考慮將它們包含在緩存鍵中。在緩存鍵中包含查詢字串可讓 Azure Front Door 根據您的配置提供緩存的回應或其他回應。", - "waf": "性能" + "text": "如果正在處理不應離開公司網路的敏感數據,請在 vnet 中部署 SHIR VM", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece", - "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression", - "service": "Front Door", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "這隻能在部署工作區時完成,但不支援從 PyPI 等公共存儲庫安裝的 Python 庫。( 在啟用之前考慮限制 )", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection", + "service": "Azure Synapse Analytics", "severity": "中等", - "text": "在訪問可下載內容時使用檔壓縮。", - "waf": "性能" + "text": "開啟資料洩露保護 (DEP)", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", - "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", - "link": "https://learn.microsoft.com/azure/cdn/tier-migration", - "service": "Front Door", - "severity": "高", - "text": "如果目前使用的是經典 Azure Front Door,請考慮遷移到標準或高級 SKU,因為經典 Azure Front Door 將於 2027 年 3 月棄用。", - "waf": "操作" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "第一層加密由 Microsoft 託管金鑰完成,您可以使用客戶託管金鑰添加第二層加密", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption", + "service": "Azure 
Synapse Analytics", + "severity": "中等", + "text": "使用客戶管理的 Workspace 金鑰進行靜態數據加密", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", - "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", - "service": "Front Door", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Synapse 利用 TLS 來確保數據在動態中加密。SQL 專用池支援 TLS 1.0、TLS 1.1 和 TLS 1.2 版本進行加密,其中 Microsoft 提供的驅動程式預設使用 TLS 1.2。無伺服器 SQL 池和 Apache Spark 池對所有出站連接使用 TLS 1.2。", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit", + "service": "Azure Synapse Analytics", "severity": "中等", - "text": "考慮將流量管理器負載均衡 Azure Front Door 和第三方 CDN 供應商 CDN 配置檔用於任務關鍵型高可用性方案。", - "waf": "可靠性" + "text": "傳輸中的數據加密", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", - "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", - "service": "Front Door", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "使用 Keyvaults 儲存機密和憑據", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "service": "Azure Synapse Analytics", "severity": "高", - "text": "將源作為應用服務的 Front Door 一起使用時,請考慮使用訪問限制僅通過 Azure Front Door 鎖定到應用服務的流量。", + "text": "將密碼、secert 和密鑰存儲在 Azure Key Vault 中", "waf": "安全" }, { "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory 
Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "限制使用本地身份驗證方法進行數據平面訪問。相反,請使用 Microsoft Entra ID 作為預設身份驗證方法來控制數據平面訪問。", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "service": "Azure Data Factory", + "severity": "高", + "text": "在必要時限制使用本地使用者", + "waf": "安全" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "託管身份消除了管理憑證的需要。託管標識在連接到支援 Microsoft Entra 身份驗證的資源時為服務實例提供標識。", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity", "service": "Azure Data Factory", "severity": "中等", - "text": "利用 Azure 數據工廠的 FTA 復原能力手冊", - "waf": "可靠性" + "text": "使用託管標識對服務進行身份驗證", + "waf": "安全" }, { "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "如果日常管理操作不需要,請禁用或限制任何本地管理員帳戶,以供緊急使用。", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", "service": "Azure Data Factory", "severity": "高", - "text": "在支援可用區的區域中使用區域冗餘管道", - "waf": "可靠性" + "text": "分離和限制高許可權/管理使用者,並啟用 MFA 和條件策略", + "waf": "安全" }, { "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "checklist": "Use the 'Import latest checklist' 
button to get the latest version of a review checklist", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", "service": "Azure Data Factory", "severity": "中等", - "text": "使用 DevOps 透過 Github/Azure DevOps 集成備份 ARM 範本", - "waf": "可靠性" + "text": "如果正在處理不應離開公司網路的敏感數據,請在 vnet 中部署 SHIR VM", + "waf": "安全" }, { "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "在數據工廠託管的虛擬網路中創建 Azure 集成運行時時,集成運行時將預配託管的虛擬網路。它使用私有終端節點安全地連接到支援的數據存儲。", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", "service": "Azure Data Factory", "severity": "中等", - "text": "請確保在另一個區域中複製自承載集成運行時 VM", - "waf": "可靠性" + "text": "使用託管 vnet IR 限制 Azure Integration Runtime 通過公共 Internet 的訪問", + "waf": "安全" }, { "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "託管專用終結點是在數據工廠託管虛擬網路中創建的專用終結點,用於建立指向 Azure 資源的專用連結。數據工廠代表你管理這些專用終結點。", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints", "service": "Azure Data Factory", "severity": "中等", - "text": "請確保在姊妹區域中複製或複製您的網路。必須在另一個區域創建 Vnet 的副本", - "waf": "可靠性" + "text": "配置託管專用終結點以使用託管 Azure IR 連接到資源", + "waf": "安全" }, { "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "如果ADF管道使用Key 
Vault,則無需執行任何操作即可複製Key Vault。Key Vault 是一項託管服務,Microsoft 會為你處理它", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "這是預設設置", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", "service": "Azure Data Factory", - "severity": "低", - "text": "如果使用 Keyvault 集成,請使用 Keyvault 的 SLA 來瞭解可用性", - "waf": "可靠性" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "應用與存儲相關的 Microsoft 雲安全基準中的指導", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", "severity": "中等", - "text": "請考慮「存儲的 Azure 安全基線”", + "text": "由 Microsoft 託管金鑰進行的靜態數據加密", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "默認情況下,Azure 儲存具有公共IP位址,並且可通過Internet訪問。專用終結點允許僅向需要訪問的 Azure 計算資源安全地公開 Azure 存儲,從而消除對公共 Internet 的暴露", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "高", - "text": "考慮將專用終結點用於 Azure 存儲", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "這是預設設置", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "service": "Azure Data Factory", + "severity": "中等", + "text": "由 Microsoft 託管金鑰進行傳輸中的數據加密", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "新創建的存儲帳戶是使用ARM部署模型創建的,因此 RBAC、審核等都已啟用。確保訂閱中沒有具有經典部署模型的舊存儲帳戶", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": 
"https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "指定客戶管理的金鑰時,數據工廠會同時使用工廠系統金鑰和 CMK 來加密客戶數據。缺少其中任何一個都會導致 Deny of Access to data 和 factory。", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key", + "service": "Azure Data Factory", "severity": "中等", - "text": "確保較舊的存儲帳戶未使用“經典部署模型”", + "text": "BYOK 傳輸中的數據加密(客戶管理的金鑰 )", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "利用 Microsoft Defender 瞭解可疑活動和錯誤配置。", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities", + "service": "Azure Data Factory", "severity": "高", - "text": "為所有存儲帳戶啟用 Microsoft DefenderEnable Defender for all of your storage accounts", + "text": "在 Azure Key Vault 中存儲密碼和機密", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "軟刪除機制允許恢復意外刪除的 Blob。", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' 
button to get the latest version of a review checklist", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "service": "Microsoft Purview", "severity": "中等", - "text": "為 blob 啟用“軟刪除”", + "text": "定義在控制平面和數據平面中管理 Microsoft Purview 的角色和職責", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "為此,請使用 Azure RBAC", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", "severity": "中等", - "text": "禁用 blob 的“軟刪除”", + "text": "定義在 Azure 訂閱(控制平面)中部署和管理 Microsoft Purview 所需的角色和任務", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "容器的軟刪除使你能夠在刪除容器后恢復容器,例如從意外刪除操作中恢復。", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", - "severity": "高", - "text": "為容器啟用“軟刪除”", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "為此,請使用 Microsoft Purview 角色。", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices", + "service": "Microsoft Purview", + "severity": "中等", + "text": "定義使用 Microsoft Purview 執行數據管理和治理所需的角色和任務。(Data Map 和 Data Catalog 的數據平面。", "waf": "安全" }, { - "arm-service": 
"Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "service": "Microsoft Purview", "severity": "中等", - "text": "禁用容器的“軟刪除”", + "text": "將角色分配給 Microsoft Entra 組,而不是將角色分配給單個使用者。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "通過強制使用者在刪除之前先刪除刪除鎖,防止意外刪除存儲帳戶", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "高", - "text": "在存儲帳戶上啟用資源鎖", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "link": "https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview", + "service": "Microsoft Purview", + "severity": "中等", + "text": "使用 Azure Active Directory 權利管理,通過訪問包將使用者訪問許可權映射到 Microsoft Entra 組。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "請考慮對 blob 使用“合法保留”或“基于時間的保留”策略,這樣就無法刪除 blob、容器或存儲帳戶。請注意,「不可能」實際上意味著「不可能」;存儲帳戶包含不可變 blob 後,「擺脫」該存儲帳戶的唯一方法是取消 Azure 訂閱。", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "service": "Microsoft 
Purview", "severity": "高", - "text": "考慮不可變的 blob", + "text": "對 Microsoft Purview 使用者強制實施多重身份驗證,尤其是對於具有特權角色的使用者,例如集合管理員、數據源管理員或數據管護者。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "請考慮禁用對存儲帳戶的未受保護的 HTTP/80 訪問,以便對所有數據傳輸進行加密、完整性保護,並對伺服器進行身份驗證。", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "service": "Microsoft Purview", "severity": "高", - "text": "需要 HTTPS,即在儲存帳戶上禁用埠 80", + "text": "使用 Microsoft Entra ID 向所有使用者、在 Entra 中註冊的安全組、服務主體和 Microsoft Purview 中集合內的託管標識提供身份驗證和授權", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "在儲存帳戶上配置自定義域(主機名)時,請檢查是否需要 TLS/HTTPS;如果是這樣,可能需要將 Azure CDN 放在存儲帳戶的前面。", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "service": "Microsoft Purview", "severity": "高", - "text": "強制實施 HTTPS(禁用 HTTP)時,請檢查是否未對儲存帳戶使用自定義域 (CNAME)。", + "text": "定義最低許可權模型和降低特權帳戶的暴露", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "當用戶端使用SAS令牌訪問 blob 資料時,要求使用 HTTPS 有助於將憑據丟失的風險降至最低。", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": 
"6436b173-6db5-45f5-9960-3334bdf9cc23", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end", + "service": "Microsoft Purview", "severity": "中等", - "text": "將共享訪問簽名 (SAS) 令牌限製為僅 HTTPS 連接", + "text": "使用專用連結服務啟用端到端網路隔離。(Microsoft Purview 數據映射)", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "在可能的情況下,AAD 令牌應優先於共用訪問簽名", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", - "severity": "高", - "text": "使用 Azure Active Directory (Azure AD) 令牌進行 blob 訪問", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access", + "service": "Microsoft Purview", + "severity": "中等", + "text": "使用 Microsoft Purview Firewall 禁用公共訪問。(Microsoft Purview 數據映射)", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "將角色分配給使用者、組或應用程式時,請僅向該安全主體授予他們執行任務所需的許可權。限制對資源的訪問有助於防止無意和惡意濫用數據。", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", "severity": "中等", - "text": "IaM 許可權中的最低特權", + "text": "為部署了 Azure 數據源專用終結點、Microsoft Purview 專用終結點和自承載運行時 VM 的子網部署網路安全組 (NSG) 規則。(Microsoft Purview 數據映射)", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "使用者委派 SAS 使用 Azure Active Directory (Azure AD) 
憑據以及為 SAS 指定的許可權進行保護。使用者委派 SAS 在範圍和功能方面類似於服務 SAS,但比服務 SAS 具有安全優勢。", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "高", - "text": "使用 SAS 時,首選「使用者委派 SAS」,而不是基於存儲帳戶密鑰的 SAS。", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Microsoft Purview", + "severity": "中等", + "text": "使用網路虛擬設備管理的專用終結點(例如用於網路檢查和網路篩選的 Azure 防火牆)實現 Microsoft Purview。(Microsoft Purview 數據映射)", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "存儲帳戶金鑰(“共用金鑰”)幾乎沒有審核功能。雖然可以監控誰/何時獲取密鑰副本,但一旦密鑰掌握在多個人手中,就不可能將使用方式歸因於特定使用者。僅依靠 AAD 身份驗證可以更輕鬆地將存儲存取許可權綁定到使用者。", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", - "severity": "高", - "text": "請考慮禁用存儲帳戶密鑰,以便僅支援 AAD 訪問(和使用者委派 SAS)。", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "此專用終結點也是門戶專用終結點的先決條件。需要 Microsoft Purview 門戶專用終結點才能使用專用網路啟用與 Microsoft Purview 治理門戶的連接。Microsoft Purview 可以使用引入專用終結點掃描 Azure 或本地環境中的數據源。使用私有終端節點的限制 https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network", + "service": "Microsoft Purview", + "severity": "中等", + "text": "為 Microsoft Purview 帳戶部署專用終結點以添加另一層安全性,以便僅允許源自虛擬網路中的用戶端調用訪問 Microsoft Purview 帳戶", "waf": "安全" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": 
"使用活動日誌數據來標識查看或更改存儲帳戶安全性的“時間”、“人員”、“內容”和“方式”(即存儲帳戶密鑰、訪問策略等)。", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", - "severity": "高", - "text": "請考慮使用 Azure Monitor 審核存儲帳戶上的控制平面操作", + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access。審查限制:https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "service": "Microsoft Purview", + "severity": "中等", + "text": "使用 Microsoft Purview 防火牆阻止公共訪問", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "通過金鑰過期策略,您可以設置帳戶訪問金鑰輪換的提醒。如果指定的時間間隔已過且鍵尚未旋轉,則會顯示提醒。", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups", + "service": "Microsoft Purview", "severity": "中等", - "text": "使用存儲帳戶密鑰時,請考慮啟用“金鑰過期策略”", + "text": "使用網路安全組篩選進出 Azure 虛擬網路中 Azure 資源的網路流量", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS 過期策略指定 SAS 有效的建議時間間隔。SAS 過期策略適用於服務 SAS 或帳戶 SAS。當使用者生成的服務 SAS 或帳戶 SAS 的有效期間隔大於建議的時間間隔時,他們會看到警告。", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": 
"https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "service": "Microsoft Purview", + "severity": "高", + "text": "如果您的敏感數據無法離開本地 VNet 的邊界,強烈建議在企業 VNet 中使用 SHIR VM 來提取元數據", + "waf": "安全" + }, + { + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "元數據被提取並存儲在 Microsoft Purview 數據映射中,如果您沒有將託管存儲帳戶用於 Purview 帳戶,則所有人都可以訪問元數據,因此請實施適當的 RBAC 並將數據存取許可權限限為僅預期使用者。適用於 2023 年 12 月 15 日之後部署的帳戶(或使用 API 版本 2023-05-01-preview 及更高版本部署的帳戶)", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "service": "Microsoft Purview", "severity": "中等", - "text": "考慮配置 SAS 過期策略", + "text": "使用 Azure RBAC 將儲存帳戶(不受 MS 管理)的訪問許可權限限為僅目標使用者。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "存儲存取策略提供了撤銷服務 SAS 許可權的選項,而無需重新生成儲存帳戶密鑰。", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "service": "Microsoft Purview", "severity": "中等", - "text": "考慮將 SAS 連結到儲存存取策略", + "text": "靜態數據由 Microsoft 託管金鑰加密", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": 
"Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "service": "Microsoft Purview", "severity": "中等", - "text": "請考慮配置應用程式的原始程式碼儲存庫,以檢測簽入的連接字串和存儲帳戶密鑰。", + "text": "傳輸中的數據由TLS 1.3 加密", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "理想情況下,應用程式應使用託管標識向 Azure 儲存進行身份驗證。如果無法做到這一點,請考慮在 Azure KeyVault 或等效服務中使用存儲憑據(連接字串、存儲帳戶密鑰、SAS、服務主體憑據)。", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "service": "Microsoft Purview", "severity": "高", - "text": "請考慮將連接字串儲存在 Azure KeyVault 中(在無法實現託管標識的情況下)", + "text": "如果不使用託管標識或沒有需要密碼的方法,請始終使用 Azure Key Vault 來存儲所有憑據", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "在臨時 SAS 服務 SAS 或帳戶 SAS 上使用近期過期時間。這樣,即使 SAS 遭到入侵,它也只能在很短的時間內有效。如果無法引用存儲訪問策略,則此做法尤為重要。近期過期時間還通過限制可上傳到 blob 的時間來限制可寫入 blob 的數據量。", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "高", - "text": "爭取縮短臨時 SAS 的有效期", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "service": "Microsoft Purview", + "severity": "中等", + "text": "通過應用資源鎖來防止意外刪除 Microsoft Purview 帳戶", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "創建 SAS 時,請盡可能具體和嚴格。首選單個資源和操作的 SAS,而不是提供更廣泛訪問許可權的 
SAS。", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access", + "service": "Microsoft Purview", "severity": "中等", - "text": "將窄範圍應用於SAS", + "text": "為 Microsoft Entra 租戶、Azure 訂閱和 Microsoft Purview 帳戶規劃不受限策略,以防止租戶範圍的帳戶鎖定。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS 可以包含用戶端 IP 位址或位址範圍有權使用 SAS 請求資源的參數。", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "service": "Microsoft Purview", "severity": "中等", - "text": "盡可能考慮將SAS的範圍限定為特定的用戶端IP位址", + "text": "與 Microsoft 365 和 Microsoft Defender for Cloud 集成", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS 無法限制用戶端上傳的數據量;考慮到存儲量隨時間變化的定價模型,驗證用戶端是否惡意上傳了大量內容可能是有意義的。", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "低", - "text": "請考慮在用戶端使用SAS上傳檔后檢查上傳的數據。", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "將管理員帳戶與普通用戶帳戶分開。", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "service": "Azure 
Databricks", + "severity": "高", + "text": "定義最低許可權模型和降低特權帳戶的暴露", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "使用「本地使用者帳戶」通過 SFTP 訪問 Blob 儲存時,“通常”RBAC 控制不適用。通過 NFS 或 REST 進行的 Blob 訪問可能比 SFTP 訪問更嚴格。遺憾的是,截至 2023 年初,本地使用者是 SFTP 端點當前支援的唯一身份管理形式", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure Databricks 支援 Microsoft Entra ID 條件訪問,它允許管理員控制允許使用者登錄 Azure Databricks 的位置和時間。條件訪問策略可以限制登錄到您的公司網路,或者可以要求多重身份驗證 (MFA)。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on", + "service": "Azure Databricks", "severity": "高", - "text": "SFTP:限制 SFTP 訪問的「本地使用者」數量,並審核一段時間內是否需要訪問。", + "text": "配置單點登錄和統一登錄。啟用多重身份驗證。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "客戶可以使用令牌管理 API 或 UI 控制件來啟用或禁用用於 REST API 身份驗證的個人存取權杖 (PAT)、限制允許使用 PAT 的使用者、設置新令牌的最長生命週期以及管理現有令牌。高度安全的客戶通常會為工作區的新令牌預置最長令牌生命週期。此功能需要 Premium 定價層。", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens", + "service": "Azure Databricks", "severity": "中等", - "text": "SFTP:SFTP 端點不支持類似 POSIX 的 ACL。", + 
"text": "使用 Token 管理。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "存儲支援 CORS(跨域資源分享),即一種 HTTP 功能,使來自不同域的 Web 應用程式能夠放寬同源策略。啟用 CORS 時,請將 CorsRules 保留為最低許可權。", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "如果你的 Databricks 管理員也是 Databricks 平臺的普通使用者(例如,有一名首席數據工程師管理平臺並執行數據工程工作),Databricks 建議為管理任務創建一個單獨的帳戶。請務必注意,作為 Azure RBAC 模型的一部分,被授予對已部署的 Azure Databricks 工作區的資源組的參與者或更高許可權的使用者在登錄到該工作區時會自動成為管理員。因此,上述相同注意事項也應適用於 Azure 門戶使用者。", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "service": "Azure Databricks", "severity": "高", - "text": "避免過於寬泛的 CORS 策略", + "text": "將管理員帳戶與普通用戶帳戶分開", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "靜態數據始終在伺服器端加密,此外也可能在用戶端加密。伺服器端加密可能使用平臺管理的金鑰(預設)或客戶管理的金鑰進行。用戶端加密可以通過讓用戶端按 blob 向 Azure 儲存提供加密/解密金鑰,或者完全在用戶端處理加密來實現。因此,完全不依賴 Azure 存儲來保證機密性。", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", - "severity": "高", - "text": "確定應如何加密靜態數據。了解數據的線程模型。", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "SCIM(跨域身份管理系統)允許您將使用者和組從 Microsoft Entra ID 同步到 Azure Databricks。此方法有三個主要好處:1. 刪除使用者時,該用戶會自動從 Databricks 中刪除。2. 
使用者也可以通過 SCIM 暫時禁用。客戶已將此功能用於客戶認為帳戶可能已洩露並需要調查 3.組會自動同步 有關如何為 Azure Databricks 配置 SCIM 的詳細說明,請參閱文檔。此功能需要 Premium 定價層", + "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", + "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/", + "service": "Azure Databricks", + "severity": "中等", + "text": "使用者和組的 SCIM 同步。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "使用集群策略或較舊的集群 ACL,管理員可以定義組織內的哪些使用者或組能夠創建集群。集群 ACL 允許您指定哪些使用者可以將筆記本附加到給定集群。請注意,如果用戶共用已附加到標準模式集群的筆記本,則接收者也將能夠在該集群上執行代碼。這不適用於強制實施用戶隔離的群集:SQL 倉庫、與表 ACL 的高併發性群集以及與憑據直通群集的高併發性。使用 Unity Catalog 的客戶還可以啟用單使用者集群來強制實施隔離集群。", + "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", + "service": "Azure Databricks", "severity": "中等", - "text": "確定應使用哪種/是否應使用平臺加密。", + "text": "限制集群創建許可權。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "請務必注意,即使客戶使用 Azure Key Vault 儲存其機密,仍需要在 Azure Databricks 中定義訪問控制。這是因為使用相同的服務標識來檢索 Azure Databricks 工作區的所有用戶的機密。", + "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", + "service": "Azure Databricks", + "severity": "高", + "text": "在 Azure Key Vault 中存儲密碼和機密", + "waf": "安全" 
+ }, + { + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "具有用戶隔離的集群包括強制執行,以便每個使用者在集群主機上以不同的非特權用戶帳戶運行。語言也僅限於可以以隔離方式實現的語言(SQL 和 Python),並且 Spark API 必須位於我們認為隔離安全的允許清單中。", + "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3", + "service": "Azure Databricks", "severity": "中等", - "text": "確定應使用哪種/是否應使用用戶端加密。", + "text": "使用支援用戶隔離的集群。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "利用 Resource Graph 資源管理器(資源 | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)查找允許匿名 blob 訪問的存儲帳戶。", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "高", - "text": "考慮是否需要公共 blob 訪問,或者是否可以對某些存儲帳戶禁用公共 blob 訪問。", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "將生產工作負載綁定到單個用戶帳戶違反了安全最佳實踐,因此我們建議在 Databricks 中配置服務主體。服務原則將管理員和使用者操作與工作負載分開,並防止工作負載在使用者離開組織時受到影響。使用 Databricks,可以將作業配置為作為服務主體運行,併為服務主體生成個人訪問令牌。", + "guid": "e29711b1-352b-4eee-879b-588defc5972c", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/", + "service": "Azure Databricks", + "severity": "中等", + "text": "使用服務主體運行生產作業。對工作區級別 (ACL)、帳戶級別 (RBAC) 和數據級別 (Unity catalog) 安全控制使用適當的存取控制", "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": 
"Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "默認情況下,DBFS 是一個文件系統,可供給定工作區的所有使用者訪問,並且可以通過 API 訪問。這不一定是一個主要的數據洩露問題,因為您可以使用IP訪問清單或專用網路訪問來限制通過 DBFS API 或 Databricks cli 訪問資料的訪問。但是,隨著 Azure Databricks 使用量的增長和更多使用者加入工作區,這些使用者將有權訪問存儲在 DBFS 中的任何數據,從而產生不需要的信息共用的可能性。Databricks 建議我們的客戶不要將生產數據存儲在 DBFS 中。", + "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c", + "service": "Azure Databricks", "severity": "高", - "text": "使 2 個副本具有 99.9% 的讀取操作可用性", - "waf": "可靠性" + "text": "避免將生產數據存儲在 DBFS 中。", + "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "對於你管理的存儲帳戶,你有責任確保根據你的要求保護存儲帳戶。範例可能包括:使用客戶管理的密鑰進行加密、使用存儲防火牆限制對受信任網路的訪問、不允許匿名公共訪問", + "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", "severity": "中等", - "text": "使 3 個副本具有 99.9% 的讀/寫操作可用性", - "waf": "可靠性" + "text": "加密存儲並限制訪問。", + "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", - "severity": "高", - "text": "通過啟用讀取和/或寫入副本來利用可用區", - "waf": "可靠性" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "為存儲在 Azure Databricks 
控制平面中的選定數據(例如筆記本、機密、Databricks SQL 查詢和 Databricks SQL 查詢歷史記錄)以及用於 DBFS 的根存儲帳戶添加客戶管理的密鑰。Azure Databricks 需要訪問此密鑰才能進行持續操作。可以撤銷對金鑰的訪問許可權,以防止 Azure Databricks 存取控制平面(或我們的備份)中的加密數據。這就像一個核選項,工作區停止運行,但它為極端情況提供了緊急控制。此功能需要 Premium 定價層。", + "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9", + "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys", + "service": "Azure Databricks", + "severity": "中等", + "text": "為託管服務和工作區存儲添加客戶管理的金鑰", + "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "配置IP訪問清單,通過檢查使用者或API用戶端是否來自已知的良好IP位址範圍(如 VPN 或辦公網路),來限制可在帳戶控制台和工作區級別向 Databricks 進行身份驗證的IP位址。如果使用者移動到錯誤的IP位址(例如,從 VPN 斷開連接時),已建立的使用者會話將不起作用。", + "guid": "277de183-b1ac-4252-a9a9-b64608489a8f", + "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list", + "service": "Azure Databricks", "severity": "中等", - "text": "對於區域冗餘,請在2個或更多區域中為搜索手動創建服務,因為它不提供跨地理區域複製搜索索引的自動方法", - "waf": "可靠性" + "text": "啟用IP存取清單以限制對某些IP位址的訪問。", + "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Use the 'Import latest checklist' button to get the latest version of a review checklist", + "description": "Azure 專用連結提供從一個 Azure 環境到另一個 Azure 環境的專用網路路由。專用連結既可以在 Azure Databricks 
使用者和控制平面之間配置,也可以在控制平面和數據平面之間配置。在 Databricks 使用者和控制平面之間,專用連結提供了強大的控制措施來限制入站請求的來源。如果公司已通過 Azure 環境路由流量,則可以使用專用連結,以便使用者與 Azure Databricks 控制平面之間的通信不會遍歷公共 IP 位址。此功能需要 Premium 定價層。使用 Azure 專用連結從 Azure Databricks 連接到 Azure 資源。專用鏈接不僅確保", + "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3", + "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link", + "service": "Azure Databricks", "severity": "中等", - "text": "若要跨多個服務同步數據,請使用索引器更新多個服務上的內容,或使用 REST API 推送多個服務上的內容更新", - "waf": "可靠性" + "text": "配置和使用 Azure 專用連結訪問 Azure 資源。", + "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", + "severity": "高", + "text": "確保在本機 Azure 的標識訂閱中部署了 ADDS 域控制器", + "waf": "安全" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", "severity": "中等", - "text": "使用 Azure 流量管理器協調請求", - "waf": "可靠性" + "text": "確保將 ADDS 網站和服務配置為將來自基於 Azure 的資源(包括 Azure VMware 解決方案)的身份驗證請求保留到 Azure 本地", + "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "severity": "高", - "text": "備份和還原 Azure 
認知搜索索引。使用此範例代碼將索引定義和快照備份到一系列 Json 檔", - "waf": "可靠性" + "text": "確保 vCenter 已連接到 ADDS,以啟用基於「指定用戶帳戶」的身份驗證", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "severity": "低", - "text": "有關最佳實踐,請參閱基線高可用性區域冗餘 Web 應用程式體系結構", - "waf": "可靠性" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", + "severity": "中等", + "text": "確保從 vCenter 到 ADDS 的連接使用安全協定 (LDAPS)", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "severity": "中等", - "text": "使用高級層和標準層。這些層支援暫存槽和自動備份。", - "waf": "可靠性" + "text": "vCenter IdP 中的 CloudAdmin 帳戶僅用作緊急帳戶 (break-glass)", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "severity": "高", - "text": "利用區域適用的可用性區域(需要高級 v2 或 v3 層)", - "waf": "可靠性" + "text": "確保 NSX-Manager 與外部身份提供程式 (LDAPS) 集成", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - 
"guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "severity": "中等", - "text": "實施健康檢查", - "waf": "可靠性" + "text": "是否已創建 RBAC 模型以在 VMware vSphere 中使用", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", - "severity": "高", - "text": "請參閱 Azure 應用服務的備份和還原最佳做法", - "waf": "可靠性" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", + "severity": "中等", + "text": "RBAC 許可權應授予 ADDS 組,而不是特定使用者", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", "severity": "高", - "text": "實現 Azure 應用服務可靠性最佳做法", - "waf": "可靠性" + "text": "Azure 中 Azure VMware 解決方案資源的 RBAC 許可權僅「鎖定」為一組有限的擁有者", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "低", - "text": "熟悉如何在災難期間將應用服務應用移動到另一個區域", - "waf": "可靠性" + 
"arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", + "severity": "高", + "text": "確保所有自定義角色的範圍都具有 CloudAdmin 允許的授權", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "severity": "高", - "text": "熟悉 Azure 應用服務中的可靠性支援", - "waf": "可靠性" + "text": "是否為手頭的客戶用例選擇了正確的 Azure VMware 解決方案連接模型", + "waf": "性能" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", - "severity": "中等", - "text": "確保為在應用服務計劃上運行的函數應用啟用“Always On”", - "waf": "可靠性" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + "severity": "高", + "text": "確保使用「連接監視器」監視從本地到 Azure 的 ExpressRoute 或 VPN 連接", + "waf": "操作" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "severity": "中等", - "text": "使用運行狀況檢查監視應用服務實例", - "waf": "可靠性" + "text": 
"確保創建從 Azure 本機資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視 Azure VMware 解決方案後端 ExpressRoute 連接", + "waf": "操作" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "severity": "中等", - "text": "使用 Application Insights 可用性測試監視 Web 應用或網站的可用性和回應能力", - "waf": "可靠性" + "text": "確保創建從本地資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視端到端連接", + "waf": "操作" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", - "severity": "低", - "text": "使用 Application Insights 標準測試監視 Web 應用或網站的可用性和回應能力", - "waf": "可靠性" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", + "severity": "高", + "text": "使用路由伺服器時,請確保從路由伺服器到 ExR 閘道再到本地的路由不超過 1000 個(ARS 限制)。", + "waf": "操作" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用 Azure Key Vault 儲存應用程式所需的任何機密。 Key Vault 為儲存機密提供安全且經過審核的環境,並通過 Key Vault SDK 或應用服務 Key Vault 引用與應用服務很好地集成。", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", "severity": "高", - "text": "使用 Key Vault 儲存機密", + "text": "是否為在 Azure 門戶中管理 Azure VMware 
解決方案資源的角色實現了 Privileged Identity Management(不允許長期許可權)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用託管標識通過 Key Vault SDK 或透過應用服務 Key Vault 引用連接到 Key Vault。", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "severity": "高", - "text": "使用託管標識連接到 Key VaultUse Managed Identity to connect to Key Vault", + "text": "應為 Azure VMware 解決方案 PIM 角色實現 Privileged Identity Management 審核報告", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "將應用服務 TLS 證書存儲在 Key Vault 中。", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", - "severity": "高", - "text": "使用 Key Vault 儲存 TLS 證書。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", + "severity": "中等", + "text": "如果使用 Privileged Identity Management,請確保使用有效的 SMTP 記錄創建啟用了 Entra ID 的有效帳戶,以便 Azure VMware 解決方案自動主機更換通知。(需要長期許可)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "處理敏感信息的系統應隔離。 為此,請使用單獨的應用服務計劃或應用服務環境,並考慮使用不同的訂閱或管理組。", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", - "severity": "中等", - "text": "隔離處理敏感信息的系統", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", + "severity": 
"高", + "text": "將 CloudAdmin 帳戶的使用限制為僅緊急訪問", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "應用服務上的本地磁碟未加密,敏感數據不應存儲在這些磁碟上。 (例如:D:\\\\Local 和 %TMP%)。", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "severity": "中等", - "text": "不要將敏感數據存儲在本地磁碟上", + "text": "在 vCenter 中創建自定義 RBAC 角色,以在 vCenter 中實施最小特權模型", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "對於經過身份驗證的 Web 應用程式,請使用成熟的標識提供者,例如 Azure AD 或 Azure AD B2C。 利用所選的應用程式框架與此提供程式整合,或使用應用服務身份驗證/授權功能。", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "severity": "中等", - "text": "使用已建立的身份提供程式進行身份驗證", + "text": "是定義為定期輪換 cloudadmin (vCenter) 和管理員 (NSX) 憑據的過程", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "將代碼從受控且受信任的環境(例如管理良好且安全的 DevOps 部署管道)部署到應用服務。這樣可以避免未經版本控制和驗證從惡意主機部署的代碼。", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "severity": "高", - "text": "從受信任的環境部署", + "text": "使用集中式識別提供者用於在 Azure VMware 解決方案上運行的工作負載 (VM)", "waf": "安全" }, { - 
"arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "禁用 FTP/FTPS 和 WebDeploy/SCM 的基本身份驗證。 這將禁止訪問這些服務,並強制使用 Azure AD 安全終結點進行部署。 請注意,還可以使用 Azure AD 憑據打開 SCM 網站。", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", - "severity": "高", - "text": "禁用基本身份驗證", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", + "severity": "中等", + "text": "是否在 NSX-T 中實施了東西向流量篩選", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "如果可能,請使用託管標識連接到 Azure AD 受保護的資源。 如果無法做到這一點,請將機密存儲在 Key Vault 中,並改用託管標識連接到 Key Vault。", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", "severity": "高", - "text": "使用託管標識連接到資源", + "text": "Azure VMware 解決方案上的工作負載不會直接向 Internet 公開。流量由 Azure 應用程式閘道、Azure 防火牆或第三方解決方案進行篩選和檢查", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用託管標識拉取這些映像。", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", "severity": "高", - "text": "使用託管標識拉取容器", + "text": "對 Azure VMware 
解決方案和基於 Azure VMware 解決方案的工作負載的入站 Internet 請求實施審核和日誌記錄", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "通過配置應用服務的診斷設置,可以將所有遙測數據發送到Log Analytics,作為日誌記錄和監視的中心目標。這允許你監視應用服務的運行時活動,例如 HTTP 日誌、應用程式日誌、平臺日誌等。", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "severity": "中等", - "text": "將應用服務運行時日誌發送到Log Analytics", + "text": "對來自 Azure VMware 解決方案或基於 Azure VMware 解決方案的工作負載的出站 Internet 連接實施會話監視,以識別可疑/惡意活動", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "設置診斷設置,將活動日誌發送到Log Analytics,作為日誌記錄和監視的中心目標。這樣,你就可以監視應用服務資源本身上的控制平面活動。", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", "severity": "中等", - "text": "將應用服務活動日誌發送到Log Analytics", + "text": "是否在 Azure 的 ExR/VPN 閘道子網上啟用了 DDoS 標準防護", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用區域 VNet 集成、網路安全組和 UDR 的組合來控制出站網路訪問。 流量應路由到 NVA,例如 Azure 防火牆。 確保監控防火牆的日誌。", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "severity": "中等", - "text": "應控制出站網路訪問", + "text": "使用專用特權訪問工作站 
(PAW) 管理 Azure VMware 解決方案、vCenter、NSX Manager 和 HCX Manager", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "可以使用 VNet 集成並使用 VNet NAT 閘道或 NVA(如 Azure 防火牆)來提供穩定的出站 IP。 這允許接收方根據需要根據IP列出允許清單。 請注意,對於與 Azure 服務的通信,通常不需要依賴於 IP 位址,應改用服務終結點等機制。 (此外,在接收端使用專用終結點可避免發生 SNAT,並提供穩定的出站 IP 範圍。", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "低", - "text": "確保與互聯網位址的出站通信具有穩定的IP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", + "severity": "中等", + "text": "為 Azure VMware 解決方案上運行的工作負載啟用高級威脅檢測(Microsoft Defender for Cloud,又名 ASC)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用應用服務訪問限制、服務終結點或專用終結點的組合來控制入站網路訪問。對於 Web 應用本身和 SCM 網站,可能需要和配置不同的訪問限制。", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "高", - "text": "應控制入站網路訪問", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", + "severity": "中等", + "text": "使用適用於伺服器的 Azure ARC 使用 Azure 本機技術正確管理在 Azure VMware 解決方案上運行的工作負載(適用於 Azure VMware 解決方案的 Azure ARC 尚不可用)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用 Web 應用程式防火牆(如應用程式閘道或 Azure Front Door)防範惡意入站流量。 請務必監控 WAF 的日誌。", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "severity": "高", - "text": "在應用服務前面使用 WAF", + 
"arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "severity": "低", + "text": "確保 Azure VMware 解決方案上的工作負載在運行時使用足夠的數據加密(如來賓內磁碟加密和 SQL TDE)。(vSAN 靜態加密為預設加密)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "確保僅鎖定對 WAF 的訪問,從而無法繞過 WAF。 結合使用訪問限制、服務終結點和專用終結點。", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "高", - "text": "避免繞過 WAF", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "低", + "text": "使用來賓內加密時,請盡可能將加密密鑰存儲在 Azure Key Vault 中", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "在應用服務配置中將最低 TLS 策略設置為 1.2。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "severity": "中等", - "text": "將最低 TLS 策略設置為 1.2", + "text": "請考慮對 Azure VMware 解決方案上運行的工作負載使用擴展的安全更新支援(Azure VMware 解決方案符合 ESU 條件)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "將應用服務配置為僅使用 HTTPS。 這會導致應用服務從 HTTP 重定向到 HTTPS。 強烈建議在代碼或 WAF 中使用 HTTP 嚴格傳輸安全性 (HSTS),這會通知瀏覽器只能使用 HTTPS 訪問網站。", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind 
== 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "severity": "高", - "text": "僅使用 HTTPS", - "waf": "安全" + "text": "確保使用適當的 vSAN 資料冗餘方法(RAID 規範)", + "waf": "可靠性" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "不要在 CORS 配置中使用通配符,因為這允許所有源訪問服務(從而破壞 CORS 的目的)。具體而言,僅允許您希望能夠訪問服務的源。", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "severity": "高", - "text": "不得將通配符用於 CORS", - "waf": "安全" + "text": "確保允許失敗策略已到位,以滿足您的 vSAN 儲存需求", + "waf": "可靠性" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "不得在生產環境中啟用遠端調試,因為這會在服務上打開其他埠,從而增加攻擊面。請注意,該服務會在 48 小時後自動轉為遠端調試。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", "severity": "高", - "text": "關閉遠端調試", - "waf": "安全" + "text": "確保已請求足夠的配額,確保已考慮增長和災難恢復要求", + "waf": "可靠性" }, { - 
"arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "啟用 Defender for App Service。 這(除其他威脅外)檢測與已知惡意IP位址的通信。 在操作過程中查看 Defender for App Service 中的建議。", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "中等", - "text": "啟用 Defender for Cloud - Defender for App Service", - "waf": "安全" + "text": "確保瞭解對 ESXi 的訪問限制,其中存在可能影響第三方解決方案的訪問限制。", + "waf": "操作" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure 在其網路上提供 DDoS 基本保護,可以通過智慧 DDoS 標準功能進行改進,該功能可以瞭解正常的流量模式並檢測異常行為。DDoS 標準適用於虛擬網路,因此必須為應用前面的網路資源(例如應用程式閘道或 NVA)配置它。", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "severity": "中等", - "text": "在 WAF VNet 上啟用 DDOS 保護標準", - "waf": "安全" + "text": "確保您制定了有關ESXi主機密度和效率的策略,並牢記請求新節點的提前期", + "waf": "操作" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用其專用終結點和應用設置“WEBSITE_PULL_IMAGE_OVER_VNET”通過虛擬網络從 Azure 容器註冊表拉取這些映射。", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", 
"severity": "中等", - "text": "通過虛擬網路拉取容器", - "waf": "安全" + "text": "確保 Azure VMware 解決方案的良好成本管理流程已到位 - 可以使用 Azure 成本管理", + "waf": "成本" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "按照參與的滲透測試規則對 Web 應用程式進行滲透測試。", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "severity": "中等", - "text": "進行滲透測試", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", + "severity": "低", + "text": "Azure 預留實例是否用於優化使用 Azure VMware 解決方案的成本", + "waf": "成本" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "部署根據 DevSecOps 實踐驗證和掃描漏洞的受信任代碼。", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "severity": "中等", - "text": "部署經過驗證的代碼", + "text": "使用其他 Azure 本機服務時,請考慮使用 Azure 專用連結", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用最新版本的受支援平臺、程式設計語言、協定和框架。", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", "severity": "高", - "text": "使用最新的平臺、語言、協定和框架", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": 
"7bc1c396-2461-4698-b57f-30ca69525252", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", - "service": "VNet", - "severity": "中等", - "text": "在多個區域中部署 Azure 登陸區域連接資源,以便可以快速支援多區域應用程式登陸區域和災難恢復方案。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "可靠性" + "text": "確保所有必需的資源都駐留在同一個 Azure 可用性區域中", + "waf": "性能" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "severity": "中等", - "text": "使用一個 Entra 租戶來管理 Azure 資源,除非對多租戶有明確的法規或業務要求。", - "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", - "waf": "操作" + "text": "為 Azure VMware 解決方案來賓 VM 工作負載啟用 Microsoft Defender for Cloud", + "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "低", - "text": "使用多租戶自動化方法管理您的 Microsoft Entra ID 租戶。", - "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", + "severity": "中等", + "text": "使用已啟用 Azure Arc 的伺服器管理 Azure VMware 解決方案來賓 VM 工作負載", + "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", "severity": "高", - "text": "使用具有相同 ID 的 Azure Lighthouse 進行多租戶管理。", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "text": "在 Azure VMware 解決方案上啟用診斷和指標日誌記錄", "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", - "severity": "高", - "text": "如果向合作夥伴授予管理租戶的許可權,請使用 Azure Lighthouse。", - "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", - "waf": "成本" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", + "severity": "中等", + "text": "將Log Analytics代理部署到 Azure VMware 解決方案來賓 VM 工作負載", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "severity": "高", - "text": "實施與您的雲操作模型相一致的 RBAC 模型。跨管理組和訂閱確定範圍和分配。", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", + "severity": "中等", + "text": "確保已針對 Azure VMware 解決方案 VM 工作負載記錄並實施了備份策略和解決方案", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": 
"12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", "severity": "中等", - "text": "僅對所有帳戶類型使用身份驗證類型 Work or school account。避免使用 Microsoft 帳戶", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "使用 Microsoft Defender for Cloud 對 Azure VMware 解決方案上運行的工作負載進行合規性監視", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "severity": "中等", - "text": "僅使用組來分配許可權。如果組管理系統已就位,請將本地組添加到僅 Entra ID 組。", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "是否將適用的合規性基線添加到 Microsoft Defender for Cloud", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", "severity": "高", - "text": "對 Azure 環境具有許可權的任何使用者強制實施 Microsoft Entra ID 條件訪問策略。", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "在選擇要用於 Azure VMware 解決方案部署的 Azure 區域時是否評估了數據駐留", "waf": "安全" }, { - 
"checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", "severity": "高", - "text": "對有權訪問 Azure 環境的任何使用者強制實施多重身份驗證。", - "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "text": "數據處理影響(服務提供者/服務消費者模型)是否清晰且有據可查", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "severity": "中等", - "text": "強制實施 Microsoft Entra ID Privileged Identity Management (PIM) 以建立零長期訪問和最低許可權。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "僅當出於合規性原因需要時,才考慮將CMK(客戶管理的密鑰)用於 vSAN。", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", - "severity": "中等", - "text": "如果計劃從 Active Directory 域服務切換到 Entra 域服務,請評估所有工作負載的相容性。", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", + "severity": "高", + "text": "創建儀錶板以啟用核心 Azure VMware 解決方案監視見解", + "waf": "操作" }, { - "checklist": "Azure Landing Zone 
Review", - "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", - "severity": "中等", - "text": "使用 Microsoft Entra 域服務時,請使用副本集。副本集將提高託管域的復原能力,並允許您部署到其他區域。", - "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", - "waf": "可靠性" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", + "severity": "高", + "text": "針對 Azure VMware 解決方案性能(CPU >80%、平均記憶體 >80%、vSAN >70%)自動警報的關鍵閾值創建警告警報", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", - "severity": "中等", - "text": "將 Microsoft Entra ID 紀錄與平臺中心的 Azure Monitor 集成。Azure Monitor 允許 Azure 中日誌和監視數據的單一事實來源,為組織提供雲原生選項來滿足日誌收集和保留的要求。", - "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", + "severity": "高", + "text": "確保創建嚴重警示以監控 vSAN 消耗量是否低於 75%,因為這是 VMware 的支援閾值", + "waf": "操作" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "severity": "高", - "text": "實施緊急訪問或不受限帳戶,以防止租戶範圍的帳戶鎖定。默認情況下,MFA 將於 2024 年 10 月為所有用戶開啟。我們建議更新這些帳戶以使用密鑰 (FIDO2) 或為 MFA 配置基於證書的身份驗證。", - "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", - "waf": "安全" + "text": "確保為 Azure 服務運行狀況警報和通知配置警報", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "severity": "中等", - "text": "請勿將本地同步帳戶用於 Microsoft Entra ID 角色分配,除非你的方案特別需要它。", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "安全" + "text": "將 Azure VMware 解決方案記錄設定為發送到 Azure 儲存帳戶或 Azure EventHub 進行處理", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", + "severity": "低", + "text": "如果需要深入瞭解 VMware vSphere:解決方案中是否使用了 vRealize Operations 和/或 vRealize Network Insights?", + "waf": "操作" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", + "severity": "高", + "text": "確保虛擬機的 vSAN 儲存策略不是預設存儲策略,因為此策略應用厚置備", + "waf": "操作" + }, + { + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "severity": "中等", - "text": "使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對應用程式的訪問許可權時,請將其作為平臺資源進行管理,因為每個租戶只能有一個實例。", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "安全" + "text": "確保未將 vSphere 內容庫放置在 vSAN 上,因為 vSAN 是有限的資源", + "waf": "操作" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", "severity": "中等", - "text": "對於需要最大靈活性的網路方案,請使用中心輻射型網路拓撲。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "text": "確保備份解決方案的數據存儲庫存儲在 vSAN 儲存之外。在 Azure 本機或磁碟池支持的數據存儲中", + "waf": "操作" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", - "severity": "高", - "text": "在中心虛擬網路中部署共用網路服務,包括 ExpressRoute 閘道、VPN 閘道和 Azure 防火牆或合作夥伴 NVA。如有必要,還要部署 DNS 服務。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "成本" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", + "severity": "中等", + "text": "確保使用 Azure Arc for Servers 進行混合管理,確保在 Azure VMware 解決方案上運行的工作負載(Arc for Azure VMware 
解決方案處於預覽狀態)", + "waf": "操作" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", - "severity": "高", - "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP保護計畫。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", + "severity": "中等", + "text": "確保使用 Azure Log Analytics 和 Azure Monitor 監視在 Azure VMware 解決方案上運行的工作負載", + "waf": "操作" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "severity": "中等", - "text": "部署合作夥伴網路技術或 NVA 時,請遵循合作夥伴供應商的指導。", - "waf": "可靠性" + "text": "在現有更新管理工具或 Azure 更新管理中包括在 Azure VMware 解決方案上運行的工作負載", + "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "低", - "text": "如果需要在中心輻射型方案中在 ExpressRoute 和 VPN 閘道之間傳輸,請使用 Azure 路由伺服器。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design 
Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", + "severity": "中等", + "text": "使用 Azure Policy 在 Azure 管理、監視和安全解決方案中加入 Azure VMware 解決方案工作負載", + "waf": "操作" }, { - "arm-service": "Microsoft.Network/virtualHubs", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "severity": "低", - "text": "如果使用路由伺服器,請對路由伺服器子網使用 /27 前置綴。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "severity": "中等", + "text": "確保在 Azure VMware 解決方案上運行的工作負載已載入 Microsoft Defender for Cloud", "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "severity": "中等", - "text": "對於跨 Azure 區域具有多個中心輻射型拓撲的網路體系結構,請在中心 VNet 之間使用全域虛擬網路對等互連將區域相互連接。", - "training": 
"https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "性能" + "text": "確保備份不存儲在 vSAN 上,因為 vSAN 是有限的資源", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", "severity": "中等", - "text": "使用適用於網路的 Azure Monitor 監視 Azure 上網路的端到端狀態。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "操作" + "text": "是否考慮了所有災難恢復解決方案,並決定了最適合您業務的解決方案?[SRM/JetStream/Zerto/Veeam/...]", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "severity": "中等", - "text": "如果一個區域中的分支網路超過 400 個,請部署一個額外的中心以繞過 VNet 對等互連限制 (500) 和可通過 ExpressRoute 播發的最大前綴數 (1000)。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "text": "當災難恢復技術是本機 Azure IaaS 時,請使用 Azure Site Recovery", "waf": "可靠性" }, { - "arm-service": 
"Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", + "severity": "高", + "text": "將自動恢復計劃與任一災難解決方案結合使用,盡可能避免手動任務", + "waf": "可靠性" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "severity": "中等", - "text": "將每個路由表的路由數限制為 400。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "text": "使用地緣政治區域對作為輔助災難恢復環境", "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", "severity": "高", - "text": "配置 VNet 對等互連時,請使用「允許流量流向遠端虛擬網路」設置。", - "training": 
"https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "text": "在區域之間使用 2 個不同的地址空間,例如:10.0.0.0/16 和 192.168.0.0/16 用於不同的區域", "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", - "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancers", - "severity": "高", - "text": "將標準負載均衡器 SKU 與區域冗餘部署配合使用,選擇標準 SKU 負載均衡器可通過可用性區域和區域復原能力增強可靠性,確保部署能夠承受區域和區域故障。與 Basic 不同,它支援全域負載平衡並提供 SLA。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", + "severity": "中等", + "text": "ExpressRoute Global Reach 是用於主 Azure VMware 解決方案私有雲和輔助 Azure VMware 解決方案私有雲之間的連接,還是通過網路虛擬設備完成路由?", "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "48682fb1-1e86-4458-a686-518ebd47393d", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - 
"service": "Load Balancers", - "severity": "高", - "text": "確保負載均衡器後端池至少包含兩個實例,在後端部署至少包含兩個實例的 Azure 負載均衡器可以防止單點故障並支援可伸縮性。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", + "severity": "中等", + "text": "是否考慮了所有備份解決方案,並決定了最適合您業務的解決方案?[ MABS/CommVault/Metallic.io/Veeam/ .", "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", "severity": "中等", - "text": "使用 ExpressRoute Direct 時,請配置 MACsec,以便在組織路由器和 MSEE 之間的第二層加密流量。該圖顯示了這種加密流程。", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "安全" + "text": "將備份解決方案部署在與 Azure VMware 解決方案私有雲相同的區域中", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "severity": "中等", - "text": "對於無法使用MACsec的情況(例如,不使用ExpressRoute Direct),請使用 VPN 閘道通過 ExpressRoute 專用對等互連建立 IPsec 隧道。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "安全" + "text": "在 vSan 外部的 Azure 本機組件上部署備份解決方案", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": 
"558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", - "severity": "高", - "text": "確保 Azure 區域和本地位置之間沒有使用重疊的 IP 位址空間。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "低", + "text": "是否已制定請求還原由 Azure 平臺管理的 VMware 元件的流程?", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "中等", - "text": "使用私有互聯網的位址分配範圍 (RFC 1918) 中的IP位址。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", + "severity": "低", + "text": "對於手動部署,必須記錄所有配置和部署", + "waf": "操作" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend 
addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "高", - "text": "確保IP位址空間不會浪費,不要創建不必要的大型虛擬網路(例如/16)。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "性能" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "低", + "text": "對於手動部署,請考慮實施資源鎖,以防止對 Azure VMware 解決方案私有雲執行意外操作", + "waf": "操作" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "severity": "高", - "text": "不要對生產和災難恢復網站使用重疊的IP位址範圍。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "可靠性" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "低", + "text": "對於自動化部署,請部署最小的私有雲並根據需要進行擴展", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), 
')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", - "service": "Public IP Addresses", - "severity": "高", - "text": "使用標準 SKU 和區域冗餘 IP(如果適用),Azure 中的公共 IP 位址可以是標準 SKU,以非區域、區域或區域冗餘的形式提供。區域冗餘IP可跨所有區域訪問,可抵禦任何單個區域故障,從而提供更高的彈性。", - "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", - "waf": "可靠性" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "低", + "text": "對於自動部署,請在開始部署之前請求或預留配額", + "waf": "操作" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", - "severity": "中等", - "text": "對於只需要在 Azure 中進行名稱解析的環境,請使用 Azure 專用 DNS 進行解析,並使用委託區域進行名稱解析(例如“azure.contoso.com”)。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "低", + "text": "對於自動部署,請確保通過自動化或 Azure Policy 創建相關資源鎖,以便進行適當的治理", "waf": "操作" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", - "severity": "中等", - "text": "對於需要跨 Azure 和本地進行名稱解析且沒有 Active Directory 等現有企業 DNS 服務的環境,請使用 Azure DNS 專用解析程式將 DNS 請求路由到 Azure 或本地 DNS 伺服器。", - "training": 
"https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "低", + "text": "為 ExR 授權金鑰實現人類可理解的名稱,以便輕鬆識別密鑰的目的/用途", + "waf": "操作" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", "severity": "低", - "text": "需要並部署自己的 DNS 的特殊工作負載(例如 Red Hat OpenShift)應使用其首選的 DNS 解決方案。", - "training": "https://learn.microsoft.com/training/courses/az-700t00", + "text": "當使用單獨的服務原則部署 Azure VMware 解決方案和 ExpressRoute 時,請使用 Key Vault 儲存機密和授權密鑰", "waf": "操作" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", - "severity": "高", - "text": "為 Azure DNS 啟用自動註冊,以自動管理虛擬網路中部署的虛擬機的 DNS 記錄的生命週期。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "低", + "text": "當需要在 Azure VMware 解決方案中/上部署許多資源時,定義用於在 IaC 中序列化操作的資源依賴項,因為 Azure VMware 解決方案僅支援有限數量的並行操作。", "waf": "操作" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", - "link": 
"https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", - "service": "DNS", - "severity": "中等", - "text": "實施一個計劃,用於管理多個 Azure 區域之間的 DNS 解析以及服務故障轉移到另一個區域時", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "可靠性" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "低", + "text": "使用單個 Tier-1 閘道執行 NSX-T 分段的自動配置時,請使用 Azure 門戶 API 而不是 NSX-Manager API", + "waf": "操作" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "severity": "中等", - "text": "使用 Azure Bastion 安全地連接到您的網路。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "安全" + "text": "打算使用自動橫向擴展時,請務必為運行 Azure VMware 解決方案的訂閱申請足夠的 Azure VMware 解決方案配額", + "waf": "性能" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - 
"service": "Bastion", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "中等", - "text": "在子網 /26 或更大的子網中使用 Azure Bastion。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "安全" + "text": "打算使用自動縮減時,請務必在執行此操作之前考慮存儲策略要求", + "waf": "性能" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "中等", - "text": "使用 Azure Front Door 和 WAF 策略跨 Azure 區域為到登陸區域的入站 HTTP/S 連接提供全域保護。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" + "text": "擴展操作始終需要在單個 SDDC 中序列化,因為一次只能執行一個擴展操作(即使使用多個集群也是如此)", + "waf": "性能" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "低", - "text": "使用 Azure Front Door 和 Azure 應用程式閘道幫助保護 HTTP/S 應用時,請使用 Azure Front Door 中的 WAF 策略。鎖定 Azure 應用程式閘道以僅接收來自 Azure Front Door 的流量。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", + "severity": "中等", + "text": "考慮並驗證體系結構中使用的第三方解決方案的縮放操作(支援與否)", + "waf": "性能" }, { - "arm-service": 
"microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "高", - "text": "當入站 HTTP/S 連接需要 WAF 和其他反向代理時,請將它們部署在登陸區虛擬網路中,並與它們保護並公開給 Internet 的應用程式一起部署。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", + "severity": "中等", + "text": "在自動化中為環境定義和強制實施橫向擴展/橫向擴展最大限制", + "waf": "性能" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "高", - "text": "使用 Azure DDoS 網路或 IP 保護計劃來幫助保護虛擬網路中的公共 IP 位址終結點。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", + "severity": "中等", + "text": "實施監控規則以監控自動擴展操作,並監控成功和失敗,以啟用適當的(自動化)回應", + "waf": "操作" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": 
"AVS", "severity": "高", - "text": "規劃如何在即將到來的重大更改之前管理您的網路出站流量配置和策略。2025 年 9 月 30 日,新部署的預設出站訪問將停用,僅允許顯式訪問配置。", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", + "text": "使用 MON 時,請注意同時配置的 VM 的限制(HCX 的 MON 限制 [400 - 標準,1000 - 大型設備])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "高", - "text": "添加診斷設置以保存所有受保護的公有IP位址(DDoS IP或網路保護)的 DDoS 相關日誌。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "高", - "text": "確保有一個策略分配來拒絕直接連接到虛擬機的公有IP位址。 如果特定 VM 上需要公共 IP,請使用排除項。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", - "severity": "中等", - "text": "使用 ExpressRoute 作為與 Azure 的主要連接。 使用 VPN 作為備份連接的源。", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "您可以使用 AS 路徑預置和連接權重來影響從 Azure 到本地的流量,並使用您自己的路由器中的所有 BGP 屬性來影響從本地到 Azure 的流量。", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "severity": "中等", - "text": "使用多個 ExpressRoute 線路或多個本地位置時,請使用 BGP 屬性來優化路由。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "使用 MON 時,不能在超過 100 個網路分機上啟用 MON", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "中等", - "text": "根據頻寬和性能要求為 ExpressRoute/VPN 閘道選擇正確的 SKU。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "如果使用 VPN 連接進行遷移,請相應地調整 MTU 大小。", "waf": "性能" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone 
Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "高", - "text": "確保僅在達到與成本相稱的頻寬時才使用無限數據 ExpressRoute 線路。", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "成本" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", - "severity": "高", - "text": "如果你的線路對等互連位置支援本地 SKU 的 Azure 區域,請利用 ExpressRoute 的本地 SKU 來降低線路的成本。", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "成本" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", + "severity": "中等", + "text": "對於連接到 Azure(500Mbps 或更低)的低連接區域,請考慮部署 HCX WAN 優化設備", + "waf": "性能" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType 
=~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "severity": "中等", - "text": "在支援的 Azure 區域中部署區域冗餘 ExpressRoute 閘道。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "確保從本地裝置啟動遷移,而不是從雲端裝置啟動遷移(不要執行反向遷移)", "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", "severity": "中等", - "text": "對於需要高於 10 Gbps 的頻寬或專用 10/100 Gbps 埠的方案,請使用 ExpressRoute Direct。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" + "text": "使用 Azure Netapp Files 擴展 Azure VMware 解決方案的儲存時,請考慮將其用作 VMware 資料儲存庫,而不是直接附加到 VM 。", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": 
"ExpressRoute", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "severity": "中等", - "text": "當需要低延遲,或者從本地到 Azure 的輸送量必須大於 10 Gbps 時,請啟用 FastPath 以從數據路徑繞過 ExpressRoute 閘道。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" + "text": "確保將專用 ExpressRoute 閘道用於外部資料儲存解決方案", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "severity": "中等", - "text": "使用區域冗餘 VPN 閘道將分支或遠端位置連接到 Azure(如果可用)。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "text": "確保在用於外部數據存儲解決方案的 ExpressRoute 閘道上啟用了 FastPath", "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", - "severity": "中等", - "text": "在本地使用冗餘 VPN 設備(主動/主動或主動/被動)。", - "training": 
"https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", + "severity": "高", + "text": "如果使用延伸群集,請確保供應商支援所選的災難恢復解決方案", "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", "severity": "高", - "text": "如果使用 ExpressRoute Direct,請考慮使用連接到本地 Azure 區域的 ExpressRoute 本地線路以節省成本。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "成本" + "text": "如果使用延伸群集,請確保提供的 SLA 符合您的要求", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", - "severity": "中等", - "text": "當需要流量隔離或專用頻寬時(例如用於分離生產和非生產環境),請使用不同的 ExpressRoute 線路。它將幫助您確保隔離的路由域並減輕嘈雜的鄰居風險。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", + "severity": "高", + "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都連接到連接中心。", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", - "severity": "中等", - "text": "使用內置的 Express Route Insights 監控 ExpressRoute 的可用性和利用率。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", + "severity": "高", + "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都啟用了 GlobalReach。", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", - "severity": "中等", - "text": "使用連接監視器進行跨網路的連接監控,尤其是本地和 Azure 之間的連接。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "severity": "高", + "text": "是否正確考慮了網站容災設置,並在需要時為您的業務進行了更改。", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where 
type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "中等", - "text": "使用來自不同對等互連位置的 ExpressRoute 線路以實現冗餘。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "使用長期可撤銷令牌,緩存令牌並使用 Microsoft 標識庫以靜默方式獲取令牌", "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "中等", - "text": "如果僅使用單個 ExpressRoute 線路,請使用網站到網站 VPN 作為 ExpressRoute 的故障轉移。", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "text": "請確保登錄使用者流已備份並具有復原能力。請確保用於登錄使用者的代碼已備份且可恢復。與外部進程的彈性介面", "waf": "可靠性" }, { - 
"arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", - "severity": "高", - "text": "如果您在 GatewaySubnet 中使用路由表,請確保傳播閘道路由。", - "waf": "可靠性" + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", + "severity": "中等", + "text": "自訂品牌資產應託管在CDN上", + "waf": "性能" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", - "severity": "高", - "text": "如果使用 ExpressRoute,則本地路由應該是動態的:如果連接失敗,它應收斂到線路的剩餘連接。理想情況下,負載應在兩個連接之間共用,即主動/主動,但也支持主動/被動。", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": 
"https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "低", + "text": "擁有多個標識提供者(即使用您的 Microsoft、Google、Facebook 帳戶登錄)", "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "中等", - "text": "確保 ExpressRoute 線路的兩個物理連結連接到網路中的兩個不同的邊緣設備。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "遵循 VM 規則,實現 VM 級別的高可用性(高級磁碟,一個區域中的兩個或更多磁碟,位於不同的可用性區域)", "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "中等", - "text": "確保在客戶或供應商邊緣路由設備上啟用和配置雙向轉發檢測 (BFD)。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "不要複製!複製可能會產生目錄同步問題", "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": 
"ExpressRoute", - "severity": "高", - "text": "將 ExpressRoute 閘道連接到來自不同對等互連位置的兩條或多條線路,以獲得更高的復原能力。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "中等", + "text": "對多區域具有主動-主動", "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "中等", - "text": "為 ExpressRoute 虛擬網路閘道配置診斷日誌和警報。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "操作" + "text": "將 Azure AD 域服務標記添加到其他區域和位置", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "中等", - "text": "不要使用 ExpressRoute 線路進行 VNet 到 VNet 通信。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" + "text": "將副本集用於DR", + "waf": "可靠性" }, { - "checklist": 
"Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", - "severity": "低", - "text": "不要將 Azure 流量發送到混合位置進行檢查。 相反,請遵循“Azure 中的流量保留在 Azure 中”的原則,以便通過 Microsoft 主幹網络進行 Azure 中資源的通信。", - "waf": "性能" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "應用與存儲相關的 Microsoft 雲安全基準中的指導", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", + "severity": "中等", + "text": "請考慮「存儲的 Azure 安全基線”", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "默認情況下,Azure 儲存具有公共IP位址,並且可通過Internet訪問。專用終結點允許僅向需要訪問的 Azure 計算資源安全地公開 Azure 存儲,從而消除對公共 Internet 的暴露", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "severity": "高", - "text": "使用 Azure 防火牆來管理到 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東西向流量篩選(如果組織需要)。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "考慮將專用終結點用於 Azure 存儲", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "新創建的存儲帳戶是使用ARM部署模型創建的,因此 
RBAC、審核等都已啟用。確保訂閱中沒有具有經典部署模型的舊存儲帳戶", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "中等", - "text": "創建全域 Azure 防火牆策略以管理全球網路環境中的安全狀況,並將其分配給所有 Azure 防火牆實例。通過 Azure 基於角色的訪問控制將增量防火牆策略委派給本地安全團隊,從而允許精細策略以滿足特定區域的要求。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "確保較舊的存儲帳戶未使用“經典部署模型”", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "severity": "低", - "text": "如果組織希望使用此類解決方案來幫助保護出站連接,請在 Firewall Manager 中配置受支援的合作夥伴 SaaS 安全提供者。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "利用 Microsoft Defender 瞭解可疑活動和錯誤配置。", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", + "severity": "高", + "text": "為所有存儲帳戶啟用 Microsoft DefenderEnable Defender for all of your storage accounts", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "severity": "高", - "text": "使用應用程式規則篩選目標主機名上的出站流量,以瞭解支持的協定。 使用基於 FQDN 的網路規則和帶有 DNS 代理的 Azure 防火牆,通過其他協議篩選到 Internet 的出口流量。", 
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "軟刪除機制允許恢復意外刪除的 Blob。", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", + "severity": "中等", + "text": "為 blob 啟用“軟刪除”", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "高", - "text": "使用 Azure 防火牆高級版啟用其他安全功能。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", + "severity": "中等", + "text": "禁用 blob 的“軟刪除”", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": 
"容器的軟刪除使你能夠在刪除容器后恢復容器,例如從意外刪除操作中恢復。", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "高", - "text": "將 Azure 防火牆威脅情報模式配置為 Alert 和 Deny 以獲得額外的保護。", + "text": "為容器啟用“軟刪除”", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", - "severity": "高", - "text": "將 Azure 防火牆 IDPS 模式配置為 Deny 以獲得額外保護。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "中等", + "text": "禁用容器的“軟刪除”", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand 
properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "通過強制使用者在刪除之前先刪除刪除鎖,防止意外刪除存儲帳戶", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "高", - "text": "對於 VNet 中未連接到虛擬 WAN 的子網,請附加路由表,以便將 Internet 流量重定向到 Azure 防火牆或網路虛擬設備。", + "text": "在存儲帳戶上啟用資源鎖", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", - "severity": "中等", - "text": "添加診斷設置,以使用特定於資源的目標表保存所有 Azure 防火牆部署的日誌。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "操作" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "請考慮對 blob 使用“合法保留”或“基于時間的保留”策略,這樣就無法刪除 blob、容器或存儲帳戶。請注意,「不可能」實際上意味著「不可能」;存儲帳戶包含不可變 blob 後,「擺脫」該存儲帳戶的唯一方法是取消 Azure 訂閱。", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "高", + "text": "考慮不可變的 blob", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "重要", - "text": "從 Azure 防火牆經典規則(如果存在)遷移到防火牆策略。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "操作" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "請考慮禁用對存儲帳戶的未受保護的 HTTP/80 訪問,以便對所有數據傳輸進行加密、完整性保護,並對伺服器進行身份驗證。", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "高", + "text": "需要 HTTPS,即在儲存帳戶上禁用埠 80", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "在儲存帳戶上配置自定義域(主機名)時,請檢查是否需要 TLS/HTTPS;如果是這樣,可能需要將 Azure CDN 放在存儲帳戶的前面。", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "severity": "高", - "text": "對 Azure 防火牆子網使用 /26 前置綴。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", + "text": "強制實施 HTTPS(禁用 HTTP)時,請檢查是否未對儲存帳戶使用自定義域 (CNAME)。", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "當用戶端使用SAS令牌訪問 blob 資料時,要求使用 HTTPS 有助於將憑據丟失的風險降至最低。", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "中等", - "text": "根據規則的使用頻率,將防火牆策略中的規則排列到規則集合組和規則集合中。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", - "waf": "性能" + "text": "將共享訪問簽名 (SAS) 令牌限製為僅 HTTPS 連接", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", - "severity": "中等", - "text": "使用IP組或IP前置綴來減少IP表規則的數量。", - "waf": "性能" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "在可能的情況下,AAD 令牌應優先於共用訪問簽名", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "高", + "text": "使用 Azure Active Directory (Azure AD) 令牌進行 blob 訪問", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": 
"c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "將角色分配給使用者、組或應用程式時,請僅向該安全主體授予他們執行任務所需的許可權。限制對資源的訪問有助於防止無意和惡意濫用數據。", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "中等", - "text": "請勿使用通配符作為DNAT的源IP,例如*或任何,您應該為傳入的DNAT指定源IP。", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "性能" + "text": "IaM 許可權中的最低特權", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", - "severity": "中等", - "text": "通過監控 SNAT 埠使用方式、評估 NAT 閘道設置並確保無縫故障轉移,防止 SNAT 埠耗盡。如果埠計數接近限制,則表明 SNAT 耗儘可能即將耗盡。", - "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", - "waf": "性能" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "使用者委派 SAS 使用 Azure Active Directory (Azure AD) 憑據以及為 SAS 指定的許可權進行保護。使用者委派 SAS 在範圍和功能方面類似於服務 SAS,但比服務 SAS 具有安全優勢。", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "高", + "text": "使用 SAS 時,首選「使用者委派 SAS」,而不是基於存儲帳戶密鑰的 SAS。", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + 
"checklist": "Azure Blob Storage Review", + "description": "存儲帳戶金鑰(“共用金鑰”)幾乎沒有審核功能。雖然可以監控誰/何時獲取密鑰副本,但一旦密鑰掌握在多個人手中,就不可能將使用方式歸因於特定使用者。僅依靠 AAD 身份驗證可以更輕鬆地將存儲存取許可權綁定到使用者。", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "severity": "高", - "text": "如果使用的是 Azure 防火牆高級版,請啟用 TLS 檢查。", - "waf": "性能" + "text": "請考慮禁用存儲帳戶密鑰,以便僅支援 AAD 訪問(和使用者委派 SAS)。", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "低", - "text": "使用 Web 類別允許或拒絕對特定主題的出站訪問。", - "waf": "性能" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "使用活動日誌數據來標識查看或更改存儲帳戶安全性的“時間”、“人員”、“內容”和“方式”(即存儲帳戶密鑰、訪問策略等)。", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "高", + "text": "請考慮使用 Azure Monitor 審核存儲帳戶上的控制平面操作", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "通過金鑰過期策略,您可以設置帳戶訪問金鑰輪換的提醒。如果指定的時間間隔已過且鍵尚未旋轉,則會顯示提醒。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "中等", - "text": "作為 
TLS 檢查的一部分,請規劃從 Azure 應用程式閘道接收流量進行檢查。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", - "waf": "性能" + "text": "使用存儲帳戶密鑰時,請考慮啟用“金鑰過期策略”", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS 過期策略指定 SAS 有效的建議時間間隔。SAS 過期策略適用於服務 SAS 或帳戶 SAS。當使用者生成的服務 SAS 或帳戶 SAS 的有效期間隔大於建議的時間間隔時,他們會看到警告。", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "中等", - "text": "啟用 Azure 防火牆 DNS 代理配置。", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "text": "考慮配置 SAS 過期策略", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "高", - "text": "將 Azure 防火牆與 Azure Monitor 集成,並啟用診斷日誌記錄來存儲和分析防火牆日誌和指標。", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "操作" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "存儲存取策略提供了撤銷服務 SAS 許可權的選項,而無需重新生成儲存帳戶密鑰。", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "severity": "中等", + 
"text": "考慮將 SAS 連結到儲存存取策略", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "低", - "text": "為防火牆規則實施備份", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "操作" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", + "severity": "中等", + "text": "請考慮配置應用程式的原始程式碼儲存庫,以檢測簽入的連接字串和存儲帳戶密鑰。", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", - "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", - "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "理想情況下,應用程式應使用託管標識向 Azure 儲存進行身份驗證。如果無法做到這一點,請考慮在 Azure KeyVault 或等效服務中使用存儲憑據(連接字串、存儲帳戶密鑰、SAS、服務主體憑據)。", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "高", - "text": "跨多個可用性區域部署 Azure 防火牆。Azure 防火牆根據其部署提供不同的 SLA;在單個可用區或跨多個可用區,從而可能提高可靠性和性能。", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "可靠性" + "text": "請考慮將連接字串儲存在 
Azure KeyVault 中(在無法實現託管標識的情況下)", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'", - "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", - "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "在臨時 SAS 服務 SAS 或帳戶 SAS 上使用近期過期時間。這樣,即使 SAS 遭到入侵,它也只能在很短的時間內有效。如果無法引用存儲訪問策略,則此做法尤為重要。近期過期時間還通過限制可上傳到 blob 的時間來限制可寫入 blob 的數據量。", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "高", - "text": "在 Azure 防火牆 VNet 上配置 DDoS 防護,將 DDoS 防護計劃與託管 Azure 防火牆的虛擬網路相關聯,以提供針對 DDoS 攻擊的增強緩解。Azure 防火牆管理器集成了防火牆基礎結構和 DDoS 防護計劃的創建。", - "waf": "可靠性" + "text": "爭取縮短臨時 SAS 的有效期", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": 
"App Gateway", - "severity": "高", - "text": "不要中斷注入虛擬網路的 Azure PaaS 服務的控制平面通信,例如使用 0.0.0.0/0 路由或阻止控制平面流量的 NSG 規則。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "創建 SAS 時,請盡可能具體和嚴格。首選單個資源和操作的 SAS,而不是提供更廣泛訪問許可權的 SAS。", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "中等", + "text": "將窄範圍應用於SAS", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS 可以包含用戶端 IP 位址或位址範圍有權使用 SAS 請求資源的參數。", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "中等", - "text": "通過專用終結點和 ExpressRoute 專用對等互連從本地訪問 Azure PaaS 服務。此方法可避免通過公共 Internet 傳輸。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "盡可能考慮將SAS的範圍限定為特定的用戶端IP位址", "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - 
"guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS 無法限制用戶端上傳的數據量;考慮到存儲量隨時間變化的定價模型,驗證用戶端是否惡意上傳了大量內容可能是有意義的。", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "低", + "text": "請考慮在用戶端使用SAS上傳檔后檢查上傳的數據。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "使用「本地使用者帳戶」通過 SFTP 訪問 Blob 儲存時,“通常”RBAC 控制不適用。通過 NFS 或 REST 進行的 Blob 訪問可能比 SFTP 訪問更嚴格。遺憾的是,截至 2023 年初,本地使用者是 SFTP 端點當前支援的唯一身份管理形式", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "severity": "高", - "text": "默認情況下,不要在所有子網上啟用虛擬網路服務終端節點。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "SFTP:限制 SFTP 訪問的「本地使用者」數量,並審核一段時間內是否需要訪問。", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "中等", - "text": "使用 FQDN 而不是 Azure 防火牆或 NVA 中的 IP 位址篩選到 Azure PaaS 服務的出口流量,以防止數據外洩。如果使用專用連結,則可以阻止所有 FQDN,否則僅允許所需的 PaaS 服務。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": 
"SFTP:SFTP 端點不支持類似 POSIX 的 ACL。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
- "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Blob Storage Review",
+ "description": "存儲支援 CORS(跨域資源分享),即一種 HTTP 功能,使來自不同域的 Web 應用程式能夠放寬同源策略。啟用 CORS 時,請將 CorsRules 保留為最低許可權。",
+ "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
+ "service": "Azure Storage",
 "severity": "高",
- "text": "至少為您的閘道子網使用 /27 前置綴。",
+ "text": "避免過於寬泛的 CORS 策略",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' 
and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)",
- "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8",
- "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags",
- "service": "NSG",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Blob Storage Review",
+ "description": "靜態數據始終在伺服器端加密,此外也可能在用戶端加密。伺服器端加密可能使用平臺管理的金鑰(預設)或客戶管理的金鑰進行。用戶端加密可以通過讓用戶端按 blob 向 Azure 儲存提供加密/解密金鑰,或者完全在用戶端處理加密來實現。因此,完全不依賴 Azure 存儲來保證機密性。",
+ "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "service": "Azure Storage",
 "severity": "高",
- "text": "不要依賴使用 VirtualNetwork 服務標記的 NSG 入站預設規則來限制連接。",
+ "text": "確定應如何加密靜態數據。了解數據的線程模型。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Blob Storage Review",
+ "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
+ "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
+ "service": "Azure Storage",
+ "severity": "中等",
+ "text": "確定應使用哪種/是否應使用平臺加密。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = 
subnet.properties.networkSecurityGroup.id, compliant",
- "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
- "service": "NSG",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Blob Storage Review",
+ "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
+ "service": "Azure Storage",
 "severity": "中等",
- "text": "使用 NSG 説明保護跨子網的流量,以及跨平台的東西向流量(登陸區域之間的流量)。",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "text": "確定應使用哪種/是否應使用用戶端加密。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "Azure Landing Zone Review",
- "guid": "a4d87397-48b6-462d-9d15-f512a65498f6",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "service": "NSG",
- "severity": "中等",
- "text": "使用 NSG 和應用程式安全組對登陸區域內的流量進行微分段,並避免使用中央 NVA 來篩選流量。",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Blob Storage Review",
+ "description": "利用 Resource Graph 資源管理器(資源 | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)查找允許匿名 blob 訪問的存儲帳戶。",
+ "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
+ "service": "Azure Storage",
+ "severity": "高",
+ "text": "考慮是否需要公共 blob 訪問,或者是否可以對某些存儲帳戶禁用公共 blob 訪問。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, 
lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant",
- "guid": "dfe237de-143b-416c-91d7-aa9b64704489",
- "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview",
- "service": "NSG",
- "severity": "中等",
- "text": "啟用 VNet 流日誌並將其饋送到流量分析中,以深入了解內部和外部流量流。",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
- "waf": "安全"
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
+ "severity": "高",
+ "text": "為 Azure Cache for Redis 啟用區域冗餘。Azure Cache for Redis 支持高級層和企業層中的區域冗餘配置。區域冗餘緩存可以將其節點放置在同一區域的不同 Azure 可用性區域中。它消除了作為單點故障的數據中心或可用區中斷,並提高了緩存的整體可用性。",
+ "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)",
- "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "NSG",
+ "arm-service": 
"microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
+ "service": "Redis",
 "severity": "中等",
- "text": "由於規則數限制為 1000 個,因此每個 NSG 實施的 NSG 規則不要超過 900 個。",
- "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "text": "為 Azure Cache for Redis 實例配置數據持久性。由於緩存數據存儲在記憶體中,因此多個節點的罕見和計劃外故障可能會導致所有數據被丟棄。為了避免完全丟失數據,Redis 持久性允許您定期拍攝記憶體中數據的快照,並將其存儲到存儲帳戶中。",
 "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
- "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any",
- "service": "VWAN",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
+ "service": "Redis",
 "severity": "中等",
- "text": "如果您的方案在虛擬 WAN 路由設計清單中明確描述,請使用虛擬 WAN。",
- "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
- "waf": "操作"
+ "text": "使用異地冗餘存儲帳戶保留 Azure Cache for Redis 數據,或在異地冗餘不可用的情況下使用區域冗餘",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst",
- "service": "VWAN",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
+ "service": "Redis",
 "severity": 
"中等",
- "text": "使用每個 Azure 區域的虛擬 WAN 中心,透過通用的全球 Azure 虛擬 WAN 跨 Azure 區域將多個登陸區域連接在一起。",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "性能"
+ "text": "為高級 Azure Cache for Redis 實例配置被動異地複製。異地複製是一種用於連結兩個或多個 Azure Cache for Redis 實例的機制,通常跨越兩個 Azure 區域。異地複製主要用於跨區域災難恢復。兩個高級層緩存實例通過異地複製進行連接,從而提供對主緩存的讀取和寫入,並將數據複製到輔助緩存。",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
- "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
- "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall",
- "service": "VWAN",
- "severity": "中等",
- "text": "對於出站 Internet 流量保護和篩選,請在安全中心部署 Azure 防火牆。",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "安全"
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
+ "service": "Cognitive Search",
+ "severity": "高",
+ "text": "使 2 個副本具有 99.9% 的讀取操作可用性",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology",
- "service": "VWAN",
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "7d956fd9-788a-4845-9b9f-c0340972d810",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
+ "service": "Cognitive Search",
 "severity": "中等",
- "text": "確保您的虛擬 WAN 網路架構與已確定的架構方案保持一致。",
- "training": 
"https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "text": "使 3 個副本具有 99.9% 的讀/寫操作可用性",
 "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
- "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
- "service": "VWAN",
- "severity": "中等",
- "text": "使用適用於虛擬 WAN 的 Azure Monitor Insights 來監視虛擬 WAN 的端到端拓撲、狀態和關鍵指標。",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "操作"
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support",
+ "service": "Cognitive Search",
+ "severity": "高",
+ "text": "通過啟用讀取和/或寫入副本來利用可用區",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant",
- "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
- "service": "VWAN",
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions",
+ "service": "Cognitive Search",
 "severity": "中等",
- "text": "不要在虛擬 WAN 中禁用分支到分支流量,除非應明確阻止這些流。",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "text": "對於區域冗餘,請在2個或更多區域中為搜索手動創建服務,因為它不提供跨地理區域複製搜索索引的自動方法",
 "waf": "可靠性"
 },
 {
- "arm-service": 
"microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant",
- "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
- "service": "VWAN",
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services",
+ "service": "Cognitive Search",
 "severity": "中等",
- "text": "使用 AS-Path 作為中心路由首選項,因為它比 ExpressRoute 或 VPN 更靈活。",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "text": "若要跨多個服務同步數據,請使用索引器更新多個服務上的內容,或使用 REST API 推送多個服務上的內容更新",
 "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
- "service": "VWAN",
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests",
+ "service": "Cognitive Search",
 "severity": "中等",
- "text": "在虛擬 WAN 中配置基於標籤的傳播,否則虛擬中心之間的連接將受到影響。",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "text": "使用 Azure 流量管理器協調請求",
 "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= 
(toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant",
- "guid": "9c75dfef-573c-461c-a698-68598595581a",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
- "service": "VWAN",
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives",
+ "service": "Cognitive Search",
 "severity": "高",
- "text": "為虛擬中心分配至少 /23 前置綴,以確保有足夠的IP空間可用。",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
+ "text": "備份和還原 Azure 認知搜索索引。使用此範例代碼將索引定義和快照備份到一系列 Json 檔",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "應用與存儲相關的 Microsoft 雲安全基準中的指導",
+ "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline",
+ "service": "Azure Storage",
+ "severity": "中等",
+ "text": "請考慮「存儲的 Azure 安全基線”",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "默認情況下,Azure 儲存具有公共IP位址,並且可通過Internet訪問。專用終結點允許僅向需要訪問的 Azure 計算資源安全地公開 Azure 存儲,從而消除對公共 Internet 的暴露",
+ "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
+ "service": "Azure Storage",
 "severity": "高",
- "text": "戰略性地利用 Azure Policy,使用策略計劃對相關策略進行分組,為您的環境定義控制措施。",
- "training": 
"https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "考慮將專用終結點用於 Azure 存儲",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "新創建的存儲帳戶是使用ARM部署模型創建的,因此 RBAC、審核等都已啟用。確保訂閱中沒有具有經典部署模型的舊存儲帳戶",
+ "guid": "30e37c3e-2971-41b2-963c-eee079b598de",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
+ "service": "Azure Storage",
 "severity": "中等",
- "text": "將法規和合規性要求映射到 Azure Policy 定義和 Azure 角色分配。",
- "training": "https://learn.microsoft.com/training/modules/governance-security/",
+ "text": "確保較舊的存儲帳戶未使用“經典部署模型”",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "利用 Microsoft Defender 瞭解可疑活動和錯誤配置。",
+ "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d",
+ "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure",
+ "service": "Azure Storage",
+ "severity": "高",
+ "text": "為所有存儲帳戶啟用 Microsoft Defender",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "軟刪除機制允許恢復意外刪除的 blob。",
+ "guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview",
+ "service": "Azure Storage",
+ "severity": "中等",
+ "text": "為 blob 啟用“軟刪除”",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
- "link": 
"https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。",
+ "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
+ "service": "Azure Storage",
 "severity": "中等",
- "text": "在中間根管理組建立 Azure Policy 定義,以便可以在繼承的範圍內分配這些定義。",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "禁用 blob 的“軟刪除”",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "容器的軟刪除使您能夠在刪除容器后恢復容器,例如從意外刪除操作中恢復。",
+ "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview",
+ "service": "Azure Storage",
 "severity": "高",
- "text": "如果需要,在最高適當的級別管理策略分配,並在最低級別管理排除項。",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "為容器啟用“軟刪除”",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "43334f24-9116-4341-a2ba-527526944008",
- "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
- "service": "Policy",
- "severity": "低",
- "text": "使用 Azure Policy 控制使用者可以在訂閱/管理組級別預配哪些服務。",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": 
"考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。",
+ "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
+ "service": "Azure Storage",
+ "severity": "中等",
+ "text": "禁用容器的“軟刪除”",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "通過強制使用者先刪除刪除鎖,然後再刪除存儲帳戶,防止意外刪除存儲帳戶",
+ "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
+ "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
+ "service": "Azure Storage",
 "severity": "高",
- "text": "盡可能使用內置策略,以最大程度地減少運營開銷。",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "在存儲帳戶上啟用資源鎖定",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "description": "通過將 Resource Policy Contributor 角色分配給特定範圍,您可以將策略管理委派給相關團隊。例如,中央IT團隊可以監督管理組級別的策略,而應用程式團隊則處理其訂閱的策略,從而在遵守組織標準的情況下實現分散式治理。",
- "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
- "service": "Policy",
- "severity": "中等",
- "text": "在特定範圍內分配內置的 Resource Policy Contributor 角色,以啟用應用程式級監管。",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "請考慮對 blob 使用“合法保留”或“基于時間的保留”策略,以便無法刪除 blob、容器或存儲帳戶。請注意,「不可能」實際上意味著「不可能」;一旦存儲帳戶包含不可變的 blob,「擺脫」該存儲帳戶的唯一方法是取消 Azure 訂閱。",
+ "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
+ "link": 
"https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
+ "service": "Azure Storage",
+ "severity": "高",
+ "text": "考慮不可變的 blob",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "19048384-5c98-46cb-8913-156a12476e49",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": "中等",
- "text": "限制在根管理組範圍內進行的 Azure Policy 分配的數量,以避免通過繼承範圍內的排除項進行管理。",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "請考慮禁用對存儲帳戶的未受保護的 HTTP/80 訪問,以便對所有數據傳輸進行加密、完整性保護,並且對伺服器進行身份驗證。",
+ "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
+ "service": "Azure Storage",
+ "severity": "高",
+ "text": "需要 HTTPS,即在儲存帳戶上禁用埠 80",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
- "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
- "service": "Policy",
- "severity": "中等",
- "text": "如果存在任何數據主權要求,則應部署 Azure 策略來強制實施這些要求。",
- "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "在儲存帳戶上配置自定義域(主機名)時,請檢查是否需要 TLS/HTTPS;如果是這樣,可能需要將 Azure CDN 放在存儲帳戶的前面。",
+ "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
+ "service": "Azure Storage",
+ "severity": "高",
+ "text": "強制執行 HTTPS(禁用 HTTP)時,請檢查是否不要對儲存帳戶使用自定義域 (CNAME)。",
 "waf": "安全"
 },
 {
- "arm-service": 
"Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
- "service": "Policy",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "當用戶端使用SAS令牌訪問 blob 資料時,要求使用 HTTPS 有助於最大程度地降低憑據丟失的風險。",
+ "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
+ "service": "Azure Storage",
 "severity": "中等",
- "text": "對於 Sovereign Landing Zone,請部署主權策略基線並在正確的管理組級別進行分配。",
+ "text": "將共享訪問簽名 (SAS) 令牌限製為僅 HTTPS 連接",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
- "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
- "service": "Policy",
- "severity": "中等",
- "text": "對於 Sovereign Landing Zone,將 Sovereign Control 目標記錄到策略映射。",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": ".強制執行最新的 TLS 版本將拒絕來自使用舊版本的用戶端的請求。",
+ "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant",
+ "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55",
+ "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version",
+ "service": "Azure Storage",
+ "severity": "高",
+ "text": "強制實施存儲帳戶的最新 TLS 版本",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
- "link": 
"https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives",
- "service": "Policy",
- "severity": "中等",
- "text": "對於 Sovereign Landing Zone,請確保已制定管理“主權控制目標到策略映射”的流程。",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "在可能的情況下,應優先使用 Microsoft Entra ID 令牌,而不是共用訪問簽名",
+ "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
+ "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
+ "service": "Azure Storage",
+ "severity": "高",
+ "text": "使用 Microsoft Entra ID 令牌進行 blob 訪問",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
- "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions",
- "service": "Monitor",
- "severity": "中等",
- "text": "使用單個監視器日誌工作區集中管理平臺,除非 Azure 基於角色的訪問控制 (Azure RBAC)、數據主權要求或數據保留策略要求單獨的工作區。",
- "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "waf": "操作"
- },
- {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Monitor",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "為使用者、組或應用程式分配角色時,請僅授予該安全主體執行任務所需的許可權。限制對資源的訪問有助於防止無意和惡意濫用數據。",
+ "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
+ "service": "Azure Storage",
 "severity": "中等",
- "text": "決定是對所有區域使用單個 Azure Monitor 日誌工作區,還是創建多個工作區以涵蓋不同的地理區域。每種方法都有優點和缺點,包括潛在的跨區域網路費用",
- "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "waf": "可靠性"
+ "text": "IaM 許可權中的最小特權",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure 
Landing Zone Review",
- "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- "service": "Monitor",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "使用者委派 SAS 使用 Azure Active Directory (Azure AD) 憑據以及為 SAS 指定的許可權進行保護。使用者委派 SAS 在範圍和功能方面類似於服務 SAS,但與服務 SAS 相比,它提供了安全優勢。",
+ "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
+ "service": "Azure Storage",
 "severity": "高",
- "text": "如果您的日誌保留要求超過 12 年,請將日誌匯出到 Azure 存儲。將不可變存儲與一次寫入、多次讀取策略結合使用,使數據在使用者指定的時間間隔內不可擦除且不可修改。",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "操作"
- },
- {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
- "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
- "service": "VM",
- "severity": "中等",
- "text": "使用 Azure Policy 監視 OS 等級的虛擬機 (VM) 配置偏移。通過策略啟用 Azure Automanage 計算機配置審核功能可幫助應用程式團隊工作負載輕鬆立即使用功能。",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "操作"
+ "text": "使用 SAS 時,首選「使用者委派 SAS」,而不是基於存儲帳戶密鑰的 SAS。",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations",
- "service": "VM",
- "severity": "中等",
- "text": "使用 Azure 更新管理員作為 Azure 中 Windows 和 Linux VM 的修補機制。",
- "training": 
"https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "waf": "操作"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "存儲帳戶金鑰(“共用金鑰”)幾乎沒有審核功能。雖然可以監控誰/何時獲取了密鑰的副本,但一旦密鑰掌握在多人手中,就不可能將使用方式歸因於特定使用者。僅依賴 Entra ID 身份驗證可以更輕鬆地將存儲訪問許可權與用戶綁定。",
+ "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant",
+ "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
+ "service": "Azure Storage",
+ "severity": "高",
+ "text": "請考慮禁用存儲帳戶密鑰,以便僅支援 Microsoft Entra ID 訪問(和使用者委派 SAS)。",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
- "service": "VM",
- "severity": "中等",
- "text": "使用 Azure Update Manager 作為使用 Azure Arc 的 Azure 外部 Windows 和 Linux VM 的修補機制。",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "waf": "操作"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "使用活動日誌數據來確定查看或更改存儲帳戶安全性的“時間”、“人員”、“內容”和“方式”(即存儲帳戶密鑰、訪問策略等)。",
+ "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
+ "service": "Azure Storage",
+ "severity": "高",
+ "text": "請考慮使用 Azure Monitor 審核存儲帳戶上的控制平面操作",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/networkWatchers",
- "checklist": "Azure Landing Zone Review",
- "guid": 
"90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "通過金鑰過期策略,您可以設置帳戶訪問金鑰輪換的提醒。如果已過指定的時間間隔且尚未旋轉鍵,則會顯示提醒。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "中等", - "text": "使用網路觀察程序主動監控流量。", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "操作" + "text": "使用存儲帳戶密鑰時,請考慮啟用“金鑰過期策略”", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SAS 過期策略指定了 SAS 的有效時間間隔。SAS 過期策略適用於服務 SAS 或帳戶 SAS。當使用者生成的服務 SAS 或帳戶 SAS 的有效期間隔大於建議的時間間隔時,他們將看到警告。", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "中等", - "text": "使用 Azure Monitor 紀錄獲取見解和報告。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", - "waf": "操作" + "text": "考慮配置 SAS 過期策略", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage 
Review Checklist", + "description": "通過存儲訪問策略,可以選擇撤銷服務 SAS 的許可權,而無需重新生成存儲帳戶密鑰。", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "中等", - "text": "使用 Azure Monitor 警報生成操作警報。", - "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", - "waf": "操作" + "text": "考慮將 SAS 連結到儲存存取策略", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "severity": "中等", - "text": "通過 Azure 自動化帳戶使用更改和清單跟蹤時,請確保已選擇受支持的區域,以便將 Log Analytics 工作區和自動化帳戶連結在一起。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", - "waf": "操作" + "text": "請考慮配置應用程式的原始程式碼儲存庫,以檢測簽入的連接字串和存儲帳戶密鑰。", + "waf": "安全" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", - "severity": "低", - "text": "使用Azure備份時,請使用正確的備份類型(GRS,ZRS和LRS)進行備份,因為預設設置是GRS。", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "可靠性" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "理想情況下,應用程式應使用託管標識向 Azure 儲存進行身份驗證。如果無法做到這一點,請考慮在 Azure KeyVault 
或等效服務中擁有存儲憑據(連接字串、存儲帳戶密鑰、SAS、服務主體憑據)。", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", + "severity": "高", + "text": "請考慮在 Azure KeyVault 中儲存連接字串(在無法使用託管標識的情況下)", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", - "severity": "中等", - "text": "使用 Azure 來賓策略通過 VM 擴展自動部署軟體配置,並強制實施合規的基線 VM 配置。", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "在臨時 SAS 服務 SAS 或帳戶 SAS 上使用近期過期時間。這樣,即使 SAS 遭到入侵,它也只會在短時間內有效。如果無法引用存儲訪問策略,則這種做法尤為重要。近期過期時間還通過限制可用於上傳到 blob 的時間來限制可以寫入 blob 的數據量。", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "高", + "text": "爭取縮短臨時 SAS 的有效期", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "description": "使用 Azure Policy 的來賓配置功能來審核和修正電腦設置(例如,操作系統、應用程式、環境),以確保資源與預期配置保持一致,並且更新管理可以對 VM 強制實施修補程式管理。", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "創建 SAS 時,請盡可能具體且具有限制性。首選單一資源和操作的 SAS,而不是提供更廣泛訪問許可權的 SAS。", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": 
"中等", - "text": "通過 Azure Policy 監視 VM 安全配置偏移。", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "text": "對SAS應用窄範圍", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SAS 可以包含用戶端 IP 位址或位址範圍有權使用 SAS 請求資源的參數。", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "中等", - "text": "將 Azure Site Recovery 用於 Azure 到 Azure 虛擬機的災難恢復方案。這使您能夠跨區域複製工作負載。", - "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", - "waf": "操作" + "text": "盡可能考慮將SAS的範圍限定為特定的用戶端IP位址", + "waf": "安全" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", - "severity": "中等", - "text": "使用 Azure 原生備份功能或與 Azure 相容的第三方備份解決方案。", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", - "waf": "操作" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "SAS無法限制用戶端上傳的數據量;考慮到存儲量隨時間變化的定價模型,驗證用戶端是否惡意上傳了大量內容可能很有意義。", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "低", + "text": "在用戶端使用SAS上傳檔后,請考慮檢查上傳的數據。", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "使用「本地使用者帳戶」通過 SFTP 訪問 blob 儲存時,“通常”的 RBAC 控制不適用。通過 NFS 或 REST 進行的 Blob 訪問可能比 SFTP 訪問更具限制性。遺憾的是,截至 2023 年初,本地使用者是 SFTP 端點目前支援的唯一身份管理形式", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "severity": "高", - "text": "添加診斷設置以保存來自應用程式交付服務(如 Azure Front Door 和 Azure 應用程式閘道)的 WAF 日誌。定期查看日誌以檢查是否存在攻擊和誤報檢測。", - "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", - "waf": "操作" + "text": "SFTP:限制 SFTP 訪問的「本地使用者」數量,並審核隨著時間的推移是否需要訪問。", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "中等", - "text": "將 WAF 日誌從應用程式交付服務(如 Azure Front Door 和 Azure 應用程式閘道)發送到 Microsoft Sentinel。檢測攻擊並將 WAF 遙測集成到整個 Azure 環境中。", - "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", - "waf": "操作" + "text": "SFTP:SFTP 端點不支持類似 POSIX 的 ACL。", + "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": 
"5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "存儲支援 CORS(跨源資源分享),即一種 HTTP 功能,使來自不同域的 Web 應用程式能夠放鬆同源策略。啟用 CORS 時,請將 CorsRules 保留為最低許可權。", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "高", - "text": "使用 Azure Key Vault 儲存機密和憑據。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "text": "避免過於寬泛的 CORS 策略", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", - "severity": "中等", - "text": "對不同的應用程式和區域使用不同的 Azure Key Vault,以避免事務規模限制並限制對機密的訪問。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "靜態數據始終在伺服器端加密,此外也可能在用戶端加密。伺服器端加密可能使用平臺管理的金鑰(預設)或客戶管理的金鑰進行。用戶端加密可以通過讓用戶端按 blob 向 Azure 
儲存提供加密/解密金鑰,或者完全在用戶端處理加密來實現。因此,完全不依賴 Azure 存儲來保證機密性。", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "severity": "高", + "text": "確定應如何加密靜態數據。了解數據的線程模型。", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "中等", - "text": "預配 Azure Key Vault 並啟用軟刪除和清除策略,以允許對已刪除的物件進行保留保護。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "text": "確定應使用哪種/是否應使用平臺加密。", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "中等", - "text": "通過將永久刪除密鑰、機密和證書的授權限制為專門的自定義 Microsoft Entra ID 角色,遵循最低許可權模型。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "text": "確定應使用哪種/是否應使用用戶端加密。", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": 
"6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中等", - "text": "與公共證書頒發機構一起自動執行證書管理和續訂流程,以簡化管理。", - "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "利用 Resource Graph 資源管理器 (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) 查找允許匿名 blob 訪問的存儲帳戶。", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "高", + "text": "考慮是否需要公共 blob 匿名訪問,或者是否可以對某些存儲帳戶禁用公共 blob 匿名訪問。", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中等", - "text": "建立金鑰和證書輪換的自動化流程。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "安全" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", + "severity": "高", + "text": "利用 storagev2 帳戶類型獲得更好的性能和可靠性", + "waf": "可靠性" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + 
"guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", + "severity": "高", + "text": "利用 GRS、ZRS 或 GZRS 儲存實現最高可用性", + "waf": "可靠性" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", "severity": "中等", - "text": "在保管庫上啟用防火牆和虛擬網路服務終結點或專用終結點,以控制對密鑰保管庫的訪問。", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", - "waf": "安全" + "text": "對於故障轉移后的寫入操作,請使用客戶管理的故障轉移", + "waf": "可靠性" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", "severity": "中等", - "text": "使用平臺中心的 Azure Monitor Log Analytics 工作區來審核 Key Vault 的每個實例中的密鑰、證書和機密使用方式。", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", - "waf": "安全" + "text": "瞭解 Microsoft 託管的故障轉移詳細資訊", + "waf": "可靠性" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": 
"b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", "severity": "中等", - "text": "委託 Key Vault 實例化和特權訪問,並使用 Azure Policy 強制實施一致的合規配置。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", - "waf": "安全" + "text": "啟用軟刪除", + "waf": "可靠性" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "severity": "中等", - "text": "每個區域每個環境的每個應用程式使用 Azure Key Vault。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "安全" + "text": "Azure SAP 解決方案 中心 (ACSS) 是一種 Azure 產品/服務,它使 SAP 成為 Azure 上的頂級工作負載。ACSS 是一種端到端解決方案,使你能夠在 Azure 上將 SAP 系統作為統一工作負載創建和運行,併為創新提供更無縫的基礎。您可以利用新的和現有的基於 Azure 的 SAP 系統的管理功能。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "操作" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "中等", - "text": "如果您想使用自己的金鑰,則可能並非所有考慮的服務都支援此功能。實施相關的緩解措施,以便不一致不會妨礙預期的結果。選擇適當的區域對和災難恢復區域,以最大限度地減少延遲。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "安全" + "text": "Azure 支援在Linux和 Windows 中自動執行 SAP 部署。SAP Deployment Automation Framework 是一種開源編排工具,可以部署、安裝和維護 SAP 環境。", + "training": "https://github.com/Azure/sap-automation", + "waf": "操作" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "severity": "中等", - "text": "對於主權登陸區域,請使用 Azure Key Vault 託管 HSM 來儲存機密和憑據。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "安全" + "text": "在滿足 RTO 的任何時間和時間範圍內對生產資料庫執行時間點恢復;時間點恢復通常包括操作員錯誤地刪除 DBMS 層或透過 SAP 刪除數據", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "severity": "中等", - "text": "使用 Microsoft Entra ID 報告功能生成訪問控制審核報告。", - "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", - "waf": "安全" + "text": "測試備份和恢復時間,以驗證它們是否滿足在災難發生后同時還原所有系統的 RTO 要求。", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "severity": "高", - "text": "為所有訂閱啟用Defender Cloud安全態勢管理。", - "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", - "waf": "安全" + "text": "您可以在配對區域之間複製標準存儲,但不能使用標準存儲來存儲資料庫或虛擬硬碟。您只能在您使用的配對區域之間複製備份。對於所有其他數據,請使用 SQL Server Always On 或 SAP HANA 系統複製等本機 DBMS 功能運行複製。將 Site Recovery、rsync 或 robocopy 以及其他第三方軟體組合用於 SAP 應用程式層。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", - "severity": "高", - "text": "為所有訂閱上的伺服器啟用Defender雲工作負載保護計劃。", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "中等", + "text": "使用 Azure 可用性區域實現高可用性時,必須考慮 SAP 應用程式伺服器和資料庫伺服器之間的延遲。對於具有高延遲的區域,需要制定操作過程,以確保 SAP 應用程式伺服器和資料庫伺服器始終在同一區域中運行。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", + "checklist": "SAP Checklist", + "graph": "resources| where type 
=~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "severity": "高", - "text": "在所有訂閱上為 Azure 資源啟用 Defender Cloud 工作負載保護計劃。", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", - "waf": "安全" + "text": "設置從本地到主要和輔助 Azure 災難恢復區域的 ExpressRoute 連接。此外,作為使用 ExpressRoute 的替代方法,請考慮設置從本地到主要和輔助 Azure 災難恢復區域的 VPN 連接。", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", - "severity": "高", - "text": "在 IaaS 伺服器上啟用 Endpoint Protection。", - "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", + "severity": "低", + "text": "跨區域複製金鑰保管庫內容(如證書、機密或金鑰),以便可以在DR區域中解密資料。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "checklist": "SAP Checklist", + 
"guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "中等", - "text": "通過 Azure Monitor 紀錄和 Defender for Cloud 監視基本作業系統修補偏差。", - "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", - "waf": "安全" + "text": "將主虛擬網路和災難恢復虛擬網路對等互連。例如,對於 HANA 系統複製,SAP HANA DB 虛擬網路需要與災難恢復網站的 SAP HANA DB 虛擬網路對等互連。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", - "severity": "中等", - "text": "將預設資源配置連接到集中式 Azure Monitor Log Analytics 工作區。", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "低", + "text": "如果將 Azure NetApp Files 儲存用於 SAP 部署,則至少在兩個區域中的高級層中創建兩個 Azure NetApp Files 帳戶。", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, 
ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", - "guid": "a56888b2-7e83-4404-bd31-b886528502d1", - "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "高", - "text": "使用關聯日誌進行集中威脅檢測 - 將安全數據整合到一個中心位置,以便通過SIEM(安全資訊和事件管理)在各種服務之間關聯數據", - "waf": "安全" + "text": "應使用本機資料庫複製技術來同步HA對中的資料庫。", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", - "severity": "中等", - "text": "對於 Sovereign Landing Zone,請在 Entra ID 租戶上啟用透明度日誌。", - "waf": "安全" + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "高", + "text": "主虛擬網路 (VNet) 的 CIDR 不應與DR網站的 VNet 的 CIDR 衝突或重疊", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "可靠性" }, { - 
"checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", - "severity": "中等", - "text": "對於 Sovereign Landing Zone,請在 Entra ID 租戶上啟用客戶密碼箱。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "高", + "text": "使用 Site Recovery 將應用程式伺服器複製到 DR 網站。Site Recovery 還可以説明將中心服務群集 VM 複製到DR網站。調用DR時,您需要在DR網站上重新配置Linux Pacemaker集群(例如,替換VIP或SBD、運行 corosync.conf 等)。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "高", - "text": "啟用到存儲帳戶的安全傳輸。", - "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", - "waf": "安全" + "text": "考慮 SAP 軟體的可用性,防止單點故障。這包括應用程式中的單點故障,例如 SAP NetWeaver 和 SAP S/4HANA 架構中使用的 DBMS、SAP ABAP 和 ASCS + SCS。此外,還可以使用其他工具,例如 SAP Web Dispatcher。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": 
"https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", "severity": "高", - "text": "為存儲帳戶啟用容器軟刪除,以恢復已刪除的容器及其內容。", - "waf": "安全" + "text": "對於 SAP 和 SAP 資料庫,請考慮實現自動故障轉移群集。在 Windows 中,Windows Server 故障轉移群集支援故障轉移。在Linux中,Linux Pacemaker或SIOS Protection Suite 和 Veritas InfoScale 等第三方工具支援故障轉移。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "高", - "text": "使用 Key Vault 機密來避免對敏感資訊進行硬編碼,例如憑據(虛擬機用戶密碼)、證書或密鑰。", - "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", - "waf": "操作" + "text": "Azure 不支援主 VM 和輔助 VM 共用 DBMS 數據存儲的體系結構。對於 DBMS 層,常見的架構模式是同時複製資料庫,並且使用與主 VM 和輔助 VM 使用的儲存堆疊不同的儲存堆疊。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure 事件中心提供靜態數據加密。如果使用自己的金鑰,則仍使用 Microsoft 
管理的金鑰對數據進行加密,但此外,Microsoft 管理的金鑰將使用客戶管理的密鑰進行加密。",
- "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6",
- "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key",
- "service": "Event Hubs",
- "severity": "低",
- "text": "需要時,在靜態數據加密中使用客戶管理的金鑰選項",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
+ "service": "SAP",
+ "severity": "高",
+ "text": "DBMS 數據和事務/重做日誌檔存儲在 Azure 支援的塊存儲或 Azure NetApp 檔中。不支援將 Azure 檔案儲存或 Azure 高級檔儲存作為 SAP 工作負載的 DBMS 資料和/或重做日誌檔的存儲。",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "Azure 事件中心命名空間允許用戶端使用 TLS 1.0 及更高版本發送和接收數據。若要強制實施更嚴格的安全措施,可以將事件中心命名空間配置為要求用戶端使用較新版本的 TLS 發送和接收數據。如果事件中心命名空間需要最低版本的 TLS,則使用舊版本發出的任何請求都將失敗。",
- "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e",
- "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version",
- "service": "Event Hubs",
- "severity": "中等",
- "text": "對請求強制實施傳輸層安全性 (TLS) 的最低要求版本",
- "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
+ "service": "SAP",
+ "severity": "高",
+ "text": "您可以在 Windows 中使用 Azure 共用磁碟,以實現 ASCS + SCS 元件和特定的高可用性方案。分別為 SAP 應用程式層元件和 DBMS 層設置故障轉移集群。Azure 目前不支援將 SAP 應用程式層元件和 DBMS 層合併到一個故障轉移群集中的高可用性體系結構。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "可靠性"
 },
 {
- 
"arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "創建事件中心命名空間時,會自動為命名空間創建名為 RootManageSharedAccessKey 的策略規則。此策略具有整個命名空間的管理許可權。建議您將此規則視為管理根帳戶,不要在應用程式中使用它。建議將 AAD 用作 RBAC 的身份驗證提供程式。", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "中等", - "text": "避免在不必要的情況下使用root帳戶", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "安全" + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by 
backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
+ "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
+ "service": "SAP",
+ "severity": "高",
+ "text": "SAP 應用程式層元件 (ASCS) 和 DBMS 層的大多數故障轉移群集都需要故障轉移群集的虛擬 IP 位址。 Azure 負載均衡器應處理所有其他情況下的虛擬IP位址。一種設計原則是每個集群配置使用一個負載均衡器。我們建議您使用標準版本的負載均衡器 (Standard Load Balancer SKU)。",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "Azure 資源的託管標識可以使用 Azure AD 憑據從 Azure 虛擬機 (VM)、函數應用、虛擬機規模集和其他服務中運行的應用程式授權訪問事件中心資源。通過將 Azure 資源的託管標識與 Azure AD 身份驗證結合使用,可以避免將憑據存儲在雲中運行的應用程式中。",
- "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776",
- "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest",
- "service": "Event Hubs",
- "severity": "中等",
- "text": "如果可能,應用程式應使用託管標識向 Azure 事件中心進行身份驗證。如果沒有,請考慮在 Azure Key Vault 或等效服務中擁有存儲憑據(SAS、服務主體憑據)",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
+ "service": "SAP",
+ "severity": "高",
+ "text": "確保在負載均衡器上啟用了浮動IP",
+ "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "創建許可權時,請對用戶端對 Azure 
事件中心的訪問提供精細控制。Azure 事件中心中的許可權可以而且應該限定為單個資源級別,例如消費者組、事件中心實體、事件中心命名空間等。",
- "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2",
- "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
- "service": "Event Hubs",
+ "checklist": "SAP Checklist",
+ "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "SAP",
 "severity": "高",
- "text": "使用最低特權數據平面 RBAC",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
- "waf": "安全"
+ "text": "在部署高可用性基礎結構之前,根據您選擇的區域,確定是使用 Azure 可用性集還是可用性區域進行部署。",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "Azure 事件中心資源日誌包括操作日誌、虛擬網路和 Kafka 日誌。運行時審核日誌捕獲事件中心中所有數據平面訪問操作(例如發送或接收事件)的聚合診斷資訊。",
- "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db",
- "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
- "service": "Event Hubs",
- "severity": "中等",
- "text": "啟用記錄以進行安全調查。使用 Azure Monitor 捕獲指標和日誌,例如資源日誌、運行時審核日誌和 Kafka 紀錄",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "SAP",
+ "severity": "高",
+ "text": "如果要滿足 SAP 元件(中央服務、應用程式伺服器和資料庫)的應用程式的基礎設施 SLA,則必須為所有元件選擇相同的高可用性選項(VM、可用性集、可用區)。",
+ "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "默認情況下,Azure 事件中心具有公共IP位址,並且可通過Internet訪問。專用終結點允許虛擬網路和 Azure 事件中心之間的流量遍歷 Microsoft 主幹網路。除此之外,如果未使用公共終結點,則應禁用這些終結點。",
- "guid": 
"5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "severity": "中等", - "text": "請考慮使用專用終結點訪問 Azure 事件中心,並在適用時禁用公用網路訪問。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "高", + "text": "不要在同一可用性集中混合使用不同角色的伺服器。將中心服務 VM、資料庫 VM、應用程式 VM 保留在其自己的可用性集中", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "使用IP防火牆,可以將公共終結點進一步限製為僅一組IPv4位址或 CIDR(無類別域間路由)表示法的IPv4位址範圍。", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "中等", - "text": "請考慮僅允許從特定IP位址或範圍訪問 Azure 事件中心命名空間", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" + "text": "除非使用鄰近放置組,否則無法在 Azure 可用性區域中部署 Azure 可用性集。", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "severity": "中等", - "text": "利用 FTA 彈性手冊", + "checklist": "SAP Checklist", + "guid": 
"9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "高", + "text": "創建可用性集時,請使用可用的容錯域和更新域的最大數量。例如,如果您在一個可用性集中部署兩個以上的 VM,除了 Azure 計劃內維護之外,還請使用最大數量的容錯域 (三個) 和足夠的更新域,以限制潛在物理硬體故障、網路中斷或電源中斷的影響。容錯域的預設數量為 2,以後無法在線更改。", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "對於從門戶創建的新 EH 命名空間,在啟用區域的區域中具有高級、專用或標準 SKU,將自動啟用此功能。EH 元數據和事件數據本身都是跨區域複製的", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "高", - "text": "利用可用區(如果區域適用)", + "text": "在可用性集部署中使用 Azure 鄰近放置組時,所有三個 SAP 元件(中央服務、應用程式伺服器和資料庫)都應位於同一鄰近放置組中。", "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", - "severity": "中等", - "text": "使用高級或專用 SKU 實現可預測的性能", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "高", + "text": "每個 SAP SID 使用一個鄰近放置組。組不跨可用性區域或 Azure 區域", "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "啟用內置異地災難恢復功能后,可確保命名空間的整個配置(事件中心、消費者組和設置)從主命名空間持續複製到輔助命名空間,並允許隨時從主命名空間向輔助命名空間進行一次故障轉移。主動/被動功能旨在更輕鬆地從失敗的 Azure 
區域中恢復和放棄,而無需更改應用程式配置",
- "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
- "service": "Event Hubs",
+ "checklist": "SAP Checklist",
+ "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "service": "SAP",
 "severity": "高",
- "text": "使用主動被動配置規劃異地災難恢復",
+ "text": "使用以下服務之一運行 SAP Central Services 集群,具體取決於操作系統。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
 "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "應用於無法容忍關閉區域中事件數據中斷或丟失的DR配置。對於這些情況,請遵循複製指南,不要使用內置的異地災難恢復功能(主動/被動)。使用「主動/主動」時,在不同區域和命名空間中維護多個事件中心,事件將在中心之間複製",
- "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
- "service": "Event Hubs",
+ "checklist": "SAP Checklist",
+ "guid": "ed46b937-913e-4018-9c62-8393ab037e53",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
+ "service": "SAP",
 "severity": "中等",
- "text": "對於業務關鍵型應用程式,請使用 Active Active 配置",
+ "text": "Azure 目前不支援在同一個 Linux Pacemaker 群集中組合 ASCS 和 DB HA;將它們分成單獨的集群。但是,您最多可以將5個多個中央服務集群組合成一對VM。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
 "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c",
- "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
- "service": "Event Hubs",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | 
project name, id, tags, param1 = strcat('sku: ', sku.name)",
+ "guid": "f656e745-0cfb-453e-8008-0528fa21c933",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "service": "SAP",
 "severity": "中等",
- "text": "設計可復原的事件中心",
+ "text": "將高可用性對中的兩個 VM 部署在可用性集或可用性區域中。這些 VM 的大小應相同,並且具有相同的存儲配置。",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
- "service": "IoT",
- "severity": "高",
- "text": "利用可用區(如果區域適用)(這是自動啟用的)",
+ "checklist": "SAP Checklist",
+ "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
+ "service": "SAP",
+ "severity": "中等",
+ "text": "Azure 支援在 Red Hat Enterprise Linux (RHEL) 上運行的同一高可用性群集上安裝和配置 SAP HANA 以及 ASCS/SCS 和 ERS 實例。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Devices/IotHubs",
- "checklist": "IoT Hub Review",
- "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
- "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
- "service": "IoT",
- "severity": "中等",
- "text": "請注意 Microsoft 發起的故障轉移。Microsoft 在極少數情況下會執行這些操作,以將所有IoT中心從受影響的區域故障轉移到相應的異地配對區域。",
+ "checklist": "SAP Checklist",
+ "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
+ "severity": "高",
+ "text": "在高級託管 SSD 上運行所有生產系統,並使用 Azure NetApp Files 或超級磁碟存儲。至少OS磁碟應位於高級層上,以便您可以獲得更好的性能和最佳SLA。",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
 "waf": "可靠性"
 },
 {
- "arm-service": 
"Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "severity": "高", - "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", + "text": "應僅在 SAP 認證的存儲類型上運行 Azure 上的 SAP HANA。請注意,某些卷必須在某些磁碟配置上運行(如果適用)。這些配置包括啟用 Write Accelerator 和使用高級存儲。您還需要確保在儲存上運行的檔案系統與計算機上運行的 DBMS 相容。", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", "waf": "可靠性" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", "severity": "高", - "text": "瞭解如何觸發手動故障轉移。", + "text": "考慮根據您用於 SAP 工作負載的儲存類型配置高可用性。Azure Site Recovery 不支援 Azure 中提供的某些存儲服務,因此高可用性配置可能會有所不同。", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", "waf": "可靠性" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "severity": "高", - "text": "瞭解如何在故障轉移後進行故障回復。", + "text": "不同的本機 Azure 
儲存服務(如 Azure 檔、Azure NetApp 檔、Azure 共用磁碟)可能並非在所有區域都可用。因此,要在故障轉移后在DR區域上進行類似的SAP設置,請確保在DR網站中提供相應的存儲服務。",
 "waf": "可靠性"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
- "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
+ "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
 "service": "SAP",
 "severity": "中等",
- "text": "Azure SAP 解決方案 中心 (ACSS) 是一種 Azure 產品/服務,它使 SAP 成為 Azure 上的頂級工作負載。ACSS 是一種端到端解決方案,使你能夠在 Azure 上將 SAP 系統作為統一工作負載創建和運行,併為創新提供更無縫的基礎。您可以利用新的和現有的基於 Azure 的 SAP 系統的管理功能。",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
- "waf": "操作"
+ "text": "自動化 SAP System Start-Stop 以管理成本。",
+ "waf": "成本"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
+ "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
 "service": "SAP",
- "severity": "中等",
- "text": "Azure 支援在Linux和 Windows 中自動執行 SAP 部署。SAP Deployment Automation Framework 是一種開源編排工具,可以部署、安裝和維護 SAP 環境。",
- "training": "https://github.com/Azure/sap-automation",
- "waf": "操作"
+ "severity": "低",
+ "text": "如果將 Azure 高級存儲與 SAP HANA 配合使用,則可以使用 Azure 標準 SSD 儲存來選擇注重成本的儲存解決方案。但是,請注意,選擇標準 SSD 或標準 HDD Azure 儲存將影響單個 VM 的 SLA。此外,對於 I/O 輸送量較低且延遲較低的系統(如非生產環境),可以使用較低系列的 VM。",
+ "waf": "成本"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
+ "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
 "service": 
"SAP", - "severity": "中等", - "text": "在滿足 RTO 的任何時間和時間範圍內對生產資料庫執行時間點恢復;時間點恢復通常包括操作員錯誤地刪除 DBMS 層或透過 SAP 刪除數據", - "waf": "可靠性" + "severity": "低", + "text": "作為成本較低的替代配置(多用途),您可以為非生產 HANA 資料庫伺服器 VM 選擇低性能 SKU。但是,請務必注意,某些 VM 類型(如 E 系列)未經過 HANA 認證(SAP HANA 硬體目錄),或者無法實現小於 1 毫秒的存儲延遲。", + "waf": "成本" }, { "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", + "severity": "高", + "text": "對管理組、訂閱、資源組和資源強制實施 RBAC 模型", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "安全" + }, + { + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", "service": "SAP", "severity": "中等", - "text": "測試備份和恢復時間,以驗證它們是否滿足在災難發生后同時還原所有系統的 RTO 要求。", - "waf": "可靠性" + "text": "強制實施主體傳播,以便透過雲連接器將身份從 SAP 雲應用程式轉發到 SAP 本地(包括 IaaS)", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", "service": "SAP", - "severity": "高", - "text": "您可以在配對區域之間複製標準存儲,但不能使用標準存儲來存儲資料庫或虛擬硬碟。您只能在您使用的配對區域之間複製備份。對於所有其他數據,請使用 SQL Server Always On 或 SAP HANA 
系統複製等本機 DBMS 功能運行複製。將 Site Recovery、rsync 或 robocopy 以及其他第三方軟體組合用於 SAP 應用程式層。",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
- "waf": "可靠性"
+ "severity": "中等",
+ "text": "使用 SAML 通過 Azure AD 實現對 SAP SaaS 應用程式(如 SAP Analytics Cloud、SAP Cloud Platform、Business by design、SAP Qualtrics 和 SAP C4C)的 SSO。",
+ "waf": "安全"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
 "service": "SAP",
 "severity": "中等",
- "text": "使用 Azure 可用性區域實現高可用性時,必須考慮 SAP 應用程式伺服器和資料庫伺服器之間的延遲。對於具有高延遲的區域,需要制定操作過程,以確保 SAP 應用程式伺服器和資料庫伺服器始終在同一區域中運行。",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
- "waf": "可靠性"
+ "text": "使用 SAML 對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)實施 SSO。",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "waf": "安全"
 },
 {
 "checklist": "SAP Checklist",
- "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
- "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
 "service": "SAP",
- "severity": "高",
- "text": "設置從本地到主要和輔助 Azure 災難恢復區域的 ExpressRoute 連接。此外,作為使用 ExpressRoute 
的替代方法,請考慮設置從本地到主要和輔助 Azure 災難恢復區域的 VPN 連接。",
- "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
- "waf": "可靠性"
+ "severity": "中等",
+ "text": "使用 SAML 對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)實施 SSO。",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
+ "waf": "安全"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
 "service": "SAP",
- "severity": "低",
- "text": "跨區域複製金鑰保管庫內容(如證書、機密或金鑰),以便可以在DR區域中解密資料。",
- "waf": "可靠性"
+ "severity": "中等",
+ "text": "您可以使用 SAP NetWeaver SSO 或合作夥伴解決方案實現對 SAP GUI 的 SSO。",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "waf": "安全"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
+ "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
 "service": "SAP",
 "severity": "中等",
- "text": "將主虛擬網路和災難恢復虛擬網路對等互連。例如,對於 HANA 系統複製,SAP HANA DB 虛擬網路需要與災難恢復網站的 SAP HANA DB 虛擬網路對等互連。",
- "waf": "可靠性"
+ "text": "對於 SAP GUI 和 Web 瀏覽器訪問的 SSO,實施 SNC / Kerberos/SPNEGO(簡單且受保護的 GSSAPI 協商機制),因為它易於配置和維護。對於使用 X.509 用戶端證書的 SSO,請考慮使用 SAP Secure Login Server,它是 SAP SSO 解決方案的一個元件。",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
+ "waf": "安全"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
+ 
"guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", "service": "SAP", - "severity": "低", - "text": "如果將 Azure NetApp Files 儲存用於 SAP 部署,則至少在兩個區域中的高級層中創建兩個 Azure NetApp Files 帳戶。", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "可靠性" + "severity": "中等", + "text": "對於 SAP GUI 和 Web 瀏覽器訪問的 SSO,實施 SNC / Kerberos/SPNEGO(簡單且受保護的 GSSAPI 協商機制),因為它易於配置和維護。對於使用 X.509 用戶端證書的 SSO,請考慮使用 SAP Secure Login Server,它是 SAP SSO 解決方案的一個元件。", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", "service": "SAP", - "severity": "高", - "text": "應使用本機資料庫複製技術來同步HA對中的資料庫。", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "可靠性" + "severity": "中等", + "text": "通過使用 SAP NetWeaver 的 OAuth 實施 SSO,以允許第三方或自定義應用程式訪問 SAP NetWeaver OData 服務。", + "waf": "安全" }, { "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": 
"https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", "service": "SAP", - "severity": "高", - "text": "主虛擬網路 (VNet) 的 CIDR 不應與DR網站的 VNet 的 CIDR 衝突或重疊", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "可靠性" + "severity": "中等", + "text": "實施SAP HANA的 SSO", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", "service": "SAP", - "severity": "高", - "text": "使用 Site Recovery 將應用程式伺服器複製到 DR 網站。Site Recovery 還可以説明將中心服務群集 VM 複製到DR網站。調用DR時,您需要在DR網站上重新配置Linux Pacemaker集群(例如,替換VIP或SBD、運行 corosync.conf 等)。", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "可靠性" + "severity": "中等", + "text": "將 Azure AD 視為 RISE 上託管的 SAP 系統的標識提供者。有關詳細資訊,請參閱將服務與 Azure AD 集成。", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", "service": "SAP", - "severity": "高", - "text": "考慮 SAP 軟體的可用性,防止單點故障。這包括應用程式中的單點故障,例如 SAP NetWeaver 和 SAP S/4HANA 架構中使用的 DBMS、SAP ABAP 和 ASCS + SCS。此外,還可以使用其他工具,例如 SAP Web Dispatcher。", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "可靠性" + 
"severity": "中等", + "text": "對於訪問 SAP 的應用程式,您可能希望使用主體傳播來建立 SSO。", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", "service": "SAP", - "severity": "高", - "text": "對於 SAP 和 SAP 資料庫,請考慮實現自動故障轉移群集。在 Windows 中,Windows Server 故障轉移群集支援故障轉移。在Linux中,Linux Pacemaker或SIOS Protection Suite 和 Veritas InfoScale 等第三方工具支援故障轉移。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "可靠性" + "severity": "中等", + "text": "如果使用需要 SAP 身份驗證服務 (IAS) 的 SAP BTP 服務或 SaaS 解決方案,請考慮在 SAP Cloud Identity Authentication 服務和 Azure AD 之間實現 SSO 以存取這些 SAP 服務。此集成允許 SAP IAS 充當代理標識提供者,並將身份驗證請求轉發到作為中央使用者存儲和標識提供者的 Azure AD。", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", "service": "SAP", - "severity": "高", - "text": "Azure 不支援主 VM 和輔助 VM 共用 DBMS 數據存儲的體系結構。對於 DBMS 層,常見的架構模式是同時複製資料庫,並且使用與主 VM 和輔助 VM 使用的儲存堆疊不同的儲存堆疊。", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "可靠性" + "severity": "中等", + "text": "實施 SSO 到 SAP BTP", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", "service": "SAP", - "severity": "高", - "text": "DBMS 數據和事務/重做日誌檔存儲在 Azure 支援的塊存儲或 Azure NetApp 檔中。不支援將 Azure 檔案儲存或 Azure 高級檔儲存作為 SAP 工作負載的 DBMS 資料和/或重做日誌檔的存儲。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "可靠性" + "severity": "中等", + "text": "如果使用的是 SAP SuccessFactors,請考慮使用 Azure AD 自動使用者預配。通過此整合,當您將新員工添加到 SAP SuccessFactors 時,您可以在 Azure AD 中自動建立其用戶帳戶。(可選)您可以在 Microsoft 365 或 Azure AD 支援的其他 SaaS 應用程式中創建用戶帳戶。", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "description": "保持管理組層次結構合理平坦,不超過 4 個。", + "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", + "severity": "中等", + "text": "對 SAP 訂閱實施現有管理組策略", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "操作" + }, + { + "checklist": "SAP Checklist", + "graph": "Resources | summarize count()", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", "service": "SAP", "severity": "高", - "text": "您可以在 Windows 中使用 Azure 共用磁碟,以實現 ASCS + SCS 
元件和特定的高可用性方案。分別為 SAP 應用程式層元件和 DBMS 層設置故障轉移集群。Azure 目前不支援將 SAP 應用程式層元件和 DBMS 層合併到一個故障轉移群集中的高可用性體系結構。",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "可靠性"
+ "text": "將緊密耦合的應用程式集成到同一 SAP 訂閱中,以避免額外的路由和管理複雜性",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+ "waf": "操作"
 },
 {
 "checklist": "SAP Checklist",
- "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, 
Param1='backendAddresses', Param2=toint(BackendAddresses))",
- "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
+ "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
+ "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
 "service": "SAP",
 "severity": "高",
- "text": "SAP 應用程式層元件 (ASCS) 和 DBMS 層的大多數故障轉移群集都需要故障轉移群集的虛擬 IP 位址。 Azure 負載均衡器應處理所有其他情況下的虛擬IP位址。一種設計原則是每個集群配置使用一個負載均衡器。我們建議您使用標準版本的負載均衡器 (Standard Load Balancer SKU)。",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
- "waf": "可靠性"
+ "text": "利用 Subscription 作為縮放單元並擴展我們的資源,考慮為每個環境部署 Subscription,例如。沙箱、非生產、生產",
+ "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
+ "waf": "操作"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
+ "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc",
+ "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
+ "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
 "service": "SAP",
 "severity": 
"高", - "text": "確保在負載均衡器上啟用了浮動IP", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "可靠性" + "text": "確保在訂閱預配過程中增加配額(例如,訂閱中的可用 VM 核心總數)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", "service": "SAP", - "severity": "高", - "text": "在部署高可用性基礎結構之前,根據您選擇的區域,確定是使用 Azure 可用性集還是可用性區域進行部署。", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "可靠性" + "severity": "低", + "text": "配額 API 是一個 REST API,可用於查看和管理 Azure 服務的配額。如有必要,請考慮使用它。", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", "service": "SAP", "severity": "高", - "text": "如果要滿足 SAP 元件(中央服務、應用程式伺服器和資料庫)的應用程式的基礎設施 SLA,則必須為所有元件選擇相同的高可用性選項(VM、可用性集、可用區)。", - "waf": "可靠性" + "text": "如果部署到可用區,請確保在配額獲得批准后,VM 的區域部署可用。提交支援請求,其中包含所需的訂閱、VM 系列、CPU 數量和可用區。", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", "service": "SAP", "severity": "高", - "text": "不要在同一可用性集中混合使用不同角色的伺服器。將中心服務 VM、資料庫 VM、應用程式 VM 
保留在其自己的可用性集中", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "可靠性" + "text": "確保所需的服務和功能在選定的部署區域內可用,例如。ANF 、 Zone 等", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", "service": "SAP", "severity": "中等", - "text": "除非使用鄰近放置組,否則無法在 Azure 可用性區域中部署 Azure 可用性集。", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "可靠性" + "text": "利用 Azure 資源標籤進行成本分類和資源組(:BillTo、部門(或營業單位)、環境(生產、階段、開發)、層(Web 層、應用程式層)、應用程式擁有者、ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", "service": "SAP", "severity": "高", - "text": "創建可用性集時,請使用可用的容錯域和更新域的最大數量。例如,如果您在一個可用性集中部署兩個以上的 VM,除了 Azure 計劃內維護之外,還請使用最大數量的容錯域 (三個) 和足夠的更新域,以限制潛在物理硬體故障、網路中斷或電源中斷的影響。容錯域的預設數量為 2,以後無法在線更改。", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "text": "使用 Azure 備份服務幫助保護 HANA 資料庫。", + "training": 
"https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "可靠性" }, { "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", "service": "SAP", - "severity": "高", - "text": "在可用性集部署中使用 Azure 鄰近放置組時,所有三個 SAP 元件(中央服務、應用程式伺服器和資料庫)都應位於同一鄰近放置組中。", + "severity": "中等", + "text": "如果您為 HANA、Oracle 或 DB2 資料庫部署 Azure NetApp 檔,請使用 Azure 應用程式一致性快照工具 (AzAcSnap) 拍攝應用程式一致性快照。AzAcSnap 還支援 Oracle 資料庫。考慮在中央 VM 上使用 AzAcSnap ,而不是在單個 VM 上使用。", "waf": "可靠性" }, { "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", "service": "SAP", "severity": "高", - "text": "每個 SAP SID 使用一個鄰近放置組。組不跨可用性區域或 Azure 區域", - "waf": "可靠性" + "text": "確保操作系統和 SAP 系統之間的時區匹配。", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", "service": "SAP", - "severity": "高", - "text": "使用以下服務之一運行 SAP Central Services 集群,具體取決於操作系統。", + "severity": "中等", + "text": "不要將不同的應用程式服務分組到同一個集群中。例如,不要將DRBD和中央服務集群合併到同一個集群上。但是,您可以使用同一個 Pacemaker 集群來管理大約五個不同的中央服務(多 SID 集群)。", "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "可靠性" }, { 
"checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", "service": "SAP", - "severity": "中等", - "text": "Azure 目前不支援在同一個 Linux Pacemaker 群集中組合 ASCS 和 DB HA;將它們分成單獨的集群。但是,您最多可以將5個多個中央服務集群組合成一對VM。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "可靠性" + "severity": "低", + "text": "考慮在推遲模型中運行開發/測試系統,以節省和優化 Azure 運行成本。", + "waf": "成本" }, { "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", "service": "SAP", "severity": "中等", - "text": "將高可用性對中的兩個 VM 部署在可用性集或可用性區域中。這些 VM 的大小應相同,並且具有相同的存儲配置。", - "waf": "可靠性" + "text": "如果你通過管理客戶的 SAP 資產來與客戶合作,請考慮使用 Azure Lighthouse。Azure Lighthouse 允許託管服務提供者使用 Azure 原生標識服務對客戶的環境進行身份驗證。它將控制權交到客戶手中,因為他們可以隨時撤銷訪問許可權並審核服務提供者的行為。", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", "service": "SAP", "severity": "中等", - "text": "Azure 支援在 Red Hat Enterprise Linux (RHEL) 上運行的同一高可用性群集上安裝和配置 SAP HANA 以及 
ASCS/SCS 和 ERS 實例。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "可靠性" + "text": "使用 Azure Update Manager 檢查單個 VM 或多個 VM 的可用更新的狀態,並考慮計劃定期修補。", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", "service": "SAP", - "severity": "高", - "text": "在高級託管 SSD 上運行所有生產系統,並使用 Azure NetApp Files 或超級磁碟存儲。至少OS磁碟應位於高級層上,以便您可以獲得更好的性能和最佳SLA。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "可靠性" + "severity": "低", + "text": "使用 SAP Landscape Management (LaMa) 優化和管理 SAP Basis 運營。使用適用於 Azure 的 SAP LaMa 連接器來重新定位、複製、克隆和刷新 SAP 系統。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", "service": "SAP", - "severity": "高", - "text": "應僅在 SAP 認證的存儲類型上運行 Azure 上的 SAP HANA。請注意,某些卷必須在某些磁碟配置上運行(如果適用)。這些配置包括啟用 Write Accelerator 和使用高級存儲。您還需要確保在儲存上運行的檔案系統與計算機上運行的 DBMS 相容。", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "可靠性" + "severity": "中等", + "text": "使用適用於 SAP 解決方案的 Azure Monitor 監視 Azure 上的 SAP 工作負載(SAP HANA、高可用性 SUSE 群集和 SQL 系統)。請考慮使用 SAP 解決方案管理器補充適用於 SAP 解決方案的 Azure Monitor。", + "training": 
"https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", "service": "SAP", "severity": "高", - "text": "考慮根據您用於 SAP 工作負載的儲存類型配置高可用性。Azure Site Recovery 不支援 Azure 中提供的某些存儲服務,因此高可用性配置可能會有所不同。", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "可靠性" + "text": "運行 VM Extension for SAP 檢查。適用於 SAP 的 VM 擴展使用虛擬機 (VM) 的分配託管標識來訪問 VM 監視和配置數據。該檢查可確保 SAP 應用程式中的所有性能指標都來自適用於 SAP 的基礎 Azure 擴展。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "service": "SAP", - "severity": "高", - "text": "不同的本機 Azure 儲存服務(如 Azure 檔、Azure NetApp 檔、Azure 共用磁碟)可能並非在所有區域都可用。因此,要在故障轉移后在DR區域上進行類似的SAP設置,請確保在DR網站中提供相應的存儲服務。", - "waf": "可靠性" + "severity": "中等", + "text": "使用 Azure Policy 進行訪問控制和合規性報告。Azure Policy 提供了強制實施組織範圍設置的功能,以確保一致的策略遵守和快速的違規檢測。", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", "service": "SAP", "severity": "中等", - "text": "自動化 SAP System Start-Stop 以管理成本。", - "waf": "成本" + "text": "使用 Azure 網路觀察程式中的連接監視器來監視 SAP 資料庫和應用程式伺服器的延遲指標。或者使用 Azure Monitor 收集和顯示網路延遲測量值。", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", "service": "SAP", - "severity": "低", - "text": "如果將 Azure 高級存儲與 SAP HANA 配合使用,則可以使用 Azure 標準 SSD 儲存來選擇注重成本的儲存解決方案。但是,請注意,選擇標準 SSD 或標準 HDD Azure 儲存將影響單個 VM 的 SLA。此外,對於 I/O 輸送量較低且延遲較低的系統(如非生產環境),可以使用較低系列的 VM。", - "waf": "成本" + "severity": "中等", + "text": "在預配的 Azure 基礎結構上對 SAP HANA 執行質量檢查,以驗證預配的 VM 是否符合 Azure 上的 SAP HANA 最佳做法。", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", "service": "SAP", - "severity": "低", - "text": "作為成本較低的替代配置(多用途),您可以為非生產 HANA 資料庫伺服器 VM 選擇低性能 SKU。但是,請務必注意,某些 VM 類型(如 E 系列)未經過 HANA 認證(SAP HANA 硬體目錄),或者無法實現小於 1 毫秒的存儲延遲。", - "waf": "成本" + "severity": "高", + "text": "對於每個 Azure 訂閱,在區域部署之前,請在 Azure 可用性區域上運行延遲測試,以選擇低延遲區域以在 Azure 上部署 SAP。", + "training": 
"https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "性能" }, { "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", "service": "SAP", - "severity": "高", - "text": "對管理組、訂閱、資源組和資源強制實施 RBAC 模型", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "安全" + "severity": "中等", + "text": "運行彈性報告,確保整個預配的 Azure 基礎結構(計算、資料庫、網路、存儲、Site Recovery)的配置符合 Cloud Adaption Framework for Azure 定義的配置。", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "可靠性" }, { "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", "service": "SAP", "severity": "中等", - "text": "強制實施主體傳播,以便透過雲連接器將身份從 SAP 雲應用程式轉發到 SAP 本地(包括 IaaS)", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "text": "使用適用於 SAP 的 Microsoft Sentinel 解決方案實現威脅防護。使用此解決方案可監控您的 SAP 系統並檢測整個業務邏輯和應用程式層的複雜威脅。", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": 
"750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", "service": "SAP", "severity": "中等", - "text": "使用 SAML 通過 Azure AD 實現對 SAP SaaS 應用程式(如 SAP Analytics Cloud、SAP Cloud Platform、Business by design、SAP Qualtrics 和 SAP C4C)的 SSO。", - "waf": "安全" + "text": "可以利用 Azure 標記對資源進行邏輯分組和跟蹤、自動化部署,最重要的是,提供對所產生成本的可見性。", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "操作" + }, + { + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", + "severity": "低", + "text": "對延遲敏感型應用程式使用虛擬機間延遲監控。", + "waf": "性能" + }, + { + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "severity": "中等", + "text": "使用 Azure Site Recovery 監視來維護 SAP 應用程式伺服器的災難恢復服務的運行狀況。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "可靠性" }, { "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", "service": "SAP", "severity": "中等", - "text": "使用 SAML 對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web 
GUI)實施 SSO。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "安全" + "text": "從防病毒掃描中排除所有資料庫檔系統和可執行程式。包含它們可能會導致性能問題。請與資料庫供應商聯繫,瞭解有關排除清單的規範性詳細資訊。例如,Oracle 建議從防病毒掃描中排除 /oracle//sapdata。", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", "service": "SAP", - "severity": "中等", - "text": "使用 SAML 對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)實施 SSO。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", - "waf": "安全" + "severity": "低", + "text": "考慮在遷移後收集非 HANA 資料庫的完整資料庫統計資訊。例如,實施SAP註釋 1020260 - Oracle 統計資訊的交付。", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", "service": "SAP", "severity": "中等", - "text": "您可以使用 SAP NetWeaver SSO 或合作夥伴解決方案實現對 SAP GUI 的 SSO。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "安全" + "text": "請考慮將 Oracle Automatic Storage Management (ASM) 用於使用 Azure 上的 SAP 的所有 Oracle 部署。", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", "service": "SAP", "severity": "中等", - "text": "對於 SAP GUI 和 Web 瀏覽器訪問的 SSO,實施 SNC / Kerberos/SPNEGO(簡單且受保護的 GSSAPI 協商機制),因為它易於配置和維護。對於使用 X.509 用戶端證書的 SSO,請考慮使用 SAP Secure Login Server,它是 SAP SSO 解決方案的一個元件。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", - "waf": "安全" + "text": "對於運行 Oracle 的 Azure 上的 SAP,一組 SQL 腳本可以説明你診斷性能問題。 Automatic Workload Repository (AWR) 報告包含用於診斷 Oracle 系統中問題的寶貴資訊。我們建議您在多個工作階段期間運行 AWR 報告,並為其選擇高峰時間,以確保分析的廣泛覆蓋範圍。", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", "service": "SAP", - "severity": "中等", - "text": "對於 SAP GUI 和 Web 瀏覽器訪問的 SSO,實施 SNC / Kerberos/SPNEGO(簡單且受保護的 GSSAPI 協商機制),因為它易於配置和維護。對於使用 X.509 用戶端證書的 SSO,請考慮使用 SAP Secure Login Server,它是 SAP SSO 解決方案的一個元件。", - "waf": "安全" + "severity": "高", + "text": "使用 Azure Site Recovery 監視來維護 SAP 應用程式伺服器的災難恢復服務的運行狀況。", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", 
"service": "SAP", "severity": "中等", - "text": "通過使用 SAP NetWeaver 的 OAuth 實施 SSO,以允許第三方或自定義應用程式訪問 SAP NetWeaver OData 服務。", + "text": "為了安全交付 HTTP/S 應用程式,請使用應用程式閘道 v2 並確保啟用 WAF 保護和策略。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "service": "SAP", "severity": "中等", - "text": "實施SAP HANA的 SSO", - "waf": "安全" + "text": "如果在遷移到 Azure 期間未更改虛擬機器的 DNS 或虛擬名稱,則後台 DNS 和虛擬名稱將連接 SAP 環境中的許多系統介面,並且客戶有時只會知道開發人員隨時間定義的介面。遷移后,當虛擬或 DNS 名稱發生變化時,各種系統之間會出現連接挑戰,建議保留 DNS 別名以防止出現這些類型的困難。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "service": "SAP", "severity": "中等", - "text": "將 Azure AD 視為 RISE 上託管的 SAP 系統的標識提供者。有關詳細資訊,請參閱將服務與 Azure AD 集成。", - "waf": "安全" + "text": "使用不同的 DNS 區域來區分每個環境(沙箱、開發、預生產和生產)。具有自己的 VNet 的 SAP 部署除外;在這裡,私有 DNS 區域可能不是必需的。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "description": "配置 VNet 對等互連時,請使用允許流量流向遠端虛擬網路設置。", + "graph": "resources | where 
type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", "service": "SAP", "severity": "中等", - "text": "對於訪問 SAP 的應用程式,您可能希望使用主體傳播來建立 SSO。", - "waf": "安全" + "text": "本地和全域 VNet 對等互連提供連接,是確保跨多個 Azure 區域進行 SAP 部署的登陸區域之間建立連接的首選方法", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "可靠性" }, { "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", "service": "SAP", - "severity": "中等", - "text": "如果使用需要 SAP 身份驗證服務 (IAS) 的 SAP BTP 服務或 SaaS 解決方案,請考慮在 SAP Cloud Identity Authentication 服務和 Azure AD 之間實現 SSO 以存取這些 SAP 服務。此集成允許 SAP IAS 充當代理標識提供者,並將身份驗證請求轉發到作為中央使用者存儲和標識提供者的 Azure AD。", - "waf": "安全" + "severity": "高", + "text": "不支援在 SAP 應用程式和 SAP 資料庫伺服器之間部署任何 NVA", + "training": "https://me.sap.com/notes/2731110", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", "service": "SAP", "severity": "中等", - "text": "實施 SSO 到 SAP 
BTP", - "waf": "安全" + "text": "在需要跨 Azure 區域和本地位置建立全球傳輸連接的新網路、大型網路或全球網路中,使用虛擬 WAN 進行 Azure 部署。使用此方法,無需手動為 Azure 網路設置可傳遞路由,並且可以遵循 Azure 上的 SAP 部署標準。", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", "service": "SAP", "severity": "中等", - "text": "如果使用的是 SAP SuccessFactors,請考慮使用 Azure AD 自動使用者預配。通過此整合,當您將新員工添加到 SAP SuccessFactors 時,您可以在 Azure AD 中自動建立其用戶帳戶。(可選)您可以在 Microsoft 365 或 Azure AD 支援的其他 SaaS 應用程式中創建用戶帳戶。", - "waf": "安全" + "text": "僅當使用合作夥伴 NVA 時,才考慮在區域之間部署網路虛擬設備 (NVA)。如果存在本機 NVA,則不需要區域或 VNet 之間的 NVA。部署合作夥伴網路技術和 NVA 時,請按照供應商的指南驗證與 Azure 網路的衝突配置。", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "操作" }, { "checklist": "SAP Checklist", - "description": "保持管理組層次結構合理平坦,不超過 4 個。", - "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", "service": "SAP", "severity": "中等", - "text": "對 SAP 訂閱實施現有管理組策略", - "training": 
"https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "text": "虛擬 WAN 管理基於虛擬 WAN 的拓撲的分支 VNet 之間的連接(無需設置使用者定義的路由 [UDR] 或 NVA),同一虛擬中心中 VNet 到 VNet 流量的最大網路輸送量為每秒 50 Gb。如有必要,SAP 登陸區域可以使用 VNet 對等互連連接到其他登陸區域並克服此頻寬限制。", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", "waf": "操作" }, { "checklist": "SAP Checklist", - "graph": "Resources | summarize count()", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", "service": "SAP", "severity": "高", - "text": "將緊密耦合的應用程式集成到同一 SAP 訂閱中,以避免額外的路由和管理複雜性", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "操作" + "text": "不建議將公共IP分配給運行SAP工作負載的 VM。", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": 
"https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", "service": "SAP", "severity": "高", - "text": "利用 Subscription 作為縮放單元並擴展我們的資源,考慮為每個環境部署 Subscription,例如。沙箱、非生產、生產", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "text": "配置 ASR 時,請考慮在 DR 端保留 IP 位址", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "操作" }, { "checklist": "SAP Checklist", - "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", "service": "SAP", "severity": "高", - "text": "確保在訂閱預配過程中增加配額(例如,訂閱中的可用 VM 核心總數)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "text": "避免對生產和DR網站使用重疊的IP位址範圍。", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": 
"https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", "service": "SAP", - "severity": "低", - "text": "配額 API 是一個 REST API,可用於查看和管理 Azure 服務的配額。如有必要,請考慮使用它。", + "severity": "中等", + "text": "雖然 Azure 確實可以説明您在 VNet 中創建多個委託子網,但 Azure NetApp 檔的 VNet 中只能存在一個委託子網。如果為 Azure NetApp Files 使用多個委託子網,則嘗試創建新卷將失敗。", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", "service": "SAP", - "severity": "高", - "text": "如果部署到可用區,請確保在配額獲得批准后,VM 的區域部署可用。提交支援請求,其中包含所需的訂閱、VM 系列、CPU 數量和可用區。", - "waf": "操作" + "severity": "中等", + "text": "使用 Azure 防火牆來管理到 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東西向流量篩選(如果組織需要)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", "service": "SAP", - "severity": "高", - "text": "確保所需的服務和功能在選定的部署區域內可用,例如。ANF 、 Zone 等", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "操作" + "severity": "中等", + "text": "當應用程式閘道充當 
SAP Web 應用的反向代理時,應用程式閘道和 Web 應用程式防火牆存在限制,如應用程式閘道、SAP Web 調度程式和其他第三方服務之間的比較所示。", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "安全" }, { "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "SAP", "severity": "中等", - "text": "利用 Azure 資源標籤進行成本分類和資源組(:BillTo、部門(或營業單位)、環境(生產、階段、開發)、層(Web 層、應用程式層)、應用程式擁有者、ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "操作" + "text": "使用 Azure Front Door 和 WAF 策略跨 Azure 區域為到登陸區域的入站 HTTP/S 連接提供全域保護。", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", "service": "SAP", - "severity": "高", - "text": "使用 Azure 備份服務幫助保護 HANA 資料庫。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "可靠性" + "severity": "中等", + "text": "使用 Azure Front Door 和應用程式閘道保護 HTTP/S 應用程式時,請利用 Azure Front Door 中的 Web 應用程式防火牆策略。鎖定應用程式閘道以僅接收來自 Azure Front Door 的流量。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - 
"link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "SAP", "severity": "中等", - "text": "如果您為 HANA、Oracle 或 DB2 資料庫部署 Azure NetApp 檔,請使用 Azure 應用程式一致性快照工具 (AzAcSnap) 拍攝應用程式一致性快照。AzAcSnap 還支援 Oracle 資料庫。考慮在中央 VM 上使用 AzAcSnap ,而不是在單個 VM 上使用。", - "waf": "可靠性" + "text": "使用 Web 應用程式防火牆在流量暴露於 Internet 時對其進行掃描。另一種選擇是將它與負載均衡器或具有內置防火牆功能的資源(如應用程式閘道或第三方解決方案)一起使用。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "service": "SAP", - "severity": "高", - "text": "確保操作系統和 SAP 系統之間的時區匹配。", - "waf": "操作" + "severity": "中等", + "text": "在需要跨 Azure 區域和本地位置建立全球傳輸連接的新網路、大型網路或全球網路中,使用虛擬 WAN 進行 Azure 部署。使用此方法,無需手動為 Azure 網路設置可傳遞路由,並且可以遵循 Azure 上的 SAP 部署標準。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", "service": "SAP", "severity": "中等", - "text": "不要將不同的應用程式服務分組到同一個集群中。例如,不要將DRBD和中央服務集群合併到同一個集群上。但是,您可以使用同一個 Pacemaker 集群來管理大約五個不同的中央服務(多 SID 集群)。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "可靠性" + 
"text": "為了防止數據洩露,請使用 Azure 專用連結安全地訪問平臺即服務資源,例如 Azure Blob 存儲、Azure 檔存儲、Azure Data Lake Storage Gen2、Azure 數據工廠等。Azure 專用終結點還可以幫助保護 VNet 與 Azure 存儲、Azure 備份等服務之間的流量。VNet 與啟用了專用終結點的服務之間的流量通過 Microsoft 全球網路傳輸,從而防止其暴露在公共 Internet 上。", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", "service": "SAP", - "severity": "低", - "text": "考慮在推遲模型中運行開發/測試系統,以節省和優化 Azure 運行成本。", - "waf": "成本" + "severity": "高", + "text": "確保在 SAP 應用程式和 DBMS 層中使用的 VM 上啟用了 Azure 加速網路。", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", "service": "SAP", "severity": "中等", - "text": "如果你通過管理客戶的 SAP 資產來與客戶合作,請考慮使用 Azure Lighthouse。Azure Lighthouse 允許託管服務提供者使用 Azure 原生標識服務對客戶的環境進行身份驗證。它將控制權交到客戶手中,因為他們可以隨時撤銷訪問許可權並審核服務提供者的行為。", - "waf": "操作" + "text": "確保將 Azure 負載均衡器的內部部署設置為使用直接伺服器返回 (DSR)。當內部負載均衡器配置用於 DBMS 層上的高可用性配置時,此設置 (Enabling Floating IP) 將減少延遲。", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "安全" }, { 
"checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", "service": "SAP", "severity": "中等", - "text": "使用 Azure Update Manager 檢查單個 VM 或多個 VM 的可用更新的狀態,並考慮計劃定期修補。", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "操作" + "text": "您可以使用應用程式安全組 (ASG) 和 NSG 規則來定義 SAP 應用程式和 DBMS 層之間的網路安全存取控制清單。ASG 對虛擬機進行分組以説明管理其安全性。", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", "service": "SAP", - "severity": "低", - "text": "使用 SAP Landscape Management (LaMa) 優化和管理 SAP Basis 運營。使用適用於 Azure 的 SAP LaMa 連接器來重新定位、複製、克隆和刷新 SAP 系統。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", - "waf": "操作" + "severity": "高", + "text": "不支援將 SAP 應用程式層和 SAP DBMS 放置在未對等互連的不同 Azure VNet 中。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": 
"https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "service": "SAP", "severity": "中等", - "text": "使用適用於 SAP 解決方案的 Azure Monitor 監視 Azure 上的 SAP 工作負載(SAP HANA、高可用性 SUSE 群集和 SQL 系統)。請考慮使用 SAP 解決方案管理器補充適用於 SAP 解決方案的 Azure Monitor。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "操作" + "text": "為了實現 SAP 應用程式的最佳網路延遲,請考慮使用 Azure 鄰近放置組。", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", "service": "SAP", "severity": "高", - "text": "運行 VM Extension for SAP 檢查。適用於 SAP 的 VM 擴展使用虛擬機 (VM) 的分配託管標識來訪問 VM 監視和配置數據。該檢查可確保 SAP 應用程式中的所有性能指標都來自適用於 SAP 的基礎 Azure 擴展。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "操作" + "text": "根本不支援在本地和 Azure 之間運行 SAP Application Server 層和 DBMS 層。這兩個層都需要完全駐留在本地或 Azure 中。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", "service": "SAP", - "severity": "中等", - "text": "使用 Azure Policy 進行訪問控制和合規性報告。Azure Policy 提供了強制實施組織範圍設置的功能,以確保一致的策略遵守和快速的違規檢測。", - 
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "操作" + "severity": "高", + "text": "建議不要將 SAP 系統的資料庫管理系統 (DBMS) 和應用程式層託管在不同的 VNet 中,並將它們與 VNet 對等互連連接,因為層之間過多的網路流量可能會產生大量成本。建議使用 Azure 虛擬網路中的子網來分隔 SAP 應用程式層和 DBMS 層。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "成本" }, { "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", "service": "SAP", - "severity": "中等", - "text": "使用 Azure 網路觀察程式中的連接監視器來監視 SAP 資料庫和應用程式伺服器的延遲指標。或者使用 Azure Monitor 收集和顯示網路延遲測量值。", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", - "waf": "操作" + "severity": "高", + "text": "如果將負載均衡器與 Linux 客戶機作業系統一起使用,請檢查 Linux 網路參數 net.ipv4.tcp_timestamps 是否設置為 0。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", "service": "SAP", "severity": "中等", - "text": "在預配的 Azure 基礎結構上對 SAP HANA 執行質量檢查,以驗證預配的 VM 是否符合 Azure 上的 SAP HANA 最佳做法。", - "waf": "操作" + "text": "對於 SAP RISE/ECS 部署,虛擬對等互連是與客戶的現有 Azure 環境建立連接的首選方式。SAP VNet 和客戶 VNet 都受到網路安全組 (NSG) 的保護,從而通過 VNet 對等互連在 SAP 和資料庫埠上進行通信", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", "service": "SAP", "severity": "高", - "text": "對於每個 Azure 訂閱,在區域部署之前,請在 Azure 可用性區域上運行延遲測試,以選擇低延遲區域以在 Azure 上部署 SAP。", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "性能" + "text": "查看 Azure VM 的 SAP HANA 資料庫備份。", + "waf": "成本" }, { "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", "service": "SAP", "severity": "中等", - "text": "運行彈性報告,確保整個預配的 Azure 基礎結構(計算、資料庫、網路、存儲、Site Recovery)的配置符合 Cloud Adaption Framework for Azure 定義的配置。", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "可靠性" + "text": "查看用於 SAP 的 Site Recovery 內置監視。", + "waf": "成本" }, { "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", "service": "SAP", - "severity": "中等", - "text": "使用適用於 SAP 的 Microsoft Sentinel 解決方案實現威脅防護。使用此解決方案可監控您的 SAP 系統並檢測整個業務邏輯和應用程式層的複雜威脅。", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", - "waf": "安全" + "severity": "高", + "text": "查看監控 SAP HANA 系統環境指南。", + "waf": "操作" }, { "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, 
compliant", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", "service": "SAP", "severity": "中等", - "text": "可以利用 Azure 標記對資源進行邏輯分組和跟蹤、自動化部署,最重要的是,提供對所產生成本的可見性。", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "text": "查看 Azure Linux VM 中的 Oracle Database 備份策略。", "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "severity": "低", - "text": "對延遲敏感型應用程式使用虛擬機間延遲監控。", - "waf": "性能" - }, - { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", "service": "SAP", "severity": "中等", - "text": "使用 Azure Site Recovery 監視來維護 SAP 應用程式伺服器的災難恢復服務的運行狀況。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "可靠性" + "text": "查看 Azure Blob Storage 與 SQL Server 2016 的使用方式。", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", "service": "SAP", "severity": "中等", - "text": 
"從防病毒掃描中排除所有資料庫檔系統和可執行程式。包含它們可能會導致性能問題。請與資料庫供應商聯繫,瞭解有關排除清單的規範性詳細資訊。例如,Oracle 建議從防病毒掃描中排除 /oracle//sapdata。", - "waf": "性能" + "text": "查看 Azure VM 的自動備份 v2 的使用方式。", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", "service": "SAP", - "severity": "低", - "text": "考慮在遷移後收集非 HANA 資料庫的完整資料庫統計資訊。例如,實施SAP註釋 1020260 - Oracle 統計資訊的交付。", - "waf": "性能" + "severity": "高", + "text": "使用進階磁碟時為 M 系列開啟寫入加速器 (V1)", + "waf": "操作" }, { "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", "service": "SAP", "severity": "中等", - "text": "請考慮將 Oracle Automatic Storage Management (ASM) 用於使用 Azure 上的 SAP 的所有 Oracle 部署。", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "text": "測試可用區延遲。", "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", "service": "SAP", "severity": "中等", - "text": "對於運行 Oracle 的 Azure 上的 SAP,一組 SQL 腳本可以説明你診斷性能問題。 Automatic Workload Repository (AWR) 報告包含用於診斷 Oracle 系統中問題的寶貴資訊。我們建議您在多個工作階段期間運行 AWR 報告,並為其選擇高峰時間,以確保分析的廣泛覆蓋範圍。", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "text": "為所有 SAP 元件啟動 SAP EarlyWatch Alert。", + 
"training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "severity": "高", - "text": "使用 Azure Site Recovery 監視來維護 SAP 應用程式伺服器的災難恢復服務的運行狀況。", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "操作" - }, - { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", "service": "SAP", "severity": "中等", - "text": "為了安全交付 HTTP/S 應用程式,請使用應用程式閘道 v2 並確保啟用 WAF 保護和策略。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", - "waf": "安全" + "text": "使用 SAP ABAPMeter 報告 /SSA/CAT 查看 SAP 應用程式伺服器到資料庫伺服器的延遲。", + "training": "https://me.sap.com/notes/0002879613", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", "service": "SAP", "severity": "中等", - "text": "如果在遷移到 Azure 期間未更改虛擬機器的 DNS 或虛擬名稱,則後台 DNS 和虛擬名稱將連接 SAP 環境中的許多系統介面,並且客戶有時只會知道開發人員隨時間定義的介面。遷移后,當虛擬或 DNS 名稱發生變化時,各種系統之間會出現連接挑戰,建議保留 DNS 別名以防止出現這些類型的困難。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "操作" + "text": "查看使用 CCMS 的 SQL Server 性能監控。", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", "service": "SAP", "severity": "中等", - "text": "使用不同的 DNS 區域來區分每個環境(沙箱、開發、預生產和生產)。具有自己的 VNet 的 SAP 部署除外;在這裡,私有 DNS 區域可能不是必需的。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "操作" + "text": "測試 SAP 應用層 VM 和 DBMS VM 之間的網路延遲 (NIPING)。", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "性能" }, { "checklist": "SAP Checklist", - "description": "配置 VNet 對等互連時,請使用允許流量流向遠端虛擬網路設置。", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", "service": "SAP", "severity": "中等", - "text": "本地和全域 VNet 對等互連提供連接,是確保跨多個 Azure 區域進行 SAP 部署的登陸區域之間建立連接的首選方法", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "可靠性" - }, - { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", - "severity": "高", - "text": "不支援在 SAP 應用程式和 SAP 資料庫伺服器之間部署任何 NVA", - "training": "https://me.sap.com/notes/2731110", + "text": "查看 SAP HANA Studio 警報。", "waf": "性能" }, { "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic 
=~ 'true') | distinct id,compliant", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", "service": "SAP", "severity": "中等", - "text": "在需要跨 Azure 區域和本地位置建立全球傳輸連接的新網路、大型網路或全球網路中,使用虛擬 WAN 進行 Azure 部署。使用此方法,無需手動為 Azure 網路設置可傳遞路由,並且可以遵循 Azure 上的 SAP 部署標準。", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "操作" + "text": "使用 HANA_Configuration_Minichecks 執行 SAP HANA 執行狀況檢查。", + "waf": "性能" }, { "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", "service": "SAP", "severity": "中等", - "text": "僅當使用合作夥伴 NVA 時,才考慮在區域之間部署網路虛擬設備 (NVA)。如果存在本機 NVA,則不需要區域或 VNet 之間的 NVA。部署合作夥伴網路技術和 NVA 時,請按照供應商的指南驗證與 Azure 網路的衝突配置。", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "操作" + "text": "如果您在 Azure、本地或其他雲環境中運行 Windows 和 Linux VM,則可以使用 Azure 自動化中的更新管理中心來管理操作系統更新,包括安全補丁。", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", "service": "SAP", "severity": "中等", - "text": "虛擬 WAN 管理基於虛擬 WAN 的拓撲的分支 VNet 之間的連接(無需設置使用者定義的路由 [UDR] 或 NVA),同一虛擬中心中 VNet 到 VNet 
流量的最大網路輸送量為每秒 50 Gb。如有必要,SAP 登陸區域可以使用 VNet 對等互連連接到其他登陸區域並克服此頻寬限制。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "操作" + "text": "定期查看 SAP 安全 OSS 說明,因為 SAP 發佈了高度關鍵的安全補丁或熱修復程式,需要立即採取措施保護您的 SAP 系統。", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "安全" }, { "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", "service": "SAP", - "severity": "高", - "text": "不建議將公共IP分配給運行SAP工作負載的 VM。", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "severity": "低", + "text": "對於 SQL Server 上的 SAP,您可以禁用 SQL Server 系統管理員帳戶,因為 SQL Server 上的 SAP 系統不使用該帳戶。在禁用原始系統管理員帳戶之前,請確保具有系統管理員許可權的其他使用者可以訪問伺服器。", "waf": "安全" }, { "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", "service": "SAP", "severity": "高", - "text": "配置 ASR 時,請考慮在 DR 端保留 IP 位址", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "操作" + "text": "禁用 xp_cmdshell。SQL Server 功能xp_cmdshell啟用 SQL Server 內部作業系統命令 shell。這是安全審計中的潛在風險。", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", "service": "SAP", "severity": "高", - "text": "避免對生產和DR網站使用重疊的IP位址範圍。", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "操作" + "text": "在 Azure 上加密 SAP HANA 資料庫伺服器使用 SAP HANA 本機加密技術。此外,如果使用 Azure 上的 SQL Server,請使用透明數據加密 (TDE) 來保護數據和日誌檔,並確保備份也已加密。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", "service": "SAP", "severity": "中等", - "text": "雖然 Azure 確實可以説明您在 VNet 中創建多個委託子網,但 Azure NetApp 檔的 VNet 中只能存在一個委託子網。如果為 Azure NetApp Files 使用多個委託子網,則嘗試創建新卷將失敗。", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "操作" + "text": "Azure 儲存加密已為所有 Azure Resource Manager 
和經典存儲帳戶啟用,並且無法禁用。由於數據預設加密,因此無需修改代碼或應用程式即可使用 Azure 儲存加密。", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", - "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", "service": "SAP", - "severity": "中等", - "text": "使用 Azure 防火牆來管理到 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東西向流量篩選(如果組織需要)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "severity": "高", + "text": "使用 Azure Key Vault 儲存機密和憑據", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", "service": "SAP", "severity": "中等", - "text": "當應用程式閘道充當 SAP Web 應用的反向代理時,應用程式閘道和 Web 應用程式防火牆存在限制,如應用程式閘道、SAP Web 調度程式和其他第三方服務之間的比較所示。", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "text": "建議在成功部署后鎖定 Azure 資源,以防止未經授權的更改。您還可以使用自定義的 Azure 
策略(自定義角色)按訂閱強制實施 LOCK 約束和規則。", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", "service": "SAP", "severity": "中等", - "text": "使用 Azure Front Door 和 WAF 策略跨 Azure 區域為到登陸區域的入站 HTTP/S 連接提供全域保護。", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "text": "預配 Azure Key Vault 並啟用軟刪除和清除策略,以允許對已刪除的物件進行保留保護。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", "service": "SAP", - "severity": "中等", - "text": "使用 Azure Front Door 和應用程式閘道保護 HTTP/S 應用程式時,請利用 Azure Front Door 中的 Web 應用程式防火牆策略。鎖定應用程式閘道以僅接收來自 Azure Front Door 的流量。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "severity": "高", + "text": "根據現有要求、法規和合規性控制(內部/外部)- 確定需要哪些 Azure 策略和 Azure RBAC 角色", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", "service": "SAP", - "severity": "中等", - "text": "使用 Web 應用程式防火牆在流量暴露於 Internet 時對其進行掃描。另一種選擇是將它與負載均衡器或具有內置防火牆功能的資源(如應用程式閘道或第三方解決方案)一起使用。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "severity": "高", + "text": "在 SAP 環境中啟用 Microsoft Defender for Endpoint 時,建議排除 DBMS 伺服器上的數據和日誌檔,而不是以所有伺服器為目標。排除目標檔時,請遵循 DBMS 供應商的建議。", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", "service": "SAP", - "severity": "中等", - "text": "在需要跨 Azure 區域和本地位置建立全球傳輸連接的新網路、大型網路或全球網路中,使用虛擬 WAN 進行 Azure 部署。使用此方法,無需手動為 Azure 網路設置可傳遞路由,並且可以遵循 Azure 上的 SAP 部署標準。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "性能" + "severity": "高", + "text": "委派 SAP 管理員自定義角色,使其具有 Microsoft Defender for Cloud 的即時訪問許可權。", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "低", + "text": "通過將第三方安全產品與適用於 DIAG 
(SAP GUI)、RFC 和 SPNEGO for HTTPS 的安全網路通信 (SNC) 集成,對傳輸中的數據進行加密", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "waf": "安全" + }, + { + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", "service": "SAP", "severity": "中等", - "text": "為了防止數據洩露,請使用 Azure 專用連結安全地訪問平臺即服務資源,例如 Azure Blob 存儲、Azure 檔存儲、Azure Data Lake Storage Gen2、Azure 數據工廠等。Azure 專用終結點還可以幫助保護 VNet 與 Azure 存儲、Azure 備份等服務之間的流量。VNet 與啟用了專用終結點的服務之間的流量通過 Microsoft 全球網路傳輸,從而防止其暴露在公共 Internet 上。", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "text": "預設使用 Microsoft 管理的金鑰來實現主體加密功能,並在需要時使用客戶管理的金鑰。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "安全" }, { "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", "service": "SAP", "severity": "高", - "text": "確保在 SAP 應用程式和 DBMS 層中使用的 VM 上啟用了 Azure 加速網路。", - "training": 
"https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "性能" + "text": "每個區域每個環境的每個應用程式使用 Azure Key Vault。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", "service": "SAP", - "severity": "中等", - "text": "確保將 Azure 負載均衡器的內部部署設置為使用直接伺服器返回 (DSR)。當內部負載均衡器配置用於 DBMS 層上的高可用性配置時,此設置 (Enabling Floating IP) 將減少延遲。", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "severity": "高", + "text": "要控制和管理非 HANA Windows 和非 Windows 作業系統的磁碟加密密鑰和機密,請使用 Azure Key Vault。Azure Key Vault 不支援 SAP HANA,因此必須使用 SAP ABAP 或 SSH 密鑰等替代方法。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", "waf": "安全" }, { "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", "service": "SAP", - "severity": "中等", - "text": "您可以使用應用程式安全組 (ASG) 和 NSG 規則來定義 SAP 應用程式和 DBMS 層之間的網路安全存取控制清單。ASG 對虛擬機進行分組以説明管理其安全性。", - "training": 
"https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "severity": "高", + "text": "為 Azure 上的 SAP 分支訂閱自定義基於角色的訪問控制 (RBAC) 角色,以避免意外的與網路相關的更改", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", "service": "SAP", "severity": "高", - "text": "不支援將 SAP 應用程式層和 SAP DBMS 放置在未對等互連的不同 Azure VNet 中。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "性能" + "text": "將 DMZ 和 NVA 與 SAP 資產的其餘部分隔離開來,配置 Azure 專用連結,並安全地管理和控制 Azure 上的 SAP 資源", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "service": "SAP", - "severity": "中等", - "text": "為了實現 SAP 應用程式的最佳網路延遲,請考慮使用 Azure 鄰近放置組。", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "性能" + "severity": "低", + "text": "考慮在 Azure 上使用 Microsoft 反惡意軟體來保護虛擬機免受惡意文件、廣告軟體和其他威脅的侵害。", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", + "guid": 
"5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", "service": "SAP", - "severity": "高", - "text": "根本不支援在本地和 Azure 之間運行 SAP Application Server 層和 DBMS 層。這兩個層都需要完全駐留在本地或 Azure 中。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "性能" + "severity": "低", + "text": "要獲得更強大的保護,請考慮使用 Microsoft Defender for Endpoint。", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", "service": "SAP", "severity": "高", - "text": "建議不要將 SAP 系統的資料庫管理系統 (DBMS) 和應用程式層託管在不同的 VNet 中,並將它們與 VNet 對等互連連接,因為層之間過多的網路流量可能會產生大量成本。建議使用 Azure 虛擬網路中的子網來分隔 SAP 應用程式層和 DBMS 層。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "成本" + "text": "通過中心虛擬網路傳遞所有流量,將 SAP 應用程式和資料庫伺服器與 Internet 或本地網路隔離開來,該虛擬網路通過虛擬網路對等互連連接到輻射網路。對等互連的虛擬網路保證 Azure 上的 SAP 解決方案與公共 Internet 隔離。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", "service": "SAP", - "severity": "高", - "text": "如果將負載均衡器與 Linux 客戶機作業系統一起使用,請檢查 Linux 網路參數 net.ipv4.tcp_timestamps 是否設置為 
0。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "性能" + "severity": "低", + "text": "對於面向 Internet 的應用程式(如 SAP Fiori),請確保根據應用程式要求分配負載,同時保持安全級別。對於第 7 層安全性,您可以使用 Azure Marketplace 中提供的第三方 Web 應用程式防火牆 (WAF)。", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "waf": "安全" }, { "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", "service": "SAP", "severity": "中等", - "text": "對於 SAP RISE/ECS 部署,虛擬對等互連是與客戶的現有 Azure 環境建立連接的首選方式。SAP VNet 和客戶 VNet 都受到網路安全組 (NSG) 的保護,從而通過 VNet 對等互連在 SAP 和資料庫埠上進行通信", + "text": "若要在適用於 SAP 解決方案的 Azure Monitor 中啟用安全通信,可以選擇使用根證書或伺服器證書。我們強烈建議您使用根證書。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", "severity": "高", - "text": "查看 Azure VM 的 SAP HANA 資料庫備份。", - "waf": "成本" + "text": "遵循 Metaprompting 護欄,實現 realible AI", + "waf": "卓越運營" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - 
"service": "SAP", - "severity": "中等", - "text": "查看用於 SAP 的 Site Recovery 內置監視。", - "waf": "成本" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", + "severity": "高", + "text": "考慮使用APIM或 AI central 等解決方案的閘道模式,以實現更好的速率限制、負載均衡、身份驗證和日誌記錄", + "waf": "卓越運營" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", + "severity": "高", + "text": "為您的 AOAI 實例啟用監控", + "waf": "卓越運營" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", + "severity": "高", + "text": "建立警報以通知團隊有關事件的通知,例如由對資源執行的操作(例如重新生成其訂閱金閜)創建的活動日誌中的條目或指標閾值(例如一小時內超過 10 的錯誤數)", + "waf": "卓越運營" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "severity": "高", - "text": "查看監控 SAP HANA 系統環境指南。", - "waf": "操作" + "text": "監控令牌使用方式,防止由於容量導致服務中斷", + "waf": "卓越運營" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": 
"https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "severity": "中等", - "text": "查看 Azure Linux VM 中的 Oracle Database 備份策略。", - "waf": "操作" + "text": "觀察已處理的推理令牌、生成的完成令牌等指標,監視速率限制", + "waf": "卓越運營" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "severity": "中等", - "text": "查看 Azure Blob Storage 與 SQL Server 2016 的使用方式。", - "waf": "操作" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", + "severity": "低", + "text": "如果診斷對你來說還不夠,請考慮在 Azure OpenAI 前面使用閘道(例如 Azure API 管理)來記錄傳入提示和傳出回應(如果允許)", + "waf": "卓越運營" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", - "severity": "中等", - "text": "查看 Azure VM 的自動備份 v2 的使用方式。", - "waf": "操作" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", + "severity": "高", + "text": "使用基礎結構即代碼部署 Azure OpenAI 服務、模型部署和所有相關資源", + "waf": "卓越運營" }, { - "checklist": "SAP Checklist", - "guid": 
"347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "severity": "高", - "text": "使用進階磁碟時為 M 系列開啟寫入加速器 (V1)", - "waf": "操作" + "text": "將 Microsoft Entra 身份驗證與託管標識(而不是 API 金鑰)配合使用", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", - "severity": "中等", - "text": "測試可用區延遲。", - "waf": "性能" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", + "severity": "高", + "text": "使用已知的黃金數據集評估系統的性能/準確性,該數據集具有輸入和正確答案。利用 PromptFlow 中的功能進行評估。", + "waf": "卓越運營" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", - "severity": "中等", - "text": "為所有 SAP 元件啟動 SAP EarlyWatch Alert。", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "Azure OpenAI", + "severity": "高", + "text": "評估預配輸送量模型的使用方式", "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", - "severity": "中等", - "text": "使用 SAP ABAPMeter 報告 /SSA/CAT 查看 SAP 應用程式伺服器到資料庫伺服器的延遲。", - "training": "https://me.sap.com/notes/0002879613", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "Azure OpenAI", + "severity": "高", + "text": "查看和實施 Azure AI 內容安全性", + "waf": "卓越運營" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "Azure OpenAI", + "severity": "高", + "text": "根據令牌數和每分鐘的回應來定義和評估系統的輸送量,並符合要求", "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "Azure OpenAI", "severity": "中等", - "text": "查看使用 CCMS 的 SQL Server 性能監控。", + "text": "通過限制令牌大小、流式處理選項來改善系統的延遲", "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "severity": "中等", - "text": "測試 SAP 應用層 VM 和 DBMS VM 之間的網路延遲 (NIPING)。", - "training": 
"https://me.sap.com/notes/1100926/E", + "text": "估計彈性需求,以根據優先順序確定同步和批量請求分離。對於高優先順序,使用同步方法,對於低優先順序,首選使用佇列的異步批處理", "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", - "severity": "中等", - "text": "查看 SAP HANA Studio 警報。", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", + "severity": "高", + "text": "根據消費者的估計需求對代幣消費要求進行基準測試。如果使用的是預設輸送量單元部署,請考慮使用 Azure OpenAI 基準測試工具來幫助驗證輸送量", "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "中等", - "text": "使用 HANA_Configuration_Minichecks 執行 SAP HANA 執行狀況檢查。", + "text": "如果您使用的是預設輸送量單位 (PTU),請考慮為溢出請求部署每分鐘令牌 (TPM) 部署。當達到 PTU 限制時,使用閘道將請求路由到 TPM 部署。", "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "中等", - "text": "如果您在 Azure、本地或其他雲環境中運行 Windows 和 Linux VM,則可以使用 Azure 自動化中的更新管理中心來管理操作系統更新,包括安全補丁。", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "Azure OpenAI", + "severity": "高", + "text": "為正確的任務選擇正確的模型。選擇在速度、回應質量和輸出複雜性之間做出正確權衡的模型", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "severity": "中等", - "text": "定期查看 SAP 安全 OSS 說明,因為 SAP 發佈了高度關鍵的安全補丁或熱修復程式,需要立即採取措施保護您的 SAP 系統。", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "安全" + "text": "有一個性能基線,而不進行微調,以瞭解微調是否提高了模型性能", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", "severity": "低", - "text": "對於 SQL Server 上的 SAP,您可以禁用 SQL Server 系統管理員帳戶,因為 SQL Server 上的 SAP 系統不使用該帳戶。在禁用原始系統管理員帳戶之前,請確保具有系統管理員許可權的其他使用者可以訪問伺服器。", - "waf": "安全" - }, - { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "高", - "text": "禁用 xp_cmdshell。SQL Server 功能xp_cmdshell啟用 SQL Server 內部作業系統命令 shell。這是安全審計中的潛在風險。", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "安全" 
+ "text": "跨區域部署多個 OAI 實例", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", "severity": "高", - "text": "在 Azure 上加密 SAP HANA 資料庫伺服器使用 SAP HANA 本機加密技術。此外,如果使用 Azure 上的 SQL Server,請使用透明數據加密 (TDE) 來保護數據和日誌檔,並確保備份也已加密。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "安全" + "text": "使用閘道模式(如 APIM)實現重試和運行狀況檢查", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", + "service": "Azure OpenAI", "severity": "中等", - "text": "Azure 儲存加密已為所有 Azure Resource Manager 和經典存儲帳戶啟用,並且無法禁用。由於數據預設加密,因此無需修改代碼或應用程式即可使用 Azure 儲存加密。", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "安全" + "text": "確保為工作負載提供足夠的 TPM 和 RPM 配額", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": 
"ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", - "severity": "高", - "text": "使用 Azure Key Vault 儲存機密和憑據", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": "Azure OpenAI", + "severity": "中等", + "text": "查看 HAI 工具包指南中的注意事項,並將這些交互實踐應用於 slution", + "waf": "卓越運營" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Azure OpenAI", "severity": "中等", - "text": "建議在成功部署后鎖定 Azure 資源,以防止未經授權的更改。您還可以使用自定義的 Azure 策略(自定義角色)按訂閱強制實施 LOCK 約束和規則。", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "安全" + "text": "如果採用微調,則跨區域部署單獨的微調模型", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77a1f893-5bda-4433-84f2-4811633182ba", + "link": "https://learn.microsoft.com/azure/backup/backup-overview", + "service": "Azure OpenAI", "severity": "中等", - "text": "預配 Azure Key Vault 並啟用軟刪除和清除策略,以允許對已刪除的物件進行保留保護。", - "training": 
"https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "安全" + "text": "定期備份和複製關鍵數據,以確保數據丟失或系統故障時的數據可用性和可恢復性。利用 Azure 的備份和災難恢復服務來保護數據。", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "Azure OpenAI", "severity": "高", - "text": "根據現有要求、法規和合規性控制(內部/外部)- 確定需要哪些 Azure 策略和 Azure RBAC 角色", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "text": "應選擇 Azure AI 搜索服務層級以具有 SLA", + "waf": "可靠性" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", + "link": "https://learn.microsoft.com/purview/purview", + "service": "Azure OpenAI", + "severity": "低", + "text": "對數據和敏感度進行分類,在生成嵌入之前使用 Microsoft Purview 進行標記,並確保以相同的敏感度和分類處理生成的嵌入", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", + "service": "Azure OpenAI", "severity": "高", - "text": "在 SAP 環境中啟用 Microsoft Defender for Endpoint 時,建議排除 DBMS 伺服器上的數據和日誌檔,而不是以所有伺服器為目標。排除目標檔時,請遵循 DBMS 供應商的建議。", - "training": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "text": "使用 SSE/磁碟加密和可選的 BYOK 加密來加密用於 RAG 的數據", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", + "link": "https://learn.microsoft.com/azure/search/search-security-overview", + "service": "Azure OpenAI", "severity": "高", - "text": "委派 SAP 管理員自定義角色,使其具有 Microsoft Defender for Cloud 的即時訪問許可權。", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "text": "確保對跨數據源傳輸的數據實施 TLS,用於檢索增強生成 (RAG) 和 LLM 通信的 AI 搜索", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "低", - "text": "通過將第三方安全產品與適用於 DIAG (SAP GUI)、RFC 和 SPNEGO for HTTPS 的安全網路通信 (SNC) 集成,對傳輸中的數據進行加密", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", + "severity": "高", + "text": "使用 RBAC 管理對 Azure OpenAI 服務的訪問。為使用者分配適當的許可權,並根據其角色和職責限制訪問許可權", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": 
"https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", + "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", + "service": "Azure OpenAI", "severity": "中等", - "text": "預設使用 Microsoft 管理的金鑰來實現主體加密功能,並在需要時使用客戶管理的金鑰。", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "實施數據加密、遮罩或編輯技術,以在非生產環境中或出於測試或故障排除目的共用數據時隱藏敏感數據或將其替換為混淆值", "waf": "安全" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", + "service": "Azure OpenAI", "severity": "高", - "text": "每個區域每個環境的每個應用程式使用 Azure Key Vault。", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "利用 Azure Defender 來檢測和回應安全威脅,並設置監視和警報機制來識別可疑活動或違規行為。利用 Azure Sentinel 進行高級威脅檢測和回應", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "高", - "text": "要控制和管理非 HANA Windows 和非 Windows 作業系統的磁碟加密密鑰和機密,請使用 Azure Key Vault。Azure Key Vault 不支援 SAP 
HANA,因此必須使用 SAP ABAP 或 SSH 密鑰等替代方法。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", + "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", + "service": "Azure OpenAI", + "severity": "中等", + "text": "制定數據保留和處置策略,以遵守合規性法規。對不再需要的數據實施安全刪除方法,並維護數據保留和處置活動的審計跟蹤", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "Azure OpenAI", "severity": "高", - "text": "為 Azure 上的 SAP 分支訂閱自定義基於角色的訪問控制 (RBAC) 角色,以避免意外的與網路相關的更改", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "安全" + "text": "使用 Content Safety 實施 Prompt shields 和接地檢測", + "waf": "卓越運營" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", + "link": "https://learn.microsoft.com/azure/compliance/", + "service": "Azure OpenAI", "severity": "高", - "text": "將 DMZ 和 NVA 與 SAP 資產的其餘部分隔離開來,配置 Azure 專用連結,並安全地管理和控制 Azure 上的 SAP 資源", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "安全" - }, - { 
- "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "低", - "text": "考慮在 Azure 上使用 Microsoft 反惡意軟體來保護虛擬機免受惡意文件、廣告軟體和其他威脅的侵害。", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "text": "通過實施隱私控制並獲得數據處理活動所需的同意或許可,確保遵守相關的數據保護法規,例如GDPR或HIPAA。", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "低", - "text": "要獲得更強大的保護,請考慮使用 Microsoft Defender for Endpoint。", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", + "service": "Azure OpenAI", + "severity": "中等", + "text": "對員工進行有關數據安全最佳實踐、安全處理數據的重要性以及與數據洩露相關的潛在風險的教育。鼓勵他們勤奮地遵循數據安全協定。", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", + "service": "Azure OpenAI", "severity": "高", - "text": "通過中心虛擬網路傳遞所有流量,將 SAP 應用程式和資料庫伺服器與 Internet 或本地網路隔離開來,該虛擬網路通過虛擬網路對等互連連接到輻射網路。對等互連的虛擬網路保證 Azure 上的 SAP 解決方案與公共 Internet 隔離。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "text": "將生產數據與開發和測試數據分開。僅在生產中使用真實的敏感數據,並在開發和測試環境中使用匿名或合成數據。", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": 
"491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "低", - "text": "對於面向 Internet 的應用程式(如 SAP Fiori),請確保根據應用程式要求分配負載,同時保持安全級別。對於第 7 層安全性,您可以使用 Azure Marketplace 中提供的第三方 Web 應用程式防火牆 (WAF)。", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", + "service": "Azure OpenAI", + "severity": "中等", + "text": "如果您具有不同級別的數據敏感度,請考慮為每個級別創建單獨的索引。例如,您可以有一個用於常規數據的索引,另一個用於敏感數據的索引,每個索引都由不同的訪問協定管理", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", + "service": "Azure OpenAI", "severity": "中等", - "text": "若要在適用於 SAP 解決方案的 Azure Monitor 中啟用安全通信,可以選擇使用根證書或伺服器證書。我們強烈建議您使用根證書。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "通過將敏感數據集放置在服務的不同實例中,進一步實現隔離。每個實例都可以使用其自己的特定 RBAC 策略集進行控制", "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", + "service": "Azure OpenAI", "severity": "高", - "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", - "waf": "可靠性" + "text": 
"認識到從敏感資訊生成的嵌入和向量本身就是敏感的。這些數據應得到與源材料相同的保護措施", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", "severity": "高", - "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", - "waf": "可靠性" + "text": "將 RBAC 應用於具有嵌入和向量的數據存儲,並根據角色的訪問要求確定存取範圍", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", + "service": "Azure OpenAI", "severity": "高", - "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", - "waf": "可靠性" + "text": "為 AI 服務配置專用終結點,以限制網路內的服務訪問", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "Azure OpenAI", "severity": "高", - "text": 
"如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", - "waf": "可靠性" + "text": "使用 Azure 防火牆和 UDR 強制實施嚴格的入站和出站流量控制,並限制外部集成點", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", - "severity": "中等", - "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼", - "waf": "操作" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "Azure OpenAI", + "severity": "高", + "text": "實施網路分段和訪問控制,將 LLM 應用程式的存取限製為僅授權使用者和系統,並防止橫向行動", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "應用與存儲相關的 Microsoft 雲安全基準中的指導", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "Azure OpenAI", "severity": "中等", - "text": "請考慮「存儲的 Azure 安全基線”", - "waf": "安全" + "text": "使用提示壓縮工具,如 LLMLingua 或 gprtrim", + "waf": "成本優化" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "默認情況下,Azure 儲存具有公共IP位址,並且可通過Internet訪問。專用終結點允許僅向需要訪問的 Azure 計算資源安全地公開 Azure 存儲,從而消除對公共 Internet 的暴露", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "severity": "高", - "text": "考慮將專用終結點用於 Azure 存儲", + "text": "確保 LLM 應用程式使用的 API 和端點使用身份驗證和授權機制(例如託管標識、API 金鑰或 OAuth)得到適當保護,以防止未經授權的訪問。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "新創建的存儲帳戶是使用ARM部署模型創建的,因此 RBAC、審核等都已啟用。確保訂閱中沒有具有經典部署模型的舊存儲帳戶", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "Azure OpenAI", "severity": "中等", - "text": "確保較舊的存儲帳戶未使用“經典部署模型”", + "text": "實施強大的最終使用者身份驗證機制,例如多因素身份驗證,以防止對 LLM 應用程式和相關網路資源的未經授權的訪問", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "利用 Microsoft Defender 瞭解可疑活動和錯誤配置。", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "高", - "text": "為所有存儲帳戶啟用 Microsoft Defender", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "Azure OpenAI", + "severity": "中等", + "text": "實施網路監控工具,以檢測和分析網路流量中的任何可疑或惡意活動。啟用日誌記錄以捕獲網路事件,並在發生安全事件時促進取證分析", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "軟刪除機制允許恢復意外刪除的 
blob。", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "Azure OpenAI", "severity": "中等", - "text": "為 blob 啟用“軟刪除”", + "text": "進行安全審計和滲透測試,以識別和解決LLM應用程式的網路基礎設施中的任何網路安全弱點或漏洞", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "中等", - "text": "禁用 blob 的“軟刪除”", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", + "severity": "低", + "text": "Azure AI 服務已正確標記,以便更好地管理", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "容器的軟刪除使您能夠在刪除容器后恢復容器,例如從意外刪除操作中恢復。", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", + "severity": "低", + "text": "Azure AI 服務帳戶遵循組織命名約定", + "waf": "卓越運營" + }, + { + "arm-service": 
"Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", "severity": "高", - "text": "為容器啟用“軟刪除”", - "waf": "安全" + "text": "應啟用 Azure AI 服務資源中的診斷日誌", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", - "severity": "中等", - "text": "禁用容器的“軟刪除”", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", + "severity": "高", + "text": "為了安全起見,建議禁用密鑰訪問(本地身份驗證)。 禁用基於密鑰的訪問后,Microsoft Entra ID 將成為唯一的訪問方法,該方法允許保持最小許可權原則和精細控制。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "通過強制使用者先刪除刪除鎖,然後再刪除存儲帳戶,防止意外刪除存儲帳戶", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "severity": "高", - "text": "在存儲帳戶上啟用資源鎖定", + "text": "使用 Azure Key Vault 安全地存儲和管理密鑰。避免在 LLM 應用程式的代碼中硬編碼或嵌入敏感密鑰,並使用託管標識從 Azure Key Vault 中安全地檢索它們", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": 
"請考慮對 blob 使用“合法保留”或“基于時間的保留”策略,以便無法刪除 blob、容器或存儲帳戶。請注意,「不可能」實際上意味著「不可能」;一旦存儲帳戶包含不可變的 blob,「擺脫」該存儲帳戶的唯一方法是取消 Azure 訂閱。", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "severity": "高", - "text": "考慮不可變的 blob", + "text": "定期輪換和過期存儲在 Azure Key Vault 中的密鑰,以最大程度地降低未經授權訪問的風險。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "請考慮禁用對存儲帳戶的未受保護的 HTTP/80 訪問,以便對所有數據傳輸進行加密、完整性保護,並且對伺服器進行身份驗證。", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", "severity": "高", - "text": "需要 HTTPS,即在儲存帳戶上禁用埠 80", + "text": "使用 tiktoken 了解對話模式下令牌優化的令牌大小", + "waf": "成本優化" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", + "severity": "高", + "text": "遵循安全編碼做法,以防止常見漏洞,例如注入攻擊、跨網站腳本 (XSS) 或安全配置錯誤", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "在儲存帳戶上配置自定義域(主機名)時,請檢查是否需要 TLS/HTTPS;如果是這樣,可能需要將 Azure CDN 放在存儲帳戶的前面。", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": 
"https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", "severity": "高", - "text": "強制執行 HTTPS(禁用 HTTP)時,請檢查是否不要對儲存帳戶使用自定義域 (CNAME)。", + "text": "設置一個流程來定期更新和修補 LLM 庫和其他系統元件", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "當用戶端使用SAS令牌訪問 blob 資料時,要求使用 HTTPS 有助於最大程度地降低憑據丟失的風險。", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", + "severity": "高", + "text": "遵守 Azure OpenAI 或其他 LLM 的使用條款、策略和指南以及允許的用例", + "waf": "卓越運營" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", + "severity": "中等", + "text": "了解基礎模型和微調模型的成本差異以及令牌步長", + "waf": "成本優化" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", + "severity": "高", + "text": "在可能的情況下,批量請求,以最大程度地減少每次調用的開銷,從而降低總體成本。確保優化批量大小", + "waf": "成本優化" 
+ }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", "severity": "中等", - "text": "將共享訪問簽名 (SAS) 令牌限製為僅 HTTPS 連接", - "waf": "安全" + "text": "設置成本跟蹤系統,用於監視模型使用方式,並使用該資訊來説明通知模型選擇和提示大小", + "waf": "成本優化" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": ".強制執行最新的 TLS 版本將拒絕來自使用舊版本的用戶端的請求。", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", - "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", - "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", - "service": "Azure Storage", - "severity": "高", - "text": "強制實施存儲帳戶的最新 TLS 版本", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", + "severity": "中等", + "text": "為每個模型回應的令牌數設置最大限制。優化大小以確保其足夠大以實現有效的回應", + "waf": "成本優化" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "在可能的情況下,應優先使用 Microsoft Entra ID 令牌,而不是共用訪問簽名", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", - "severity": "高", - "text": "使用 Microsoft Entra ID 令牌進行 blob 訪問", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", + "severity": "中等", + "text": "查看提供的有關設置 AI 搜索以實現可靠性的指南", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "為使用者、組或應用程式分配角色時,請僅授予該安全主體執行任務所需的許可權。限制對資源的訪問有助於防止無意和惡意濫用數據。", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", "severity": "中等", - "text": "IaM 許可權中的最小特權", - "waf": "安全" + "text": "規劃和管理 AI 搜索向量存儲", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "使用者委派 SAS 使用 Azure Active Directory (Azure AD) 憑據以及為 SAS 指定的許可權進行保護。使用者委派 SAS 在範圍和功能方面類似於服務 SAS,但與服務 SAS 相比,它提供了安全優勢。", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "高", - "text": "使用 SAS 時,首選「使用者委派 SAS」,而不是基於存儲帳戶密鑰的 SAS。", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", + "severity": "中等", + "text": "應用 LLMOps 實踐來自動化 GenAI 應用程式的生命週期管理", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": 
"存儲帳戶金鑰(“共用金鑰”)幾乎沒有審核功能。雖然可以監控誰/何時獲取了密鑰的副本,但一旦密鑰掌握在多人手中,就不可能將使用方式歸因於特定使用者。僅依賴 Entra ID 身份驗證可以更輕鬆地將存儲訪問許可權與用戶綁定。", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", "severity": "高", - "text": "請考慮禁用存儲帳戶密鑰,以便僅支援 Microsoft Entra ID 訪問(和使用者委派 SAS)。", - "waf": "安全" + "text": "評估計費模型的使用方式 - PAYG 與 PTU", + "waf": "成本優化" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "使用活動日誌數據來確定查看或更改存儲帳戶安全性的“時間”、“人員”、“內容”和“方式”(即存儲帳戶密鑰、訪問策略等)。", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", - "severity": "高", - "text": "請考慮使用 Azure Monitor 審核存儲帳戶上的控制平面操作", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", + "severity": "中等", + "text": "在模型版本之間切換時評估提示和應用程式的品質", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - 
"description": "通過金鑰過期策略,您可以設置帳戶訪問金鑰輪換的提醒。如果已過指定的時間間隔且尚未旋轉鍵,則會顯示提醒。", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "中等", - "text": "使用存儲帳戶密鑰時,請考慮啟用“金鑰過期策略”", - "waf": "安全" + "text": "評估、監控和優化您的 GenAI 應用程式的特性,如接地氣、相關性、準確性、連貫性、流暢性、", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "SAS 過期策略指定了 SAS 的有效時間間隔。SAS 過期策略適用於服務 SAS 或帳戶 SAS。當使用者生成的服務 SAS 或帳戶 SAS 的有效期間隔大於建議的時間間隔時,他們將看到警告。", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", "severity": "中等", - "text": "考慮配置 SAS 過期策略", - "waf": "安全" + "text": "根據不同的搜索參數評估 Azure AI 搜尋結果", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "通過存儲訪問策略,可以選擇撤銷服務 SAS 的許可權,而無需重新生成存儲帳戶密鑰。", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", "severity": "中等", - "text": "考慮將 SAS 連結到儲存存取策略", - "waf": "安全" + "text": "只有在嘗試了其他基本方法(如提示工程和RAG處理數據)時,才將微調模型視為提高準確性的方法", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", "severity": "中等", - "text": "請考慮配置應用程式的原始程式碼儲存庫,以檢測簽入的連接字串和存儲帳戶密鑰。", - "waf": "安全" + "text": "使用提示工程技術來提高 LLM 回應的準確性", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "理想情況下,應用程式應使用託管標識向 Azure 儲存進行身份驗證。如果無法做到這一點,請考慮在 Azure KeyVault 或等效服務中擁有存儲憑據(連接字串、存儲帳戶密鑰、SAS、服務主體憑據)。", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "高", - "text": "請考慮在 Azure KeyVault 中儲存連接字串(在無法使用託管標識的情況下)", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", + "severity": "中等", + "text": "紅隊您的 GenAI 應用程式", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "在臨時 SAS 服務 
SAS 或帳戶 SAS 上使用近期過期時間。這樣,即使 SAS 遭到入侵,它也只會在短時間內有效。如果無法引用存儲訪問策略,則這種做法尤為重要。近期過期時間還通過限制可用於上傳到 blob 的時間來限制可以寫入 blob 的數據量。", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", + "severity": "中等", + "text": "為最終使用者提供 LLM 回應的評分選項並跟蹤這些分數。", + "waf": "卓越運營" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "高", - "text": "爭取縮短臨時 SAS 的有效期", - "waf": "安全" + "text": "考慮配額管理做法", + "waf": "成本優化" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "創建 SAS 時,請盡可能具體且具有限制性。首選單一資源和操作的 SAS,而不是提供更廣泛訪問許可權的 SAS。", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", "severity": "中等", - "text": "對SAS應用窄範圍", - "waf": "安全" + "text": "使用負載均衡器解決方案(如基於APIM的閘道)在服務和區域之間平衡負載和容量", + "waf": "卓越運營" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "SAS 可以包含用戶端 IP 位址或位址範圍有權使用 SAS 請求資源的參數。", - "guid": 
"fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", + "severity": "中等", + "text": "在全域級別實施錯誤處理策略", + "waf": "操作" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", + "severity": "中等", + "text": "確保所有 API 策略都包含一個元素。", + "waf": "操作" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "中等", - "text": "盡可能考慮將SAS的範圍限定為特定的用戶端IP位址", - "waf": "安全" + "text": "使用策略片段可避免在多個 API 中重複相同的策略定義", + "waf": "操作" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "SAS無法限制用戶端上傳的數據量;考慮到存儲量隨時間變化的定價模型,驗證用戶端是否惡意上傳了大量內容可能很有意義。", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "低", - "text": "在用戶端使用SAS上傳檔后,請考慮檢查上傳的數據。", - "waf": "安全" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "severity": "中等", + "text": "如果您計劃通過 API 獲利,請查看“獲利支援”一文,瞭解最佳做法", + "waf": "操作" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": 
"Azure Storage Review Checklist", - "description": "使用「本地使用者帳戶」通過 SFTP 訪問 blob 儲存時,“通常”的 RBAC 控制不適用。通過 NFS 或 REST 進行的 Blob 訪問可能比 SFTP 訪問更具限制性。遺憾的是,截至 2023 年初,本地使用者是 SFTP 端點目前支援的唯一身份管理形式", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "高", - "text": "SFTP:限制 SFTP 訪問的「本地使用者」數量,並審核隨著時間的推移是否需要訪問。", - "waf": "安全" + "text": "啟用診斷設置以將日誌導出到 Azure Monitor", + "waf": "操作" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "中等", - "text": "SFTP:SFTP 端點不支持類似 POSIX 的 ACL。", - "waf": "安全" + "text": "啟用 Application Insights 以獲取更詳細的遙測數據", + "waf": "操作" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "存儲支援 CORS(跨源資源分享),即一種 HTTP 功能,使來自不同域的 Web 應用程式能夠放鬆同源策略。啟用 CORS 時,請將 CorsRules 保留為最低許可權。", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "高", - "text": "避免過於寬泛的 CORS 策略", - "waf": "安全" + "text": "針對最關鍵的指標配置警報", + "waf": "操作" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "靜態數據始終在伺服器端加密,此外也可能在用戶端加密。伺服器端加密可能使用平臺管理的金鑰(預設)或客戶管理的金鑰進行。用戶端加密可以通過讓用戶端按 blob 向 Azure 儲存提供加密/解密金鑰,或者完全在用戶端處理加密來實現。因此,完全不依賴 Azure 存儲來保證機密性。", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "高", - "text": "確定應如何加密靜態數據。了解數據的線程模型。", + "text": "確保自定義 SSL 證書儲存在 Azure Key Vault 中,以便可以安全地訪問和更新它們", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", - "severity": "中等", - "text": "確定應使用哪種/是否應使用平臺加密。", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", + "severity": "高", + "text": "使用 Azure AD 保護對 API(數據平面)的傳入請求", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "中等", - "text": "確定應使用哪種/是否應使用用戶端加密。", + "text": "使用 Microsoft Entra ID 在開發人員門戶中對用戶進行身份驗證", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "利用 Resource Graph 資源管理器 (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) 查找允許匿名 blob 訪問的存儲帳戶。", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "高", - "text": "考慮是否需要公共 blob 匿名訪問,或者是否可以對某些存儲帳戶禁用公共 blob 匿名訪問。", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "中等", + "text": "創建適當的組來控制產品的可見性", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", - "severity": "高", - "text": "利用 storagev2 帳戶類型獲得更好的性能和可靠性", - "waf": "可靠性" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", - "severity": "高", - "text": "利用 GRS、ZRS 或 GZRS 儲存實現最高可用性", - "waf": "可靠性" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "severity": "中等", - "text": "對於故障轉移后的寫入操作,請使用客戶管理的故障轉移", - "waf": "可靠性" + "text": "使用後端功能消除冗餘 API 後端配置", + "waf": "操作" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + 
"link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "severity": "中等", - "text": "瞭解 Microsoft 託管的故障轉移詳細資訊", - "waf": "可靠性" + "text": "使用命名值存儲可在策略中使用的通用值", + "waf": "操作" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "中等", - "text": "啟用軟刪除", + "text": "對於DR,利用高級層,跨兩個或多個區域擴展部署,實現99.99%的SLA", "waf": "可靠性" }, { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", "severity": "中等", - "text": "使用長期可撤銷令牌,緩存令牌並使用 Microsoft 標識庫以靜默方式獲取令牌", + "text": "在兩個或多個可用區中部署至少一台設備,SLA 提高 99.99%", "waf": "可靠性" }, { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", - "severity": "中等", - "text": "請確保登錄使用者流已備份並具有復原能力。請確保用於登錄使用者的代碼已備份且可恢復。與外部進程的彈性介面", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "高", + "text": "確保有一個自動備份例程", "waf": "可靠性" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "中等", - "text": "自訂品牌資產應託管在CDN上", - "waf": "性能" - }, - { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "低", - "text": "擁有多個標識提供者(即使用您的 Microsoft、Google、Facebook 帳戶登錄)", + "text": "使用策略添加故障轉移後端 URL 和緩存,以減少失敗的調用。", "waf": "可靠性" }, { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "中等", - "text": "遵循 VM 規則,實現 VM 級別的高可用性(高級磁碟,一個區域中的兩個或更多磁碟,位於不同的可用性區域)", - "waf": "可靠性" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": "低", + "text": "如果需要以高性能級別進行日誌記錄,請考慮事件中心策略", + "waf": "操作" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": 
"https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "severity": "中等", - "text": "不要複製!複製可能會產生目錄同步問題", - "waf": "可靠性" + "text": "應用限制策略來控制每秒的請求數", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "性能" }, { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "中等", - "text": "對多區域具有主動-主動", - "waf": "可靠性" + "text": "配置自動縮放以在負載增加時橫向擴展實例數", + "waf": "性能" }, { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "中等", - "text": "將 Azure AD 域服務標記添加到其他區域和位置", - "waf": "可靠性" + "text": "在 Azure 沒有靠近後端 API 的區域的地方部署自承載閘道。", + "waf": "性能" }, { - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": 
"https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "severity": "中等", - "text": "將副本集用於DR", + "text": "將高級層用於生產工作負載。", "waf": "可靠性" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", "severity": "中等", - "text": "遵循 Azure 機器人服務中的可靠性支持建議", + "text": "在多區域模型中,使用策略根據可用性或延遲將請求路由到區域後端。", "waf": "可靠性" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "severity": "中等", - "text": "部署具有本地數據駐留和區域合規性的機器人", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", + "severity": "高", + "text": "注意APIM的局限性", "waf": "可靠性" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography",
- "service": "Bot service",
- "severity": "中等",
- "text": "Azure 機器人服務在全域和區域服務的主動-主動模式下運行。發生中斷時,無需檢測錯誤或管理服務。Azure 機器人服務在多區域地理體系結構中自動執行自動故障轉移和自動恢復。對於歐盟機器人區域服務,Azure 機器人服務在歐洲境內提供兩個完整區域,並提供主動/主動複製,以確保冗餘。對於全球機器人服務,所有可用的區域/地理位置都可以作為全球足跡。",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
+ "service": "APIM",
+ "severity": "高",
+ "text": "確保自承載閘道部署具有復原能力。",
 "waf": "可靠性"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
+ "guid": "7519e385-a88b-4d34-966b-6269d686e890",
+ "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
 "service": "APIM",
 "severity": "中等",
- "text": "在全域級別實施錯誤處理策略",
- "waf": "操作"
+ "text": "在APIM前面使用 Azure Front Door 進行多區域部署",
+ "waf": "性能"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08",
- "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
+ "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
 "service": "APIM",
 "severity": "中等",
- "text": "確保所有 API 策略都包含一個元素。",
- "waf": "操作"
+ "text": "在虛擬網络 (VNet) 中部署服務Deploy the service within a Virtual Network (VNet)",
+ "waf": "安全"
 },
 {
 "arm-service": 
"Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902",
- "link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
+ "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
 "service": "APIM",
 "severity": "中等",
- "text": "使用策略片段可避免在多個 API 中重複相同的策略定義",
- "waf": "操作"
+ "text": "將網路安全組 (NSG) 部署到子網,以限制或監視進出APIM的流量。",
+ "waf": "安全"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a",
- "link": "https://learn.microsoft.com/azure/api-management/monetization-support",
+ "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
 "service": "APIM",
 "severity": "中等",
- "text": "如果您計劃通過 API 獲利,請查看“獲利支援”一文,瞭解最佳做法",
- "waf": "操作"
+ "text": "部署專用終結點以在未將APIM部署到 VNet 時篩選傳入流量。",
+ "waf": "安全"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs",
+ "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
 "service": "APIM",
 "severity": "高",
- "text": "啟用診斷設置以將日誌導出到 Azure Monitor",
+ "text": "禁用公網訪問",
+ "waf": "安全"
+ },
+ {
+ "arm-service": 
"Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd",
+ "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management",
+ "service": "APIM",
+ "severity": "中等",
+ "text": "使用 PowerShell 自動化腳本簡化管理",
 "waf": "操作"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "8691fa38-45ed-4299-a247-fecd98d35deb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights",
+ "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations",
 "service": "APIM",
 "severity": "中等",
- "text": "啟用 Application Insights 以獲取更詳細的遙測數據",
+ "text": "通過基礎架構即代碼配置APIM。查看 Cloud Adaption Framework 中的 DevOps 最佳實踐 APIM 登陸區域加速器",
 "waf": "操作"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor",
+ "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6",
+ "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial",
 "service": "APIM",
- "severity": "高",
- "text": "針對最關鍵的指標配置警報",
+ "severity": "中等",
+ "text": "促進 Visual Studio Code APIM 擴展的使用,以加快 API 開發速度",
 "waf": "操作"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault",
+ "guid": "354f1c03-8112-4965-85ad-c0074bddf231",
+ "link": 
"https://learn.microsoft.com/azure/api-management/devops-api-development-templates",
 "service": "APIM",
- "severity": "高",
- "text": "確保自定義 SSL 證書儲存在 Azure Key Vault 中,以便可以安全地訪問和更新它們",
- "waf": "安全"
+ "severity": "中等",
+ "text": "在工作流中實施DevOps和 CI/CD",
+ "waf": "操作"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access",
+ "guid": "b6439493-426a-45f3-9697-cf65baee208d",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients",
 "service": "APIM",
- "severity": "高",
- "text": "使用 Azure AD 保護對 API(數據平面)的傳入請求",
+ "severity": "中等",
+ "text": "使用用戶端證書身份驗證保護 API",
 "waf": "安全"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad",
+ "guid": "2a67d143-1033-4c0a-8732-680896478f08",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates",
 "service": "APIM",
 "severity": "中等",
- "text": "使用 Microsoft Entra ID 在開發人員門戶中對用戶進行身份驗證",
+ "text": "使用用戶端證書身份驗證保護後端服務",
 "waf": "安全"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups",
+ "guid": "074435f5-4a46-41ac-b521-d6114cb5d845",
+ "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats",
 "service": "APIM",
 "severity": "中等",
- "text": "創建適當的組來控制產品的可見性",
+ "text": "查看“緩解 OWASP API 安全前 10 
大威脅的建議”一文,並查看適用於您的 API 的內容",
 "waf": "安全"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "06862505-2d9a-4874-9491-2837b00a3475",
- "link": "https://learn.microsoft.com/azure/api-management/backends",
+ "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9",
+ "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview",
 "service": "APIM",
 "severity": "中等",
- "text": "使用後端功能消除冗餘 API 後端配置",
- "waf": "操作"
+ "text": "使用授權功能簡化後端 API 的 OAuth 2.0 令牌管理",
+ "waf": "安全"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
+ "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers",
 "service": "APIM",
- "severity": "中等",
- "text": "使用命名值存儲可在策略中使用的通用值",
- "waf": "操作"
+ "severity": "高",
+ "text": "加密傳輸中的資訊時,請使用最新的 TLS 版本。盡可能禁用過時和不必要的協議和密碼。",
+ "waf": "安全"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
+ "guid": "f8af3d94-1d2b-4070-846f-849197524258",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
 "service": "APIM",
- "severity": "中等",
- "text": "對於DR,利用高級層,跨兩個或多個區域擴展部署,實現99.99%的SLA",
- "waf": "可靠性"
+ "severity": "高",
+ "text": "確保機密(命名值)存儲在 Azure Key Vault 中,以便可以安全地訪問和更新它們",
+ "waf": "安全"
 },
 {
 "arm-service": "Microsoft.ApiManagement/service",
 "checklist": "Azure API Management Review",
- "guid": 
"9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", "service": "APIM", "severity": "中等", - "text": "在兩個或多個可用區中部署至少一台設備,SLA 提高 99.99%", - "waf": "可靠性" + "text": "盡可能使用託管標識向其他 Azure 資源進行身份驗證", + "waf": "安全" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", "service": "APIM", "severity": "高", - "text": "確保有一個自動備份例程", - "waf": "可靠性" + "text": "使用 APIM 前面部署應用程式閘道來使用 Web 應用程式防火牆 (WAF)", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", + "severity": "中等", + "text": "確保使用的是應用程式閘道 v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "安全" + }, + { + "arm-service": 
"Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", + "severity": "中等", + "text": "確保將標準 SKU 用於 Azure 負載均衡器", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", + "severity": "中等", + "text": "確保您的負載均衡器前端IP位址是區域冗餘的(除非您需要可用區前端)。", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", + "severity": "中等", + "text": "應用程式閘道 v2 應部署在IP前綴等於或大於 /24 的子網中", + "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "一般來說,反向代理(尤其是 WAF)的管理更接近應用程式而不是網路,因此它們與應用程式屬於同一訂閱。如果應用程式閘道和 WAF 由一個團隊管理,則將其集中在連接訂閱中可能是可以的。", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "中等", - "text": "使用策略添加故障轉移後端 URL 和緩存,以減少失敗的調用。", - "waf": "可靠性" + "text": "部署 Azure 應用程式閘道 v2 或合作夥伴 NVA,用於在登陸區虛擬網路中代理入站 HTTP(S) 連接,以及它們所保護的應用。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "低", - "text": "如果需要以高性能級別進行日誌記錄,請考慮事件中心策略", - "waf": "操作" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "中等", + "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP保護計畫。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": 
"https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", "severity": "中等", - "text": "應用限制策略來控制每秒的請求數", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "性能" + "text": "配置自動縮放,最小實例數為 2。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "可靠性" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", "severity": "中等", - "text": "配置自動縮放以在負載增加時橫向擴展實例數", - "waf": "性能" + "text": "跨可用區部署應用程式閘道", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "可靠性" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - 
"link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", "severity": "中等", - "text": "在 Azure 沒有靠近後端 API 的區域的地方部署自承載閘道。", - "waf": "性能" + "text": "使用 Front Door 和應用程式閘道幫助保護 HTTP/S 應用時,請在 Front Door 中使用 WAF 策略。鎖定應用程式閘道以僅接收來自 Front Door 的流量。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", - "severity": "中等", - "text": "將高級層用於生產工作負載。", + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", + "severity": "高", + "text": "使用流量管理器交付跨 HTTP/S 以外的協定的全域應用。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "可靠性" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "低", + "text": "如果使用者只需要存取內部應用程式,是否考慮將 Microsoft Entra ID 應用程式代理作為 Azure 虛擬桌面 (AVD) 的替代方案?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "安全" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "severity": "中等", - "text": "在多區域模型中,使用策略根據可用性或延遲將請求路由到區域後端。", - "waf": "可靠性" + "text": "要減少網路中為傳入連接打開的防火牆埠數,請考慮使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對內部應用程式的安全且經過身份驗證的訪問。", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", "severity": "高", - "text": "注意APIM的局限性", + "text": "使用 Azure NAT 閘道而不是負載均衡器出站規則來提高 SNAT 可伸縮性", "waf": "可靠性" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": 
"https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", "severity": "高", - "text": "確保自承載閘道部署具有復原能力。", - "waf": "可靠性" + "text": "啟用 Azure 應用程式閘道 WAF 機器人保護規則集。機器人規則檢測好的機器人和壞的機器人。", + "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", - "severity": "中等", - "text": "在APIM前面使用 Azure Front Door 進行多區域部署", - "waf": "性能" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", + "severity": "高", + "text": "確保 Azure 應用程式閘道 WAF 策略中是否啟用了請求正文檢查功能。", + "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", - "severity": "中等", - "text": "在虛擬網络 (VNet) 中部署服務Deploy the service within a Virtual Network (VNet)", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "高", + "text": "在檢測模式下優化工作負載的 Azure 應用程式閘道 WAF。減少誤報檢測。", "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", - "severity": "中等", - "text": "將網路安全組 (NSG) 部署到子網,以限制或監視進出APIM的流量。", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", + "service": "App Gateway", + "severity": "高", + "text": "在「防護」模式下部署應用程式閘道的 WAF 策略。", "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "arm-service": 
"microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "severity": "中等", - "text": "部署專用終結點以在未將APIM部署到 VNet 時篩選傳入流量。", + "text": "向 Azure 應用程式閘道 WAF 添加速率限制。Rate limit 會阻止客戶端在短時間內意外或故意發送大量流量。", "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", - "severity": "高", - "text": "禁用公網訪問", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", + "severity": "中等", + "text": "對 Azure 應用程式閘道 WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎設施不堪重負的極大量請求提供保護。", "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", - "severity": "中等", - "text": "使用 PowerShell 自動化腳本簡化管理", - "waf": "操作" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "低", + "text": 
"如果您不希望收到來自所有地理區域的流量,請使用地理篩選條件來阻止來自非預期國家/地區的流量。", + "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "severity": "中等", - "text": "通過基礎架構即代碼配置APIM。查看 Cloud Adaption Framework 中的 DevOps 最佳實踐 APIM 登陸區域加速器", - "waf": "操作" + "text": "在使用 Azure 應用程式閘道 WAF 對流量進行異地篩選時,指定未知 (ZZ) 位置。避免在IP位址無法進行異地匹配時意外阻止合法請求。", + "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "severity": "中等", - "text": "促進 Visual Studio Code APIM 擴展的使用,以加快 API 開發速度", - "waf": "操作" + "text": "使用最新的 Azure 應用程式閘道 WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。", + "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": 
"Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "severity": "中等", - "text": "在工作流中實施DevOps和 CI/CD", + "text": "添加診斷設置以保存 Azure 應用程式閘道 WAF 紀錄。", "waf": "操作" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "severity": "中等", - "text": "使用用戶端證書身份驗證保護 API", - "waf": "安全" + "text": "將 Azure 應用程式閘道 WAF 紀錄發送到 Microsoft Sentinel。", + "waf": "操作" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "severity": "中等", - "text": "使用用戶端證書身份驗證保護後端服務", - "waf": "安全" + "text": "將 Azure 應用程式閘道 WAF 設定定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。", + "waf": "操作" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": 
"074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", "severity": "中等", - "text": "查看“緩解 OWASP API 安全前 10 大威脅的建議”一文,並查看適用於您的 API 的內容", - "waf": "安全" + "text": "使用 WAF 策略而不是舊版 WAF 配置。", + "waf": "操作" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "severity": "中等", - "text": "使用授權功能簡化後端 API 的 OAuth 2.0 令牌管理", + "text": "篩選後端中的入站流量,使其僅接受來自應用程式閘道子網的連接,例如使用NSG的連接。", "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "高", - "text": "加密傳輸中的資訊時,請使用最新的 TLS 版本。盡可能禁用過時和不必要的協議和密碼。", + "text": "您應該對到後端伺服器的流量進行加密。", "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": 
"Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", "severity": "高", - "text": "確保機密(命名值)存儲在 Azure Key Vault 中,以便可以安全地訪問和更新它們", + "text": "您應該使用 Web 應用程式防火牆。", "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "severity": "中等", - "text": "盡可能使用託管標識向其他 Azure 資源進行身份驗證", + "text": "將 HTTP 重定向到 HTTPS", "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure 
Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", + "severity": "中等", + "text": "使用閘道託管的 Cookie 將流量從使用者工作階段定向到同一伺服器進行處理", + "waf": "操作" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", "severity": "高", - "text": "使用 APIM 前面部署應用程式閘道來使用 Web 應用程式防火牆 (WAF)", + "text": "在計劃內服務更新期間啟用連接耗盡,以防止後端池的現有成員失去連接", "waf": "安全" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure 服務總線高級版提供靜態數據加密。如果您使用自己的金鑰,則數據仍使用 Microsoft 管理的金鑰進行加密,但此外,Microsoft 管理的金鑰將使用客戶管理的密鑰進行加密。", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", "severity": "低", - "text": "需要時,在靜態數據加密中使用客戶管理的金鑰選項", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "安全" + "text": "創建自訂錯誤頁面以顯示個人化的用戶體驗", + "waf": "操作" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "用戶端應用程式與 Azure 服務總線命名空間之間的通信使用傳輸層安全性 (TLS) 進行加密。Azure 服務總線命名空間允許用戶端使用 TLS 1.0 及更高版本發送和接收數據。若要強制實施更嚴格的安全措施,可以將服務總線命名空間配置為要求用戶端使用較新版本的 TLS 發送和接收數據。", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": 
"https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", "severity": "中等", - "text": "對請求強制實施最低要求的傳輸層安全性 (TLS) 版本", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "編輯 HTTP 請求和回應標頭,以便更輕鬆地在用戶端和伺服器之間進行路由和資訊交換", "waf": "安全" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "創建服務總線命名空間時,會自動為命名空間創建名為 RootManageSharedAccessKey 的 SAS 規則。此策略具有整個命名空間的 Manage 許可權。建議您將此規則視為管理根帳戶,不要在應用程式中使用它。 建議使用 AAD 作為 RBAC 的身份驗證提供程式。", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "severity": "中等", - "text": "避免在不需要時使用 root 帳戶", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "安全" + "text": "配置 Front Door 以優化全域 Web 流量路由和頂級最終使用者性能,並通過快速全域故障轉移實現可靠性", + "waf": "性能" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "在 Azure 應用服務應用程式內或在啟用了 Azure 資源支援的託管實體的虛擬機中運行的服務總線用戶端應用不需要處理 SAS 規則和密鑰或任何其他存取權杖。用戶端應用程式只需要 Service Bus Messaging 命名空間的終結點位址。", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": 
"https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", - "service": "Service Bus", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", "severity": "中等", - "text": "如果可能,應用程式應使用託管標識向 Azure 服務總線進行身份驗證。如果沒有,請考慮在 Azure Key Vault 或等效服務中使用存儲憑據(SAS、服務主體憑據)", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" - }, - { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "創建許可權時,請對用戶端對 Azure 服務總線的訪問提供精細控制。Azure 服務總線中的許可權可以而且應該限定為單個資源級別,例如佇列、主題或訂閱。", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", - "severity": "高", - "text": "使用最低許可權數據平面 RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "安全" + "text": "使用傳輸層負載均衡", + "waf": "性能" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure 服務總線資源日誌包括操作日誌、虛擬網路和IP篩選日誌。運行時審核日誌捕獲服務總線中各種數據平面訪問操作(例如發送或接收消息)的聚合診斷資訊。", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", "severity": "中等", - "text": "啟用記錄以進行安全調查。使用 Azure Monitor 追蹤資源紀錄和執行時審核紀錄(目前僅在進階層中可用 )", - 
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "為單個閘道上的多個 Web 應用程式配置基於主機名稱或功能變數名稱的路由", "waf": "安全" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "默認情況下,Azure 服務總線具有公共IP位址,並且可通過Internet訪問。專用終結點允許虛擬網路與 Azure 服務總線之間的流量遍歷 Microsoft 主幹網路。除此之外,如果未使用公有終端節點,則應禁用這些終端節點。", - "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", - "service": "Service Bus", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "severity": "中等", - "text": "請考慮使用專用終結點訪問 Azure 服務總線,並在適用時禁用公用網路訪問。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "集中 SSL 證書管理以減少後端伺服器場的加密和解密開銷", "waf": "安全" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "使用IP防火牆,您可以將公有終端節點進一步限製為僅一組 IPv4 位址或 CIDR(無類域間路由)表示法的 IPv4 位址範圍。", - "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", - "service": "Service Bus", - "severity": "中等", - "text": "請考慮僅允許從特定IP位址或範圍訪問 Azure 服務總線命名空間", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", + "severity": "低", + "text": "使用應用程式閘道實現對 WebSocket 和 HTTP/2 協定的本機支援", "waf": "安全" } ], "metadata": { "name": "WAF checklist", - 
"timestamp": "October 02, 2024" + "timestamp": "October 21, 2024" }, "severities": [ { @@ -9995,15 +10583,15 @@ ], "status": [ { - "description": "此檢查尚未查看", + "description": "尚未查看此檢查", "name": "未驗證" }, { - "description": "有一個與此檢查關聯的措施項", + "description": "存在與此檢查關聯的操作項", "name": "打開" }, { - "description": "此檢查已通過驗證,並且沒有與之關聯的進一步操作項", + "description": "此檢查已經過驗證,沒有與之關聯的其他操作項", "name": "實現" }, { diff --git a/spreadsheet/macrofree/checklist.en.master.xlsx b/spreadsheet/macrofree/checklist.en.master.xlsx index df44846c1..d5c09cd6d 100644 Binary files a/spreadsheet/macrofree/checklist.en.master.xlsx and b/spreadsheet/macrofree/checklist.en.master.xlsx differ diff --git a/spreadsheet/macrofree/datasecurity_checklist.en.xlsx b/spreadsheet/macrofree/datasecurity_checklist.en.xlsx new file mode 100644 index 000000000..10dc39ccd Binary files /dev/null and b/spreadsheet/macrofree/datasecurity_checklist.en.xlsx differ diff --git a/spreadsheet/macrofree/datasecurity_checklist.es.xlsx b/spreadsheet/macrofree/datasecurity_checklist.es.xlsx new file mode 100644 index 000000000..67f965496 Binary files /dev/null and b/spreadsheet/macrofree/datasecurity_checklist.es.xlsx differ diff --git a/spreadsheet/macrofree/datasecurity_checklist.ja.xlsx b/spreadsheet/macrofree/datasecurity_checklist.ja.xlsx new file mode 100644 index 000000000..d09315a2d Binary files /dev/null and b/spreadsheet/macrofree/datasecurity_checklist.ja.xlsx differ diff --git a/spreadsheet/macrofree/datasecurity_checklist.ko.xlsx b/spreadsheet/macrofree/datasecurity_checklist.ko.xlsx new file mode 100644 index 000000000..8a9b63e59 Binary files /dev/null and b/spreadsheet/macrofree/datasecurity_checklist.ko.xlsx differ diff --git a/spreadsheet/macrofree/datasecurity_checklist.pt.xlsx b/spreadsheet/macrofree/datasecurity_checklist.pt.xlsx new file mode 100644 index 000000000..8bead3eca Binary files /dev/null and b/spreadsheet/macrofree/datasecurity_checklist.pt.xlsx differ 
diff --git a/spreadsheet/macrofree/datasecurity_checklist.zh-Hant.xlsx b/spreadsheet/macrofree/datasecurity_checklist.zh-Hant.xlsx new file mode 100644 index 000000000..4e4ac60f0 Binary files /dev/null and b/spreadsheet/macrofree/datasecurity_checklist.zh-Hant.xlsx differ diff --git a/spreadsheet/macrofree/waf_checklist.en.xlsx b/spreadsheet/macrofree/waf_checklist.en.xlsx index 522ed62d0..460a744fe 100644 Binary files a/spreadsheet/macrofree/waf_checklist.en.xlsx and b/spreadsheet/macrofree/waf_checklist.en.xlsx differ diff --git a/spreadsheet/macrofree/waf_checklist.es.xlsx b/spreadsheet/macrofree/waf_checklist.es.xlsx index 853071496..da2c81d20 100644 Binary files a/spreadsheet/macrofree/waf_checklist.es.xlsx and b/spreadsheet/macrofree/waf_checklist.es.xlsx differ diff --git a/spreadsheet/macrofree/waf_checklist.ja.xlsx b/spreadsheet/macrofree/waf_checklist.ja.xlsx index cc865bb3c..447033120 100644 Binary files a/spreadsheet/macrofree/waf_checklist.ja.xlsx and b/spreadsheet/macrofree/waf_checklist.ja.xlsx differ diff --git a/spreadsheet/macrofree/waf_checklist.ko.xlsx b/spreadsheet/macrofree/waf_checklist.ko.xlsx index 2386363b9..4007a99c9 100644 Binary files a/spreadsheet/macrofree/waf_checklist.ko.xlsx and b/spreadsheet/macrofree/waf_checklist.ko.xlsx differ diff --git a/spreadsheet/macrofree/waf_checklist.pt.xlsx b/spreadsheet/macrofree/waf_checklist.pt.xlsx index 65ba18396..390829a78 100644 Binary files a/spreadsheet/macrofree/waf_checklist.pt.xlsx and b/spreadsheet/macrofree/waf_checklist.pt.xlsx differ diff --git a/spreadsheet/macrofree/waf_checklist.zh-Hant.xlsx b/spreadsheet/macrofree/waf_checklist.zh-Hant.xlsx index 8d9deadc5..6eee1f28e 100644 Binary files a/spreadsheet/macrofree/waf_checklist.zh-Hant.xlsx and b/spreadsheet/macrofree/waf_checklist.zh-Hant.xlsx differ diff --git a/workbooks/alz_checklist.en_network_counters.json b/workbooks/alz_checklist.en_network_counters.json index 11653e008..6d2080e55 100644 
--- a/workbooks/alz_checklist.en_network_counters.json
+++ b/workbooks/alz_checklist.en_network_counters.json
@@ -1085,7 +1085,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}"
+ "resultVal": "{Query26Stats:$.Success}"
 }
 }
 ]
@@ -1104,7 +1104,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}"
+ "resultVal": "{Query26Stats:$.Total}"
 }
 }
 ]
@@ -1142,7 +1142,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}"
+ "resultVal": "{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query23Stats:$.Success}+{Query24Stats:$.Success}+{Query25Stats:$.Success}"
 }
 }
 ]
@@ -1161,7 +1161,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}"
+ "resultVal": "{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query23Stats:$.Total}+{Query24Stats:$.Total}+{Query25Stats:$.Total}"
 }
 }
 ]
@@ -1199,7 +1199,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query26Stats:$.Success}"
+ "resultVal": "{Query32Stats:$.Success}+{Query33Stats:$.Success}+{Query34Stats:$.Success}+{Query35Stats:$.Success}"
 }
 }
 ]
@@ -1218,7 +1218,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query26Stats:$.Total}"
+ "resultVal": "{Query32Stats:$.Total}+{Query33Stats:$.Total}+{Query34Stats:$.Total}+{Query35Stats:$.Total}"
 }
 }
 ]
@@ -1256,7 +1256,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query23Stats:$.Success}+{Query24Stats:$.Success}+{Query25Stats:$.Success}"
+ "resultVal": "{Query9Stats:$.Success}"
 }
 }
 ]
@@ -1275,7 +1275,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query23Stats:$.Total}+{Query24Stats:$.Total}+{Query25Stats:$.Total}"
+ "resultVal": "{Query9Stats:$.Total}"
 }
 }
 ]
@@ -1313,7 +1313,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}"
+ "resultVal": "{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}"
 }
 }
 ]
@@ -1332,7 +1332,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}"
+ "resultVal": "{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}"
 }
 }
 ]
@@ -1370,7 +1370,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query9Stats:$.Success}"
+ "resultVal": "{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}"
 }
 }
 ]
@@ -1389,7 +1389,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query9Stats:$.Total}"
+ "resultVal": "{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}"
 }
 }
 ]
@@ -1427,7 +1427,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}"
+ "resultVal": "{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}"
 }
 }
 ]
@@ -1446,7 +1446,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}"
+ "resultVal": "{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}"
 }
 }
 ]
@@ -1484,7 +1484,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query32Stats:$.Success}+{Query33Stats:$.Success}+{Query34Stats:$.Success}+{Query35Stats:$.Success}"
+ "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}"
 }
 }
 ]
@@ -1503,7 +1503,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query32Stats:$.Total}+{Query33Stats:$.Total}+{Query34Stats:$.Total}+{Query35Stats:$.Total}"
+ "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}"
 }
 }
 ]
@@ -1541,7 +1541,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query26Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query23Stats:$.Total}+{Query24Stats:$.Total}+{Query25Stats:$.Total}+{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}+{Query9Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query32Stats:$.Total}+{Query33Stats:$.Total}+{Query34Stats:$.Total}+{Query35Stats:$.Total}"
+ "resultVal": "{Query26Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query23Stats:$.Total}+{Query24Stats:$.Total}+{Query25Stats:$.Total}+{Query32Stats:$.Total}+{Query33Stats:$.Total}+{Query34Stats:$.Total}+{Query35Stats:$.Total}+{Query9Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}"
 }
 }
 ]
@@ -1560,7 +1560,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query26Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query23Stats:$.Success}+{Query24Stats:$.Success}+{Query25Stats:$.Success}+{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}+{Query9Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query32Stats:$.Success}+{Query33Stats:$.Success}+{Query34Stats:$.Success}+{Query35Stats:$.Success}"
+ "resultVal": "{Query26Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query23Stats:$.Success}+{Query24Stats:$.Success}+{Query25Stats:$.Success}+{Query32Stats:$.Success}+{Query33Stats:$.Success}+{Query34Stats:$.Success}+{Query35Stats:$.Success}+{Query9Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}"
 }
 }
 ]
@@ -1634,75 +1634,75 @@
 "style": "tabs",
 "links": [
 {
- "id": "d09d335b-9ade-4003-8e63-451df1ab5372",
+ "id": "14d2ae59-3c95-484c-90c1-265cdc04e147",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hub and spoke ({Tab0Success:value}/{Tab0Total:value})",
+ "linkLabel": "PaaS ({Tab0Success:value}/{Tab0Total:value})",
 "subTarget": "tab0",
- "preText": "Hub and spoke",
+ "preText": "PaaS",
 "style": "primary"
 },
 {
- "id": "ffcf9d69-0fea-46de-92c9-5b9c733557a8",
+ "id": "a0c636d7-9e89-4051-9c87-668f37323219",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hybrid ({Tab1Success:value}/{Tab1Total:value})",
+ "linkLabel": "Firewall ({Tab1Success:value}/{Tab1Total:value})",
 "subTarget": "tab1",
- "preText": "Hybrid",
+ "preText": "Firewall",
 "style": "primary"
 },
 {
- "id": "b185ea2f-c721-494c-a4d9-fd73320880a0",
+ "id": "e0aedecb-88cb-4843-89c8-05555564d4a5",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "PaaS ({Tab2Success:value}/{Tab2Total:value})",
+ "linkLabel": "Virtual WAN ({Tab2Success:value}/{Tab2Total:value})",
 "subTarget": "tab2",
- "preText": "PaaS",
+ "preText": "Virtual WAN",
 "style": "primary"
 },
 {
- "id": "45afa7e9-868b-4154-a87d-801dd27b7ce1",
+ "id": "718547ab-9547-473f-99e5-7006e1801e2e",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Firewall ({Tab3Success:value}/{Tab3Total:value})",
+ "linkLabel": "Internet ({Tab3Success:value}/{Tab3Total:value})",
 "subTarget": "tab3",
- "preText": "Firewall",
+ "preText": "Internet",
 "style": "primary"
 },
 {
- "id": "eb39ef34-d60f-46ee-b026-2addee4d81c4",
+ "id": "dcbf97ee-db34-4d75-88d2-0fa493646a70",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Segmentation ({Tab4Success:value}/{Tab4Total:value})",
+ "linkLabel": "IP plan ({Tab4Success:value}/{Tab4Total:value})",
 "subTarget": "tab4",
- "preText": "Segmentation",
+ "preText": "IP plan",
 "style": "primary"
 },
 {
- "id": "ffdadd27-a1a0-4169-a90a-d50cbc5ff0dc",
+ "id": "0bc9b16b-c1c4-4845-ba62-32ec7b988ccc",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Internet ({Tab5Success:value}/{Tab5Total:value})",
+ "linkLabel": "Hybrid ({Tab5Success:value}/{Tab5Total:value})",
 "subTarget": "tab5",
- "preText": "Internet",
+ "preText": "Hybrid",
 "style": "primary"
 },
 {
- "id": "21c3eb6e-e014-4fce-b3b0-3fa9d1bfd6aa",
+ "id": "3f972b4e-3984-4c8e-8913-6b7c8767e53d",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "IP plan ({Tab6Success:value}/{Tab6Total:value})",
+ "linkLabel": "Segmentation ({Tab6Success:value}/{Tab6Total:value})",
 "subTarget": "tab6",
- "preText": "IP plan",
+ "preText": "Segmentation",
 "style": "primary"
 },
 {
- "id": "1c920114-2aa2-4cb8-bd35-5c2dc6c6a7ce",
+ "id": "e22702e8-99df-41c6-bf68-98c527fc8d9e",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Virtual WAN ({Tab7Success:value}/{Tab7Total:value})",
+ "linkLabel": "Hub and spoke ({Tab7Success:value}/{Tab7Total:value})",
 "subTarget": "tab7",
- "preText": "Virtual WAN",
+ "preText": "Hub and spoke",
 "style": "primary"
 }
 ]
@@ -1718,22 +1718,22 @@ { "type": 1, "content": { - "json": "## Hub and spoke" + "json": "## PaaS" }, "name": "tab0title" }, { "type": 1, "content": { - "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-route-server/) can help to educate yourself on this." + "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." }, - "name": "querytext0" + "name": "querytext26" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | 
project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1782,20 +1782,42 @@ ] } }, - "name": "query0" + "name": "query26" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab0" + }, + "name": "tab0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Firewall" + }, + "name": "tab1title" }, { "type": 1, "content": { - "json": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this." + "json": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." 
}, - "name": "querytext1" + "name": "querytext17" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
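Review bot: The new `query17` KQL checks only `properties.dnsSettings.enableProxy == true`, which is the same property `query23` in this file checks later, so a firewall policy without DNS proxy is counted as two failures in the Firewall tab totals (the -1142/-1161 counters above sum both `Query17Stats` and `Query23Stats`), while the recommendation text about FQDN-based network rules is not actually verified. Unlike `query23`, this query also has no attachment filter, so policies not linked to any firewall are flagged; at minimum add it: `resources | where type=='microsoft.network/firewallpolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | ...`. The regenerated tab GUIDs suggest this workbook is generated, so the fix presumably belongs in the source checklist entry the query is taken from. The enclosing notebook group continues past this hunk.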
@@ -1844,20 +1866,20 @@ ] } }, - "name": "query1" + "name": "query17" }, { "type": 1, "content": { - "json": "Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this." + "json": "Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." }, - "name": "querytext2" + "name": "querytext18" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1906,20 +1928,20 @@ ] } }, - "name": "query2" + "name": "query18" }, { "type": 1, "content": { - "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this." + "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information." }, - "name": "querytext3" + "name": "querytext19" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1968,20 +1990,20 @@ ] } }, - "name": "query3" + "name": "query19" }, { "type": 1, "content": { - "json": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information." + "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." }, - "name": "querytext4" + "name": "querytext20" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = 
toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2030,20 +2052,20 @@ ] } }, - "name": "query4" + "name": "query20" }, { "type": 1, "content": { - "json": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information." + "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." }, - "name": "querytext5" + "name": "querytext21" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand 
properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
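Review bot: `query21` treats a subnet as compliant whenever `subnets.properties.routeTable.id` is non-null (`hasRT`), but the recommendation is that Internet traffic be redirected to Azure Firewall or an NVA, and a route table with no default route to a virtual-appliance next hop satisfies `hasRT` while leaving the subnet with direct Internet egress. Consider joining the route-table resources and requiring a route entry for `0.0.0.0/0` whose next hop is a virtual appliance (or gateway) before setting `compliant`, rather than testing for the presence of any table. The Virtual WAN detection `tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering'` appears to be a peering-name heuristic; a sentence in the item text saying that only the default peering name is recognised would spare users a false failure. The enclosing notebook group continues outside this hunk.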
@@ -2092,42 +2114,20 @@ ] } }, - "name": "query5" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab0" - }, - "name": "tab0" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Hybrid" - }, - "name": "tab1title" + "name": "query21" }, { "type": 1, "content": { - "json": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this." 
}, - "name": "querytext10" + "name": "querytext23" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2176,20 +2176,20 @@ ] } }, - "name": "query10" + "name": "query23" }, { "type": 1, "content": { - "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this." }, - "name": "querytext11" + "name": "querytext24" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
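Review bot: The new `query24` never defines `compliant` — its `project` emits only `name, id, tags, param1` — yet the appended stage filters on `where compliant == 0`, so the tile will fail with an unresolved column instead of listing single-zone firewalls. Because the preceding `where array_length(zones) <= 1 or isnull(zones)` already keeps only non-compliant resources, every surviving row is a failure and the column can be set explicitly: `| project name, id, tags, compliant = false, param1='multipleZones:false'`. Firewalls inside a Virtual WAN hub are excluded by the `virtualHub.id` filter; that exclusion is worth one clause in the recommendation text so readers do not assume hub firewalls were evaluated here.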
@@ -2238,20 +2238,20 @@ ] } }, - "name": "query11" + "name": "query24" }, { "type": 1, "content": { - "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information." }, - "name": "querytext12" + "name": "querytext25" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = 
tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
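Review bot: The DDoS query in `query25` is not valid KQL as committed: `indexof(ipConfig.properties.subnet.id, /subnet')` is missing the opening quote, and `| where isempty(ddosProtectionPlanId) | , name, id = firewallId, ...` is missing the `project` operator, so the tile errors rather than reporting firewall VNets without a DDoS plan. The subsequent `where compliant == 0` also references a column the query never produces. A minimal repair is `vNetId = tolower(substring(tostring(ipConfig.properties.subnet.id), 0, indexof(tostring(ipConfig.properties.subnet.id), '/subnet')))` for the prefix extraction and `| project compliant = false, name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'` for the output row. `kind=fullouter` looks equivalent to `leftouter` here, since right-only rows always carry a plan id and are discarded by the `isempty` filter; `leftouter` would state the intent more plainly.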
@@ -2300,20 +2300,42 @@ ] } }, - "name": "query12" + "name": "query25" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab1" + }, + "name": "tab1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Virtual WAN" + }, + "name": "tab2title" }, { "type": 1, "content": { - "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." 
}, - "name": "querytext13" + "name": "querytext32" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
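Review bot: The secured-hub check in `query32` only tests `isnotnull(properties.azureFirewall.id)`, i.e. that an Azure Firewall is attached to the hub; it does not confirm that Internet-bound traffic is actually sent to it, so a hub with a firewall but no Internet routing policy or routing intent passes even though the recommendation is specifically about protecting outbound Internet traffic. Unless that routing state is available in Resource Graph and added to the query, the text should carry the caveat, e.g. append `Note: this check only verifies that an Azure Firewall is deployed in the hub, not that Internet traffic is routed through it.` to the recommendation. Minor: `type=='microsoft.network/virtualhubs'` is case-sensitive while the sibling hub query in this file uses `=~`, which is the safer form for resource type strings.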
@@ -2362,20 +2384,20 @@ ] } }, - "name": "query13" + "name": "query32" }, { "type": 1, "content": { - "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this." + "json": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this." }, - "name": "querytext14" + "name": "querytext33" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
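Review bot: `query33` compares a dynamic value to a string with `properties.allowBranchToBranchTraffic == 'true'`; if Resource Graph returns the property as a JSON boolean, as it does for other boolean properties queried in this workbook, that equality is false for every row and every Virtual WAN is reported as non-compliant. Convert before comparing: `| extend compliant = (tobool(properties.allowBranchToBranchTraffic) == true)`. If the property can be omitted on older resources, wrap it as `coalesce(tobool(...), <documented default>)` so a null `compliant` is not silently dropped by the `where compliant == 0` filter.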
@@ -2424,20 +2446,20 @@ ] } }, - "name": "query14" + "name": "query33" }, { "type": 1, "content": { - "json": "Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN. Check [this link](https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this." }, - "name": "querytext15" + "name": "querytext34" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": 
"microsoft.resourcegraph/resources", 
@@ -2486,20 +2508,20 @@ ] } }, - "name": "query15" + "name": "query34" }, { "type": 1, "content": { - "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information." + "json": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this." }, - "name": "querytext16" + "name": "querytext35" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": 
"microsoft.resourcegraph/resources", @@ -2548,16 +2570,16 @@ ] } }, - "name": "query16" + "name": "query35" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab1" + "value": "tab2" }, - "name": "tab1" + "name": "tab2" }, { "type": 12, 
@@ -2568,22 +2590,22 @@ { "type": 1, "content": { - "json": "## PaaS" + "json": "## Internet" }, - "name": "tab2title" + "name": "tab3title" }, { "type": 1, "content": { - "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." + "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this." }, - "name": "querytext26" + "name": "querytext9" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, 
"resourceType": "microsoft.resourcegraph/resources", @@ -2632,16 +2654,16 @@ ] } }, - "name": "query26" + "name": "query9" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab2" + "value": "tab3" }, - "name": "tab2" + "name": "tab3" }, { "type": 12, 
@@ -2652,22 +2674,22 @@ { "type": 1, "content": { - "json": "## Firewall" + "json": "## IP plan" }, - "name": "tab3title" + "name": "tab4title" }, { "type": 1, "content": { - "json": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." + "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." 
}, - "name": "querytext17" + "name": "querytext6" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
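Review bot: The RFC 1918 regex in `query6` anchors only the leading octets, so it accepts a VNet prefix such as `10.0.0.0/7` that spills outside 10/8, and it classifies every IPv6 address space as non-compliant even though IPv6 ULA ranges (RFC 4193) are the IPv6 counterpart of private addressing; the recommendation text should state whether IPv6 is meant to fail this check. If Resource Graph supports it, `| extend compliant = ipv4_is_private(tostring(cidr))` performs a real range containment check and is easier to audit than a regex; otherwise keep the regex but document the two caveats next to it. `mvexpand addressSpace` expands an object rather than an array and appears redundant, since only `addressPrefix` is used afterwards.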
@@ -2716,20 +2738,20 @@ ] } }, - "name": "query17" + "name": "query6" }, { "type": 1, "content": { - "json": "Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." + "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." }, - "name": "querytext18" + "name": "querytext7" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
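Review bot: In `query7`, `addressMask = split(addressPrefix,'/')[1]` is a dynamic string and `compliant = addressMask > 16` compares it with an integer; as in the Bastion query, that comparison is not numeric in KQL and is likely to yield false or null for every row. Cast before comparing: `| extend addressMask = toint(split(tostring(addressPrefix),'/')[1])`. Treating exactly /16 as a failure matches the `for example /16` wording, but a reader may read /16 as the threshold rather than a failure, so stating `/17 or smaller` in the text would remove the ambiguity.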
@@ -2778,20 +2800,20 @@ ] } }, - "name": "query18" + "name": "query7" }, { "type": 1, "content": { - "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information." + "json": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. Check [this link](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone) for further information.. [This training](https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing) can help to educate yourself on this." }, - "name": "querytext19" + "name": "querytext8" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
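Review bot: The public IP query (`query8`) never defines `compliant` — its `project` emits `name, id, tags, param1, param2` — but the appended stage filters on `where compliant == 0`, so the tile errors instead of listing non-zone-redundant IPs. The `where isempty(zones) or array_length(zones) <= 1` filter already restricts the set to failures, so add the column explicitly: `| project name, id, tags, compliant = false, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)`. The `case()` fall-through branch `zones` is unreachable after that filter and can be dropped, and the `sku.tier =~ 'Regional'` scoping leaves Global-tier IPs unevaluated, which is reasonable but worth a mention in the text.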
@@ -2840,20 +2862,42 @@ ] } }, - "name": "query19" + "name": "query8" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab4" + }, + "name": "tab4" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Hybrid" + }, + "name": "tab5title" }, { "type": 1, "content": { - "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." + "json": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." 
}, - "name": "querytext20" + "name": "querytext10" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
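Review bot: The gateway SKU query (`query10`, moved into the new Hybrid tab) filters with `properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'`, mixing a case-insensitive and a case-sensitive comparison on the same property; use `=~` for both: `| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'expressroute'`. The `SKUTier !in ('Basic', 'Standard')` test is applied to a dynamic value; `tostring(properties.sku.tier) !in ('Basic', 'Standard')` is the safer form. Substantively, the recommendation says to size the SKU to bandwidth needs while the query unconditionally fails `Standard` tier gateways, so the text should say that Basic/Standard tiers are reported as findings regardless of measured throughput.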
@@ -2902,20 +2946,20 @@ ] } }, - "name": "query20" + "name": "query10" }, { "type": 1, "content": { - "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." + "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext21" + "name": "querytext11" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = 
(hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2964,20 +3008,20 @@ ] } }, - "name": "query21" + "name": "query11" }, { "type": 1, "content": { - "json": "Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this." + "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext23" + "name": "querytext12" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -3026,20 +3070,20 @@ ] } }, - "name": "query23" + "name": "query12" }, { "type": 1, "content": { - "json": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this." + "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext24" + "name": "querytext13" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
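Review bot: `query13` is presented as the zone-redundant ExpressRoute gateway check, but its `where` keeps VPN gateways too (`properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'`), so every VPN gateway is evaluated here and again in the dedicated VPN check that follows, producing duplicate findings under an ExpressRoute heading. Restrict the scope: `| where properties.gatewayType =~ 'ExpressRoute'`. The `SKUTier contains 'AZ'` test is applied to a dynamic value; `tostring(properties.sku.tier) contains 'AZ'` makes the intent explicit.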
@@ -3088,20 +3132,20 @@ ] } }, - "name": "query24" + "name": "query13" }, { "type": 1, "content": { - "json": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information." + "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this." }, - "name": "querytext25" + "name": "querytext14" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 
'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
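Review bot: `query14` filters with the case-sensitive `properties.gatewayType == 'Vpn'`, whereas the neighbouring gateway queries use `=~ 'vpn'`; a casing difference in the returned value would silently empty this check, so `| where properties.gatewayType =~ 'vpn'` is the safer form. `tolower(properties.sku.name) contains 'az'` is redundant because `contains` is already case-insensitive; `tostring(properties.sku.name) contains 'AZ'` reads closer to the SKU naming it is matching.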
@@ -3150,42 +3194,20 @@ ] } }, - "name": "query25" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab3" - }, - "name": "tab3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Segmentation" - }, - "name": "tab4title" + "name": "query14" }, { "type": 1, "content": { - "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." + "json": "Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." 
}, - "name": "querytext22" + "name": "querytext15" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
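Review bot: The ExpressRoute query added here joins `circuitId=tostring(properties.peer.id)` against `circuitId=tostring(id)` of the circuit resources, and a KQL `join` compares string keys case-sensitively; ARM resource IDs are case-insensitive and the ID stored in a connection's `peer.id` can differ in case from the circuit's own `id`, in which case the join silently drops that connection and the gateway is counted with fewer peering locations than it really has. The flow-log query elsewhere in this file normalizes both sides with `tolower()` before joining; doing the same here — `circuitId=tolower(tostring(properties.peer.id))` on the left and `circuitId=tolower(id)` on the right — keeps the check consistent with it. The GatewaySubnet route-table query in the next hunk (`@@ -3234`) has the same unnormalized join on `routeTableId`, and there a missed join fails open: the `leftouter` yields a null `disableBgpRoutePropagation`, which the `isnull(...)` branch treats as compliant, so a subnet whose route table actually disables gateway route propagation would pass the check.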
@@ -3234,20 +3256,20 @@ ] } }, - "name": "query22" + "name": "query15" }, { "type": 1, "content": { - "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." + "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information." }, - "name": "querytext27" + "name": "querytext16" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -3296,20 +3318,42 @@ ] } }, - "name": "query27" + "name": "query16" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab5" + }, + "name": "tab5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Segmentation" + }, + "name": "tab6title" }, { "type": 1, "content": { - "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." + "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." 
}, - "name": "querytext28" + "name": "querytext22" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -3358,20 +3402,20 @@ ] } }, - "name": "query28" + "name": "query22" }, { "type": 1, "content": { - "json": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." + "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." }, - "name": "querytext29" + "name": "querytext27" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": 
"microsoft.resourcegraph/resources", 
@@ -3420,20 +3464,20 @@ ] } }, - "name": "query29" + "name": "query27" }, { "type": 1, "content": { - "json": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this." + "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." }, - "name": "querytext30" + "name": "querytext28" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -3482,20 +3526,20 @@ ] } }, - "name": "query30" + "name": "query28" }, { "type": 1, "content": { - "json": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this." + "json": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." }, - "name": "querytext31" + "name": "querytext29" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -3544,42 +3588,20 @@ ] } }, - "name": "query31" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab4" - }, - "name": "tab4" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Internet" - }, - "name": "tab5title" + "name": "query29" }, { "type": 1, "content": { - "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this." + "json": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this." 
}, - "name": "querytext9" + "name": "querytext30" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -3628,42 +3650,20 @@ ] } }, - "name": "query9" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab5" - }, - "name": "tab5" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## IP plan" - }, - "name": "tab6title" + "name": "query30" }, { "type": 1, "content": { - "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." + "json": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this." 
}, - "name": "querytext6" + "name": "querytext31" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -3712,20 +3712,42 @@ ] } }, - "name": "query6" + "name": "query31" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab6" + }, + "name": "tab6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Hub and spoke" + }, + "name": "tab7title" }, { "type": 1, "content": { - "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." + "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-route-server/) can help to educate yourself on this." 
}, - "name": "querytext7" + "name": "querytext0" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -3774,20 +3796,20 @@ ] } }, - "name": "query7" + "name": "query0" }, { "type": 1, "content": { - "json": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. Check [this link](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone) for further information.. [This training](https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing) can help to educate yourself on this." + "json": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this." 
}, - "name": "querytext8" + "name": "querytext1" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
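Review bot: The peering-count query added here flags a VNet only at `peeringcount < 450`, while its text says to add a hub above 400 spokes, and the route-table query in the next hunk (`@@ -3836`) flags at `routeCount < 360` while its text says to limit routes to 400 — the two checks diverge from their own guidance, and in opposite directions. The NSG-rule check in this file states its headroom in the text ("no more than 900 ... due to the limit of 1000"), which is the clearer pattern: either state the enforced number in each text, or set the thresholds to `peeringcount <= 400` and `routeCount <= 400` so query and text agree. Note also that `mvexpand` over an empty `virtualNetworkPeerings` or `routes` array appears to yield no rows, so resources with zero peerings or routes never show up in the result even as compliant; the NSG default-rule query handles the analogous case with an explicit `union` on `array_length(...)==0`, which could be reused here if those resources should be listed.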
@@ -3836,42 +3858,20 @@ ] } }, - "name": "query8" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab6" - }, - "name": "tab6" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Virtual WAN" - }, - "name": "tab7title" + "name": "query1" }, { "type": 1, "content": { - "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." + "json": "Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this." }, - "name": "querytext32" + "name": "querytext2" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -3920,20 +3920,20 @@ ] } }, - "name": "query32" + "name": "query2" }, { "type": 1, "content": { - "json": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this." + "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this." }, - "name": "querytext33" + "name": "querytext3" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -3982,20 +3982,20 @@ ] } }, - "name": "query33" + "name": "query3" }, { "type": 1, "content": { - "json": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN. Check [this link](https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this." + "json": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information." }, - "name": "querytext34" + "name": "querytext4" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | 
extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
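Review bot: The load-balancer zone-redundancy query added here never produces a `compliant` column — both union branches end in `project name, id, tags, param1=..., param2=...` — yet the appended filter `where compliant == 0 or not (onlyFailed == 1)` references it, which Resource Graph should reject as an unresolved column, so the tile would error rather than render. The backend-pool query in the next hunk (`@@ -4044`) has the same shape and the same problem. Since both queries already enumerate only the failing resources, the minimal fix is to add `| extend compliant = false` immediately before `| extend onlyFailed = {OnlyFailed:label}` in each; a fuller fix would also emit the compliant resources so the "only failed" toggle has something to hide. Any further Advisor-style query pasted into this template needs the same check, because the template's trailing filter assumes every query defines `compliant`.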
@@ -4044,20 +4044,20 @@ ] } }, - "name": "query34" + "name": "query4" }, { "type": 1, "content": { - "json": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this." + "json": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information." }, - "name": "querytext35" + "name": "querytext5" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', 
Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -4106,7 +4106,7 @@ ] } }, - "name": "query35" + "name": "query5" } ] }, diff --git a/workbooks/alz_checklist.en_network_counters_template.json b/workbooks/alz_checklist.en_network_counters_template.json index 59ba6ec34..3d514da69 100644 --- a/workbooks/alz_checklist.en_network_counters_template.json +++ b/workbooks/alz_checklist.en_network_counters_template.json 
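Review bot: The new backend-pool query has the same unresolved-column problem as the zone-redundancy query above it: none of the three union branches emits a `compliant` column (they project `name, id, tags, Param1, Param2`), yet the query closes with `| where compliant == 0 or not (onlyFailed == 1)`, which will fail at execution time rather than surface load balancers with fewer than two backend instances. Because every row this query returns is by construction a failure, `| extend compliant = 0` inserted before `| extend onlyFailed = {OnlyFailed:label}` restores the intended "only show failed" behaviour. As a point of style, this query compares `sku.name == 'Standard'` and `sku.name == 'Basic'` case-sensitively while the sibling query uses `tolower(sku.name) != 'basic'`; using `=~` or `tolower()` here too would avoid silently skipping a load balancer whose SKU name is returned in a different case. The enclosing KqlItem object continues past the end of this hunk.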
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, 
subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = 
properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources 
| where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources | 
where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = 
iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where 
type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n 
\"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), 
circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = 
countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/firewallPolicies' | where 
array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query24Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query25Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query25FullyCompliant\",\n \"type\": 1,\n 
\"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query25Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query26Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query26FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query26Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query27Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | 
project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query27FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query27Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query28Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize 
StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query28FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query28Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query29Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = 
countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query29FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query29Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query30Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend 
FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query30FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query30Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query31Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query31FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query31Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 
86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query32Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query32FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query32Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query33Stats\",\n \"type\": 1,\n \"query\": \"resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 
86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query33FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query33Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query34Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query34FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query34Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query35Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs' | extend 
addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query35FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query35Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": 
\"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query26Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query26Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query23Stats:$.Success}+{Query24Stats:$.Success}+{Query25Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n 
\"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query23Stats:$.Total}+{Query24Stats:$.Total}+{Query25Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query32Stats:$.Success}+{Query33Stats:$.Success}+{Query34Stats:$.Success}+{Query35Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query32Stats:$.Total}+{Query33Stats:$.Total}+{Query34Stats:$.Total}+{Query35Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Tab7Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab7Success}/{Tab7Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query26Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query23Stats:$.Total}+{Query24Stats:$.Total}+{Query25Stats:$.Total}+{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}+{Query9Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query32Stats:$.Total}+{Query33Stats:$.Total}+{Query34Stats:$.Total}+{Query35Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query26Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query23Stats:$.Success}+{Query24Stats:$.Success}+{Query25Stats:$.Success}+{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}+{Query9Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query32Stats:$.Success}+{Query33Stats:$.Success}+{Query34Stats:$.Success}+{Query35Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"d09d335b-9ade-4003-8e63-451df1ab5372\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ffcf9d69-0fea-46de-92c9-5b9c733557a8\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"b185ea2f-c721-494c-a4d9-fd73320880a0\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"PaaS\",\n 
\"style\": \"primary\"\n },\n {\n \"id\": \"45afa7e9-868b-4154-a87d-801dd27b7ce1\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall ({Tab3Success:value}/{Tab3Total:value})\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"eb39ef34-d60f-46ee-b026-2addee4d81c4\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation ({Tab4Success:value}/{Tab4Total:value})\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ffdadd27-a1a0-4169-a90a-d50cbc5ff0dc\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet ({Tab5Success:value}/{Tab5Total:value})\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"21c3eb6e-e014-4fce-b3b0-3fa9d1bfd6aa\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan ({Tab6Success:value}/{Tab6Total:value})\",\n \"subTarget\": \"tab6\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"1c920114-2aa2-4cb8-bd35-5c2dc6c6a7ce\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN ({Tab7Success:value}/{Tab7Total:value})\",\n \"subTarget\": \"tab7\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-route-server/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.. 
[This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. 
Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": 
\"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id 
| project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n 
}\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext26\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n 
\"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query26\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Firewall\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": 
\"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n 
},\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information.\"\n },\n \"name\": \"querytext25\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query25\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n 
\"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext27\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query27\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext28\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": 
\"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query28\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext29\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query29\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext30\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": 
\"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query30\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext31\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query31\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n 
\"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n 
},\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. Check [this link](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone) for further information.. [This training](https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n 
\"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab7title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext32\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query32\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext33\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query33\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN. Check [this link](https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext34\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query34\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext35\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query35\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": 
\"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = 
countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = 
count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 
'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend 
BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend 
addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": 
true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 
100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where 
type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | 
extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n 
\"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = 
(properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 
'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where 
type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n 
\"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query24Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query25Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query25FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query25Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query26Stats\",\n \"type\": 1,\n \"query\": 
\"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query26FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query26Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query27Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = 
iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query27FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query27Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query28Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = 
countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query28FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query28Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query29Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query29FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query29Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query30Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query30FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query30Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query31Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query31FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query31Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query32Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend 
SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query32FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query32Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query33Stats\",\n \"type\": 1,\n \"query\": \"resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query33FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query33Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query34Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query34FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query34Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query35Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query35FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query35Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query26Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query26Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query23Stats:$.Success}+{Query24Stats:$.Success}+{Query25Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query23Stats:$.Total}+{Query24Stats:$.Total}+{Query25Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query32Stats:$.Success}+{Query33Stats:$.Success}+{Query34Stats:$.Success}+{Query35Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query32Stats:$.Total}+{Query33Stats:$.Total}+{Query34Stats:$.Total}+{Query35Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n 
\"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}\"\n }\n }\n ]\n },\n {\n 
\"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab7Success}/{Tab7Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n 
\"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query26Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query23Stats:$.Total}+{Query24Stats:$.Total}+{Query25Stats:$.Total}+{Query32Stats:$.Total}+{Query33Stats:$.Total}+{Query34Stats:$.Total}+{Query35Stats:$.Total}+{Query9Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query26Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query23Stats:$.Success}+{Query24Stats:$.Success}+{Query25Stats:$.Success}+{Query32Stats:$.Success}+{Query33Stats:$.Success}+{Query34Stats:$.Success}+{Query35Stats:$.Success}+{Query9Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"14d2ae59-3c95-484c-90c1-265cdc04e147\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"a0c636d7-9e89-4051-9c87-668f37323219\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"e0aedecb-88cb-4843-89c8-05555564d4a5\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Virtual WAN\",\n 
\"style\": \"primary\"\n },\n {\n \"id\": \"718547ab-9547-473f-99e5-7006e1801e2e\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet ({Tab3Success:value}/{Tab3Total:value})\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"dcbf97ee-db34-4d75-88d2-0fa493646a70\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan ({Tab4Success:value}/{Tab4Total:value})\",\n \"subTarget\": \"tab4\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"0bc9b16b-c1c4-4845-ba62-32ec7b988ccc\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid ({Tab5Success:value}/{Tab5Total:value})\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"3f972b4e-3984-4c8e-8913-6b7c8767e53d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation ({Tab6Success:value}/{Tab6Total:value})\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"e22702e8-99df-41c6-bf68-98c527fc8d9e\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke ({Tab7Success:value}/{Tab7Total:value})\",\n \"subTarget\": \"tab7\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext26\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query26\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"## Firewall\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information.\"\n },\n \"name\": \"querytext25\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query25\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext32\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n 
\"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query32\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext33\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": 
\"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query33\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN. Check [this link](https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext34\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query34\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available. 
Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext35\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query35\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": 
\"## Internet\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": 
\"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": 
\"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": 
\"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. Check [this link](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone) for further information.. [This training](https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n 
\"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. 
[This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. 
[This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n 
{\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext27\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query27\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": 
\"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext28\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": 
\"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query28\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext29\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query29\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext30\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n 
\"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query30\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. 
[This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext31\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query31\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab7title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. 
Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-route-server/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of 
prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.. 
[This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. 
Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": 
\"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id 
| project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": 
"[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]"
diff --git a/workbooks/alz_checklist.en_network_tabcounters.json b/workbooks/alz_checklist.en_network_tabcounters.json
index e04c80cb3..48b377e42 100644
--- a/workbooks/alz_checklist.en_network_tabcounters.json
+++ b/workbooks/alz_checklist.en_network_tabcounters.json
@@ -70,75 +70,75 @@
 "style": "tabs",
 "links": [
 {
- "id": "89bf89f7-7147-4c45-8c00-42bd5b6f62fa",
+ "id": "fbc281ef-f267-4caa-9175-e0020134b644",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hybrid",
+ "linkLabel": "Segmentation",
 "subTarget": "tab0",
- "preText": "Hybrid",
+ "preText": "Segmentation",
 "style": "primary"
 },
 {
- "id": "f74234f9-2135-4de1-9a4b-1e317ce1adcc",
+ "id": "e2257931-f963-455c-9f7a-ad6403c8d96f",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Firewall",
+ "linkLabel": "Internet",
 "subTarget": "tab1",
- "preText": "Firewall",
+ "preText": "Internet",
 "style": "primary"
 },
 {
- "id": "f4143294-ad8e-45a8-9a16-55298c86118c",
+ "id": "f7cb96d2-b731-4452-80d6-0f164b82fe4a",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "IP plan",
+ "linkLabel": "Hybrid",
 "subTarget": "tab2",
- "preText": "IP plan",
+ "preText": "Hybrid",
 "style": "primary"
 },
 {
- "id": "fce5d8ad-341c-4ddf-9e8c-28c0c994d754",
+ "id": "01360cd1-e5dd-45e5-a226-67c03dc0dccf",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Internet",
+ "linkLabel": "Firewall",
 "subTarget": "tab3",
- "preText": "Internet",
+ "preText": "Firewall",
 "style": "primary"
 },
 {
- "id": "db5f2341-8d9e-4897-bf3d-cfc1fa70e78f",
+ "id": "3907955b-f4d7-41c3-aed7-fcfdbb74a516",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Segmentation",
+ "linkLabel": "PaaS",
 "subTarget": "tab4",
- "preText": "Segmentation",
+ "preText": "PaaS",
 "style": "primary"
 },
 {
- "id": "d5cc6cdc-7552-4d9a-a3e4-e98c2b4c79a9",
+ "id": "8cc858d6-a2a3-4e87-bd9e-dbb987dc89ca",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hub and spoke",
+ "linkLabel": "IP plan",
 "subTarget": "tab5",
- "preText": "Hub and spoke",
+ "preText": "IP plan",
 "style": "primary"
 },
 {
- "id": "e279d28d-c3ee-4cad-bce6-daa3b400d57e",
+ "id": "ec217b09-fef2-4a35-a7ea-a53ca431357d",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Virtual WAN",
+ "linkLabel": "Hub and spoke",
 "subTarget": "tab6",
- "preText": "Virtual WAN",
+ "preText": "Hub and spoke",
 "style": "primary"
 },
 {
- "id": "29d1d611-37e0-4308-901e-fa7810e574a6",
+ "id": "01e7565a-60c5-4ab0-bf8b-3c186d62ead1",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "PaaS",
+ "linkLabel": "Virtual WAN",
 "subTarget": "tab7",
- "preText": "PaaS",
+ "preText": "Virtual WAN",
 "style": "primary"
 }
 ]
@@ -162,37 +162,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query10Stats",
- "type": 1,
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query10FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query10Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query11Stats",
+ "name": "Query22Stats",
 "type": 1,
- "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
 "crossComponentResources": [
 "{Subscription}"
 ],
@@ -206,9 +178,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query11FullyCompliant",
+ "name": "Query22FullyCompliant",
 "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query11Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query22Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
 "isHiddenWhenLocked": true,
 "timeContext": {
 "durationMs": 86400000
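Review bot: In the new Query22Stats query, `subnetPrefixLength` is taken straight from `split(subnetPrefix, '/')[1]`, a dynamic value holding the string "26", and is then compared with the number 26 in `compliant = (subnetPrefixLength == 26)`; unless the dynamic-to-number comparison coerces the way the author expects, every AzureFirewallSubnet would be reported as non-compliant. Converting explicitly removes the doubt: `| extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])`. The same pattern is in the Query27Stats hunk (`@@ -218,9 +190,9 @@`), where the ordering comparison `<= 27` is even less meaningful on a string, and in the two workbook-tab copies at `@@ -463,77 +435,15 @@` and `@@ -582,20 +492,20 @@`. Subnets declared with the `addressPrefixes` array rather than `addressPrefix` would also yield an empty `subnetPrefix` here and fail the check; if such subnets are in scope, that case should be handled or called out in the text.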
@@ -218,9 +190,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query12Stats",
+ "name": "Query27Stats",
 "type": 1,
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
 "crossComponentResources": [
 "{Subscription}"
 ],
@@ -234,9 +206,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query12FullyCompliant",
+ "name": "Query27FullyCompliant",
 "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query12Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query27Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
 "isHiddenWhenLocked": true,
 "timeContext": {
 "durationMs": 86400000
@@ -246,9 +218,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query13Stats",
+ "name": "Query28Stats",
 "type": 1,
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
 "crossComponentResources": [
 "{Subscription}"
 ],
@@ -262,9 +234,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query13FullyCompliant",
+ "name": "Query28FullyCompliant",
 "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query13Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query28Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
 "isHiddenWhenLocked": true,
 "timeContext": {
 "durationMs": 86400000
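Review bot: NSGs whose custom rules are all outbound vanish from Query28Stats: `summarize ... by id,tostring(ruleDirection) | where ruleDirection == 'Inbound'` leaves no row for them, and the `union` branch only re-adds NSGs with an empty rule list, so such NSGs are neither counted in Total nor flagged, which inflates the tab's compliance figure. Folding the direction into the `countif` and summarizing by `id` alone keeps one row per NSG: `| summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*' and ruleDirection=='Inbound') by id | project id,compliant=(StarDenies>0)`; the union branch then becomes redundant but harmless. The check also only recognises a deny-all written through the singular `destinationPortRange`/`destinationAddressPrefix`/`sourceAddressPrefix` properties, so a rule expressed via the plural array properties would presumably not count — worth stating in the recommendation text if that is accepted. The same query is repeated for the workbook tab at `@@ -644,20 +554,20 @@`.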
@@ -274,9 +246,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query14Stats",
+ "name": "Query29Stats",
 "type": 1,
- "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
 "crossComponentResources": [
 "{Subscription}"
 ],
@@ -290,9 +262,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query14FullyCompliant",
+ "name": "Query29FullyCompliant",
 "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query14Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query29Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
 "isHiddenWhenLocked": true,
 "timeContext": {
 "durationMs": 86400000
@@ -302,9 +274,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query15Stats",
+ "name": "Query30Stats",
 "type": 1,
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
 "crossComponentResources": [
 "{Subscription}"
 ],
@@ -318,9 +290,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query15FullyCompliant",
+ "name": "Query30FullyCompliant",
 "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query15Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query30Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
 "isHiddenWhenLocked": true,
 "timeContext": {
 "durationMs": 86400000
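Review bot: Query30Stats marks a VNet compliant as soon as any enabled flow log has the VNet itself as target; `trafficAnalyticsEnabled` is projected but never tested, so the "feed them into Traffic Analytics" half of the recommendation text added at `@@ -768,20 +678,20 @@` is not enforced by the check. If both are intended, `| extend compliant = iff(isnotempty(lowerCaseTargetVNetId) and trafficAnalyticsEnabled == true, true, false)`; otherwise the text should say the check only verifies that a VNet-scoped flow log exists. Note also that flow logs scoped to a subnet or NIC contain the same `/Microsoft.Network/virtualNetworks/` substring but will never equal the VNet id in the join, so a VNet covered only by subnet-scoped flow logs is reported non-compliant — confirm that is the intended reading. The same query is repeated for the workbook tab in that later hunk.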
@@ -330,9 +302,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query16Stats",
+ "name": "Query31Stats",
 "type": 1,
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
 "crossComponentResources": [
 "{Subscription}"
 ],
@@ -346,9 +318,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query16FullyCompliant",
+ "name": "Query31FullyCompliant",
 "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query16Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query31Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
 "isHiddenWhenLocked": true,
 "timeContext": {
 "durationMs": 86400000
@@ -369,7 +341,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}"
+ "resultVal": "{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}"
 }
 }
 ]
@@ -388,7 +360,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}"
+ "resultVal": "{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}"
 }
 }
 ]
@@ -422,7 +394,7 @@
 {
 "type": 1,
 "content": {
- "json": "## Hybrid"
+ "json": "## Segmentation"
 },
 "customWidth": "50",
 "name": "tab0title"
@@ -463,77 +435,15 @@
 {
 "type": 1,
 "content": {
- "json": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
- },
- "name": "querytext10"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
- "size": 4,
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "id",
- "formatter": 0,
- "numberFormat": {
- "unit": 0,
- "options": {
- "style": "decimal"
- }
- }
- },
- {
- "columnMatch": "compliant",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "icons",
- "thresholdsGrid": [
- {
- "operator": "==",
- "thresholdValue": "1",
- "representation": "success",
- "text": "Success"
- },
- {
- "operator": "==",
- "thresholdValue": "0",
- "representation": "failed",
- "text": "Failed"
- },
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "unknown",
- "text": "Unknown"
- }
- ]
- }
- }
- ]
- }
- },
- "name": "query10"
- },
- {
- "type": 1,
- "content": {
- "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this."
 },
- "name": "querytext11"
+ "name": "querytext22"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -582,20 +492,20 @@
 ]
 }
 },
- "name": "query11"
+ "name": "query22"
 },
 {
 "type": 1,
 "content": {
- "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information."
 },
- "name": "querytext12"
+ "name": "querytext27"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -644,20 +554,20 @@
 ]
 }
 },
- "name": "query12"
+ "name": "query27"
 },
 {
 "type": 1,
 "content": {
- "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information."
 },
- "name": "querytext13"
+ "name": "querytext28"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -706,20 +616,20 @@
 ]
 }
 },
- "name": "query13"
+ "name": "query28"
 },
 {
 "type": 1,
 "content": {
- "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this."
+ "json": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this."
 },
- "name": "querytext14"
+ "name": "querytext29"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -768,20 +678,20 @@
 ]
 }
 },
- "name": "query14"
+ "name": "query29"
 },
 {
 "type": 1,
 "content": {
- "json": "Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this."
 },
- "name": "querytext15"
+ "name": "querytext30"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where 
properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
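Review bot: The compliance expression in the new flow-log query, `extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false)`, passes a VNet as soon as any enabled, succeeded flow log targets it, while the recommendation text asks for flow logs fed into Traffic Analytics; `trafficAnalyticsEnabled` is projected but never evaluated. If both are intended, `| extend compliant = isnotempty(lowerCaseTargetVNetId) and trafficAnalyticsEnabled == true` enforces it with columns already in scope; if only the flow log is required, the text should say so, because a reviewer reading the tile will otherwise assume Traffic Analytics is covered. The `subscriptionId` column projected on the left side is dropped by the final `project`, so it can be removed from the first `project` too. The `query` string is split across two physical lines here, which looks like a rendering artifact rather than a change in the file.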
@@ -830,20 +740,20 @@
 ]
 }
 },
- "name": "query15"
+ "name": "query30"
 },
 {
 "type": 1,
 "content": {
- "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information."
+ "json": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this."
 },
- "name": "querytext16"
+ "name": "querytext31"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
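Review bot: `compliant = (rules < 900)` in the new NSG rule-count query fails an NSG with exactly 900 custom rules, while the text says not to go above 900; either `compliant = (rules <= 900)` or wording of "fewer than 900" aligns the two. `array_length(properties.securityRules)` counts only custom rules, which is what the 1000-rule limit in the text refers to, so the threshold itself looks right. The `[This training]` link in the json text points to the NSG concepts article rather than a training module, so the label is probably inherited from the checklist source and worth correcting there.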
@@ -892,7 +802,7 @@
 ]
 }
 },
- "name": "query16"
+ "name": "query31"
 }
 ]
 },
@@ -920,9 +830,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query17Stats",
+ "name": "Query9Stats",
 "type": 1,
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
 "crossComponentResources": [
 "{Subscription}"
 ],
@@ -936,9 +846,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query17FullyCompliant",
+ "name": "Query9FullyCompliant",
 "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query17Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query9Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
 "isHiddenWhenLocked": true,
 "timeContext": {
 "durationMs": 86400000
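Review bot: In the new `Query9Stats` query (hunk `@@ -920,9 +830,9 @@`), `subnetPrefixLength = split(subnetPrefix, '/')[1]` yields a dynamic holding a string, so `subnetPrefixLength <= 26` compares that string with an integer; making the conversion explicit with `| extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])` avoids relying on implicit dynamic coercion. The same expression recurs in the `query9` grid item inside the following `@@ -948,33 +858,1009 @@` hunk and should be changed there as well. Subnets defined with the array-form `addressPrefixes` instead of `addressPrefix` get a null `subnetPrefix` here and therefore a null `compliant`, which neither `countif(compliant==1)` nor `countif(compliant==0)` picks up while `count()` still includes them in Total, if I read the summarize correctly; a `tostring(subnets.properties.addressPrefixes[0])` fallback or an explicit `isnotempty` guard would make that case visible instead of silently skewing the percentage. The `query16`→`query31` and `Query17FullyCompliant`→`Query9FullyCompliant` hunks are renames only.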
@@ -948,33 +858,1009 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query18Stats", + "name": "Tab1Success", "type": 1, - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{Query9Stats:$.Success}" + } + } + ] }, { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query18FullyCompliant", + "name": "Tab1Total", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query18Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{Query9Stats:$.Total}" + } + } + ] + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab1Percent", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "round(100*{Tab1Success}/{Tab1Total})" + } + } + ] + } + ], + "style": "pills", + "queryType": 1, + "resourceType": 
"microsoft.resourcegraph/resources" + }, + "name": "TabInvisibleParameters" + }, + { + "type": 1, + "content": { + "json": "## Internet" + }, + "customWidth": "50", + "name": "tab1title" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab1Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "size": 3, + "queryType": 8, + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Column1", + "formatter": 4, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + "subtitleContent": { + "columnMatch": "Column2" + }, + "showBorder": true + } + }, + "customWidth": "50", + "name": "TabPercentTile" + }, + { + "type": 1, + "content": { + "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this." 
+ }, + "name": "querytext9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query9" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab1" + }, + "name": "tab1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Subscription}" + ], + "parameters": [ + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query10Stats", + "type": 1, + "query": "resources| where type == 
'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query10FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query10Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query11Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": 
"microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query11FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query11Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query12Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query12FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query12Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query13Stats", + "type": 1, + 
"query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query13FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query13Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query14Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 
1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query14FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query14Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query15Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query15FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query15Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": 
"daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query16Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query16FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query16Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab2Success", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": 
"{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}" + } + } + ] + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab2Total", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}" + } + } + ] + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab2Percent", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "round(100*{Tab2Success}/{Tab2Total})" + } + } + ] + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "TabInvisibleParameters" + }, + { + "type": 1, + "content": { + "json": "## Hybrid" + }, + "customWidth": "50", + "name": "tab2title" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab2Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "size": 3, + "queryType": 8, + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Column1", + "formatter": 4, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + "subtitleContent": { + "columnMatch": "Column2" + }, + "showBorder": true + } + }, + "customWidth": "50", + "name": "TabPercentTile" 
+ }, + { + "type": 1, + "content": { + "json": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + }, + "name": "querytext10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query10" + }, + { + "type": 1, + "content": { + "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their 
cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + }, + "name": "querytext11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query11" + }, + { + "type": 1, + "content": { + "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this." 
+ }, + "name": "querytext12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query12" + }, + { + "type": 1, + "content": { + "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." 
+ }, + "name": "querytext13" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query13" + }, + { + "type": 1, + "content": { + "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this." 
+ }, + "name": "querytext14" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query14" + }, + { + "type": 1, + "content": { + "json": "Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." 
+ }, + "name": "querytext15" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query15" + }, + { + "type": 1, + "content": { + "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information." 
+ }, + "name": "querytext16" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query16" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab2" + }, + "name": "tab2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + 
"{Subscription}" + ], + "parameters": [ + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query17Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query17FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query17Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query18Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": 
"daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query18FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query18Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", "name": "Query19Stats", "type": 1, @@ -1144,7 +2030,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab1Success", + "name": "Tab3Success", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -1163,7 +2049,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab1Total", + "name": "Tab3Total", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -1182,7 +2068,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab1Percent", + "name": "Tab3Percent", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -1193,7 +2079,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "round(100*{Tab1Success}/{Tab1Total})" + "resultVal": "round(100*{Tab3Success}/{Tab3Total})" } } ] 
@@ -1211,301 +2097,53 @@ "json": "## Firewall" }, "customWidth": "50", - "name": "tab1title" + "name": "tab3title" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab1Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab3Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", "size": 3, "queryType": 8, "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Column1", - "formatter": 4, - "formatOptions": { - "min": 0, - "max": 100, - "palette": "redGreen" - }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - "subtitleContent": { - "columnMatch": "Column2" - }, - "showBorder": true - } - }, - "customWidth": "50", - "name": "TabPercentTile" - }, - { - "type": 1, - "content": { - "json": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." 
- }, - "name": "querytext17" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query17" - }, - { - "type": 1, - "content": { - "json": "Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." 
- }, - "name": "querytext18" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query18" - }, - { - "type": 1, - "content": { - "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information." 
- }, - "name": "querytext19" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query19" - }, - { - "type": 1, - "content": { - "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." 
- }, - "name": "querytext20" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } + "tileSettings": { + "titleContent": { + "columnMatch": "Column1", + "formatter": 4, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen" }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" } } - ] + }, + "subtitleContent": { + "columnMatch": "Column2" + }, + "showBorder": true } }, - "name": "query20" + "customWidth": "50", + "name": "TabPercentTile" }, { "type": 1, "content": { - "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." + "json": "Use application rules to filter outbound traffic on destination host name for supported protocols. 
Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." }, - "name": "querytext21" + "name": "querytext17" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 
or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1554,20 +2192,20 @@ ] } }, - "name": "query21" + "name": "query17" }, { "type": 1, "content": { - "json": "Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this." + "json": "Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." }, - "name": "querytext23" + "name": "querytext18" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
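Review bot: The new query17 added here (`"query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant ..."`) evaluates the same DNS-proxy setting that query23, re-added on the new side of the hunk `@@ -1723,249 +2361,99 @@`, evaluates again, the two differing only in query23's `| where array_length(properties.firewalls) > 0` filter and its `=~ 'true'` comparison. A policy with the proxy disabled is therefore counted as two failures in the Firewall tab's percentage, and query17 additionally flags policies that are not attached to any firewall. Either drop one of the two checks or align query17 with query23 by adding `| where array_length(properties.firewalls) > 0` after the type filter. The `"json"` text for querytext17 also carries the generator artefact `for further information.. [This training]` (double full stop), which recurs in the sibling text items. The enclosing workbook `items` array continues outside this hunk.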
@@ -1616,20 +2254,20 @@ ] } }, - "name": "query23" + "name": "query18" }, { "type": 1, "content": { - "json": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this." + "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information." }, - "name": "querytext24" + "name": "querytext19" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
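Review bot: The recommendation text added as querytext19 describes Threat Intelligence mode, but its link targets the IDPS signature-rules anchor (`premium-features#idps-signature-rules`), which documents a different Premium feature; the item should link to the Azure Firewall threat-intelligence documentation instead. The paired query19 accepts only `properties.threatIntelMode == 'Deny'`, which is consistent with the "Alert and Deny" wording, but a policy on which the property is unset presumably yields a null comparison rather than `false`, so it would surface in the formatter's "Unknown" bucket rather than "Failed" — worth confirming against Resource Graph, or normalising with `extend compliant = (tostring(properties.threatIntelMode) == 'Deny')`. The grid settings for query19 and the enclosing array continue past this hunk.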
@@ -1678,20 +2316,20 @@ ] } }, - "name": "query24" + "name": "query19" }, { "type": 1, "content": { - "json": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information." + "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." }, - "name": "querytext25" + "name": "querytext20" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, 
compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
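Review bot: query20, added at the end of this hunk, evaluates `properties.intrusionDetection.mode == 'Deny'` against every firewall policy, yet IDPS is a Premium-tier capability, so each Standard-tier policy that query18 already fails is failed a second time for the same root cause, and a policy with no `intrusionDetection` block presumably produces a null comparison that the formatter renders as "Unknown" rather than "Failed". Consider scoping the check, `| where properties.sku.tier == 'Premium'`, or making the outcome explicit with `extend compliant = (tostring(properties.intrusionDetection.mode) == 'Deny')`. As a point of style, this query uses `| project id, compliant` where its siblings use `| distinct id,compliant`; matching them keeps the checks uniform. The formatter settings for query20 continue in the next hunk.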
@@ -1723,249 +2361,99 @@ "text": "Success" }, { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query25" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab1" - }, - "name": "tab1" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Subscription}" - ], - "parameters": [ - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query6Stats", - "type": 1, - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query6FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": 
\\\"{Query6Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query7Stats", - "type": 1, - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query7FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query7Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query8Stats", - "type": 1, - "query": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | 
project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query8FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query8Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab2Success", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}" - } - } - ] - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab2Total", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}" - } - } - ] - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab2Percent", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - 
"criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "round(100*{Tab2Success}/{Tab2Total})" - } + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] } - ] - } - ], - "style": "pills", - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" + } + ] + } }, - "name": "TabInvisibleParameters" + "name": "query20" }, { "type": 1, "content": { - "json": "## IP plan" + "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." }, - "customWidth": "50", - "name": "tab2title" + "name": "querytext21" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab2Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", - "size": 3, - "queryType": 8, - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Column1", - "formatter": 4, - "formatOptions": { - "min": 0, - "max": 100, - "palette": "redGreen" + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand 
properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] } } - }, - "subtitleContent": { - "columnMatch": "Column2" - }, - "showBorder": true + ] } }, - "customWidth": "50", - "name": "TabPercentTile" + "name": "query21" }, { "type": 1, "content": { - "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." + "json": "Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this." }, - "name": "querytext6" + "name": "querytext23" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
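Review bot: query21, re-added on the new side of this hunk, exempts a subnet from the route-table requirement by inferring Virtual WAN connectivity from a peering-name prefix, `tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering'`; a renamed peering or a change in the platform's default naming silently flips the result, and the heuristic is not mentioned in the querytext21 text that precedes it. A discriminator based on a documented peering property, such as `properties_virtualNetworkPeerings.properties.remoteVirtualNetwork.id`, would be more robust, though the hub side is platform-managed and I have not confirmed what it resolves to in Resource Graph. At minimum the `"json"` text for querytext21 should state that the Virtual WAN exemption relies on the default hub-peering name. query23's formatter settings and the enclosing array continue past this hunk.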
@@ -2014,20 +2502,20 @@ ] } }, - "name": "query6" + "name": "query23" }, { "type": 1, "content": { - "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." + "json": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this." }, - "name": "querytext7" + "name": "querytext24" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", 
"size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
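Review bot: The new query24 (Azure Firewall availability zones) pre-filters with `where array_length(zones) <= 1 or isnull(zones)`, projects only `name, id, tags, param1`, and then ends with `where compliant == 0 or not (onlyFailed == 1)` — no `compliant` column is ever created, so Resource Graph rejects the query on an unresolved column and the grid shows nothing instead of the non-zonal firewalls. Compute the verdict instead of pre-filtering: replace `| where array_length(zones) <= 1 or isnull(zones) |` with `| extend compliant = (isnotnull(zones) and array_length(zones) > 1) |` and add `compliant` to the `project` list so the OnlyFailed toggle behaves like the neighbouring checks. Worth one sentence in querytext23 as well: the DNS-proxy query only evaluates firewall policies attached to at least one firewall (`array_length(properties.firewalls) > 0`), so firewalls still using classic rules are not covered by that check.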
@@ -2076,20 +2564,20 @@ ] } }, - "name": "query7" + "name": "query24" }, { "type": 1, "content": { - "json": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. Check [this link](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone) for further information.. [This training](https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing) can help to educate yourself on this." + "json": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information." 
}, - "name": "querytext8" + "name": "querytext25" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -2138,16 +2626,16 @@ ] } }, - "name": "query8" + "name": "query25" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab2" + "value": "tab3" }, - "name": "tab2" + "name": "tab3" }, { "type": 12, 
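Review bot: The new query25 (DDoS plan on the Azure Firewall VNet) is not valid KQL as written: `indexof(ipConfig.properties.subnet.id, /subnet')` is missing its opening quote, `| , name, id = firewallId, tags, ...` is missing the `project` operator, and the final `where compliant == 0 or not (onlyFailed == 1)` references a `compliant` column that is never defined, so the whole check errors out. A working form is `indexof(ipConfig.properties.subnet.id, '/subnets')` and `| extend compliant = isnotempty(ddosProtectionPlanId) | project name, id = firewallId, tags, compliant, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'` in place of the `where isempty(ddosProtectionPlanId)` pre-filter, so the OnlyFailed toggle drives the filtering as in the other checks. Note that with `kind=fullouter` a DDoS plan whose VNets host no firewall also yields a row with an empty `firewallId`; a `kind=leftouter` join with the firewalls on the left avoids having to filter those out.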
@@ -2166,9 +2654,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query9Stats", + "name": "Query26Stats", "type": 1, - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
@@ -2182,9 +2670,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query9FullyCompliant", + "name": "Query26FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query9Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query26Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -2194,7 +2682,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab3Success", + "name": "Tab4Success", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -2205,7 +2693,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query9Stats:$.Success}" + "resultVal": "{Query26Stats:$.Success}" } } ] @@ -2213,7 +2701,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab3Total", + "name": "Tab4Total", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -2224,7 +2712,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query9Stats:$.Total}" + "resultVal": "{Query26Stats:$.Total}" } } ] @@ -2232,7 +2720,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab3Percent", + "name": "Tab4Percent", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -2243,7 +2731,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "round(100*{Tab3Success}/{Tab3Total})" + "resultVal": "round(100*{Tab4Success}/{Tab4Total})" } } ] 
@@ -2258,16 +2746,16 @@ { "type": 1, "content": { - "json": "## Internet" + "json": "## PaaS" }, "customWidth": "50", - "name": "tab3title" + "name": "tab4title" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab3Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab4Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", "size": 3, "queryType": 8, "visualization": "tiles", 
@@ -2299,15 +2787,15 @@ { "type": 1, "content": { - "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this." + "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." }, - "name": "querytext9" + "name": "querytext26" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
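Review bot: query26 marks every subnet that has at least one service endpoint as non-compliant, while querytext26 only says not to enable them "by default on all subnets", so someone reading a Failed row for a subnet whose endpoint was deliberately scoped has no way to tell a finding from a false positive. Say so in the text, e.g. append `This check lists every subnet with at least one service endpoint; review each entry rather than treating the list as a defect count, and prefer Private Endpoints (or service endpoint policies) where the intent is to restrict which PaaS instances the subnet can reach.` The security point worth stating is that a service endpoint exposes the whole service to the subnet, not one resource, unless a service endpoint policy is attached.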
@@ -2356,121 +2844,37 @@ ] } }, - "name": "query9" + "name": "query26" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab3" + "value": "tab4" }, - "name": "tab3" + "name": "tab4" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Subscription}" - ], - "parameters": [ - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query22Stats", - "type": 1, - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query22FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query22Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query27Stats", - "type": 1, - 
"query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query27FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query27Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query28Stats", - "type": 1, - "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and 
ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query28FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query28Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Subscription}" + ], + "parameters": [ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query29Stats", + "name": "Query6Stats", "type": 1, - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant| summarize Total = 
count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], @@ -2484,9 +2888,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query29FullyCompliant", + "name": "Query6FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query29Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query6Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 
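Review bot: This hunk deletes the Query22/27/28/29/30/31 stats parameters (Azure Firewall /26 subnet, GatewaySubnet /27, NSG explicit deny-all inbound, NSG on every subnet, VNet flow logs, NSG rule count) and adds only Query6Stats in their place, and Tab5Success/Tab5Total further down sum Query6–Query8 only. If those six checks are not recreated under another tab elsewhere in the file (not visible from this hunk), the workbook silently loses its segmentation and flow-log coverage, which is the most security-relevant group in this file; please confirm the generator still emits them. The added Query6Stats body is consistent with the per-resource query6 body (same RFC 1918 regex and projection), so nothing further on that part.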
@@ -2496,9 +2900,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query30Stats", + "name": "Query7Stats", "type": 1, - "query": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" 
], @@ -2512,9 +2916,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query30FullyCompliant", + "name": "Query7FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query30Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query7Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -2524,9 +2928,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query31Stats", + "name": "Query8Stats", "type": 1, - "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
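Review bot: The new Query8Stats (zone-redundant public IPs) never defines `compliant`: it projects `name, id, tags, param1, param2` and then runs `summarize Success = countif(compliant==1), Failed = countif(compliant==0)`, so the parameter query errors out and Tab5Percent, which reads `{Query8Stats:$.Success}`, has nothing to sum. The `where isempty(zones) or array_length(zones) <= 1` pre-filter also means only failing IPs would ever reach the summarize, so Total could never include compliant ones. Replace the pre-filter with `| extend compliant = (isnotempty(zones) and array_length(zones) > 1)` and keep `compliant` in the `project` list; if the per-resource query8 check reuses this same query text (the old tab2 copy did), fix it in step.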
@@ -2540,9 +2944,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query31FullyCompliant", + "name": "Query8FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query31Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query8Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -2552,7 +2956,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab4Success", + "name": "Tab5Success", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -2563,7 +2967,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}" + "resultVal": "{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}" } } ] @@ -2571,7 +2975,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab4Total", + "name": "Tab5Total", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -2582,7 +2986,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}" + "resultVal": "{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}" } } ] @@ -2590,7 +2994,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab4Percent", + "name": "Tab5Percent", "type": 1, "isHiddenWhenLocked": true, "timeContext": { 
@@ -2601,7 +3005,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "round(100*{Tab4Success}/{Tab4Total})" + "resultVal": "round(100*{Tab5Success}/{Tab5Total})" } } ] @@ -2616,16 +3020,16 @@ { "type": 1, "content": { - "json": "## Segmentation" + "json": "## IP plan" }, "customWidth": "50", - "name": "tab4title" + "name": "tab5title" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab4Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab5Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", "size": 3, "queryType": 8, "visualization": "tiles", 
@@ -2657,201 +3061,15 @@ { "type": 1, "content": { - "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." - }, - "name": "querytext22" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query22" - }, - { - "type": 1, - "content": { - "json": "Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." - }, - "name": "querytext27" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query27" - }, - { - "type": 1, - "content": { - "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." 
- }, - "name": "querytext28" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query28" - }, - { - "type": 1, - "content": { 
- "json": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." + "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." }, - "name": "querytext29" + "name": "querytext6" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | 
where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
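Review bot: query6 (RFC 1918 check) applies the IPv4-only regex `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)` to every entry of `addressPrefixes`, so a dual-stack VNet's IPv6 prefix (for example a ULA `fd00::/…` block) is reported as Failed even though RFC 1918 does not apply to it. Either restrict the check to IPv4 prefixes, e.g. `| where cidr contains '.'` ahead of the `extend compliant`, or state the limitation in querytext6. Also, `cidr` is the dynamic value produced by `mvexpand addressPrefix`; if Resource Graph does not coerce it, `matches regex` expects a string, so `cidr = tostring(addressPrefix)` in the project is the safer form.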
@@ -2900,20 +3118,20 @@ ] } }, - "name": "query29" + "name": "query6" }, { "type": 1, "content": { - "json": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this." + "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." }, - "name": "querytext30" + "name": "querytext7" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend 
addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
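Review bot: The compliance test in the new query7 compares `addressMask`, which `split()` yields as a dynamic string such as "24", against the integer 16 (`extend compliant = addressMask > 16`); as far as I can tell Kusto does not coerce a dynamic string to a number for `>`, so the prefix length is never actually evaluated and the grid is likely to render every VNet as Unknown or Failed. Cast before comparing: `| extend addressMask = toint(split(tostring(addressPrefix), '/')[1]) | extend compliant = addressMask > 16`. The same condition also lets IPv6 address spaces (e.g. /48) pass by construction; if that is intended, the checklist text for this item should say it only applies to IPv4 prefixes. The workbook item object holding this query closes in the following hunk.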
@@ -2962,20 +3180,20 @@ ] } }, - "name": "query30" + "name": "query7" }, { "type": 1, "content": { - "json": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this." + "json": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. Check [this link](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone) for further information.. [This training](https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing) can help to educate yourself on this." 
}, - "name": "querytext31" + "name": "querytext8" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -3024,16 +3242,16 @@ ] } }, - "name": "query31" + "name": "query8" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab4" + "value": "tab5" }, - "name": "tab4" + "name": "tab5" }, { "type": 12, @@ -3220,7 +3438,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab5Success", + "name": "Tab6Success", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -3239,7 +3457,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab5Total", + "name": "Tab6Total", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -3258,7 +3476,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab5Percent", + "name": "Tab6Percent", "type": 1, "isHiddenWhenLocked": true, "timeContext": { 
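Review bot: The new query8 (Standard SKU / zone-redundant public IPs) never defines a `compliant` column, yet its tail still runs `where compliant == 0 or not (onlyFailed == 1)`, so Resource Graph should fail to resolve the column and the grid's success/failed formatter on `compliant` has nothing to render; the preceding `where isempty(zones) or array_length(zones) <= 1` also prefilters to the non-redundant IPs only, so a compliant resource could never be listed even if the column existed. Compute the flag instead of filtering: drop that `where`, add `| extend compliant = (sku.name =~ 'Standard' and array_length(zones) > 1)` and append `compliant` to the `project` list so the "Only show failed" toggle and the formatter work as in the other queries. The `case()` building `az` returns strings in its first two branches but the dynamic `zones` array as its default, which Kusto may reject as mismatched result types; a literal such as `'Zone-redundant'` is safer. The item object holding this query closes in the following hunk.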
@@ -3269,7 +3487,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "round(100*{Tab5Success}/{Tab5Total})" + "resultVal": "round(100*{Tab6Success}/{Tab6Total})" } } ] @@ -3287,13 +3505,13 @@ "json": "## Hub and spoke" }, "customWidth": "50", - "name": "tab5title" + "name": "tab6title" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab5Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab6Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", "size": 3, "queryType": 8, "visualization": "tiles", @@ -3699,9 +3917,9 @@ "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab5" + "value": "tab6" }, - "name": "tab5" + "name": "tab6" }, { "type": 12, @@ -3832,7 +4050,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab6Success", + "name": "Tab7Success", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -3851,7 +4069,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab6Total", + "name": "Tab7Total", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -3870,7 +4088,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab6Percent", + "name": "Tab7Percent", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -3881,7 +4099,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "round(100*{Tab6Success}/{Tab6Total})" + "resultVal": "round(100*{Tab7Success}/{Tab7Total})" } } ] 
@@ -3899,13 +4117,13 @@ "json": "## Virtual WAN" }, "customWidth": "50", - "name": "tab6title" + "name": "tab7title" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab6Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab7Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", "size": 3, "queryType": 8, "visualization": "tiles", 
@@ -4184,224 +4402,6 @@ } ] }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab6" - }, - "name": "tab6" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Subscription}" - ], - "parameters": [ - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query26Stats", - "type": 1, - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query26FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query26Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab7Success", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - 
"durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query26Stats:$.Success}" - } - } - ] - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab7Total", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query26Stats:$.Total}" - } - } - ] - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab7Percent", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "round(100*{Tab7Success}/{Tab7Total})" - } - } - ] - } - ], - "style": "pills", - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - "name": "TabInvisibleParameters" - }, - { - "type": 1, - "content": { - "json": "## PaaS" - }, - "customWidth": "50", - "name": "tab7title" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab7Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", - "size": 3, - "queryType": 8, - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Column1", - "formatter": 4, - "formatOptions": { - "min": 0, - "max": 100, - "palette": "redGreen" - }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - "subtitleContent": { - "columnMatch": "Column2" - }, - "showBorder": true - } - }, - "customWidth": "50", - "name": "TabPercentTile" - }, - { - "type": 1, - "content": { - "json": "Don't enable virtual network service endpoints by default on all subnets. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." - }, - "name": "querytext26" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query26" - } - ] - }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", diff --git a/workbooks/alz_checklist.en_network_tabcounters_template.json b/workbooks/alz_checklist.en_network_tabcounters_template.json index 3d4e35dfe..d77c2933f 100644 
--- a/workbooks/alz_checklist.en_network_tabcounters_template.json +++ b/workbooks/alz_checklist.en_network_tabcounters_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"89bf89f7-7147-4c45-8c00-42bd5b6f62fa\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"f74234f9-2135-4de1-9a4b-1e317ce1adcc\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"f4143294-ad8e-45a8-9a16-55298c86118c\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab2\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"fce5d8ad-341c-4ddf-9e8c-28c0c994d754\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"db5f2341-8d9e-4897-bf3d-cfc1fa70e78f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"d5cc6cdc-7552-4d9a-a3e4-e98c2b4c79a9\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and 
spoke\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"e279d28d-c3ee-4cad-bce6-daa3b400d57e\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"29d1d611-37e0-4308-901e-fa7810e574a6\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab7\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), 
circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n 
\"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project 
id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab0title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab0Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": 
\"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 
1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = 
iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant| summarize Total = count(), 
Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query24Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query25Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query25FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query25Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query23Stats:$.Success}+{Query24Stats:$.Success}+{Query25Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query23Stats:$.Total}+{Query24Stats:$.Total}+{Query25Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Firewall\"\n },\n \"customWidth\": 
\"50\",\n \"name\": \"tab1title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab1Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information.\"\n },\n \"name\": \"querytext25\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query25\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n 
\"type\": 1,\n \"query\": \"Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab2title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab2Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create 
unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard SKU and Zone-Redundant IPs when applicable, 
Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. Check [this link](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone) for further information.. [This training](https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n 
]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab3title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab3Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 
100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n 
\"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query27Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query27FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query27Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query28Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query28FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query28Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query29Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | 
mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query29FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query29Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query30Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, 
lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query30FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query30Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query31Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n 
\"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query31FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query31Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n 
\"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab4title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab4Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext27\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query27\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext28\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query28\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext29\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n 
\"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query29\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext30\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n 
\"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query30\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext31\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query31\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = 
count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 
1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand 
properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab5title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab5Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using 
Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-route-server/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to 
bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.. 
[This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. 
Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": 
\"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id 
| project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n 
\"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query32Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query32FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query32Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query33Stats\",\n \"type\": 1,\n \"query\": \"resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n 
\"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query33FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query33Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query34Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query34FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query34Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query35Stats\",\n 
\"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query35FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query35Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query32Stats:$.Success}+{Query33Stats:$.Success}+{Query34Stats:$.Success}+{Query35Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n 
\"resultValType\": \"expression\",\n \"resultVal\": \"{Query32Stats:$.Total}+{Query33Stats:$.Total}+{Query34Stats:$.Total}+{Query35Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab6title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab6Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext32\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query32\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext33\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query33\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN. Check [this link](https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext34\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query34\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext35\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query35\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query26Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query26FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query26Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query26Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Total\",\n \"type\": 1,\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query26Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab7Success}/{Tab7Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab7title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab7Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext26\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query26\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": 
\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"fbc281ef-f267-4caa-9175-e0020134b644\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"e2257931-f963-455c-9f7a-ad6403c8d96f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"f7cb96d2-b731-4452-80d6-0f164b82fe4a\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"01360cd1-e5dd-45e5-a226-67c03dc0dccf\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"3907955b-f4d7-41c3-aed7-fcfdbb74a516\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab4\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"8cc858d6-a2a3-4e87-bd9e-dbb987dc89ca\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n 
\"subTarget\": \"tab5\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ec217b09-fef2-4a35-a7ea-a53ca431357d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"01e7565a-60c5-4ab0-bf8b-3c186d62ead1\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab7\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query27Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query27FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query27Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query28Stats\",\n \"type\": 1,\n 
\"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query28FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query28Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n 
\"name\": \"Query29Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query29FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query29Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query30Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, 
trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query30FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query30Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query31Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query31FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query31Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Success}+{Query27Stats:$.Success}+{Query28Stats:$.Success}+{Query29Stats:$.Success}+{Query30Stats:$.Success}+{Query31Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Total}+{Query27Stats:$.Total}+{Query28Stats:$.Total}+{Query29Stats:$.Total}+{Query30Stats:$.Total}+{Query31Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n 
\"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab0title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab0Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext27\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query27\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext28\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query28\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext29\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n 
\"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query29\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext30\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n 
\"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query30\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext31\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query31\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab1title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": 
\\\\\\\"{Tab1Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": 
{\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, 
gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = 
iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | 
project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab2title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab2Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": 
\"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 
1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = 
iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant| summarize Total = count(), 
Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query24Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query25Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled'| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query25FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query25Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query23Stats:$.Success}+{Query24Stats:$.Success}+{Query25Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query23Stats:$.Total}+{Query24Stats:$.Total}+{Query25Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Firewall\"\n },\n \"customWidth\": 
\"50\",\n \"name\": \"tab3title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab3Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information.\"\n },\n \"name\": \"querytext25\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query25\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query26Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query26FullyCompliant\",\n 
\"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query26Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query26Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query26Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab4title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab4Percent}\\\\\\\", 
\\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext26\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": 
\"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query26\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab5title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab5Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the 
address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": 
\"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use 
Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. Check [this link](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone) for further information.. [This training](https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n 
\"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 
86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n 
\"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where 
toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab6title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab6Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-route-server/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.. 
[This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. 
Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": 
\"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id 
| project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n 
\"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query32Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query32FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query32Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query33Stats\",\n \"type\": 1,\n \"query\": \"resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n 
\"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query33FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query33Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query34Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query34FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query34Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query35Stats\",\n 
\"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query35FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query35Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query32Stats:$.Success}+{Query33Stats:$.Success}+{Query34Stats:$.Success}+{Query35Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n 
\"resultValType\": \"expression\",\n \"resultVal\": \"{Query32Stats:$.Total}+{Query33Stats:$.Total}+{Query34Stats:$.Total}+{Query35Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab7Success}/{Tab7Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab7title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab7Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext32\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query32\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext33\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query33\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN. Check [this link](https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext34\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query34\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext35\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query35\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" 
diff --git a/workbooks/alz_checklist.en_network_workbook.json b/workbooks/alz_checklist.en_network_workbook.json index 2c8115113..2bd51d732 100644 --- a/workbooks/alz_checklist.en_network_workbook.json +++ b/workbooks/alz_checklist.en_network_workbook.json @@ -70,25 +70,25 @@ "style": "tabs", "links": [ { - "id": "ffc48840-5e6f-402c-addb-f476e83811ea", + "id": "cb861f33-a7a7-41cf-9649-d7afabba7566", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Firewall", + "linkLabel": "Hybrid", "subTarget": "tab0", - "preText": "Firewall", + "preText": "Hybrid", "style": "primary" }, { - "id": "dda6810e-4e65-46d0-b648-9c2b63f4508a", + "id": "8cb6fd2e-540e-4ff1-b903-66521253c65f", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Internet", + "linkLabel": "PaaS", "subTarget": "tab1", - "preText": "Internet", + "preText": "PaaS", "style": "primary" }, { - "id": "b72b1530-87e1-45d5-80ce-b92ba949e542", + "id": "1b0c84fc-c1d0-4471-9a1f-c7ccee85adf9", "cellValue": "VisibleTab", "linkTarget": "parameter", "linkLabel": "IP plan", 
@@ -97,48 +97,48 @@ "style": "primary" }, { - "id": "85c9e0d8-be1e-4d23-8024-39117c2cd7f5", + "id": "30083dca-4639-4773-ba6a-d6f817b74a60", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Hybrid", + "linkLabel": "Firewall", "subTarget": "tab3", - "preText": "Hybrid", + "preText": "Firewall", "style": "primary" }, { - "id": "279190a0-0975-43a7-a6e7-e857d2e71e4b", + "id": "f3a83fc0-a2f7-4e2f-bae8-8a3bb7d30ac6", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "PaaS", + "linkLabel": "Hub and spoke", "subTarget": "tab4", - "preText": "PaaS", + "preText": "Hub and spoke", "style": "primary" }, { - "id": "80e2857b-835c-49ed-a1c0-54ff1ff1a61f", + "id": "8b629670-7571-4f12-be6d-a0d9202b30e7", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Virtual WAN", + "linkLabel": "Internet", "subTarget": "tab5", - "preText": "Virtual WAN", + "preText": "Internet", "style": "primary" }, { - "id": "ad498229-1d33-41c0-a3bb-f29c2cf2679c", + "id": "ea0b7755-f79a-4e0a-a8a8-66603320cfc0", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Hub and spoke", + "linkLabel": "Segmentation", "subTarget": "tab6", - "preText": "Hub and spoke", + "preText": "Segmentation", "style": "primary" }, { - "id": "ffa74f8c-e1bb-4254-b810-ac1fa557f64f", + "id": "06180d64-902f-4879-90e9-52d18661da52", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Segmentation", + "linkLabel": "Virtual WAN", "subTarget": "tab7", - "preText": "Segmentation", + "preText": "Virtual WAN", "style": "primary" } ] 
@@ -154,84 +154,22 @@ { "type": 1, "content": { - "json": "## Firewall" + "json": "## Hybrid" }, "name": "tab0title" }, { "type": 1, "content": { - "json": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." - }, - "name": "querytext17" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 0, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query17" - }, - { - "type": 1, - "content": { - "json": "Use Azure Firewall Premium to enable additional security features. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." + "json": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext18" + "name": "querytext10" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
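Review bot: The new gateway query in this hunk mixes a case-insensitive match for the VPN type (`=~ 'vpn'`) with a case-sensitive one for ExpressRoute (`== 'ExpressRoute'`), and the denylist `SKUTier !in ('Basic', 'Standard')` is case-sensitive on a dynamic value too, so a tier serialized in a different case would silently show as Success. `SKUName` and `Type` are extended but never projected, so they are dead columns. The denylist also marks every Standard-tier ExpressRoute gateway as Failed although the recommendation text only asks for the SKU to match bandwidth needs; if the intent is to flag legacy/undersized SKUs, the text should say so. Suggested filter and check: `| where tostring(properties.gatewayType) in~ ('Vpn', 'ExpressRoute') | extend compliant = tostring(properties.sku.tier) !in~ ('Basic', 'Standard')`.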
@@ -280,20 +218,20 @@ ] } }, - "name": "query18" + "name": "query10" }, { "type": 1, "content": { - "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information." + "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext19" + "name": "querytext11" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
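Review bot: The circuit query in this hunk marks every non-Local UnlimitedData circuit as Failed, but the accompanying text says unlimited data is appropriate once bandwidth justifies it, and Resource Graph carries no utilization data, so the Failed icon is a guaranteed false alarm for exactly the circuits the guidance permits. Either phrase the item as a manual verification or state the heuristic in the text, e.g. append `This check flags all unlimited-data, non-Local circuits; confirm egress volume before acting on a Failed result.` to the `json` string of `querytext11`.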
@@ -342,20 +280,20 @@ ] } }, - "name": "query19" + "name": "query11" }, { "type": 1, "content": { - "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." + "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext20" + "name": "querytext12" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
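Review bot: The `join` in the new ExpressRoute Local query relies on Resource Graph's default flavor, which is `innerunique`: left-side rows are deduplicated on the join key, so when two virtual network gateways are connected to the same circuit only one gateway is emitted and the other silently disappears from the grid. Use `| join kind=inner (...) on circuitid` so every connection is evaluated. The test `circuitsku == 'Local'` is also a case-sensitive comparison on a dynamic value, and taking `max()` of a boolean is not something I would rely on; `| project id=gwid, compliant = toint(tostring(circuitsku) =~ 'Local') | summarize compliant=max(compliant) by id` keeps the 0/1 shape that the `compliant == 0` filter and the threshold formatter expect.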
@@ -404,20 +342,20 @@ ] } }, - "name": "query20" + "name": "query12" }, { "type": 1, "content": { - "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." + "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext21" + "name": "querytext13" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) 
| distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
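Review bot: The new query13 filters `properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'`, so VPN gateways are evaluated under an item whose text (querytext13) is about zone-redundant ExpressRoute gateways, while VPN gateways already get their own zone-redundancy check in the next item (query14). Narrowing the filter to `| where properties.gatewayType =~ 'ExpressRoute'` keeps each gateway in exactly one finding. The projected `SKUName` column is computed but never used and can be dropped.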
@@ -466,20 +404,20 @@
 ]
 }
 },
- "name": "query21"
+ "name": "query13"
 },
 {
 "type": 1,
 "content": {
- "json": "Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this."
+ "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this."
 },
- "name": "querytext23"
+ "name": "querytext14"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -528,20 +466,20 @@ ] } }, - "name": "query23" + "name": "query14" }, { "type": 1, "content": { - "json": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this." + "json": "Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext24" + "name": "querytext15" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant 
= (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -590,20 +528,20 @@ ] } }, - "name": "query24" + "name": "query15" }, { "type": 1, "content": { - "json": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information." + "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information." }, - "name": "querytext25" + "name": "querytext16" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project 
id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -652,7 +590,7 @@ ] } }, - "name": "query25" + "name": "query16" } ] }, 
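Review bot: `disableBgpRoutePropagation == False` in the new query16 uses a capitalised boolean literal; KQL spells its literals `true`/`false`, and I am not confident `False` parses in every Resource Graph context, so `disableBgpRoutePropagation == false` is the safer spelling. The same `== True` appears in the peering query (query3) in the hunk at -1692/+1608. The rest of the logic reads correctly: the leftouter join plus `isnull(disableBgpRoutePropagation)` makes a GatewaySubnet without any route table compliant.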
@@ -672,22 +610,22 @@ { "type": 1, "content": { - "json": "## Internet" + "json": "## PaaS" }, "name": "tab1title" }, { "type": 1, "content": { - "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this." + "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." }, - "name": "querytext9" + "name": "querytext26" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": 
"microsoft.resourcegraph/resources", @@ -736,7 +674,7 @@ ] } }, - "name": "query9" + "name": "query26" } ] }, 
@@ -964,22 +902,22 @@ { "type": 1, "content": { - "json": "## Hybrid" + "json": "## Firewall" }, "name": "tab3title" }, { "type": 1, "content": { - "json": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." 
}, - "name": "querytext10" + "name": "querytext17" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
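Review bot: `properties.dnsSettings.enableProxy == true` in the new query17 evaluates to null for a policy that has no `dnsSettings` block, and a null `compliant` does not satisfy `where compliant == 0`, so precisely the policies this item is meant to surface drop out of the failed-only view; `extend compliant = (tostring(properties.dnsSettings.enableProxy) =~ 'true')` turns the missing value into an explicit failure. The same null-drop applies to `properties.threatIntelMode == 'Deny'` and `properties.intrusionDetection.mode == 'Deny'` in the hunks at -1090/+1028 and -1152/+1090, where a policy with no `intrusionDetection` section vanishes instead of failing. The later DNS-proxy item (query23, hunk at -1276/+1214) checks the same property with `=~ 'true'` and an extra `array_length(properties.firewalls) > 0` filter; the two items should use one comparison, and it is worth stating in the text why the setting is checked twice.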
@@ -1028,20 +966,20 @@
 ]
 }
 },
- "name": "query10"
+ "name": "query17"
 },
 {
 "type": 1,
 "content": {
- "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this."
 },
- "name": "querytext11"
+ "name": "querytext18"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -1090,20 +1028,20 @@ ] } }, - "name": "query11" + "name": "query18" }, { "type": 1, "content": { - "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information." }, - "name": "querytext12" + "name": "querytext19" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1152,20 +1090,20 @@ ] } }, - "name": "query12" + "name": "query19" }, { "type": 1, "content": { - "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this." }, - "name": "querytext13" + "name": "querytext20" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1214,20 +1152,20 @@ ] } }, - "name": "query13" + "name": "query20" }, { "type": 1, "content": { - "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this." + "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." }, - "name": "querytext14" + "name": "querytext21" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), 
subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1276,20 +1214,20 @@ ] } }, - "name": "query14" + "name": "query21" }, { "type": 1, "content": { - "json": "Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this." }, - "name": "querytext15" + "name": "querytext23" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1338,20 +1276,20 @@ ] } }, - "name": "query15" + "name": "query23" }, { "type": 1, "content": { - "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information." + "json": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this." }, - "name": "querytext16" + "name": "querytext24" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not 
(onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
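Review bot: query24 on the new side never defines `compliant`: it filters with `where array_length(zones) <= 1 or isnull(zones)`, projects `name, id, tags, param1`, and then the appended `| where compliant == 0 or not (onlyFailed == 1)` references a column that does not exist, so the item errors whenever it renders. Replacing the zone filter with `| extend compliant = (coalesce(array_length(zones), 0) > 1) | project name, id, tags, compliant` gives the OnlyFailed toggle a column to act on and lets zone-redundant firewalls appear when the toggle is off. The `isempty(properties.virtualHub.id)` exclusion of secured-hub firewalls can stay as it is.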
@@ -1400,42 +1338,20 @@ ] } }, - "name": "query16" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab3" - }, - "name": "tab3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## PaaS" - }, - "name": "tab4title" + "name": "query24" }, { "type": 1, "content": { - "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." + "json": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information." 
}, - "name": "querytext26" + "name": "querytext25" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1484,16 +1400,16 @@ ] } }, - "name": "query26" + "name": "query25" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab4" + "value": "tab3" }, - "name": "tab4" + "name": "tab3" }, { "type": 12, 
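Review bot: The DDoS query (query25) is not valid KQL on the new side: the literal in `indexof(ipConfig.properties.subnet.id, /subnet')` is missing its opening quote, `| , name, id = firewallId, ...` has lost its `project` operator, and `compliant` is never computed although the trailing `where compliant == 0` depends on it. Suggested: `indexof(ipConfig.properties.subnet.id, '/subnet')`, and in place of `| where isempty(ddosProtectionPlanId) | , name, ...` use `| project name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), compliant = isnotempty(ddosProtectionPlanId)`, which also keeps protected firewalls visible when the toggle is off. With that projection the join is better as `kind=leftouter`, since `fullouter` would also emit plan-only rows with an empty firewall id. This is moved rather than new logic, but the reorder is the moment to fix it because the whole Firewall tab item fails as written.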
@@ -1504,22 +1420,22 @@ { "type": 1, "content": { - "json": "## Virtual WAN" + "json": "## Hub and spoke" }, - "name": "tab5title" + "name": "tab4title" }, { "type": 1, "content": { - "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." + "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-route-server/) can help to educate yourself on this." }, - "name": "querytext32" + "name": "querytext0" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
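Review bot: In the new query0, `subnetPrefixLength` comes from `split(subnetPrefix, '/')[1]`, a dynamic string, so `subnetPrefixLength <= 27` compares a string against a number; whether that produces the intended ordering or a null depends on dynamic-comparison rules, and `extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])` removes the doubt. A RouteServerSubnet defined with `addressPrefixes` rather than `addressPrefix` would also yield an empty prefix here and be silently skipped; presumably rare, but worth a mention in querytext0.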
@@ -1568,20 +1484,20 @@ ] } }, - "name": "query32" + "name": "query0" }, { "type": 1, "content": { - "json": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this." + "json": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this." }, - "name": "querytext33" + "name": "querytext1" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1630,20 +1546,20 @@ ] } }, - "name": "query33" + "name": "query1" }, { "type": 1, "content": { - "json": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN. Check [this link](https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this." + "json": "Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this." }, - "name": "querytext34" + "name": "querytext2" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
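Review bot: The threshold in the new query2, `routeCount < 360`, does not match querytext2, which tells the reader to limit routes per table to 400; likewise the spoke item in the previous hunk (-1568/+1484) pairs "more than 400 spoke networks" with `peeringcount < 450`. If the lower bounds are deliberate headroom, say so in the text, e.g. append `(this check flags tables with 360 or more routes)`; otherwise align the numbers. Note also that `mvexpand properties.routes` produces no row for an empty route table, so such tables are absent from the results rather than reported compliant.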
@@ -1692,20 +1608,20 @@
]
}
},
- "name": "query34"
+ "name": "query2"
},
{
"type": 1,
"content": {
- "json": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this."
+ "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this."
},
- "name": "querytext35"
+ "name": "querytext3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1754,42 +1670,20 @@
]
}
},
- "name": "query35"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab5"
- },
- "name": "tab5"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Hub and spoke"
- },
- "name": "tab6title"
+ "name": "query3"
},
{
"type": 1,
"content": {
- "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-route-server/) can help to educate yourself on this."
+ "json": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information."
},
- "name": "querytext0"
+ "name": "querytext4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
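Review bot: The new load-balancer zone query never defines a `compliant` column, yet it ends with `| where compliant == 0 or not (onlyFailed == 1)`; the final `project name, id, tags, param1=..., param2=...` only carries those five columns, so the filter references a column that does not exist and the grid formatter keyed on `compliant` has nothing to render. The backend-pool query in the next hunk (`Param1='backendPools', Param2=...`) has the same gap. Since both queries already list only failing load balancers, the minimal repair is to tag those rows explicitly before the shared tail, e.g. `... param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend compliant = false | extend onlyFailed = {OnlyFailed:label} | ...`; a fuller fix would also emit passing resources with `compliant = true` so the OnlyFailed toggle is meaningful. If this workbook is generated from the checklist source, the correction presumably belongs in that source rather than here.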
@@ -1838,20 +1732,20 @@
]
}
},
- "name": "query0"
+ "name": "query4"
},
{
"type": 1,
"content": {
- "json": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this."
+ "json": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information."
},
- "name": "querytext1"
+ "name": "querytext5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1900,20 +1794,42 @@
]
}
},
- "name": "query1"
+ "name": "query5"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab4"
+ },
+ "name": "tab4"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Internet"
+ },
+ "name": "tab5title"
},
{
"type": 1,
"content": {
- "json": "Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this."
+ "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this."
},
- "name": "querytext2"
+ "name": "querytext9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
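Review bot: In the new Bastion query, `subnetPrefixLength = split(subnetPrefix, '/')[1]` is the dynamic string element of the split, not a number, and it is then compared with `subnetPrefixLength <= 26`; unless the engine coerces that dynamic string for the comparison, the check can silently evaluate wrong for every subnet. The same pattern is reused for `AzureFirewallSubnet` (`== 26`) and `GatewaySubnet` (`<= 27`) in the two hunks below. Converting explicitly removes the ambiguity: `| extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])`.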
@@ -1962,20 +1878,42 @@
]
}
},
- "name": "query2"
+ "name": "query9"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab5"
+ },
+ "name": "tab5"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Segmentation"
+ },
+ "name": "tab6title"
},
{
"type": 1,
"content": {
- "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this."
+ "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this."
},
- "name": "querytext3"
+ "name": "querytext22"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2024,20 +1962,20 @@
]
}
},
- "name": "query3"
+ "name": "query22"
},
{
"type": 1,
"content": {
- "json": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information."
+ "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information."
},
- "name": "querytext4"
+ "name": "querytext27"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2086,20 +2024,20 @@
]
}
},
- "name": "query4"
+ "name": "query27"
},
{
"type": 1,
"content": {
- "json": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information."
+ "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information."
},
- "name": "querytext5"
+ "name": "querytext28"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
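Review bot: The new NSG default-rules query silently drops any NSG whose custom rules are all Outbound: `summarize ... by id,tostring(ruleDirection) | where ruleDirection == 'Inbound'` keeps only NSGs that have at least one Inbound rule, and the `union` branch only re-adds NSGs with `array_length(properties.securityRules)==0`, so an NSG with outbound-only rules appears in neither set and is never reported as non-compliant. The cheapest fix is to make the union branch cover every NSG without an Inbound rule rather than only empty ones, e.g. `| where array_length(properties.securityRules)==0 or not(tostring(properties.securityRules) contains 'Inbound')`, or to restructure the query so that `StarDenies` is computed from `countif(... and ruleDirection=='Inbound')` without grouping by direction.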
@@ -2148,42 +2086,82 @@
]
}
},
- "name": "query5"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab6"
- },
- "name": "tab6"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
+ "name": "query28"
+ },
{
"type": 1,
"content": {
- "json": "## Segmentation"
+ "json": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this."
},
- "name": "tab7title"
+ "name": "querytext29"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "size": 0,
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "id",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "compliant",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "1",
+ "representation": "success",
+ "text": "Success"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "0",
+ "representation": "failed",
+ "text": "Failed"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "unknown",
+ "text": "Unknown"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "name": "query29"
},
{
"type": 1,
"content": {
- "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this."
+ "json": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this."
},
- "name": "querytext22"
+ "name": "querytext30"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
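Review bot: The new flow-log query computes `compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false)`, so a VNet passes as soon as any enabled flow log targets it, even though the item text requires the logs to be fed into Traffic Analytics and the query already projects `trafficAnalyticsEnabled` without using it. A VNet with flow logs but Traffic Analytics switched off is therefore reported as compliant while the recommendation is not met. Tightening the expression to `| extend compliant = iff(isnotempty(lowerCaseTargetVNetId) and trafficAnalyticsEnabled == true, true, false)` makes the check match the text; the earlier `where ... properties.enabled == true` only covers the flow log itself, not the analytics configuration.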
@@ -2232,20 +2210,20 @@
]
}
},
- "name": "query22"
+ "name": "query30"
},
{
"type": 1,
"content": {
- "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information."
+ "json": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this."
},
- "name": "querytext27"
+ "name": "querytext31"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2294,20 +2272,42 @@
]
}
},
- "name": "query27"
+ "name": "query31"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab6"
+ },
+ "name": "tab6"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Virtual WAN"
+ },
+ "name": "tab7title"
},
{
"type": 1,
"content": {
- "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information."
+ "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this."
},
- "name": "querytext28"
+ "name": "querytext32"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2356,20 +2356,20 @@
]
}
},
- "name": "query28"
+ "name": "query32"
},
{
"type": 1,
"content": {
- "json": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this."
+ "json": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this."
},
- "name": "querytext29"
+ "name": "querytext33"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
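Review bot: The new Virtual WAN query compares a boolean ARM property with a string literal, `properties.allowBranchToBranchTraffic == 'true'`, whereas the flow-log query earlier in this diff compares the same kind of property with the boolean `properties.enabled == true`; if the engine does not coerce the dynamic bool to a string for this comparison, every WAN evaluates to non-compliant regardless of its setting. Either compare as a boolean, `| extend compliant = (properties.allowBranchToBranchTraffic == true)`, or normalise first, `| extend compliant = (tolower(tostring(properties.allowBranchToBranchTraffic)) == 'true')`, and use the same form across the workbook's queries.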
@@ -2418,20 +2418,20 @@ ] } }, - "name": "query29" + "name": "query33" }, { "type": 1, "content": { - "json": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this." + "json": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN. Check [this link](https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this." }, - "name": "querytext30" + "name": "querytext34" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 
'ASPath') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -2480,20 +2480,20 @@ ] } }, - "name": "query30" + "name": "query34" }, { "type": 1, "content": { - "json": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this." + "json": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this." }, - "name": "querytext31" + "name": "querytext35" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
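Review bot: The virtual-hub prefix check added in the `@@ -2480` hunk uses `< 23`, so a hub created with exactly a /23 is reported non-compliant even though the accompanying text asks for "at least a /23"; the comparison should be `<= 23`. In the same expression `substring` and `indexof` are string functions applied to `properties.addressPrefix`, a dynamic value, so converting once up front avoids relying on implicit coercion. Suggested replacement for the two `extend` steps: `| extend addressSpace = tostring(properties.addressPrefix) | extend compliant = (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) <= 23)`.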
@@ -2542,7 +2542,7 @@ ] } }, - "name": "query31" + "name": "query35" } ] }, diff --git a/workbooks/alz_checklist.en_network_workbook_template.json b/workbooks/alz_checklist.en_network_workbook_template.json index e25ee2a78..8a799b205 100644 --- a/workbooks/alz_checklist.en_network_workbook_template.json +++ b/workbooks/alz_checklist.en_network_workbook_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"ffc48840-5e6f-402c-addb-f476e83811ea\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"dda6810e-4e65-46d0-b648-9c2b63f4508a\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"b72b1530-87e1-45d5-80ce-b92ba949e542\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab2\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"85c9e0d8-be1e-4d23-8024-39117c2cd7f5\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"279190a0-0975-43a7-a6e7-e857d2e71e4b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab4\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"80e2857b-835c-49ed-a1c0-54ff1ff1a61f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n 
\"subTarget\": \"tab5\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ad498229-1d33-41c0-a3bb-f29c2cf2679c\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ffa74f8c-e1bb-4254-b810-ac1fa557f64f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab7\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Firewall\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information.\"\n },\n \"name\": \"querytext25\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query25\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n 
\"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, 
available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. Check [this link](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone) for further information.. [This training](https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n 
]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": 
\"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. [This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": 
\"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n 
}\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. 
Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": 
\"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n 
]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext26\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": 
\"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query26\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext32\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query32\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext33\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query33\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN. Check [this link](https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext34\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query34\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext35\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query35\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server 
subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-route-server/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum 
number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.. 
[This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. 
Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": 
\"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id 
| project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab7title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 
1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext27\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query27\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext28\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query28\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext29\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n 
\"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query29\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext30\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n 
\"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query30\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext31\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query31\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries 
will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"cb861f33-a7a7-41cf-9649-d7afabba7566\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"8cb6fd2e-540e-4ff1-b903-66521253c65f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab1\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"1b0c84fc-c1d0-4471-9a1f-c7ccee85adf9\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab2\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"30083dca-4639-4773-ba6a-d6f817b74a60\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": 
\"f3a83fc0-a2f7-4e2f-bae8-8a3bb7d30ac6\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"8b629670-7571-4f12-be6d-a0d9202b30e7\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ea0b7755-f79a-4e0a-a8a8-66603320cfc0\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"06180d64-902f-4879-90e9-52d18661da52\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab7\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.. 
[This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.. 
[This training](https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext26\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n 
\"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query26\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n 
\"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n 
\"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. Check [this link](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone) for further information.. 
[This training](https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"## Firewall\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable Azure Firewall DNS proxy configuration. Check [this link](https://learn.microsoft.com/azure/firewall/dns-details) for further information.. [This training](https://learn.microsoft.com/training/courses/az-700t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance. Check [this link](https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell) for further information.. [This training](https://learn.microsoft.com/training/courses/az-104t00/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. Check [this link](https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview) for further information.\"\n },\n \"name\": \"querytext25\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, /subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | where isempty(ddosProtectionPlanId) | , name, id = firewallId, tags, param1 = strcat('vNet: ', vNetName), param2 = 'ddosProtection: Disabled' | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query25\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-route-server/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.. [This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.. 
[This training](https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. 
Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": 
\"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Check [this link](https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id 
| project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-bastion/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": 
\"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.. [This training](https://learn.microsoft.com/training/modules/introduction-azure-firewall/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext27\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": 
\"query27\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext28\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": 
\"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query28\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext29\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": 
\"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query29\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows. Check [this link](https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext30\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n 
\"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query30\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. 
[This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext31\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query31\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab7title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. 
Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext32\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query32\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext33\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query33\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN. Check [this link](https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext34\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query34\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation) for further information.. 
[This training](https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext35\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query35\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" 
diff --git a/workbooks/appdelivery_checklist.en_network_counters_workbook.json b/workbooks/appdelivery_checklist.en_network_counters_workbook.json
index 8cb7e9e89..231ac4748 100644
--- a/workbooks/appdelivery_checklist.en_network_counters_workbook.json
+++ b/workbooks/appdelivery_checklist.en_network_counters_workbook.json
@@ -287,6 +287,34 @@
 },
 "queryType": 8
 },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query8Stats",
+ "type": 1,
+ "query": "resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query8FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query8Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
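Review bot: The new Query8Stats query can never report a failure: after `extend compliant = (... =~ '443')` it applies `where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'`, which drops every gateway whose first backend setting is not on port 443, so `Failed` is always 0 and `FullyCompliant` is always 'Yes'; the same filter is repeated in the query8 grid item of the `@@ -913,6 +941,68 @@` hunk, where it also leaves the OnlyFailed toggle with nothing to show. Dropping the `where` and evaluating every backend setting instead of only index `[0]` would fix both, e.g. `resources | where type == 'microsoft.network/applicationgateways' | mv-expand setting = properties.backendHttpSettingsCollection | extend compliant = (tostring(setting.properties.port) == '443') | distinct id, name, compliant` followed by the existing summarize / onlyFailed tail. Two smaller points: the stats column is still projected as `Query1Stats=tostring(pack_all())`, which is probably harmless if only the cell value is read but is misleading, and both new parameter items reuse the id `daf05c62-1d5b-4325-b241-d7ee468f23eb` already carried by the following item, while the `@@ -508,7 +536,7 @@` hunk goes to the trouble of regenerating link ids to keep them distinct.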
@@ -301,7 +329,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}"
+ "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}"
 }
 }
 ]
@@ -320,7 +348,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}"
+ "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}"
 }
 }
 ]
@@ -415,7 +443,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query1Stats:$.Total}+{Query5Stats:$.Total}"
+ "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query1Stats:$.Total}+{Query5Stats:$.Total}"
 }
 }
 ]
@@ -434,7 +462,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query1Stats:$.Success}+{Query5Stats:$.Success}"
+ "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query1Stats:$.Success}+{Query5Stats:$.Success}"
 }
 }
 ]
@@ -508,7 +536,7 @@
 "style": "tabs",
 "links": [
 {
- "id": "df41b3e9-1513-4fd6-a452-1a73bef6e050",
+ "id": "842c8ee1-0afd-4c1f-a48d-8c346850ab47",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
 "linkLabel": "App Gateway ({Tab0Success:value}/{Tab0Total:value})",
@@ -517,7 +545,7 @@
 "style": "primary"
 },
 {
- "id": "a4df8f42-c0ad-4ea5-b3b1-20aeebf8cbd6",
+ "id": "a8c454ab-b50b-4d1d-b369-b96f513f1aae",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
 "linkLabel": "Load Balancer ({Tab1Success:value}/{Tab1Total:value})",
@@ -913,6 +941,68 @@
 }
 },
 "name": "query7"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "You should encrypt traffic to the backend servers. Check [this link](https://learn.microsoft.com/azure/application-gateway/ssl-overview) for further information."
+ },
+ "name": "querytext8"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "size": 4,
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "id",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "compliant",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "1",
+ "representation": "success",
+ "text": "Success"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "0",
+ "representation": "failed",
+ "text": "Failed"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "unknown",
+ "text": "Unknown"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "name": "query8"
 }
 ]
 },
diff --git a/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json b/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json
index 9606c4164..74dceccbf 100644
--- a/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json
+++ b/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json
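Review bot: The `query8` check inspects only `backendHttpSettingsCollection[0]`, so a gateway with several backend HTTP settings is judged on one of them and any further plaintext settings are never reported, while the `querytext8` description ("encrypt traffic to the backend servers") reads as a verdict on the whole gateway. Expanding the collection with `mv-expand` over `properties.backendHttpSettingsCollection` and folding with `summarize compliant = min(...) by id` would cover every setting, following the `mv-expand` / `summarize ... by id` pattern the `query6` grid already uses for WAF rule sets. Port 443 is also only a proxy for encryption; if the backend setting's `protocol` property is exposed in the resource graph, comparing it with `Https` states the intent directly — confirm that before relying on it. Only the KQL in the `query` line needs to change; the grid formatters match the sibling checks.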
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 
'WAF_v2') | project id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 
'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": 
[\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query1Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n 
},\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query1Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"df41b3e9-1513-4fd6-a452-1a73bef6e050\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"a4df8f42-c0ad-4ea5-b3b1-20aeebf8cbd6\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": 
\"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n 
\"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where 
type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | 
distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 
'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n 
\"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query1Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query1Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n 
},\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": 
\"tabs\",\n \"links\": [\n {\n \"id\": \"842c8ee1-0afd-4c1f-a48d-8c346850ab47\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"a8c454ab-b50b-4d1d-b369-b96f513f1aae\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"You should encrypt traffic to the backend servers. 
Check [this link](https://learn.microsoft.com/azure/application-gateway/ssl-overview) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard 
SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" 
diff --git a/workbooks/appdelivery_checklist.en_network_workbook.json b/workbooks/appdelivery_checklist.en_network_workbook.json
index 62c012a8e..8c34d3702 100644
--- a/workbooks/appdelivery_checklist.en_network_workbook.json
+++ b/workbooks/appdelivery_checklist.en_network_workbook.json
@@ -70,21 +70,21 @@
 "style": "tabs",
 "links": [
 {
- "id": "5923dd62-1bff-46b6-8a34-33b92e5b81ef",
+ "id": "849f6f19-53d3-4a15-8901-5fc567a80efc",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "App Gateway",
+ "linkLabel": "Load Balancer",
 "subTarget": "tab0",
- "preText": "App Gateway",
+ "preText": "Load Balancer",
 "style": "primary"
 },
 {
- "id": "5a62b75c-3039-4305-ae5c-ffe3403027fe",
+ "id": "c8c84999-a671-4d7f-86e2-d00192ee10be",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Load Balancer",
+ "linkLabel": "App Gateway",
 "subTarget": "tab1",
- "preText": "Load Balancer",
+ "preText": "App Gateway",
 "style": "primary"
 }
 ]
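Review bot: The two link `id` GUIDs are regenerated alongside the label swap (`"id": "849f6f19-…"` and `"id": "c8c84999-…"`) even though only `linkLabel`/`preText` changed semantically. If the generator draws these ids at random on every run, each regeneration will produce diff noise in this block and make genuine reorders harder to review; deriving the id deterministically from the tab key would keep them stable across runs. This is inferred from the hunk alone, since the generator is not part of this diff.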
@@ -100,22 +100,22 @@
 {
 "type": 1,
 "content": {
- "json": "## App Gateway"
+ "json": "## Load Balancer"
 },
 "name": "tab0title"
 },
 {
 "type": 1,
 "content": {
- "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information."
 },
- "name": "querytext0"
+ "name": "querytext1"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -164,20 +164,20 @@
 ]
 }
 },
- "name": "query0"
+ "name": "query1"
 },
 {
 "type": 1,
 "content": {
- "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information."
 },
- "name": "querytext2"
+ "name": "querytext5"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -226,20 +226,42 @@
 ]
 }
 },
- "name": "query2"
+ "name": "query5"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab0"
+ },
+ "name": "tab0"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## App Gateway"
+ },
+ "name": "tab1title"
 },
 {
 "type": 1,
 "content": {
- "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
 },
- "name": "querytext3"
+ "name": "querytext0"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
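Review bot: The outbound-rules query that now lands in tab0 (`"query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) ..."`) derives `compliant` from `countOutRules == 0`, and `array_length()` returns null rather than 0 when the property is absent, so a load balancer whose record carries no `outboundRules` key would get a null `compliant`, render as "Unknown" in the grid and be hidden when "Only show failed" is selected. Whether Resource Graph always materialises `outboundRules` as `[]` is not visible from this diff, so this may affect only some SKUs. A defensive form is `extend countOutRules = coalesce(array_length(properties.outboundRules), 0)`, which makes a missing rule list count as compliant. The same query string is embedded in the serialized workbook copies elsewhere in this diff and would need the same change there.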
@@ -288,20 +310,20 @@
 ]
 }
 },
- "name": "query3"
+ "name": "query0"
 },
 {
 "type": 1,
 "content": {
- "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
 },
- "name": "querytext4"
+ "name": "querytext2"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -350,20 +372,20 @@
 ]
 }
 },
- "name": "query4"
+ "name": "query2"
 },
 {
 "type": 1,
 "content": {
- "json": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information."
+ "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
 },
- "name": "querytext6"
+ "name": "querytext3"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
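Review bot: In the subnet-size query moved into this hunk, `subnetPrefixLength = split(prefix, '/')[1]` yields a dynamic string element, and the following `subnetPrefixLength <= 24 or subnetPrefixLength == 64` compares that dynamic value against integers; unless Resource Graph coerces it, a mixed-type comparison in KQL does not evaluate as the intended numeric test and `compliant` can come back null, which the grid renders as "Unknown" and the "Only show failed" filter drops. Converting explicitly, `extend subnetPrefixLength = toint(split(prefix, '/')[1])`, makes the `<= 24` check unambiguous. The same query string is carried in the serialized workbook copies in this diff and would need the same change.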
@@ -412,20 +434,20 @@
 ]
 }
 },
- "name": "query6"
+ "name": "query3"
 },
 {
 "type": 1,
 "content": {
- "json": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection) for further information."
+ "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
 },
- "name": "querytext7"
+ "name": "querytext4"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -474,42 +496,82 @@
 ]
 }
 },
- "name": "query7"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab0"
- },
- "name": "tab0"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
+ "name": "query4"
+ },
 {
 "type": 1,
 "content": {
- "json": "## Load Balancer"
+ "json": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information."
 },
- "name": "tab1title"
+ "name": "querytext6"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "size": 4,
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "id",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "compliant",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "1",
+ "representation": "success",
+ "text": "Success"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "0",
+ "representation": "failed",
+ "text": "Failed"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "unknown",
+ "text": "Unknown"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "name": "query6"
 },
 {
 "type": 1,
 "content": {
- "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information."
+ "json": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection) for further information."
 },
- "name": "querytext1"
+ "name": "querytext7"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -558,20 +620,20 @@
 ]
 }
 },
- "name": "query1"
+ "name": "query7"
 },
 {
 "type": 1,
 "content": {
- "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information."
+ "json": "You should encrypt traffic to the backend servers. Check [this link](https://learn.microsoft.com/azure/application-gateway/ssl-overview) for further information."
 },
- "name": "querytext5"
+ "name": "querytext8"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -620,7 +682,7 @@
 ]
 }
 },
- "name": "query5"
+ "name": "query8"
 }
 ]
 },
diff --git a/workbooks/appdelivery_checklist.en_network_workbook_template.json b/workbooks/appdelivery_checklist.en_network_workbook_template.json
index 198836081..b07d8da77 100644
--- a/workbooks/appdelivery_checklist.en_network_workbook_template.json
+++ b/workbooks/appdelivery_checklist.en_network_workbook_template.json
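Review bot: The new backend-encryption check (`query8`) can never report a failure: after computing `compliant` from `backendHttpSettingsCollection[0].properties.port =~ '443'` the query immediately applies `| where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'`, which discards every non-compliant gateway before the `onlyFailed` logic runs, so gateways talking plain HTTP to their backends silently disappear from the grid instead of showing "Failed". It also inspects only element `[0]`, so a gateway with several backend settings where a later one is unencrypted passes. A form that evaluates every setting and keeps the failures would be `"query": "resources | where type =~ 'microsoft.network/applicationgateways' | mv-expand setting = properties.backendHttpSettingsCollection | extend compliant1 = (tostring(setting.properties.port) == '443') | summarize compliant = min(toint(compliant1)) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed"`. Port 443 is only a proxy for TLS; if the backend setting's protocol field is exposed through Resource Graph, comparing it to `Https` would be the more direct signal, so that is worth confirming against the schema.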
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"5923dd62-1bff-46b6-8a34-33b92e5b81ef\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway\",\n \"subTarget\": \"tab0\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"5a62b75c-3039-4305-ae5c-ffe3403027fe\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n 
\"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"849f6f19-53d3-4a15-8901-5fc567a80efc\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"c8c84999-a671-4d7f-86e2-d00192ee10be\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway\",\n \"subTarget\": \"tab1\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. 
Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. 
Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"You should encrypt traffic to the backend servers. 
Check [this link](https://learn.microsoft.com/azure/application-gateway/ssl-overview) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]"